You are on a test and pop a box which has an FTP client on it. On investigation you find it has credentials stored but the boxes they are for aren’t in scope. Knowing the passwords could be reused on other boxes that are in scope you really want to collect them.
You could try grabbing the credentials file and trying to crack it but this might be an easier way…
Set up an FTP server on your machine then modify the hosts file on your popped box to point all the hosts with credentials to your machine. Then start a TCP sniffer on your machine and ask the client to connect.
The client will find the server and send the credentials which you can simply pull out of the packet capture.
This will also work with other plain text protocols such as HTTP basic auth and POP3 as long as you can get your own “fake” server to respond with enough initial info to trigger the details to be sent.
That is a cute little trick isn’t it!