Security+ Academy · Lesson

Lateral Movement: Pass-the-Hash and Pass-the-Ticket

Understand how attackers reuse NTLM hashes and Kerberos tickets to move laterally without knowing plaintext passwords, and the defenses that stop them.

Lateral Movement: Spreading Through the Network

Lateral movement refers to techniques attackers use to progressively move through a network after establishing an initial foothold, aiming to reach higher-value targets such as domain controllers, databases, and administrative workstations. Unlike initial access (which usually targets a single endpoint), lateral movement exploits trust relationships between systems — authentication mechanisms, shared credentials, network connectivity, and administrative tools — that legitimate users rely on daily. Effective lateral movement allows a single compromised low-privilege account to eventually reach every system in an environment.

How Windows Authentication Works: NTLM

NTLM (NT LAN Manager) is a legacy Windows authentication protocol based on a challenge-response mechanism. When a client authenticates to a server, the server sends a random challenge; the client responds by hashing the challenge with the user's NT hash (a fixed hash derived from the password). The critical design flaw is that the NT hash itself, not the password, is sufficient to authenticate. The NT hash is stored in the Security Account Manager (SAM) database on workstations and in NTDS.DIT on domain controllers. If an attacker obtains the NT hash, they can authenticate as that user without ever knowing the password.

# NT hash example: MD4 of Unicode password
# Password 'Password123' -> NT hash: 58a478135a93ac3bf058a5ea0e8fdb71
# This hash alone is sufficient for NTLM authentication
# An attacker with the hash can authenticate to any service accepting NTLM
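
The challenge-response described above, as an added example that is not part of the original lesson: a simplified NTLMv2-style computation in Python in which both the client's response and the server's check are derived from the NT hash, never from the password. The account names, the 16-byte blob (a stand-in for the real NTLMv2 client blob) and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# NT hash quoted in the lesson (password 'Password123'). The password
# itself is not used anywhere in this file.
NT_HASH = bytes.fromhex("58a478135a93ac3bf058a5ea0e8fdb71")


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def client_response(nt_hash, user, domain, server_challenge, client_blob):
    """Client side: proof = HMAC-MD5(NTOWFv2, server_challenge + blob)."""
    key = ntlmv2_key(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


def server_verify(stored_nt_hash, user, domain, server_challenge, client_blob, proof):
    """Verifier side: recompute the proof from the stored NT hash and compare."""
    expected = client_response(stored_nt_hash, user, domain,
                               server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)


def demo():
    user, domain = "alice", "CORP"   # constructed account names (assumption)
    challenge = os.urandom(8)        # server's random 8-byte challenge
    blob = os.urandom(16)            # simplified stand-in for the NTLMv2 blob
    proof = client_response(NT_HASH, user, domain, challenge, blob)

    # The stored hash is the only secret the verifier needs.
    accepted = server_verify(NT_HASH, user, domain, challenge, blob, proof)
    # Once the stored hash changes (password reset), the old hash stops working.
    after_reset = server_verify(bytes(16), user, domain, challenge, blob, proof)
    # A new challenge invalidates a captured response, but not the hash itself.
    new_challenge = bytes(b ^ 0xFF for b in challenge)
    replayed = server_verify(NT_HASH, user, domain, new_challenge, blob, proof)
    return accepted, after_reset, replayed


if __name__ == "__main__":
    print(demo())
```

The random challenge protects a single exchange against replay; the NT hash remains the long-term secret until the password is changed, which is why SAM and NTDS.DIT need the same protection as plaintext passwords.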
