LEAP attack
The 3rd DES key is weak (due to the 5 NULLs in every challenge/response): there are only 2^16 hash possibilities
'grep "BN-1BN$" nthash-dict > possible-passwords'
Take a large password list, calculate the MD4 hashes and build a password+NT hash list
Capture a LEAP challenge/response, extract the username, challenge and response, and calculate the last 2 bytes of the NT hash from the response
Search through password+hash list for hashes with matching bytes
Use the matching entries to encrypt the challenge - a match between the captured and calculated responses will indicate the user's password