Let's say the attacker got the username and the hashed password. How can he use it when authenticating to some service in its domain with for example NTLM?
How can he send the request as the compromised user? What tools and techniques should he use?