I'm asking for help to understand how NTLM works.
I have this scheme: two Windows 7 computers, one workgroup-joined and another is domain-joined. I use any NTLM downgrade attack and log on to domain machine with domain account.
As I know, in this sheme no clear NTLM hash is passed over the network from DC to domain machine. But if I scan LSASS memory, I will find the hash.
How it gets there?