You can use ettercap and the man in the middle attacks to sniff the username and password of a user over the network.
You can read ettercap tutorials.
There so much that ettercap can do and there are many tutorials covering how to use it !
Here, AnAdministrativeUser’s account will be used to perform the password dump. Keep in mind that any user used to perform password dumps needs administrative credentials. In this scenario, you will be prompted for the password before the password dump starts.
fgdump hashes are stored in *.pwdump file ; pwdump6 will dump the SAM to the screen.