Which tools are commonly used to capture Net-NTLM hashes, and how do they work?
Two widely used tools are Responder (Python, available at https://github.com/lgandx/Responder) and Inveigh (PowerShell, at https://github.com/Kevin-Robertson/Inveigh). Both operate as MITM listeners on the network, spoofing services like SMB, HTTP, or LLMNR to intercept NTLM authentication attempts. When a client sends a Net-NTLM response to an attacker-controlled service, the tool captures the hash for offline cracking. These tools are essential for lateral movement in penetration tests, especially when combined with techniques like relaying—see the original article's reference to byt3bl33d3r's guide for more advanced usage.
Responder, Inveigh, MITM, SMB, LLMNR, hash capture