How does the NTLM Challenge fit into Pass the Hash attacks against Exchange?
In NTLM authentication, the server sends a random Challenge (16-byte nonce) to the client. During a Pass the Hash attack, the attacker uses the stolen NTLM hash to encrypt this Challenge, producing the correct response. The server then verifies the response and grants access if it matches. The exchange is identical to the normal process, except that the hash is used directly instead of being derived from a password. The full exchange is detailed in the article Penetration Techniques - Pass the Hash with Exchange Web Service.
NTLM Challenge, Challenge-Response, hash encryption, authentication bypass