Wednesday, August 20, 2008

Squirtle: squirting browser-based NTLM site on your intranet

Just a quick note about something interesting I ran across out at Google Code. Squirtle uses Internet Explorer's use of trusted zones and grabs NTLM hashes when a user browses to a site that is running squirtle. No muss, no fuss, just pure Windows credential hashes. After glancing through the code I honestly can't imagine why it took so long for this to come along. Personally, I think XSS and social engineering are your most likely attack vectors and that deploying squirtle is dead simple... and NTLM is just dead (FD: I have never liked nor thought NTLM was effective and was an MS lock-in trick to make people feel better... but not make them more secure (like SMB signing)). More info here and here.
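The post turns on one mechanism: Internet Explorer will silently answer an NTLM challenge with the logged-on user's credentials for any host it classifies into the Local Intranet (or Trusted Sites) zone. The read-only PowerShell audit below is an added example, not code from the original post or from the Squirtle project; it assumes a Windows host with PowerShell and reports the registry-backed settings that control that behaviour (the per-zone `1A00` "Logon" value, `LmCompatibilityLevel`, `RestrictSendingNTLMTraffic`, and SMB client signing). The value names and meanings are the standard Windows ones; the function name `Get-NtlmExposureReport` and the report wording are this example's own.

```powershell
# Added example (not from the original post or the Squirtle project).
# Read-only audit of the settings that decide whether Windows hands NTLM
# credentials to a web server without prompting. Nothing is changed.

function Get-NtlmExposureReport {
    $findings = @()

    # IE security zone ids: 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet.
    $zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }

    # Zone value 1A00 ("Logon"): 0 = automatic logon with current credentials,
    # 1 = prompt for user name and password, 2 = automatic logon only in the
    # Intranet zone, 3 = anonymous logon only.
    $logonMeaning = @{
        0 = 'automatic logon with current credentials (NTLM sent silently)'
        1 = 'prompt for credentials'
        2 = 'automatic logon only in Intranet zone'
        3 = 'anonymous logon only'
    }

    foreach ($id in $zoneNames.Keys) {
        foreach ($hive in 'HKCU', 'HKLM') {
            $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
            $logon = (Get-ItemProperty -Path $path -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
            if ($null -ne $logon) {
                $findings += "[$hive] $($zoneNames[$id]) zone logon=$logon : $($logonMeaning[[int]$logon])"
            }
            else {
                $findings += "[$hive] $($zoneNames[$id]) zone logon not set (zone default applies)"
            }
        }
    }

    # LmCompatibilityLevel: 5 = send NTLMv2 only, refuse LM and NTLM responses.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $findings += "LmCompatibilityLevel = $($lsa.LmCompatibilityLevel) (5 = NTLMv2 only; blank = OS default)"

    # RestrictSendingNTLMTraffic (Network security: Restrict NTLM: Outgoing NTLM
    # traffic to remote servers): 0 = allow all, 1 = audit all, 2 = deny all.
    $msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $findings += "RestrictSendingNTLMTraffic = $($msv.RestrictSendingNTLMTraffic) (2 = deny outgoing NTLM; blank = allow)"

    # SMB client signing, the mitigation the post mentions in passing:
    # RequireSecuritySignature = 1 means the client refuses unsigned sessions.
    $smb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -ErrorAction SilentlyContinue
    $findings += "SMB client RequireSecuritySignature = $($smb.RequireSecuritySignature) (1 = signing required)"

    return $findings
}

# Print one line per finding; pipe to Out-File or a log collector as needed.
Get-NtlmExposureReport | ForEach-Object { Write-Output $_ }
```

The lines worth acting on are a Local Intranet or Trusted Sites logon value of 0 on a machine whose zone membership is decided by loose heuristics (proxy bypass lists, single-label hostnames), an `LmCompatibilityLevel` below 3, and a missing `RestrictSendingNTLMTraffic`; tightening those is what removes the free credential hand-off the post describes, independent of which tool is listening on the other end.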

1 comment:

Anonymous said...

I like Pikachu