windows security authentication kerberos ntlm

Why do Pass-the-Hash attacks still work?


The default authentication package for Windows domain authentication is Kerberos. But it is possible to perform pass-the-hash by using Windows Credentials Editor, for example (even in Windows 8). WCE works with NTLM credentials, and the attack is possible despite the fact that the default protocol is Kerberos. Why? Am I wrong, or can the client somehow initiate NTLM authentication?


Solution

  • The short answer is that yes, it is possible to initiate NTLM auth.

    For MS, it is not possible to fix it completely because that would break backward compatibility.

    You can read more about it on this thread http://www.reddit.com/r/netsec/comments/1ypdo1/sorry_microsoft_pass_the_hash_on_windows_81_still/
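
Because NTLM can still be initiated in a Kerberos domain, a defender's first step is to see where NTLM logons actually occur; the following is an added example (not part of the original answer) that filters Windows Security event 4624 records for NTLM network logons. An NTLM logon made with a stolen hash looks the same in this event as one made with the password, so the output is an inventory of NTLM use to review, not proof of an attack. The event records, user names and addresses are constructed sample data, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(pkg, logon_type, user, ip, lm=""):
    """Build a constructed, minimal 4624 record (only the fields used below)."""
    data = {"TargetUserName": user, "LogonType": logon_type,
            "AuthenticationPackageName": pkg, "LmPackageName": lm, "IpAddress": ip}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample events, not taken from a real log.
SAMPLE = [
    _event("Kerberos", "3", "alice", "10.0.0.5"),
    _event("NTLM", "3", "bob", "10.0.0.23", "NTLM V2"),
    _event("NTLM", "3", "ANONYMOUS LOGON", "10.0.0.9", "NTLM V1"),
    _event("Negotiate", "2", "carol", "127.0.0.1"),
]

def ntlm_network_logons(xml_events):
    """Return (user, source IP, NTLM version) for each NTLM network logon."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # only successful-logon events
        d = {n.get("Name"): (n.text or "")
             for n in root.iterfind("e:EventData/e:Data", NS)}
        # LogonType 3 = network logon; the package shows NTLM was used, not Kerberos.
        if d.get("AuthenticationPackageName") != "NTLM" or d.get("LogonType") != "3":
            continue
        if d.get("TargetUserName") == "ANONYMOUS LOGON":
            continue  # null sessions carry no user credential
        hits.append((d["TargetUserName"], d["IpAddress"], d["LmPackageName"]))
    return hits

if __name__ == "__main__":
    for user, ip, lm in ntlm_network_logons(SAMPLE):
        print(f"NTLM network logon: user={user} source={ip} package={lm}")
```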