December 29, 2010

Large Social-Engineer Toolkit Update - Adds UNC Path Attacks

Written by David Kennedy
Security Testing & Analysis Social Engineering
One oldie but goodie attack is the UNC path hash capturing feature of Windows. Metasploit has a module called capture/smb which will intercept challenge/response hashes when a share is requested. I've added this attack vector into SET, and it can be used in two ways: through a new option in the Spear-Phishing attack vector, which will email a document that contains the linked UNC image, or through the web attack vector, where it is configurable in config/set_config by setting UNC_EMBED=ON. This will automatically embed a UNC path in the cloned page sent to the victim's machine. As soon as they click the link, regardless of attack vector (i.e. Java, Metasploit Client-Side, Harvester, Multi-Attack, etc.), it will shoot a request off to the attack machine, which intercepts the hash values; these can be cracked via half LM, etc. Note that the victim has to have 445 allowed outbound (egress). Thanks to Jim (elwood) for the idea!
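A defender-side check for the embedded UNC reference described above, as an added example that is not part of the original post or of SET: it scans HTML (a mail body or a fetched page) for resource attributes that point at a UNC path or a remote `file://` host. The attribute list, function names and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a client fetch a resource (assumed list, extend as needed).
URL_ATTRS = {"src", "href", "background", "data", "action"}
# Backslash UNC form: \\host\share\...
UNC_RE = re.compile(r"^\\\\([^\\/\s]+)[\\/]")
# file://host/share, plus the 4- and 5-slash spellings of the same thing.
FILE_RE = re.compile(r"^file:(?://([^/\\\s]+)[/\\]|/{4,5}([^/\\\s]+)[/\\])", re.I)

def remote_host(value):
    """Return the remote host a UNC-style reference points at, or None."""
    value = value.strip()
    m = UNC_RE.match(value)
    if m:
        return m.group(1).lower()
    m = FILE_RE.match(value)
    if not m:
        return None  # relative, http(s), protocol-relative or local file:///
    host = (m.group(1) or m.group(2)).lower()
    return None if host == "localhost" else host

class UNCFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line, tag, attribute, host)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = remote_host(value)
                if host:
                    self.hits.append((self.getpos()[0], tag, name, host))

def find_unc_refs(html):
    finder = UNCFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: one UNC image, one remote file:// link, three benign refs.
SAMPLE = r"""<html><body>
<img src="/static/logo.png">
<img src="\\192.0.2.10\share\pixel.jpg" width="1" height="1">
<a href="file://fileserver.example/docs/a.txt">docs</a>
<a href="file:///C:/local/readme.txt">local</a>
<script src="//cdn.example/app.js"></script></body></html>"""

if __name__ == "__main__": print(find_unc_refs(SAMPLE))
```

A hit only flags content for review; blocking outbound 445 at the perimeter, which the post notes the attack depends on, is what stops the hash from leaving the network.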