[PEN-TEST] Sniffing web-based NT logins

["Batten, Gerald" <GBatten () EXOCOM COM>]

I was wondering if there was a tool, or if someone knew how to pick it off
of a regular sniffer, to pick up the NT has of an NT login over the web.
Let me explain...

The server is IIS 5.0, the web clients are IE 5.x, and the server is
configured to take NT authentication to the protected web pages exclusively.
This means that Netscape won't work, and that the passwords are not sent as
the standard Base64 encoding.

So, how are the passwords transferred, and how would I use a sniffer to pick
it up?  I'm assuming that they would be Lanman hashes and that I could pull
them off the wire somehow and use LophtCrack to guess the passwords?

Gerald.