Pass-the-Hash
Windows stores passwords as hashes in the Security Accounts Manager (SAM) file. Microsoft uses a suite of protocols for authentication called New Technology Local Area Network Manager (NTLM), which has two versions: NTLMv1 and NTLMv2. NTLM has mostly been replaced, but it may still be used when a client authenticates to a server by IP address or to a server in a different AD forest.
If an attacker can compromise the SAM, they can use the hash directly from a compromised system to log in, rather than trying to figure out what the password is.
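Why the hash is as good as the password: in NTLMv2 the proof sent to the server is an HMAC-MD5 keyed by a value derived from the NT hash, so the server's check never involves the cleartext password. The sketch below is an added example, not part of the original page; the account name, domain, hashes and challenge are constructed, and the client blob is simplified.

```python
import hashlib
import hmac

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain, UTF-16LE.
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, blob: bytes) -> bytes:
    # Proof over the server's challenge and the client blob; the only secret
    # input is the NT hash, the cleartext password is never needed.
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def server_accepts(stored_hash: bytes, user: str, domain: str,
                   server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    # The verifier recomputes the proof from the hash it has stored.
    expected = nt_proof(stored_hash, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)

def demo() -> dict:
    # All values below are constructed for illustration.
    user, domain = "alice", "LAB"
    stored_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    rotated_hash = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    challenge = bytes.fromhex("0123456789abcdef")
    # Simplified blob: version bytes, padding, zero timestamp, client challenge.
    blob = b"\x01\x01" + bytes(6) + bytes(8) + bytes.fromhex("a1" * 8)

    # Whoever holds the stored hash produces a proof the server accepts.
    proof = nt_proof(stored_hash, user, domain, challenge, blob)
    guess = nt_proof(bytes(16), user, domain, challenge, blob)
    return {
        "hash_holder_accepted": server_accepts(stored_hash, user, domain, challenge, blob, proof),
        "wrong_hash_accepted": server_accepts(stored_hash, user, domain, challenge, blob, guess),
        # After a password change the server stores a new hash; the old one fails.
        "old_hash_after_rotation": server_accepts(rotated_hash, user, domain, challenge, blob, proof),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the defensive takeaway: a stolen hash stays valid until the account's password, and therefore its stored hash, changes.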