Strategies for cracking with known password parameters

I was hoping some of the experienced folks here could help me crack passwords where I know most of the requirements. A friend at an old job several years ago challenged me to crack his password. I didn't put much effort in at the time but I stumbled across the old hashes and decided to give it a go on newer hardware.

This was an AD environment that only stored NTLM hashes and the requirements were to include three of the following:
  • Uppercase characters
  • Lowercase characters
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

I also know the length was forced to 14 characters. After speaking with him recently, he gave me a few hints such as he puts two words together with random capitalization, followed by a 2-4 digit number, followed by a special character at the end.

I have run through some of the larger wordlists I can find with several different rulesets and haven't hit it yet. I tried combining the google 10,000 most used english words together into a dictionary, applied rules, and that did not yield a result.

I've thought about combining the 100,000 most used words in english together, then running rules against that, but that dictionary is like 100GB and that doesn't seem like the most efficient approach to me.

Trying to brute force the entire 14 character range even with these known parameters seems too large.

Does anyone have any strategies for how to approach this in a more efficient way?

Just create candidates that match the policy. There's no one-command solution, you have to build stuff yourself. Check hashcat-utils for combinator.bin, maskprocessor the the numbers and the special at end and the togglesX.rule for the capitalization. Also use --stdout to check your candidates.
Thanks for the suggestions.

After some initial cracking attempts, I have managed to crack several of the password histories for this particular user, without cracking the actual password that I was after.

The history has shown me a pattern of First Name+LastName+Number.

For example:


I had a couple of thoughts on approaching this given the pattern and wanted to ask for feedback. The first is using maskprocessor to generate candidates based on the pattern and piping that into hashcat, something like this:

mp64 -1 Jj -2 Ss -3 ?l?u ?1ohn?3?3?3?3?2mith?d?d

The other thought was using maskprocessor to generate rules that would do something similar to the above (inserting characters in between the first and last name, adding numbers at the end, etc) and just having a small dictionary that contained the permutations of the name (JohnSmith, Johnsmith, johnSmith). Would this be faster than using maskprocessor as shown above and piping it to hashcat, or would it be slow because the dictionary is too small?

Or is there a better way than either of these two? Clearly I'm fairly new at this so I definitely don't know what I don't know.