Funnily enough, myself and a colleague were just talking about something like this. However what we posed was that;
Suppose you spoof an AP & de-authenticate clients, relying on them to re-authenticate and connect to your MITM device. A Pineapple perhaps or Kali-powered machine. Would it not be a possibility to create a phishing type page to redirect them to, Google for example, which also deploys a self-executing script (a la rubber ducky) to pull out these cached passwords & upload them to your device or external web server - before removing the script.
Of course there will be the reliance on the gullibility of PC users to accept any UAC prompts etc which may arise.
I'm a relative newbie, but long-term aim is to become very educated in this field (having a great interest in this) so please forgive any general ignorance I might have to any security or technical limitations.