Responder, netNTLMv2, and oclHashcat
#1
Ok, so I have a question about netNTLMv2, Responder, and oclhashcat.

I am currently on multiple pentests right now, and we are trying to crack some netNTLMv2 password hashes from multiple clients. After taking a look at the captured hashes, I noticed that the the end of the hashes contains the exact same hash information. These hashes are from different clients, different users, at different locations.

I then did some research on how the security blob is constructed on the netNTLMv2 hashtype, that brought me to this article and found that the section that is the exact same in both hashes contains the actual hash data. To get more specific, all of the data after the Timestamp, and Client Nonce is all the same:

Hash 1:
0000000002000A0073006D006200310032000100140053004500520056004############################################################00630061006C0003002C0053004500520056004500520032############################################################00500160073006D006200310032002E006C006F00630061006C000000000000000000

Hash 2:
0000000002000A0073006D006200310032000100140053004500520056004############################################################00630061006C0003002C0053004500520056004500520032############################################################00500160073006D006200310032002E006C006F00630061006C0000000000

(There are more 0's in the first hash, but from what I have read, those are variable)

I fed these into hashcat using -m5600 and they accepted the format, so the format is correct.

My base questions are this:
1. Is anyone else having trouble capturing legitimate netNTLMv2 hashes with responder?

2. I know the probability of a hash clash is less likely than me winning the lottery everyday for the rest of my life, but do any of you have any idea why this would happen to two separate hashes in two separate locations/clients/domains etc.?

3. Is the section in the posted link accurate with regards to the construction of the netNTLMv2 response hash.?

p.s. I know that this is more of a "Hash" or "responder" question. Just want to cover all of my bases before I stop using responder for NTLMv2 captures.