What role does the NTLM hash play in Pass the Hash attacks?
The NTLM hash (specifically the NT hash) is the core credential used in Pass the Hash attacks. In Windows NTLM authentication, the system verifies a user by their password hash without ever using the plaintext password. If an attacker captures this hash (e.g., from `lsass` memory), they can supply it directly to authentication protocols and impersonate the user. Since Windows Vista/Server 2008, the LM hash is disabled by default, so the NT hash is often the only hash available. This hash can be used with tools like `wmiexec` or mimikatz, as described in "Domain Penetration - Implementation of Pass The Hash".
NTLM hash, NT hash, password hash, credential, Pass the Hash, authentication