I’m loving WCE (Windows Credentials Editor) v1.2! Download available here
On the most basic level this allows you to view logon sessions and change the associated credentials, which in turn can be used to perform pass the hash. I’ve just tested this technique between my fully patched Windows 7 SP1 laptop and an ESXi hosted VM with no issues – I state this as I’ve found Core Security Technologies’ pass the hash toolkit v1.4 isn’t too happy with the later Microsoft OS’s.
Overview of the Available Switches:
-l List logon sessions and NTLM credentials (default).
-s Changes NTLM credentials of current logon session.
-r Lists logon sessions and NTLM credentials indefinitely. Refreshes every 5 seconds if new sessions are found.
Optional: -r<refresh interval>.
-c Run in a new session with the specified NTLM credentials.
-e Lists logon sessions NTLM credentials indefinitely. Refreshes every time a logon event occurs.
-o saves all output to a file.
-i Specify LUID instead of use current logon session.
-d Delete NTLM credentials from logon session.
-v verbose output.