[!NOTE] This guide outlines techniques used during authorized security assessments. Unauthorized access to computer systems or data is illegal.

In a modern Active Directory environment, a single weak password can be the difference between a failed engagement and Domain Admin. While lateral movement techniques like Pass-the-Hash (PtH) exist, cleartext credentials remain king for VPN access, SSO portals, and cloud resources.

Reliable password recovery separates the script kiddies from the professionals. It’s not just about running rockyou.txt against a captured NTLM hash; it’s about infrastructure, statistical probability, and understanding human psychology.

The Infrastructure: High-Performance Compute

You cannot crack effectively on a laptop CPU. You need parallel processing power.

Hardware vs. Cloud

Building a dedicated rig offers long-term ROI and privacy (client data never leaves your premises), while cloud instances offer burst speed for critical engagements.

  • Dedicated Rig: A focused rig with 4x NVIDIA RTX 4090s can churn through NTLM hashes at hundreds of gigahashes per second.
  • Cloud (AWS/Azure): Expensive (p3.16xlarge instances) but capable of deploying 8x Tesla V100s instantly.
  • Vast.ai / Tensordock: Cheaper rental marketplaces, but present a huge OPSEC risk. Never upload client hashes to untrusted community providers.

Hashcat Optimization

Hashcat is the industry standard. To get the most out of it, you need to tune it.

```bash
# Standard high-performance run
hashcat -m 1000 -a 0 -w 4 -O --status hashes.txt wordlist.txt
```
  • -m 1000: NTLM mode (standard Windows hash).
  • -w 4: Workload profile “High”. This will make your desktop unusable but maximizes GPU utilization.
  • -O: Optimized kernels. Increases speed but limits password length (usually < 32 chars).
  • --status: Updates the status screen automatically.

Beyond RockYou: Targeted Wordlist Generation

If you are attacking “CorpFinance LLC”, rockyou.txt might fail if employees are forced to use compliant passwords (e.g., Summer2023!).

Contextual Scraping with CeWL

CeWL (Custom Word List generator) crawls a target website to build a dictionary of industry-specific terms.

```bash
cewl https://www.corpfinance.com -d 2 -m 5 -w corp_base.txt
```
  • -d 2: Depth of crawl.
  • -m 5: Minimum word length.

Rule-Based Attacks

The real magic is in the rules. Humans follow patterns. They capitalize the first letter, append a year, and add a special character.

Hashcat’s best64.rule is a good start, but we can do better.

The “Enterprise” Rule:

  1. Take the company name or base words.
  2. Capitalize the first letter.
  3. Append current/previous years (2022, 2023, 2024).
  4. Append special characters (!, @, #).
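The “Enterprise” rule, worked through as an added example (this is not code from the original post). It expands base words exactly as the four steps describe, and adds the defender's side of the same knowledge: a check a password filter or audit job can run to reject proposals that this cheap rule would recover. The base words and the year/symbol lists are the ones the post names; everything else is constructed.

```python
"""Enterprise-rule expansion and a matching password-policy check.

Added example, not from the original post.  Base words are constructed;
the year and symbol lists follow the four-step rule in the text.
"""
from itertools import product

YEARS = ["2022", "2023", "2024"]   # current/previous years (step 3)
SYMBOLS = ["!", "@", "#"]          # trailing special characters (step 4)


def _stem(word):
    """Step 2: capitalize the first letter, lowercase the rest."""
    return word[:1].upper() + word[1:].lower()


def enterprise_candidates(base_words):
    """Apply the four-step 'Enterprise' rule to each base word.

    Returns a de-duplicated, sorted list so the output is deterministic.
    Each word yields len(YEARS) * len(SYMBOLS) candidates.
    """
    out = set()
    for word in base_words:                       # step 1: base words
        stem = _stem(word)                        # step 2
        for year, sym in product(YEARS, SYMBOLS): # steps 3 and 4
            out.add(f"{stem}{year}{sym}")
    return sorted(out)


def matches_enterprise_rule(password, base_words):
    """Return the (stem, year, symbol) triple if *password* follows the rule,
    otherwise None.

    This is the defensive use: a password filter or periodic audit can reject
    anything this rule would generate from the company's own vocabulary.
    """
    if len(password) < 6 or password[-1] not in SYMBOLS:
        return None
    body, sym = password[:-1], password[-1]
    year, stem = body[-4:], body[:-4]
    if year not in YEARS:
        return None
    stems = {_stem(w) for w in base_words}
    return (stem, year, sym) if stem in stems else None


if __name__ == "__main__":
    words = ["corpfinance", "finance"]            # constructed base words
    for cand in enterprise_candidates(words):
        print(cand)
    print(matches_enterprise_rule("Finance2024#", words))
```

The same transformation as a hashcat rule file is one line per year/symbol pair, for example `c $2 $0 $2 $3 $!` (`c` capitalizes the first letter and lowercases the rest, `$X` appends a character); nine such lines cover the three years and three symbols above.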

Hybrid attacks with masks: instead of a static wordlist alone, hashcat's hybrid mode (-a 6) appends a mask to every wordlist entry to brute-force a specific pattern. maskprocessor (mp64) can generate the same patterns as a standalone candidate list.

```bash
# Attack pattern: [Wordlist word] + [4 digits] + [Symbol]
# e.g., "Welcome2023!"
hashcat -a 6 -m 1000 hashes.txt wordlist.txt ?d?d?d?d?s
```

Statistical Analysis (PRINCE)

PRINCE (PRobability INfinite Chained Elements) is an algorithm that combines words from a dictionary to form longer passwords (passphrases).

If your dictionary has “apple” and “orange”, PRINCE generates “appleorange”, “orangeapple”, “appleapple”, etc. It is incredibly effective against passphrases.

```bash
# pp64.bin writes candidates to stdout; hashcat reads them from stdin (straight mode is the default)
pp64.bin < wordlist.txt | hashcat -m 1000 hashes.txt
```

Hash Types and Strategies

NTLM (Windows)

  • Speed: Extremely fast.
  • Strategy: Brute force 1-8 chars utilizing full keyspace (?a?a?a?a?a?a?a?a). For >8 chars, use targeted dictionaries + rules.
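A keyspace and runtime calculator for the two mask-driven strategies above (the hybrid `?d?d?d?d?s` pattern and the full `?a?a?a?a?a?a?a?a` brute force), as an added example that is not code from the original post or from hashcat. It parses hashcat's built-in charsets (`?l ?u ?d ?s ?a ?b`, custom charsets `?1`-`?4` are not modelled), reproduces what `--increment` does to the total, and turns a keyspace into worst-case hours at a given rate. The 300 GH/s rate used in the examples is a constructed figure standing in for the post's “hundreds of gigahashes per second”; it is not a measured number.

```python
"""Keyspace and runtime estimates for hashcat masks.

Added example, not code from the original post.  Charset sizes are
hashcat's built-in ones; the 300 GH/s rate in the demo is a constructed
assumption for a multi-GPU NTLM rig.
"""
from math import prod

# Sizes of hashcat's built-in charsets: ?l ?u ?d ?s ?a ?b
CHARSET_SIZES = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "s": 33,   # space plus the 32 printable ASCII punctuation characters
    "a": 95,   # ?l?u?d?s combined
    "b": 256,  # raw bytes 0x00-0xff
}


def parse_mask(mask):
    """Return the number of candidates per position for a hashcat mask.

    '?x' is one position drawn from built-in charset x, '??' is a literal
    '?', and any other character is a fixed single-character position.
    """
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        tag = mask[i + 1]
        if tag == "?":
            sizes.append(1)
        elif tag in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[tag])
        else:
            raise ValueError(f"unsupported charset ?{tag}")
        i += 2
    return sizes


def mask_keyspace(mask, increment=False, increment_min=1):
    """Candidates for '-a 3 mask'.  With increment=True, sum the prefixes of
    length increment_min..len(mask), which is what --increment does."""
    sizes = parse_mask(mask)
    if not increment:
        return prod(sizes)
    return sum(prod(sizes[:n]) for n in range(increment_min, len(sizes) + 1))


def hybrid_keyspace(wordlist_entries, mask):
    """Candidates for '-a 6 wordlist mask': every word gets every mask value."""
    return wordlist_entries * mask_keyspace(mask)


def hours_to_exhaust(keyspace, hashes_per_second):
    """Worst-case wall clock to try the whole keyspace at a given rate."""
    return keyspace / hashes_per_second / 3600


if __name__ == "__main__":
    rate = 300e9  # constructed assumption, hashes per second
    full8 = mask_keyspace("?a" * 8, increment=True)
    print(f"?a x8 with --increment: {full8:,} candidates, "
          f"{hours_to_exhaust(full8, rate):.1f} h")
    hybrid = hybrid_keyspace(10_000, "?d?d?d?d?s")  # 10k-word list, constructed
    print(f"wordlist x ?d?d?d?d?s: {hybrid:,} candidates, "
          f"{hours_to_exhaust(hybrid, rate) * 3600:.3f} s")
```

The numbers explain the post's NTLM strategy: the whole 1-8 character printable keyspace is a few hours at that rate, so brute force is cheap up to 8 characters and hopeless beyond it (each extra `?a` multiplies the work by 95), while the hybrid mask only multiplies the wordlist by 330,000 and finishes in seconds. The same arithmetic is what a defender uses to judge whether a length or complexity policy actually buys time.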

NetNTLMv2 (SMB/Relay)

  • Speed: Moderate.
  • Strategy: Captured via Responder/Inveigh. Prioritize dictionary attacks as brute force is too slow for complex passwords.

Kerberoasting (TGS-REP)

  • Speed: Slow.
  • Strategy: These are service accounts. They often use words related to their service (SQL, Backup, Service, Admin). Use a service-specific wordlist.

Operational Security Management

  1. Sanitization: Wherever possible, never store client hashes on a machine connected directly to the internet. Use an air-gapped or strictly firewall-controlled rig.
  2. Cleanup: Hashcat creates a potfile storing all cracked passwords. Purge this credential material after the engagement ends.
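A cleanup routine for the potfile step, as an added example that is not code from the original post or from hashcat. It assumes the potfile sits in a session directory you pass in (hashcat's `--potfile-path` option lets you place it there explicitly; the default location otherwise depends on the hashcat release and platform, so pass the directory you actually configured). The demo potfile line is constructed and its hash value is a placeholder, not a real NTLM hash.

```python
"""Purging hashcat potfiles at the end of an engagement.

Added example, not code from the original post.  The session directory is
an assumption: point it at wherever --potfile-path put the file.
"""
import os
import tempfile
from pathlib import Path


def purge_potfiles(session_dir, pattern="*.potfile"):
    """Overwrite in place, fsync, then unlink every potfile under session_dir.

    Returns the list of purged Paths.  The overwrite is best effort: on SSDs
    and on copy-on-write or journaling filesystems the old blocks may survive,
    so full-disk encryption of the cracking rig is the control to rely on.
    """
    purged = []
    for path in sorted(Path(session_dir).glob(pattern)):
        if not path.is_file():
            continue
        size = path.stat().st_size
        with open(path, "r+b") as fh:
            fh.write(b"\0" * size)   # replace hash:plaintext lines with zeros
            fh.flush()
            os.fsync(fh.fileno())    # push the overwrite to the device
        path.unlink()
        purged.append(path)
    return purged


def make_demo_session():
    """Create a throwaway session directory holding one constructed potfile
    line in hashcat's hash:plaintext format.  The hash is a placeholder."""
    session = Path(tempfile.mkdtemp(prefix="hc-session-"))
    (session / "hashcat.potfile").write_text(
        "0123456789abcdef0123456789abcdef:Summer2023!\n"
    )
    return session


if __name__ == "__main__":
    demo = make_demo_session()
    for p in purge_potfiles(demo):
        print("purged", p)
```

If you do not need cracked plaintexts to persist between sessions at all, `--potfile-disable` avoids writing the file in the first place, which is the cleaner option on a shared rig.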

Conclusion

Password cracking is an iterative process. Start fast and cheap (top 1k words), move to targeted lists (company content), then apply complex rules, and finally resort to masks/brute force. A methodical approach yields better results than throwing computing power at a wall.

Happy Cracking.

UncleSp1d3r