Demo JavaScript PoC that tricks a user into sending their Windows hash to Responder.
Requires a Chromium-based browser on Windows with automatic downloads turned on. Does not work if the user has set Chrome to ask where to save each file before downloading.
Demo app hosted at: https://www.dragonhash.fun
Blog post at: https://trustedsec.com/blog/dragging-secrets-out-of-chrome-ntlm-hash-leaks-via-file-urls
Plot spoiler, if you haven't figured it out: the "try again" can be avoided, and the hash leak can be triggered by the drag-and-drop action alone.
@hoodoer