# Intercept and Hashcat

Using [Responder](https://github.com/lgandx/Responder), we can make this attack happen using this command :

```
python responder.py -I <interface> -rdwv
```

Now you should see some hashes (NTLMv2) captured. The captured hashes are output into the logs file of Responder (/usr/share/responder/logs)\
At this point, you have two options, either relay the hash to try and have an open session (we'll see that in the next page) or you can take the hash and try to crack it offline by running [hashcat](https://github.com/hashcat/hashcat) on it using the following command (depending on where you're running it, its best to run it on your host system) :

```
hashcat -m 5600 hashes.txt dictionary.txt
```

You can use the following cheat sheet for more infos on how to use hashcat

{% file src="/files/-M0cIcgoJnA1XHwEfEyU" %}
Hashcat Cheat sheet
{% endfile %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://xedex.gitbook.io/internalpentest/internal-pentest/active-directory/initial-attack-vectors/llmnr-nbt-ns-poisoning/intercept-and-hashcat.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.