Why not copy and paste the following into your /etc/john.conf and try them out! Got a suggestion for a rule? Leave a comment! They can then be called with ‐‐rules=Try, ‐‐rules=TryHarder and ‐‐rules=BeBrutal! You can find an explanation of how these rules are built here.
Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool.
One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm]much more secure[/sarcasm]: Password1.
A tool exists for dumping plaintext passwords out of memory on Windows, it requires Local Administrator level privileges but it’s a great tool for privilege escalation from Local Admin to Domain Admin. There are Windows EXEs available but it’s also been rolled into Meterpreter! It can also inject a hash into memory to effectively perform a local pass-the-hash attack! If you want to run it on a remote machine remember to check out this post on running remote commands on Windows machines.
During Penetration Testing engagements one of my favourite issues to exploit is a Domain User with Local Administrator permissions. It’s a pretty common issue to see and when speaking to IT Departments about the issue it seems that the risk is often under-estimated. So a user has been given administrative permission over one workstation – what’s the worst that can happen?