I believe you'd need to exploit a domain controller for that.

This should be of interest if the DC is Win2k8: http://www.room362.com/blog/2011/5/15/dumping-hashes-on-win2k8-r2-x64-with-metasploit.html
and check out smart_hashdump: http://www.darkoperator.com/blog/2011/5/19/metasploit-post-module-smart_hashdump.html

There is a module in metasploit to do it, but it's separate from meterpretery. Mubix displayed it here http://www.room362.com/blog/2009/8/26/pass-the-hash-metasploit-demo.html

cd1zz beat me to it hehe.  Here's a section in Metasploit Unleashed that explains "pass the hash" as well:

http://www.offensive-security.com/metasploit-unleashed/PSexec_Pass_The_Hash

Mubix to the rescue
http://www.room362.com/blog/2011/2/14/cachedump-for-meterpreter-in-action.html

http://lab.mediaservice.net/code/cachedump.rb

Hi!,

I'm the author of the defunct pass-the-hash toolkit, and also of the  Windows Credentials Editor (WCE).

I wrote the pass-the-hash toolkit and I can tell you it does not longer work. It only works on xp/2003, without current patches, and it does not work on windows 7/2008, etc etc.  So you should not expect it to work anymore.

I did write a new tool called Windows Credentials Editor, it's a much improved version of the pass-the-hash toolkit and it supports windows 7/2008. It also supports Pass-the-ticket for Kerberos which is something new I implemented..

You can download it here:
http://www.ampliasecurity.com/research/wce_v1_2.tgz

A presentation about how it works, features, etc:
http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf

Also, I'd like to point out a few things:

1-With WCE you don't need to own a Domain Controller to obtain the hashes. That's one of the good things about these tools I wrote. You can compromise a regular machine, like a backup server, and if at some point a domain administrator (or any other domain user) remotely accessed that machine using RDP for example, those hashes can remain in memory (even after the session is terminated, because of a bug in windows), and WCE will steal those hashes from memory. WCE (and previously pth toolkit) does not touch the SAM database, it steals everything from memory.

hashes are stored in memory not just by RDP sessions, but also by the runas command, services that login using an specific windows account, etc etc

2-cachedump is not the same as WCE. With cachedump you are obtaining hashes
cached. This functionality can be disabled. WCE 'steals' hashes from memory.. you can have the cache disabled, and WCE will still give you hashes..
The tools are stealing credentials from different places..

3-WCE provides 'native' pass-the-hash. You are not dependant on a third-party SMB implementation, like a modified smbclient or a SMB stack written in ruby or python which have limited functionality (can be enough for some things, but it is limited), which WCE, besides 'stealing' hashes, you can also use those hashes and do pass-the-hash directly from windows, and access remote shares using thoses hashes, etc etc

4-with WCE you can also steal kerberos tickets and reuse them on another windows box or a unix box.. but that's another story..

I hope it helps.

Thank you!

That's interesting, hernano.  Thank you for the update about the successor of your well-known Pass-the-Hash toolkit.