Based on "Auditing Cached credentials with cachedump" from Eoin Miller and Adair Collins at Shmoocon, 2007.
Under certain conditions, Windows domain credentials (usernames and passwords) are cached (stored) in a local machine's registry. Windows consults these credentials when a user logs into a network-disconnected domain member machine. If an attacker grabs and cracks a domain admin password from a workstation, he owns the entire domain!
Domain admin credentials are cached on a machine if an admin logs into it, uses "Run As" from it or accesses it with Remote Desktop. Caching also occurs when admins share laptops.
You can use tools like fgdump (http://swamp.foofus.net/fizzgig/fgdump) or Cain and Abel (http://www.oxid.it) to dump the credentials from a local or remote machine (stored in HKLM\SECURITY\Cache\NL[1-10]), assuming you have local admin privileges. Use John the Ripper (http://www.openwall.com/john) or Cain to crack the passwords.
