June 15, 2026
From Domain Hashes to Remote Access: Demonstrating Pass-the-Hash in an Active Directory Lab
Jai Bhattacharya
Introduction
After successfully compromising a Windows 7 workstation using EternalBlue (MS17-010) and performing token impersonation, I gained administrative access within my Active Directory lab environment.
During post-exploitation activities on the Domain Controller, I extracted NTLM password hashes from Active Directory accounts. Rather than attempting to crack these hashes, I demonstrated a technique known as Pass-the-Hash (PtH), which allows authentication using an NTLM hash directly without knowing the user's plaintext password.
In this blog, I will demonstrate how Pass-the-Hash can be used for lateral movement and remote command execution within an Active Directory environment.
Disclaimer: All activities were performed in a personal lab environment for educational and research purposes only.
Lab Environment
The environment consisted of:
- Kali Linux (Attacker Machine)
- Windows 7 Client (Initial Compromise)
- Windows Server 2012 R2 (Domain Controller)
Internal Network
- Kali Linux → 192.168.27.30
- Windows 7 Client → 192.168.27.20
- Domain Controller → 192.168.27.110
Attack Path Overview
The attack chain followed the sequence below:
- EternalBlue (MS17-010) exploitation of the Windows 7 client
- Token impersonation to obtain a domain administrator security context
- Access to the Domain Controller using the impersonated token
- NTLM hash extraction with Meterpreter's hashdump
- Pass-the-Hash authentication to the Domain Controller with CrackMapExec
- Remote command execution on the Domain Controller
Understanding Pass-the-Hash
In real-world assessments, attackers may first attempt to crack NTLM hashes using tools such as Hashcat to recover plaintext credentials. However, if the password is strong or cracking is unsuccessful, Pass-the-Hash allows authentication using the NTLM hash directly without recovering the original password.
When NTLM hashes are obtained during post-exploitation, attackers generally have two choices: crack the hash offline to recover the plaintext password or use the hash directly through Pass-the-Hash authentication.
In many situations, Pass-the-Hash is significantly faster because successful authentication can occur without waiting for password cracking to complete. For this demonstration, I chose the Pass-the-Hash approach.
Step 1: Verifying Administrative Context
Before interacting with the Domain Controller, I verified that token impersonation had successfully provided administrative privileges.
The Meterpreter session confirmed that the current security context belonged to the domain administrator.
This administrative context enabled further actions against the Domain Controller.
Step 2: Accessing the Domain Controller
Using the impersonated administrative token obtained from the compromised Windows 7 workstation, I was able to authenticate to the Domain Controller and establish administrative access.
After successful access, the Meterpreter session confirmed control of the target system.
The output verified:
- Hostname: WINDC
- Operating System: Windows Server 2012 R2
- Domain: DCLABS
At this stage, administrative access to the Domain Controller had been achieved.
Step 3: Extracting NTLM Hashes
With elevated privileges on the Domain Controller, I extracted account hashes using Meterpreter's hashdump functionality.
At this stage, an attacker could attempt to crack the extracted NTLM hashes using tools such as Hashcat or John the Ripper. However, password recovery is not always necessary. If NTLM authentication is enabled, the hash itself can often be used directly through a Pass-the-Hash attack.
The output contained:
- Domain Administrator account hashes
- Service account hashes
- Domain user account hashes
- Machine account hashes
These hashes represent credential material that could potentially be abused for further access.
For security reasons, sensitive hash values should be redacted when publishing screenshots.
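One way to make that redaction step routine, as an added example rather than code from the original post: the script below parses hashdump's user:RID:LM-hash:NT-hash::: lines, masks every hash except the well-known empty-password values (which are public constants and worth flagging rather than hiding), and produces a short per-account triage. The sample dump is constructed; the account names follow the lab in the post, the svc_sql account is an assumption, and every hash value is made up.

```python
"""Redact Meterpreter hashdump output before it is published, and triage it.

Added example (not code from the original post). The dump below is constructed:
the account names follow the lab in the post, but every hash value is made up.
"""
import re

# Well-known hashes of the empty password; safe to leave visible and worth flagging.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed hashdump lines in the user:RID:LM:NT::: layout. Hash values are fake.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_sql:1104:1122334455667788aabbccddeeff0011:00112233445566778899aabbccddeeff:::
WINDC$:1001:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_hashdump(text):
    """Return one dict per account; reject anything that is not a hashdump line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno} is not in hashdump format: {line!r}")
        entry = m.groupdict()
        entry["rid"] = int(entry["rid"])
        entry["lm"] = entry["lm"].lower()
        entry["nt"] = entry["nt"].lower()
        entries.append(entry)
    return entries


def mask(hexhash, keep=4):
    """Keep a short prefix so rows stay distinguishable in a screenshot, hide the rest."""
    return hexhash[:keep] + "*" * (len(hexhash) - keep)


def redact_hashdump(text, keep=4):
    """Rewrite the dump with every real hash masked; empty-password hashes stay visible."""
    lines = []
    for e in parse_hashdump(text):
        lm = e["lm"] if e["lm"] == EMPTY_LM else mask(e["lm"], keep)
        nt = e["nt"] if e["nt"] == EMPTY_NT else mask(e["nt"], keep)
        lines.append(f"{e['user']}:{e['rid']}:{lm}:{nt}:::")
    return "\n".join(lines)


def account_kind(entry):
    """Classify by well-known RID or by the trailing '$' of machine accounts."""
    if entry["rid"] == 500:
        return "built-in Administrator"
    if entry["rid"] == 502:
        return "krbtgt"
    if entry["user"].endswith("$"):
        return "machine account"
    return "user or service account"


def triage(text):
    """Per-account findings a defender wants recorded before the hashes are discarded."""
    report = {}
    for e in parse_hashdump(text):
        report[e["user"]] = {
            "kind": account_kind(e),
            "empty_password": e["nt"] == EMPTY_NT,
            # A non-empty LM hash means the weak LM format is still being stored.
            "lm_hash_stored": e["lm"] != EMPTY_LM,
        }
    return report


if __name__ == "__main__":
    print(redact_hashdump(SAMPLE_HASHDUMP))
    for user, f in triage(SAMPLE_HASHDUMP).items():
        print(f"{user:15} {f['kind']:25} empty_password={f['empty_password']} "
              f"lm_hash_stored={f['lm_hash_stored']}")
```

The parser is strict on purpose: a line that does not match the hashdump layout raises instead of being passed through, so a stray unmasked value cannot slip into a published listing.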
Step 4: Performing Pass-the-Hash Authentication
Rather than attempting to crack the Administrator password, I used the extracted NTLM hash directly for authentication.
CrackMapExec was used to authenticate to the Domain Controller using the Administrator account hash.
The output returned:
"Pwn3d!"
This indicates that the authentication succeeded and that administrative access was granted using only the NTLM hash.
No plaintext password was required.
Step 5: Remote Command Execution
After successful authentication, I executed commands remotely against the Domain Controller.
A simple whoami command was used to verify execution.
The response returned dclabs\administrator, confirming that commands were being executed successfully on the Domain Controller.
Additional verification was performed using the ipconfig command.
The results confirmed successful remote command execution through Pass-the-Hash authentication.
Security Impact
Pass-the-Hash demonstrates why credential theft can be extremely dangerous in Active Directory environments.
Even when attackers do not know the actual password, possession of an NTLM hash may be sufficient to:
- Authenticate to systems
- Execute commands remotely
- Move laterally through the network
- Access administrative resources
- Expand control across the domain
This highlights the importance of protecting credential material stored in memory and on Domain Controllers.
Mitigation Strategies
Organizations can reduce the risk of Pass-the-Hash attacks by:
- Applying Microsoft's latest security updates
- Restricting administrative privileges
- Implementing Credential Guard
- Disabling NTLM where possible
- Enforcing strong password policies
- Using multi-factor authentication
- Monitoring suspicious authentication activity
- Limiting administrative account usage
Reducing the exposure of privileged credentials significantly lowers the effectiveness of Pass-the-Hash attacks.
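The monitoring item above is the one a detection engineer can act on directly. The example below is added here and is not code or telemetry from the original post: it runs simple rules over a constructed list of Windows Security events (using the Security log's EventData field names) to flag the shape this lab produced on the Domain Controller, namely a 4624 network logon (LogonType 3) authenticated with the NTLM package for a privileged account from a source outside the admin allow-list, tied to the 4672 privilege assignment for the same logon session, plus a 4776 credential validation naming a workstation the domain does not know. The policy values (the tier-0 host set, the privileged-account set, an allow-listed admin workstation at 192.168.27.50 named PAW01, and the hostname KALI for the attacker machine) are assumptions made for the example.

```python
"""Flag NTLM network logons that match the Pass-the-Hash pattern in the post.

Added example (not code or telemetry from the original post). EVENTS is a constructed
sample of Windows Security events using the Security log's EventData field names.
POLICY values (tier-0 hosts, privileged accounts, an allow-listed admin workstation
at 192.168.27.50 named PAW01, and KALI as the attacker hostname) are assumptions.
"""

POLICY = {
    "tier0_hosts": {"WINDC"},                        # Domain Controller from the post
    "privileged_accounts": {"administrator"},
    "admin_source_allowlist": {"192.168.27.50"},     # hypothetical admin workstation
    "known_workstations": {"WINDC", "WIN7CLIENT", "PAW01"},  # names 4776 should show
}

# Constructed events; only the fields the rules read are included.
EVENTS = [
    {"EventID": 4624, "Computer": "WINDC", "TargetUserName": "administrator",
     "TargetDomainName": "DCLABS", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "IpAddress": "192.168.27.30",
     "WorkstationName": "KALI", "TargetLogonId": "0x3e7a1"},
    {"EventID": 4672, "Computer": "WINDC", "SubjectUserName": "administrator",
     "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4776, "Computer": "WINDC", "TargetUserName": "administrator",
     "Workstation": "KALI", "Status": "0x0"},
    {"EventID": 4624, "Computer": "WINDC", "TargetUserName": "jdoe",
     "TargetDomainName": "DCLABS", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "IpAddress": "192.168.27.20",
     "WorkstationName": "WIN7CLIENT", "TargetLogonId": "0x41b02"},
    {"EventID": 4624, "Computer": "WINDC", "TargetUserName": "administrator",
     "TargetDomainName": "DCLABS", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "IpAddress": "192.168.27.50",
     "WorkstationName": "PAW01", "TargetLogonId": "0x52c10"},
    {"EventID": 4776, "Computer": "WINDC", "TargetUserName": "jdoe",
     "Workstation": "WIN7CLIENT", "Status": "0x0"},
]


def _ntlm_network_logon(e):
    """4624 with LogonType 3 and the NTLM package: the shape a remote PtH logon leaves."""
    return (e["EventID"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName", "").upper() == "NTLM")


def detect(events, policy=POLICY):
    """Return alerts; each carries a severity, the rule that fired, and the evidence."""
    alerts = []
    # 4672 records which logon sessions were handed admin-equivalent privileges,
    # so an NTLM logon can be tied to the session that received them.
    privileged_sessions = {e["SubjectLogonId"] for e in events if e["EventID"] == 4672}

    for e in events:
        if _ntlm_network_logon(e):
            user = e["TargetUserName"].lower()
            host = e["Computer"].upper()
            src = e.get("IpAddress", "-")
            if host not in policy["tier0_hosts"] or user not in policy["privileged_accounts"]:
                continue  # rule scope: privileged accounts reaching tier-0 hosts over NTLM
            allowed = src in policy["admin_source_allowlist"]
            alerts.append({
                "severity": "info" if allowed else "high",
                "rule": "ntlm-admin-logon-to-tier0",
                "user": user, "host": host, "source": src,
                "workstation": e.get("WorkstationName", ""),
                "privileges_assigned": e.get("TargetLogonId") in privileged_sessions,
                "note": ("NTLM admin logon from an allow-listed admin host" if allowed
                         else "NTLM admin logon to a DC from an unexpected source; "
                              "Kerberos from an admin workstation is the expected shape"),
            })
        elif e["EventID"] == 4776:
            ws = e.get("Workstation", "").upper()
            if ws and ws not in policy["known_workstations"]:
                alerts.append({
                    "severity": "medium",
                    "rule": "ntlm-validation-from-unknown-workstation",
                    "user": e["TargetUserName"].lower(), "host": e["Computer"].upper(),
                    "source": ws, "workstation": ws, "privileges_assigned": None,
                    "note": "DC validated NTLM credentials for a workstation name it does not know",
                })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['severity']:6}] {a['rule']}: {a['user']}@{a['host']} "
              f"from {a['source']} ({a['note']})")
```

Two design points: the Kerberos logon and the 4776 from a known workstation generate nothing, so the rule stays quiet on ordinary domain traffic, and the allow-listed NTLM admin logon is recorded at info rather than dropped, which keeps a trail for the "Disabling NTLM where possible" item above. Enabling the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy on the Domain Controller gives the same investigation a per-request NTLM audit trail beyond 4624 and 4776.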
Key Takeaways
This exercise demonstrated several important Active Directory security concepts:
- Initial access can lead to credential compromise.
- NTLM hashes may provide access without password cracking.
- Pass-the-Hash enables efficient lateral movement.
- Administrative credentials represent a high-value target.
- Domain Controllers require additional protection because of the sensitive credentials they contain.
Conclusion
Pass-the-Hash remains one of the most widely abused credential theft techniques in Windows environments. This exercise demonstrated how an initial workstation compromise can ultimately lead to Domain Controller access, credential extraction, and authenticated remote command execution without ever recovering the Administrator account's plaintext password.
In short, credential theft can quickly transform an initial compromise into broad access across an Active Directory environment.
In the next blog of this series, I will explore Kerberoasting and demonstrate how service accounts can be targeted through Kerberos ticket requests and offline password cracking.
Thank you for reading.