If the client simply browses (using Windows Explorer) to a folder with a malicious link file (various forms exist), Windows will automatically send NTLM hash to authenticate against the linked HTTP server (Responder). Simply upload the file to a file share. See examples