Strategies for cracking with known password parameters

[dalikad]

Hi,

I was hoping some of the experienced folks here could help me crack passwords where I know most of the requirements. A friend at an old job several years ago challenged me to crack his password. I didn't put much effort in at the time but I stumbled across the old hashes and decided to give it a go on newer hardware.

This was an AD environment that only stored NTLM hashes and the requirements were to include three of the following:

• Uppercase characters
  
• Lowercase characters
  
• Base 10 digits (0 through 9)
  
• Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
  
  

I also know the length was forced to 14 characters. After speaking with him recently, he gave me a few hints such as he puts two words together with random capitalization, followed by a 2-4 digit number, followed by a special character at the end.

I have run through some of the larger wordlists I can find with several different rulesets and haven't hit it yet. I tried combining the google 10,000 most used english words together into a dictionary, applied rules, and that did not yield a result.

I've thought about combining the 100,000 most used words in english together, then running rules against that, but that dictionary is like 100GB and that doesn't seem like the most efficient approach to me.

Trying to brute force the entire 14 character range even with these known parameters seems too large.

Does anyone have any strategies for how to approach this in a more efficient way?

Thanks.