Pass the hash

This technique can be performed against any server or service accepting LM or NTLM authentication, whether it runs on a machine with Windows, Unix, or any other operating system.

This means that even after performing NTLM authentication successfully using the pass the hash technique, tools like Samba's SMB client might not have implemented the functionality the attacker might want to use.

The tool also introduced a new technique which allowed dumping password hashes cached in the memory of the lsass.exe process (not in persistent storage on disk), which quickly became widely used by penetration testers (and attackers).

This toolkit has subsequently been superseded by "Windows Credential Editor", which extends the original tool's functionality and operating system support.

To this end, penetration testers and attackers can harvest password hashes using a number of different methods: Any system using LM or NTLM authentication in combination with any communication protocol (SMB, FTP, RPC, HTTP etc.)

[16] Limiting the scope of debug privileges on a system may frustrate some attacks that inject code or steal hashes from the memory of sensitive processes.
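One way to audit the debug-privilege scope described above, as an added example that is not part of the original page: it parses a security policy exported with `secedit /export /cfg` and lists principals other than the local Administrators group that hold SeDebugPrivilege. The sample policy, the domain SID and the account name `svc_monitor` are constructed for illustration.

```python
import configparser

# Well-known SID of the local Administrators group (BUILTIN\Administrators).
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample in the layout written by `secedit /export /cfg policy.inf`.
# Real exports are UTF-16 encoded; open them with encoding="utf-16".
SAMPLE_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104,svc_monitor
[Version]
signature="$CHICAGO$"
Revision=1
"""


def debug_privilege_holders(policy_text):
    """Return the principals granted SeDebugPrivilege in an exported policy."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep privilege names exactly as exported
    parser.read_string(policy_text)
    if not parser.has_option("Privilege Rights", "SeDebugPrivilege"):
        return []  # privilege is not assigned to anyone in this export
    raw = parser.get("Privilege Rights", "SeDebugPrivilege")
    # SIDs carry a leading '*'; bare entries are account names.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]


def excess_debug_holders(policy_text, allowed=(ADMINISTRATORS_SID,)):
    """Return holders of SeDebugPrivilege that are outside the allowed set."""
    allowed_lower = {a.lower() for a in allowed}
    return [p for p in debug_privilege_holders(policy_text)
            if p.lower() not in allowed_lower]


if __name__ == "__main__":
    for principal in excess_debug_holders(SAMPLE_POLICY):
        print("SeDebugPrivilege granted beyond allow-list:", principal)
```

Each principal reported is an account or group whose compromise would allow opening sensitive processes for debugging, so the list is the starting point for narrowing the assignment.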

[12] Restricted Admin Mode is a new Windows operating system feature introduced in 2014 via security bulletin 2871997, which is designed to reduce the effectiveness of the attack.