Password cracking was always one of my favorite parts of any assessment. It's not just the thrill of watching tens of thousands of accounts succumb to the sheer power of even a modest PC – it is among the most useful things you can do for a client. Sure, you can conduct a pen test and hand over a really nice-looking report; but it's the impact of the results that can mean the difference between bare-minimum compliance and actual effort to effect some change in the organization. Nothing says impact quite like showing the executives of a bank their personal passwords.
There are some fundamentals we need to understand before we look at the tools. We need to understand what the hash cracking effort really is and apply some human psychology to our strategy. This is another aspect of password...