To move from one Windows computer to another using "Pass-the-Hash", what secret piece of information, not the actual password, do you need?
The secret you need is the NTLM hash (the NT hash) of the user's password, not the password itself.

The NTLM hash is a one-way cryptographic representation of the password: a fixed algorithm turns the password into the hash value, but the original password cannot easily be recovered from it. Windows, when it authenticates with the NTLM (NT LAN Manager) protocol, never transmits or processes the plaintext password; it relies on this hash instead.

A "Pass-the-Hash" (PtH) attack exploits that design by using a stolen NTLM hash directly to authenticate to another remote Windows system or service. This works because NTLM, which is common in Windows networks, uses a challenge-response mechanism that operates solely on the password hash. When a client attempts to authenticate, the server sends a random "challenge" value. The client combines its NTLM hash with the challenge in a cryptographic calculation to produce a "response" and sends it back. The server, which also knows or can retrieve the user's NTLM hash, performs the same calculation on the challenge. If the client's response matches the server's result, authentication is granted.

An attacker holding the NTLM hash can therefore compute the correct response to any server challenge and authenticate as that user without ever knowing or cracking the plaintext password. In practical terms, the NT hash is password-equivalent and must be protected accordingly.
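The following added example (not part of the original answer) models the exchange described above to show why the hash alone is sufficient: the NT hash is computed as in Windows (MD4 over the UTF-16LE password), while the challenge-response step is a simplified NTLMv2-style keyed MAC over the server challenge rather than the full NTLMv2 message format. The password "Winter2024!" and the MD4 implementation are constructed for the example; the server is modelled as holding only the hash, exactly as the answer states.

```python
import hashlib, hmac, os, struct

def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), included because OpenSSL 3 builds often disable hashlib's md4."""
    M = 0xFFFFFFFF
    rotl = lambda x, n: (((x & M) << n) | ((x & M) >> (32 - n))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bit_len = 8 * len(data)
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. NTLM stores and uses this, never the password."""
    return _md4(password.encode("utf-16-le"))

def compute_response(nt: bytes, challenge: bytes) -> bytes:
    """Client side, simplified NTLMv2-style proof: HMAC-MD5 over the server challenge keyed
    with the NT hash (real NTLMv2 also mixes in user, domain, a timestamp and a client nonce)."""
    return hmac.new(nt, challenge, hashlib.md5).digest()

def server_verify(stored_nt: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from its stored copy of the hash and compare."""
    return hmac.compare_digest(compute_response(stored_nt, challenge), response)

def demo() -> dict:
    """Constructed scenario: one server-side hash, three clients, one random 8-byte challenge."""
    stored = nt_hash("Winter2024!")  # constructed sample password; server keeps only this hash
    challenge = os.urandom(8)
    return {
        "knows_password": server_verify(stored, challenge, compute_response(nt_hash("Winter2024!"), challenge)),
        "hash_only": server_verify(stored, challenge, compute_response(stored, challenge)),  # never sees the password
        "wrong_password": server_verify(stored, challenge, compute_response(nt_hash("Spring2024!"), challenge)),
    }
```

The server cannot tell the "knows_password" and "hash_only" clients apart, which is the whole point of the answer above and the reason defenders treat NT hashes (in LSASS, SAM, NTDS.dit and memory dumps) as credentials in their own right.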