tail -f

In the Beginning was the Command Line


Test Active Directory for weak passwords

  1. Purchase the Openwall wordlists collection. This is a very comprehensive password list with over 40 million entries. It is maintained by the venerable Solar Designer (author of John the Ripper). Download various dictionaries, e.g. rockyou is awesome!
  2. Use Shadow Copy to copy the files from the Active Directory Domain Controller:
    shadowcp.bat C:\Windows\NTDS.dit ntds.dit
    shadowcp.bat C:\Windows\System32\config\SAM SAM
    shadowcp.bat C:\Windows\System32\config\SECURITY SECURITY
  3. Copy the files to an offline Backtrack Linux system (SFTP)
  4. Use NTDSXtract to extract password hashes from NTDS.DIT
    # cd ~/libesedb-20120102/esedbtools;
    # ./esedbexport ~/abraham-2012-03-26/ntds_dump/ntds.dit

    # cd ~/NTDSXtract\ 1.0
  5. You can roughly follow this guide.
  6. Run John the Ripper to perform a dictionary attack:
    # john --wordlist=Wordlists-20031009/all.lst --rules /root/password_hashes.txt
    # john --wordlist=Wordlists-20031009/all.lst --single /root/password_hashes.txt
  7. Run John the Ripper to perform a brute-force attack:
    # john --incremental /root/password_hashes.txt
  8. Run John the Ripper with a custom charset:
    root@bt:/pentest/passwords/john# john -i=Custom /root/password_hashes.txt
  9. To generate a charset file based on a wordlist, create a fake john.pot:
    sed 's/^/:/' < passwords.lst > john.pot
    Then use “john --make-charset=...” as usual.
  10. You can learn a lot from these john rules.
  11. You can learn even more from these slides.


Safely test firewall ruleset

Schedule a return to your previous ruleset in 5 minutes.

# echo 'pfctl -f /etc/pf.conf' | at now + 5 minutes

Now it’s safe to activate a ruleset you’d like to test:

# pfctl -f /etc/pf.test

This can come in handy when you have to configure PF remotely (a risky endeavor; something you should avoid doing).
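The same idea as a small script, added here as an example and not part of the original post: it parses the candidate ruleset first, schedules the rollback before loading anything, and prints the at(1) job id so the rollback can be cancelled with atrm once the new rules are confirmed to work. The file paths, the 5-minute window and the RUN_SAFE_LOAD guard are assumptions.

```shell
#!/bin/sh
# Added example: fail-safe loading of a PF ruleset. Paths, window and the
# RUN_SAFE_LOAD guard are assumptions, not taken from the original post.
set -eu

GOOD_RULES="${GOOD_RULES:-/etc/pf.conf}"    # known-good ruleset to fall back to
TEST_RULES="${TEST_RULES:-/etc/pf.test}"    # candidate ruleset under test
WINDOW_MIN="${WINDOW_MIN:-5}"               # minutes until automatic rollback

# Text of the command at(1) will run. The command must reach at on stdin;
# running pfctl directly and piping its (empty) output would schedule nothing.
rollback_cmd() {
    printf 'pfctl -f %s\n' "$1"
}

# Pull the job id out of at's confirmation ("job 42 at ..." on Linux,
# "job 1332856800.a at ..." on OpenBSD) so the job can be cancelled later.
at_job_id() {
    sed -n 's/^job \([^ ]*\) at.*/\1/p' | head -n 1
}

# Full procedure: syntax-check, schedule rollback, load candidate, report job id.
safe_load() {
    # Refuse to go further if the candidate does not even parse.
    pfctl -nf "$TEST_RULES"
    # Schedule the return to the known-good ruleset before touching anything.
    # at prints its confirmation on stderr, hence the redirect.
    job=$(rollback_cmd "$GOOD_RULES" | at now + "$WINDOW_MIN" minutes 2>&1 | at_job_id)
    [ -n "$job" ] || { echo "could not schedule rollback; aborting" >&2; return 1; }
    pfctl -f "$TEST_RULES"
    echo "Test ruleset loaded. Rollback job $job fires in $WINDOW_MIN min."
    echo "If the host is still reachable and behaves, cancel it with: atrm $job"
}

# Only act on the firewall itself, and only when explicitly asked to.
if command -v pfctl >/dev/null 2>&1 && [ "${RUN_SAFE_LOAD:-0}" = 1 ]; then
    safe_load
fi
```

Run it with RUN_SAFE_LOAD=1 on the firewall; without that variable the script only defines the functions, which makes it safe to source or lint elsewhere.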

Filed under openbsd pf