Pass the Hash attacks exploit the authentication protocol, as the hash of the password remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system’s active memory, among other techniques.
While the attacks can occur on Linux, Unix, and other platforms, they are most prevalent on Windows systems. In Windows, Pass the Hash exploits Single Sign-On (SSO) through NT LAN Manager (NTLM), Kerberos, and other authentication protocols. When a password is created in Windows, it is hashed and stored in the Security Accounts Manager (SAM), Local Security Authority Subsystem (LSASS) process memory, the Credential Manager (CredMan) store, an ntds.dit database in Active Directory, or elsewhere. When a user logs on to a Windows workstation or server, they essentially leave behind their password credentials.
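
Because a reused hash produces a logon that looks successful and legitimate, detection usually relies on the context of the logon rather than on the credential itself. The following added example (not part of the original page) triages Windows Security event 4624 (successful logon) records for two patterns defenders commonly review when hunting for hash reuse. The sample events, account and host names, the per-account baseline and the two heuristics are constructed assumptions, not a complete detection.

```python
# Added example: triage of Windows Security 4624 (successful logon) records.
# Field names follow the 4624 event schema; every event below is constructed.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32",
     "WorkstationName": "WS-ALICE", "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "WorkstationName": "", "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "WorkstationName": "WS-BOB", "IpAddress": "10.0.0.37"},
    {"EventID": 4624, "TargetUserName": "bob", "LogonType": 9,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "WorkstationName": "WS-BOB", "IpAddress": "::1"},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "WorkstationName": "WS-CAROL", "IpAddress": "10.0.0.40"},
]

# Assumed baseline: hosts each account normally authenticates from.
BASELINE = {"svc_backup": {"SRV-BACKUP"}, "alice": {"WS-ALICE"}, "bob": {"WS-BOB"}}

def triage(events, baseline):
    """Return (user, source_host, reason) tuples worth an analyst's review."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        user = ev["TargetUserName"]
        if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
            continue  # null sessions and machine accounts are routine NTLM noise
        ltype, pkg = ev["LogonType"], ev["AuthenticationPackageName"]
        host = ev["WorkstationName"].upper()
        # Heuristic 1: NewCredentials logon (type 9) created through seclogo.
        if ltype == 9 and ev["LogonProcessName"].strip().lower() == "seclogo":
            findings.append((user, host, "new-credentials logon via seclogo"))
        # Heuristic 2: NTLM network logon from a host outside the baseline.
        elif ltype == 3 and pkg.upper() == "NTLM" and host not in baseline.get(user, set()):
            findings.append((user, host, "NTLM network logon from unusual host"))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, BASELINE):
        print(finding)
```

Both heuristics also match legitimate activity (for example `runas /netonly` or applications that fall back to NTLM), so findings are leads for review against the account's normal behaviour, not verdicts.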