Generally the way to grab a password is to dump the LM/NT hashes, either by grabbing the SAM or from a RAM dump, and then use rainbow tables (or a dictionary or brute-force attack) to recover the plaintext. This is not terribly hard but requires some knowledge, and there is always the possibility of the crack not coming through for you.
Somehow I had missed the release of a tool called Mimikatz, written by a chap with an extraordinary ability to undermine security holes within Microsoft (and who has a penchant for writing everything in French, très bien). If you would like to know how his technique works then please take the time out to read his cracking PowerPoint (thankfully not in French!). Thanks to my friend Jon Evans who mentioned it to me last week.
Mimikatz can achieve a number of things, but the most useful to me is its claim to extract plaintext user passwords. Guess what: it works!
Here's what to do.
Run the 32-bit or 64-bit version as administrator (please don't make me explain how you would know which!!) and you are presented with a console environment.
Next get into debug mode with the command:-
Next simply dump the passwords by running:-
Username - nickfx
Password - 123
This is an extremely useful addition to any first responder toolkit and I highly recommend having a go for 10 minutes.
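As an added example (not from the original post or the Mimikatz project), here is the detection side of the technique described above: the tool enables the debug privilege and then reads the plaintext credentials out of the memory of the LSASS process, so a process-access event for lsass.exe that requests memory-read rights from a process outside a small allowlist is the thing to alert on. The Sysmon Event ID 10 log lines, the allowlist and the file paths below are constructed for this example.

```python
import re

# PROCESS_VM_READ bit of the Win32 process access mask: required to read
# another process's memory, which is how credentials are lifted from LSASS.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS on a typical host.
# Hypothetical allowlist; tune it per environment (lower-case paths).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) events, flattened to
# key=value pairs the way a SIEM might store them.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Users\\nickfx\\Desktop\\mimikatz.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\\Temp\\dumper.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
"""

# Values may contain spaces (e.g. "Program Files"), so a value runs until the
# next " Key=" token or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\s*$)")

def parse_event(line):
    return dict(FIELD.findall(line))

def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with memory-read rights."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)

def find_lsass_readers(log_text):
    """Return the SourceImage of every event that should raise an alert."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]

if __name__ == "__main__":
    for image in find_lsass_readers(SAMPLE_LOG):
        print("ALERT: unexpected LSASS memory access by", image)
```

Enabling the debug privilege alone is noisy to alert on; the LSASS access event is the narrower signal, and the allowlist is what keeps it from firing on the OS's own housekeeping.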