In Metasploit 2.7 there existed a moduled called "smb_sniffer" that listened as a Windows SMB server, responded to negotiations with a preset challenge and forced crypto to NTLMv1. When I asked the devs about it they said it was for "future purposes."
That future purpose is now documented!
Step 1 - Download my slightly updated version from here and place it in your exploits/ directory.
Step 2a - Run it with root privs on a UNIX host (doesn't work on Windows, sorry).
Step 2b - Have a Windows machine connect to your "share" - they will get an access denied but stuff like will work.
Step 3 - Send the hashes to Cain & Abel for cracking or cryptanalysis! Obtain the HALFLMCHALL tables from FreeRainbowCrack.Com or run a brute force, dictionary, hybrid, etc.
Step 4 - Success!
One caveat -- the half-lm challenge table only does the first 7 characters of LANMAN. You still have to brute force the last 7 and if the user's password is greater than 14 characters, you're really out of luck.