4.6.2. Modern Credential Attacks: Pass-the-Hash and Kerberos Exploitation
💡 First Principle: Modern credential attacks do not break cryptographic algorithms — they steal or reuse the cryptographic artifacts (hashes, tickets, tokens) that authentication systems produce, bypassing the authentication process entirely without ever needing the user's password.
NTLM Pass-the-Hash
Windows NTLM authentication uses a challenge-response protocol based on the MD4 hash of the user's password. The critical vulnerability: the hash itself is the credential. An attacker who obtains the NTLM hash from memory (LSASS process), the SAM database, or network capture can authenticate to any system that accepts NTLM — without cracking the hash to recover the password.
Attack flow:
- Attacker compromises a workstation (phishing, exploit, physical access)
- Extracts NTLM hashes from LSASS memory using tools like Mimikatz (sekurlsa::logonpasswords)
- Presents the stolen hash directly to target systems in NTLM challenge-response
- Target system validates the hash and grants access — the password was never needed
Windows Credential Guard mitigates this by isolating LSASS in a virtualization-based security (VBS) container. Even a kernel-level compromise cannot read the protected LSASS memory because the isolation is enforced by the hypervisor, not the OS kernel.
Kerberos Attacks
Kerberos replaced NTLM as the default Windows authentication protocol, but introduces its own attack surface:
| Attack | What Is Stolen/Forged | Impact | Key Defense |
|---|---|---|---|
| Pass-the-Ticket | Stolen TGT from memory | Impersonate the user until TGT expires (default 10 hours) | Credential Guard, short TGT lifetime |
| Golden Ticket | Forged TGT using stolen KRBTGT hash | Unlimited domain access; persists until KRBTGT is reset TWICE | Rotate KRBTGT regularly; detect anomalous TGT lifetimes |
| Silver Ticket | Forged service ticket using stolen service account hash | Access specific service; bypasses DC validation | Managed service accounts with auto-rotating passwords |
| Kerberoasting | Request service tickets for SPNs, crack offline | Recover service account passwords from weak passwords | Strong passwords / gMSAs for service accounts; monitoring |
Golden Ticket is the most devastating: the KRBTGT account hash signs every TGT in the domain. An attacker with this hash can forge TGTs for any user (including non-existent users) with any group membership (including Domain Admins) with any lifetime (including 10-year validity). The forged ticket is cryptographically valid — the domain controller cannot distinguish it from a legitimate TGT. Recovery requires resetting the KRBTGT password twice (because Kerberos remembers the current and previous password) and rebuilding the domain controller if the attacker had persistent access.
Kerberoasting is the most common: any authenticated domain user can request a Kerberos service ticket for any SPN (Service Principal Name) in the domain. The service ticket is encrypted with the service account's password hash. The attacker takes the ticket offline and cracks it — weak service account passwords fall in minutes. No elevated privileges are needed to execute this attack.
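Because Kerberoasting needs no elevated privileges, the defender's signal is the request pattern itself: one account asking the KDC for service tickets to many distinct service accounts in a short burst, typically requesting the RC4 encryption type that is cheapest to crack offline. The detector below is an added example written for this page, not code from the original text. It assumes event records shaped like Windows Security event 4769 (requesting account, service name, ticket encryption type, client address) and uses constructed sample rows; the five-minute window and five-service threshold are assumed tuning values, not documented standards.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type 23 (RC4-HMAC) as logged in event 4769; AES service
# tickets (0x11, 0x12) are not crackable in the same cheap offline way.
RC4_HMAC = "0x17"

# Constructed sample records: "time|requesting account|service name|etype|client".
# Synthetic data for illustration, not exported from a real domain controller.
SAMPLE_4769_EVENTS = """\
2024-05-01T09:00:02|asmith@CORP|sql-svc|0x12|10.1.4.20
2024-05-01T09:00:05|asmith@CORP|FILESERVER01$|0x12|10.1.4.20
2024-05-01T09:10:00|jdoe@CORP|sql-svc|0x17|10.1.7.33
2024-05-01T09:10:01|jdoe@CORP|web-svc|0x17|10.1.7.33
2024-05-01T09:10:01|jdoe@CORP|backup-svc|0x17|10.1.7.33
2024-05-01T09:10:02|jdoe@CORP|sharepoint-svc|0x17|10.1.7.33
2024-05-01T09:10:02|jdoe@CORP|exchange-svc|0x17|10.1.7.33
2024-05-01T09:10:03|jdoe@CORP|iis-svc|0x17|10.1.7.33
2024-05-01T09:10:03|jdoe@CORP|DC01$|0x17|10.1.7.33
2024-05-01T09:30:00|bwong@CORP|legacy-app-svc|0x17|10.1.9.5
"""


def parse_events(text):
    """Split the pipe-delimited sample into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, account, service, etype, client = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "service": service, "etype": etype.lower(), "client": client})
    return events


def is_crackable_target(service):
    """Computer accounts (trailing $) carry long random machine passwords and
    krbtgt traffic is TGT handling, so neither is an offline-cracking target."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=5):
    """Flag (account, client) pairs that request RC4 service tickets for at
    least `min_services` distinct crackable service accounts within `window`."""
    by_requester = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_crackable_target(e["service"]):
            by_requester[(e["account"], e["client"])].append(e)

    findings = []
    for (account, client), reqs in by_requester.items():
        reqs.sort(key=lambda e: e["time"])
        for i, start in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r["time"] - start["time"] <= window]
            services = sorted({r["service"] for r in in_window})
            if len(services) >= min_services:
                findings.append({"account": account, "client": client,
                                 "services": services,
                                 "first": start["time"], "last": in_window[-1]["time"]})
                break  # one finding per requester is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_kerberoasting(parse_events(SAMPLE_4769_EVENTS)):
        print(f"{f['account']} from {f['client']} requested RC4 tickets for "
              f"{len(f['services'])} services between {f['first']} and {f['last']}")
```

In the sample, only jdoe@CORP trips the rule: six distinct RC4 service tickets in three seconds, with the computer-account request for DC01$ discarded as noise. A single legacy RC4 request (bwong@CORP) is not flagged by this rule, which is deliberate: it belongs in an inventory of accounts still lacking AES rather than in an alert queue.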
Credential Stuffing vs. Password Spraying
| Attack | Method | Detection Pattern |
|---|---|---|
| Credential stuffing | Verified username/password pairs from breach databases; 1-2 attempts per account across many accounts | High success rate per pair; distributed across accounts |
| Password spraying | Small set of common passwords tried against all accounts | 1-3 attempts per account; evades per-account lockout thresholds |
Both attacks exploit the gap between per-account lockout policies and organization-wide monitoring. An account lockout threshold of 5 attempts protects against brute force on individual accounts but is irrelevant against spraying (3 attempts across 10,000 accounts = 30,000 total attempts, zero lockouts).
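The gap described above closes only when failed logons are aggregated per source across all accounts rather than per account. The script below is an added example for this page, not code from the original text: it builds a constructed set of logon attempts (standing in for the fields of Windows events 4624/4625), profiles each source IP, and labels it using the patterns from the table. The lockout threshold of 5 comes from the text; the "10 distinct accounts" and "10% success rate" cut-offs are assumed tuning values.

```python
from collections import defaultdict

# Per-account lockout threshold from the text: 5 failed attempts locks the account.
LOCKOUT_THRESHOLD = 5
# A source touching at least this many distinct accounts counts as "distributed".
MIN_ACCOUNTS_FOR_DISTRIBUTED = 10
# Share of attempts that must succeed for a distributed pattern to look like
# breach-derived pairs (stuffing) rather than common-password guesses (spraying).
STUFFING_SUCCESS_RATE = 0.10


def build_sample_logons():
    """Constructed logon attempts as (source_ip, account, outcome) tuples.
    Synthetic data for illustration only."""
    rows = []
    # Spraying: 3 common passwords against each of 40 accounts, nothing succeeds.
    for n in range(1, 41):
        rows += [("203.0.113.10", f"user{n:03d}", "failure")] * 3
    # Stuffing: one breach pair per account; a few pairs are still valid.
    for n in range(1, 26):
        rows.append(("198.51.100.7", f"user{n:03d}",
                     "success" if n % 6 == 0 else "failure"))
    # Classic brute force: 12 guesses against a single account.
    rows += [("192.0.2.99", "administrator", "failure")] * 12
    # Ordinary user: two typos, then the right password.
    rows += [("10.0.0.5", "user007", "failure")] * 2
    rows.append(("10.0.0.5", "user007", "success"))
    return rows


def profile_sources(rows):
    """Aggregate attempts per source IP, keeping per-account failure counts."""
    per_source = defaultdict(lambda: {"attempts": 0, "successes": 0, "accounts": set(),
                                      "failures_per_account": defaultdict(int)})
    for src, account, outcome in rows:
        p = per_source[src]
        p["attempts"] += 1
        p["accounts"].add(account)
        if outcome == "success":
            p["successes"] += 1
        else:
            p["failures_per_account"][account] += 1
    return per_source


def classify(profile, lockout=LOCKOUT_THRESHOLD, min_accounts=MIN_ACCOUNTS_FOR_DISTRIBUTED):
    """Label one source's activity using the detection patterns from the table."""
    accounts = len(profile["accounts"])
    fails = profile["failures_per_account"]
    max_failures = max(fails.values(), default=0)
    success_rate = profile["successes"] / profile["attempts"]
    # How many accounts the per-account policy alone would have locked.
    locked = sum(1 for c in fails.values() if c >= lockout)

    if accounts >= min_accounts and max_failures < lockout:
        # Many accounts, each under the lockout line: the per-account policy is blind.
        label = ("credential_stuffing" if success_rate >= STUFFING_SUCCESS_RATE
                 else "password_spraying")
    elif max_failures >= lockout:
        label = "brute_force"
    else:
        label = "benign"
    return {"label": label, "attempts": profile["attempts"], "accounts": accounts,
            "max_failures_per_account": max_failures,
            "success_rate": round(success_rate, 2), "locked_accounts": locked}


def triage(rows):
    """Classify every source present in the record set."""
    return {src: classify(p) for src, p in profile_sources(rows).items()}


if __name__ == "__main__":
    for src, verdict in triage(build_sample_logons()).items():
        print(src, verdict)
```

Running it shows the point numerically: the spraying source makes 120 attempts against 40 accounts and locks none of them, the stuffing source is distinguished only by its success rate, and the one source the lockout policy actually stops is the single-account brute force.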
Defenses
| Defense | What It Addresses |
|---|---|
| Credential Guard (VBS) | Pass-the-hash — isolates LSASS from kernel-level credential theft |
| LAPS (Local Administrator Password Solution) | Shared local admin passwords — unique, auto-rotating password per machine |
| Tiered AD administration (Tier 0/1/2) | Cross-tier credential reuse — domain admin creds never touch Tier 1/2 systems |
| Phishing-resistant MFA (FIDO2) | Credential theft via phishing — origin-bound, cannot be relayed |
| PAM with JIT access | Standing privileged access — privileges exist only during approved windows |
| gMSA (Group Managed Service Accounts) | Kerberoasting — 240-character auto-rotating passwords eliminate offline cracking |
⚠️ Exam Trap: Pass-the-hash attacks use the NTLM hash directly — they do NOT crack the hash first. The hash IS the credential. This is different from Kerberoasting, where the attacker obtains an encrypted ticket and DOES crack it offline to recover the service account password. The exam tests whether you understand which attacks require cracking and which bypass cracking entirely.
Reflection Question: After a red team exercise achieves domain admin via Kerberoasting a service account with a weak password, the IT team proposes resetting all user passwords. Explain why this is insufficient — what specific credential artifacts must be addressed, and in what order?