Responder is an impacket tool that is capable of capturing NetNTLM hashes by faking many different Windows services.
It should be the first thing to go up in a pentest engagement (best for breakfast, and right after noon, since most login will happen at this time). Also fire it up before nmap since some Windows service may try to talk back to us