In modern enterprise networks—especially those built on Windows Active Directory (AD)—authentication plays a crucial role in verifying user identities and controlling access to sensitive resources. While robust authentication protocols such as NTLM and Kerberos are designed to secure this process, attackers have discovered ways to exploit inherent weaknesses in these protocols without needing to crack passwords outright. Two such advanced techniques are Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) attacks.
Both techniques enable lateral movement and privilege escalation across networks by reusing legitimate authentication artifacts, allowing adversaries to impersonate users (including administrators) and access protected systems. This essay delves deeply into the mechanisms behind PtH and PtT attacks, how they exploit network authentication models, their real-world impact, and mitigation strategies—with a concrete example to illustrate their consequences.
1. Understanding the Network Authentication Landscape
Before diving into PtH and PtT attacks, it’s important to understand how authentication typically works in a Windows domain environment.
1.1 NTLM (NT LAN Manager)
NTLM is an older Microsoft authentication protocol that uses challenge-response mechanisms and hash-based credentials for authentication. Despite being largely replaced by Kerberos, NTLM is still supported for backward compatibility.
-
Authentication involves sending an NTLM hash (a cryptographic representation of the password) to the server.
-
The hash can be used repeatedly without requiring the actual plaintext password.
1.2 Kerberos
Kerberos is the default authentication protocol in Active Directory environments.
-
Users authenticate once to a Key Distribution Center (KDC) and receive a Ticket Granting Ticket (TGT).
-
The TGT is then used to obtain Service Tickets (TGS) for accessing network resources.
These tickets are cached on the user’s system and are valid for a specific time window.
2. What is a Pass-the-Hash (PtH) Attack?
2.1. Definition
Pass-the-Hash is a technique where an attacker captures the NTLM hash of a user’s password and reuses it to authenticate to other systems without needing the plaintext password.
It leverages the fact that many systems treat the hash itself as sufficient proof of identity.
2.2. How It Works
-
Obtain the Hash:
-
The attacker gains local administrative access to a Windows machine (e.g., via phishing, exploit, or malware).
-
They dump password hashes from the memory or SAM (Security Accounts Manager) using tools like Mimikatz, LSASS dump, or Windows Credential Editor.
-
-
Use the Hash:
-
The attacker injects the stolen hash into their session.
-
They then use tools like PsExec, WMIC, or Remote Desktop to access another machine on the network that trusts the user represented by the hash.
-
-
Lateral Movement:
-
Once access is gained, the attacker repeats the process, moving laterally and harvesting more credentials until domain admin access is achieved.
-
2.3. Why It’s Effective
-
NTLM allows authentication via hashes.
-
Many organizations do not disable NTLM due to legacy dependencies.
-
Hashes remain valid until a password is changed.
-
No need to decrypt or crack the password.
3. What is a Pass-the-Ticket (PtT) Attack?
3.1. Definition
Pass-the-Ticket involves stealing Kerberos tickets from a user’s session and reusing them to access resources within the domain—again, without needing the user’s password.
3.2. How It Works
-
Obtain the Tickets:
-
The attacker compromises a system and extracts the TGT and TGS Kerberos tickets from memory.
-
Tools like Mimikatz or Rubeus can dump these tickets from the LSASS (Local Security Authority Subsystem Service) process.
-
-
Inject the Tickets:
-
The attacker uses ticket-injection tools to load the stolen ticket into their session.
-
The operating system then treats the attacker as the authenticated user.
-
-
Access Services:
-
With valid tickets, the attacker can access any service that the original user could (e.g., file shares, email, databases, domain controllers).
-
3.3. Advanced Variants
-
Golden Ticket Attack:
-
The attacker forges a TGT using the KRBTGT account hash (which signs all tickets in a domain).
-
Gives the attacker domain-wide persistent access.
-
-
Silver Ticket Attack:
-
The attacker forges a TGS for a specific service without needing a TGT.
-
Requires the service account’s hash only.
-
4. Comparing Pass-the-Hash and Pass-the-Ticket
| Feature | Pass-the-Hash (PtH) | Pass-the-Ticket (PtT) |
|---|---|---|
| Protocol Targeted | NTLM | Kerberos |
| Artifact Used | NTLM Hash | Kerberos Tickets (TGT/TGS) |
| Requires Admin Privileges | Yes (to access hashes from LSASS/SAM) | Yes (to extract tickets from memory) |
| Tools Commonly Used | Mimikatz, WCE, Hashcat, Impacket | Mimikatz, Rubeus, Kekeo |
| Can Forge Credentials? | No | Yes (Golden/Silver tickets) |
| Ideal in Legacy Environments | Yes | Yes, but also common in modern environments |
5. Real-World Example: The NotPetya Cyberattack (2017)
Background
The NotPetya malware, which initially posed as ransomware, was in fact a destructive cyber weapon targeting Ukrainian infrastructure and spreading globally. It used advanced credential theft and lateral movement techniques including PtH and PtT.
How PtH and PtT Were Used
-
Initial Infection:
-
NotPetya was delivered through a compromised Ukrainian tax software called MeDoc.
-
Once inside a network, the malware executed LSASS dumps to extract credentials and NTLM hashes.
-
-
Lateral Movement:
-
Used PsExec and WMIC with extracted hashes (PtH) to move laterally across systems.
-
Harvested Kerberos tickets from memory and reused them (PtT) to access additional network resources.
-
-
Privilege Escalation and Spread:
-
Combined PtH and PtT with EternalBlue (SMBv1 exploit) and Mimikatz to spread rapidly.
-
Crippled multinational corporations (e.g., Maersk, FedEx, Merck) causing billions in damages.
-
Lessons from NotPetya
-
Valid credentials and authentication tokens can be weaponized.
-
Lateral movement is swift once domain trust is abused.
-
Relying on passwords or single-sign-on (SSO) without behavioral analysis is a critical vulnerability.
6. Impact of PtH and PtT on Organizations
6.1. Lateral Movement and Privilege Escalation
-
Attackers can leapfrog across the network using stolen credentials.
-
Leads to full domain compromise if a domain admin is impersonated.
6.2. Bypassing MFA and Authentication Policies
-
MFA typically protects login attempts, not token usage.
-
Once a hash or ticket is stolen, MFA is circumvented.
6.3. Persistence
-
Golden tickets can remain valid for 10 years if not detected.
-
Attackers can establish backdoors or create new domain accounts.
6.4. Difficulty in Detection
-
Activity often appears legitimate because the attacker uses valid credentials.
-
SIEMs must detect anomalous behavior rather than failed login attempts.
7. Mitigation and Defense Strategies
7.1. Credential Hygiene
-
Enforce strong password policies.
-
Regularly rotate passwords—especially for service accounts.
-
Avoid password reuse across systems.
7.2. Harden Authentication Protocols
-
Disable NTLM where possible; enforce Kerberos-only authentication.
-
Implement Extended Protection for Authentication (EPA).
7.3. Enable LSASS Protection
-
Use Credential Guard (Windows 10+) to isolate secrets.
-
Set
RunAsPPLto run LSASS in protected process mode.
7.4. Deploy Multi-Factor Authentication (MFA)
-
While not foolproof, it raises the barrier for initial compromise.
-
Combine with context-aware authentication (device, IP, geolocation).
7.5. Least Privilege and Admin Tiering
-
Segment admin accounts by role (e.g., workstation vs. domain admin).
-
Use Just-In-Time (JIT) and Just-Enough-Access (JEA) principles.
7.6. Monitor and Detect
-
Use tools like Sysmon, ELK, Sentinel, or Splunk for telemetry.
-
Monitor for suspicious logins, token reuse, or ticket anomalies.
7.7. Rotate and Secure KRBTGT
-
Reset the KRBTGT account password at least twice when compromised.
-
Secure domain controllers and restrict physical/logical access.
8. Conclusion
Pass-the-Hash and Pass-the-Ticket attacks are sophisticated techniques that exploit the trust-based nature of authentication in Windows networks. By reusing valid credentials—whether in hash or ticket form—attackers can bypass traditional security measures, impersonate users, and traverse the network undetected.
These attacks underscore a key principle in cybersecurity: Authentication artifacts are just as sensitive as passwords. If they can be stolen, they can be misused.
The modern defense against these threats is not just better passwords or more firewalls, but rather a layered security posture involving credential protection, behavioral analytics, privileged access management, and vigilant monitoring. As attackers continue to evolve, so too must our defenses, rooted in the understanding that trust, once broken, becomes the ultimate vulnerability.
