A very detailed post explaining the process they used to
“…or why you should ensure all Windows machines are domain joined.
The first thing I run on an internal is the Responder tool. This will grab Windows hashes from LLMNR or NetBIOS requests on the local subnet. However, this client was wise to this and had LLMNR & NetBIOS requests disabled. Despite already knowing this fact from the previous engagement, one of the things I learned during my OSCP course was to always try the easy things first – there’s no point in breaking in through a skylight if the front door is open.
So I ran Responder, and I was surprised to see the following hash captured: ….”