During penetration tests I often gain access to a selection of domain user accounts on my path to compromising a domain admin account. Having a valid domain account is often a prerequisite these days for enumerating domain policy, and it is also quite common to find standard user accounts that have access to interesting information: HR or Finance accounts with access to staff and payroll data, for example, or a user with VPN access. During the post-engagement meeting, clients are often shocked at how I could launch online brute-force attacks against accounts without locking them out.
Whilst Hashcat is often provably faster than John the Ripper, John is still my favourite. I find it simple to use and fast, and the jumbo community patch (which I highly recommend) comes packed with hash types, making it a very versatile tool.
One feature of these tools that is often unknown, or at least underappreciated, is the ability to write custom “rules” that teach the tool how to dynamically generate candidate passwords from a wordlist. Since Microsoft implemented “Password Complexity” and it was enforced around the globe, users have made the jump from a password of: password, to the [sarcasm] much more secure [/sarcasm]: Password1.
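To make the “password becomes Password1” point concrete, here is a small interpreter for a handful of the commands in John the Ripper’s wordlist rule language. This is an added example written for this article, not code from the original post and not John’s own implementation; the wordlist and the rule set it runs are constructed for the demo, and only the commands listed in the docstring are supported (real John rules have many more). The meaning of each command (c capitalises, $X appends, ^X prepends, and so on) matches the documented John/Hashcat rule syntax, so a rule line such as c$1 turns password into Password1 exactly as the real tool would.

```python
"""Minimal interpreter for a subset of John the Ripper's wordlist rules.

Illustration only: written for this article, not John's code. Commands
implemented (same meaning as the documented John/Hashcat rule syntax):
  :   no-op (emit the word unchanged)
  l   lowercase               u   uppercase
  c   capitalise (first char upper, rest lower)
  t   toggle the case of every character
  r   reverse the word        d   duplicate the word
  $X  append character X      ^X  prepend character X
Commands on one rule line are applied left to right, so one rule line
yields one candidate per input word.
"""

from typing import Iterable, Iterator, List

# Constructed sample wordlist for the demo (assumption: a typical base list)
WORDS = ["password", "welcome", "summer"]

# Constructed sample rule file for the demo
RULES = """
# no-op, then the complexity-policy classics
:
c
c$1
c$1$2$3
c$!
u$1
"""


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (e.g. 'c$1') to a single word."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in (":", " "):          # no-op; whitespace is tolerated
            pass
        elif cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "t":
            word = word.swapcase()
        elif cmd == "r":
            word = word[::-1]
        elif cmd == "d":
            word = word + word
        elif cmd in ("$", "^"):        # these take one character argument
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {cmd} needs a character")
            ch = rule[i]
            word = word + ch if cmd == "$" else ch + word
        else:
            raise ValueError(f"rule {rule!r}: unsupported command {cmd!r}")
        i += 1
    return word


def load_rules(text: str) -> List[str]:
    """Parse a rule file: blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def generate(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """Yield candidates rule-major (each rule over the whole list), with
    duplicate candidates suppressed so ':' on 'Password' and 'c' on
    'password' do not both get tried."""
    words = list(words)
    seen = set()
    for rule in rules:
        for w in words:
            cand = apply_rule(w, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand


def demo() -> List[str]:
    """Run the constructed rule set over the constructed wordlist."""
    return list(generate(WORDS, load_rules(RULES)))


if __name__ == "__main__":
    for candidate in demo():
        print(candidate)
```

Running it prints the 18 candidates the six rules produce from three base words, including Password1, Welcome123 and Summer!. The dedup set in generate is the point to notice: a rule set that is not thought through spends most of its time re-trying candidates other rules already produced, which is why the real tools offer duplicate suppression.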