Consider a Linux box that will eventually mount a Windows share using Samba. At some point, that box will invoke smbmount. Anyone with root access to that box can simply replace smbmount with a script that logs the parameters it was called with, and thereby capture the Windows password that is being used to access that share.
Consider a Windows box that has recently been used by a Windows administrator. When the admin logged into the domain from that workstation, the cached domain credentials were left behind. We can use cachedump or the local copy of the binary to dump the domain administrator (and all other) cached credentials in their hashed (mscash) form. We can then use John the Ripper to break any weak passwords back to clear text.
A local copy of John, patched so that it processes the hashes produced by cachedump, and compiled for Linux on Intel processors, is here.
If you run cachedump, you should get some output with lines that look like

    user:2d9f0b052932ad18b87f315641921cda:lab:lab.internal

Copy those text lines into a file (called $file below), and then run

    cd john-1.7.0.2-patched
    run/john -format:mscash $file
We might be able to mitigate the smbmount problem with some patches from JoMo-kun. We could use those as a starting point to change smbmount to accept a "password" that is actually the hash. That only prevents the attacker (who already has root access to the Linux box) from easily discovering the plain-text Windows password. Of course, the attacker can still use this hash to connect to other Windows machines that will accept those credentials.
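As an added example (not from the original notes) of the checks an administrator of that Linux box would want for the smbmount problem described at the top of the page: verify that the mount helper on the box is still an ELF binary rather than a substituted script, and look for running mount helpers that were handed a clear-text password on their command line (the password= and pass= mount options). The helper names, the sample command lines and the temporary files are assumptions constructed for the example.

```python
import os
import re

ELF_MAGIC = b"\x7fELF"
# Mount helpers that accept a share password among their arguments (assumed list).
MOUNT_HELPERS = ("smbmount", "mount.cifs", "smbclient")
# Clear-text password options as they appear in a -o option string: password=... or pass=...
PASSWORD_OPT = re.compile(r"(?:^|[,\s])(password|pass)=[^,\s]+")


def classify_mount_helper(path):
    """Classify a file by its leading bytes: 'elf' for a native binary,
    'script' for a #! interpreter script (what a trojaned smbmount would
    typically be), 'other' for anything else."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def find_exposed_passwords(cmdlines):
    """cmdlines: iterable of (pid, argv) pairs, as read from /proc/<pid>/cmdline.
    Returns (pid, helper, option_name) for every helper invocation carrying a
    clear-text password option. The password value itself is deliberately not
    returned, so the report can be logged safely."""
    hits = []
    for pid, argv in cmdlines:
        if not argv or os.path.basename(argv[0]) not in MOUNT_HELPERS:
            continue
        for match in PASSWORD_OPT.finditer(" ".join(argv)):
            hits.append((pid, os.path.basename(argv[0]), match.group(1)))
    return hits


def scan_proc(proc_root="/proc"):
    """Read every /proc/<pid>/cmdline and run find_exposed_passwords over it."""
    cmdlines = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue  # process exited or is not readable; skip it
        cmdlines.append((int(entry), argv))
    return find_exposed_passwords(cmdlines)
```

On a real box, pair classify_mount_helper with the package manager's own verification (e.g. dpkg --verify or rpm -V for the Samba client package), since root can just as easily replace the helper with a different ELF binary.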