How can an attacker exploit the HTTP protocol to capture Net-NTLM hashes in a domain environment?
An attacker can use tools like Responder or Inveigh within the Intranet zone to intercept NTLM authentication requests. When the client automatically sends its credentials (under the right settings), the attacker captures the Net-NTLM hash, which can then be cracked offline using tools like Hashcat. In a workgroup environment, however, the current user's hash is not automatically sent unless the registry is modified to enable automatic logon.
Responder, Inveigh, domain environment, hash capture, cracking Net-NTLM