NTFSDOS - (http://www.sysinternals.com)
pwdump2 - (http://www.webspan.net/~tas/pwdump2/)
John the Ripper - (http://www.openwall.com/john/)
L0phtCrack - (http://www.atstake.com/research/lc3/)
chntpw - (http://home.eunet.no/~pnordahl/ntpasswd/)
By default Windows 2000, XP and 2003 systems in a domain or Active Directory tree cache the passwords and credentials of previously logged in users. This is done so that the users can still login again if the Domain Controller or ADS tree can not be reached either because of Controller failure or network problems. These cached passwords are stored as hashes in the local systems registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10. Unless the ACL is changed these values require SYSTEM level privileges to access (you can set it so an admin account can read them but you would still want to use a tool to parse out the data). Arnaud Pilon has created a tool called CacheDump for extracting these password hashes out of the registry. He and his team have also come up with patches for the password cracking tool "John the Ripper" that allow you to use John to crack these stored credential hashes. More on the technical details can be found at http://www.cr0.net:8040/misc/cachedump.html for those who are so inclined. Fortunately from a security standpoint the way Microsoft hashes cached passwords is much more secure than the way they store local passwords in the SAM file. Since each cached hash has its own salt (a set of more or less random bits figured into the hash algorithm to help foil pre-computed attacks) cached passwords hashes take much longer to crack than LM (LAN Manager) hashes which don't salt the same way, are case insensitive and are split into seven character chunks
In most cases cached passwords should not be much of a problem since they can take a long time to crack if you have good password policies in place. For those who are still paranoid and have a very reliable connection to their domain controller, they can follow these steps to disable the caching of passwords and credentials:
1. Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ CachedLogonsCount to 0.
2. Reboot