How do I crack the extracted NTLMv2 hash to recover the plaintext password?

Use Hashcat with a dictionary or brute-force attack on the assembled hash string (`username::domain:challenge:HMAC-MD5:blob`). For example, `hashcat -m 5600 hash.txt wordlist.txt` will attempt to crack NTLMv2 hashes. For a detailed walkthrough, refer to the article Introduction to Windows Password Hashes - NTLM Hash and Net-NTLM Hash or the related technique for brute-forcing PPTP passwords in Penetration Techniques - Acquisition and Brute-Force of PPTP Passwords.