Several of the tools I demonstrated the pass-the-hash technique with are either part of Samba or use its libraries to access Windows DCE/RPC functionality and build from there.
Many of the Samba tools use many of the same command line arguments, which I will cover a couple of the commonly used ones briefly. After that, I'll introduce you to smbclient, one of the staples of the Samba suite of utilities.
Common useful options:
(Capital) U then the target user's domain followed by a '/' followed by '%' and the password or hash.
I like specifying everything for the user I'm impersonating in one complete blob.
-n <netbios name to use>
(Lowercase n) By default Samba will use the computer's host name as its client-side netbios name when issuing requests. In the case of Backtrack, this will probably be "BT5". Use of this option can make it more stealthy on the network and in the event logs.
-W <workgroup / domain name>
(Capital W) Specify the domain to use in the client side request. Usually set to "workgroup" if not otherwise specified in the smb.conf or on the command line. Another option to set to be more stealthy on the wire.
Smbclient is a client that allows you to mount a windows file share and maneuver around in a very similar manner to the venerable 'ftp' client. It also allows you to list shares available on a remote server.
To list the shares on a remote machine:
smbclient -L <IP>
to mount a share , specify the machine and share :
smbclient -U <user info> //<machine>/<share>
so, to bring it all together :
We attach to the C$ share on 172.16.1.1 as the admin user. We also specify that our domain is "demo" and that our name is "2k864-svr", which happens to be the exchange server. :-)