Pass-the-hash (PtH) attacks work on Windows systems/services that use NetNTLM authentication. The plaintext password is not needed, instead the hash alone is sufficient.
Requirements
Security Update
After the 2014 security update, PtH will work only on domain users and the built-in Administrator account (excluding other local admin accounts).
Some tools also asks for a LM hash. If the user has no LM hash (i.e. only NTLM hash), use aad3b435b51404eeaad3b435b51404ee
(which is a blank hash, i.e. LM hash of empty string).
Tools
Note: Cobalt Strike also supports pth through built-in Mimikatz.
Warning & OPSEC
Only the linux version of psexec support PtH. Sometimes psexec.py will automatically elevate to
NT AUTHORITY\SYSTEM
when user has enough privileges, which may not be preferable.
See also pass-the-key for Kerberos authenticatoin.