Is there a search I can execute that will show me all the passwords that have been sent across the network in cleartext in my windows environment? LDAP, HTTP, etc?
I have tried several combinations of Event ID 540 Logon Type 8 from my windows security log, but it does not seem accurate.
Windows authentication itself is not passthru as cleartext, with a few exceptions (IIS basic authentication, Telnet, etc etc). If these are the items you're looking for, you might find this on different logs than from the Security event log, as that stores actual Windows logon, and are therefore, not going to be cleartext. My understanding is that Telnet is sent in the clear, and therefore you will see the password when you perform network sniffing, but I'm not sure if it ends up clear on the server. Eitherway, you might be looking at a different eventID than 540.
BTW, only because I'm a security geek, be careful looking for cleartext password.