What attack reuses password hashes to authenticate?

Pass-the-hash is an attack where an attacker uses stolen password hashes as if they were the actual credentials to authenticate to other systems. In environments that rely on hash-based authentication (such as NTLM in Windows), the hash itself can serve as proof of identity, so if an attacker obtains that hash from a compromised machine or domain controller, they can present it to log into other services without ever knowing the plaintext password. This differs from a replay attack, which simply reuses a valid login message; pass-the-hash instead reuses the credential material itself to establish new authenticated sessions. HTTPS and a nonce are unrelated to this specific attack—HTTPS is a secure transport, and a nonce is a value used to prevent replays—whereas pass-the-hash targets the credential mechanism. Defenses include disabling weak protocols like NTLM in favor of Kerberos, implementing multi-factor authentication, limiting hash exposure, and monitoring for unusual authentication patterns.