respon­der: Lis­ten with respon­der on a net­work and wait for AD sys­tems to ask for a DC. This can reveal a NTLM hash. (Source) Start respon­der on the own system: sudo responder -I tun0 --wpad Con­nect from the tar­get sys­tem to this sys­tem via smb. In the Win­dows explor­er, or in the com­mand line via dir…