What is a pass-the-hash attack, and how does it exploit NTLM authentication? Learn how attackers use stolen password hashes to gain unauthorized access without cracking passwords—essential for CompTIA Security+ (Plus) SY0-701 exam success.
Table of Contents
Question
An attacker captures an NTLM authentication hash from a network and replays it to authenticate as the victim without cracking it. What is this attack?
A. Credential stuffing
B. Replay attack
C. Session hijacking
D. Golden ticket attack
E. Pass-the-hash
Answer
E. Pass-the-hash
Explanation
Instead of cracking a password hash, an attacker reuses it directly to gain access.
The described attack is a pass-the-hash attack.
In a pass-the-hash attack, an attacker captures a hashed password (such as an NTLM hash) from a network or compromised system and reuses it to authenticate as the victim, without ever needing to crack or know the original plaintext password.
The attacker presents the stolen hash directly to the authentication protocol, tricking the system into granting access because the hash is a valid representation of the user’s credentials.
This technique is especially effective against Windows environments using NTLM authentication, where password hashes are often stored or transmitted and can be reused for lateral movement across systems.
Pass-the-hash attacks differ from credential stuffing or replay attacks in that the attacker does not need to decrypt or brute-force the password; the hash itself is sufficient for authentication.
Defenses include minimizing privileged account use, enforcing strong password policies, segmenting networks, and using advanced authentication mechanisms.
Pass-the-hash attacks allow an attacker to reuse stolen password hashes (such as NTLM) to authenticate as a user, bypassing the need to crack the password itself.
CompTIA Security+ (Plus) SY0-701 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the CompTIA Security+ (Plus) SY0-701 exam and earn CompTIA Security+ (Plus) SY0-701 certification.