Cyber Security Academy · Lesson

Pass-the-Hash and Pass-the-Ticket

Reusing stolen credentials.

Credentials Without Passwords

Windows authentication often does not require the plaintext password at the point of use. Both NTLM hashes and Kerberos tickets can authenticate on their own. Attackers exploit this: steal the artifact, reuse it.

Pass-the-Hash (PtH) reuses an NTLM hash.
Pass-the-Ticket (PtT) reuses a Kerberos ticket.
Neither requires cracking the password.

Where Credentials Live

Credential material is cached in memory and on disk during normal operation. Common sources include:

LSASS process memory holds hashes and tickets for logged-on users.
SAM database stores local account hashes.
NTDS.dit on DCs stores every domain hash.
DPAPI-protected credential vaults and browser stores.

Dumping LSASS is the most common harvesting step.

# Mimikatz: dump logon passwords and hashes
privilege::debug
sekurlsa::logonpasswords

# Comsvcs minidump of lsass (living-off-the-land)
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <pid> lsass.dmp full

All lessons in this course

Active Directory Attack Surface
Kerberos and Kerberoasting
Pass-the-Hash and Pass-the-Ticket
Privilege Escalation and Domain Dominance

← Back to Cyber Security Academy