{"id":145,"date":"2025-10-12T03:27:55","date_gmt":"2025-10-12T03:27:55","guid":{"rendered":"https:\/\/vinpearl.ca\/?p=145"},"modified":"2025-10-12T03:27:55","modified_gmt":"2025-10-12T03:27:55","slug":"pass-the-hash","status":"publish","type":"post","link":"https:\/\/vinpearl.ca\/index.php\/2025\/10\/12\/pass-the-hash\/","title":{"rendered":"pass-the-hash"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">How It Works (Step-by-Step)<\/h2>\n\n\n\n<ol start=\"1\">\n<li><strong>Initial Compromise<\/strong>\n<ul>\n<li>Attacker gains access to a Windows machine (via phishing, exploit, or misconfig).<\/li>\n\n\n\n<li>They escalate privileges to access LSASS memory.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Hash Extraction<\/strong>\n<ul>\n<li>Tools like <code>Mimikatz<\/code>, <code>ProcDump<\/code>, or <code>Pypykatz<\/code> are used to dump LSASS.<\/li>\n\n\n\n<li>Extracted NTLM hashes include those of local admins or domain users.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Authentication Replay<\/strong>\n<ul>\n<li>Using tools like <code>pth-winexe<\/code>, <code>Impacket<\/code>, or <code>Cobalt Strike<\/code>, the attacker authenticates to another system by passing the hash.<\/li>\n\n\n\n<li>No password cracking required\u2014just hash injection.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Lateral Movement<\/strong>\n<ul>\n<li>Attacker pivots across systems using the same hash.<\/li>\n\n\n\n<li>If local admin passwords are reused across machines, one hash unlocks many endpoints.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Privilege Escalation &amp; Persistence<\/strong>\n<ul>\n<li>Attacker may target DCs, dump more hashes, create backdoors, or exfiltrate data.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee1\ufe0f Why It\u2019s Dangerous<\/h2>\n\n\n\n<ul>\n<li><strong>Bypasses password complexity<\/strong>: Doesn\u2019t matter how strong the password is.<\/li>\n\n\n\n<li><strong>Evades detection<\/strong>: Appears as legitimate user activity.<\/li>\n\n\n\n<li><strong>Enables rapid lateral movement<\/strong>: Especially in flat networks or with reused credentials.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd10 Mitigation Strategies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Defense Layer<\/th><th>Action<\/th><\/tr><\/thead><tbody><tr><td>Credential Hygiene<\/td><td>Use unique local admin passwords (LAPS), enforce password rotation<\/td><\/tr><tr><td>Memory Protection<\/td><td>Enable Credential Guard, isolate LSASS<\/td><\/tr><tr><td>Logging &amp; Detection<\/td><td>Monitor for LSASS access, unusual SMB\/RDP logins<\/td><\/tr><tr><td>Network Segmentation<\/td><td>Limit lateral movement paths, restrict admin access<\/td><\/tr><tr><td>MFA &amp; PAM<\/td><td>Use multi-factor authentication and privileged access management<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>How It Works (Step-by-Step) \ud83d\udee1\ufe0f Why It\u2019s Dangerous \ud83d\udd10 Mitigation Strategies Defense Layer Action Credential Hygiene Use unique local admin passwords (LAPS), enforce password rotation Memory Protection Enable Credential Guard, isolate LSASS Logging &amp; Detection Monitor for LSASS access, unusual SMB\/RDP logins Network Segmentation Limit lateral movement paths, restrict admin access MFA &amp; PAM Use [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,10],"tags":[],"_links":{"self":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts\/145"}],"collection":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/comments?post=145"}],"version-history":[{"count":1,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts\/145\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts\/145\/revisions\/146"}],"wp:attachment":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/media?parent=145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/categories?post=145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/tags?post=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}