This attack only works with local SAM hashes (NTLM) and not domain hashes (NTLM2). Since many administrators use the same passwords for both local and domain accounts, it is possible to log in to a domain controller and other high-value systems using only local hashes.
Hash Spraying
Impacket's crackmapexec can take a single hash and spray it across the entire subnetwork, not only to try to gain access but also, once it has access to a system, to dump all of that system's local hashes as well. Crackmapexec can spray the following protocols: ldap, ssh, smb, winrm and mssql.
crackmapexec smb 192.168.1.0/24 -u Administrator -H 64f12cddaa88057e06a81b54e73b949b --sam
As you can see, the Administrator has local accounts on a number of systems, including a Server2019 system.
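Seen from the defending side, the spray described above appears in Windows Security logs as one source address making NTLM network logons (event 4624 or 4625, logon type 3) as the same account on many hosts within seconds. The Python below is an added example, not code from the original page or from crackmapexec; it assumes the events were exported as JSON lines, and the `time`, `host` and `id` keys, the thresholds and the sample events are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the page): Security events 4624/4625 flattened
# to JSON lines. The "time", "host" and "id" keys are an assumed export layout.
SAMPLE = """
{"time":"2024-01-10T09:00:01","host":"WS01","id":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"Administrator","IpAddress":"192.168.1.50"}
{"time":"2024-01-10T09:00:02","host":"WS02","id":4625,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"Administrator","IpAddress":"192.168.1.50"}
{"time":"2024-01-10T09:00:03","host":"SRV2019","id":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"administrator","IpAddress":"192.168.1.50"}
{"time":"2024-01-10T09:00:04","host":"WS03","id":4624,"LogonType":3,"AuthenticationPackageName":"Kerberos","TargetUserName":"Administrator","IpAddress":"192.168.1.50"}
{"time":"2024-01-10T08:00:00","host":"WS01","id":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"helpdesk","IpAddress":"192.168.1.30"}
{"time":"2024-01-10T10:00:00","host":"WS02","id":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"helpdesk","IpAddress":"192.168.1.30"}
{"time":"2024-01-10T12:00:00","host":"WS03","id":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"helpdesk","IpAddress":"192.168.1.30"}
{"time":"2024-01-10T09:01:00","host":"FS01","id":4624,"LogonType":2,"AuthenticationPackageName":"Negotiate","TargetUserName":"jsmith","IpAddress":"127.0.0.1"}
"""

def find_ntlm_sprays(lines, min_hosts=3, window_seconds=300):
    """Return [(source_ip, account, hosts)] for each source that tried NTLM
    network logons as one account on >= min_hosts hosts inside the window."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)  # (ip, account) -> [(time, host), ...]
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        # Keep only network logons (type 3) over NTLM, successful or failed.
        if ev.get("id") not in (4624, 4625) or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        ip = ev.get("IpAddress") or "-"
        if ip in ("-", "127.0.0.1", "::1"):  # local or missing source
            continue
        key = (ip, ev["TargetUserName"].lower())
        attempts[key].append((datetime.fromisoformat(ev["time"]), ev["host"].upper()))
    alerts = []
    for (ip, account), seen in attempts.items():
        seen.sort()
        start, best = 0, set()
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:  # slide the window
                start += 1
            hosts = {h for _, h in seen[start:end + 1]}
            best = max(best, hosts, key=len)
        if len(best) >= min_hosts:
            alerts.append((ip, account, sorted(best)))
    return sorted(alerts)

if __name__ == "__main__":
    print(find_ntlm_sprays(SAMPLE.splitlines()))
```

Management servers that legitimately fan out NTLM logons will also match, so the host threshold and window need tuning per network.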
Logging into accounts using the hash