Attacking Active Directory domains often leads to obtaining password interesting, but either hashed or encrypted data. When this information cannot be directly leveraged for higher privileges (like with pass-the-hash, overpass-the-hash), it is required to crack it.
Cracking is an operation that can be carried out through different types of attacks:
Brute-force: every possibility for a given character set and a given length (i.e. aaa, aab, aac, ...) is hashed and compared against the target hash.
Dictionary: every word of a given list (a.k.a. dictionary) is hashed and compared against the target hash.
Rainbow tables: the hash is looked for in a pre-computed table. It is a time-memory trade-off that allows cracking hashes faster, but costing a greater amount of memory than traditional brute-force of dictionary attacks. This attack cannot work if the hashed value is salted (i.e. hashed with an additional random value as prefix/suffix, making the pre-computed table irrelevant)
There are many other and more complex types of attacks (incremental, mask, rules, hybrid types, ...) but the major/core ones are the three above.
One of the greatest tools that can be used for cracking is hashcat (C). It implements different types of attacks and many types of hashes. It has many other great features like
it is cross-platform (support for Linux, Windows and macOS) and supports anything that comes with an OpenCL runtime (CPU, GPU, APU, ...)
it can crack multiple hashes at the same time and use multiple devices at once (distributed cracking networks supported too)
it can save and restore sessions
it has a builtin benchmarking system
Below is a short list of the most useful hash types for Active Directory hunting.
Hashcat has the ability to inject the plain passwords cracked into the dictionary and start the attack again, and this recursively until no new passwords are found. This can be done with the --loopback argument.
Nota bene: the new passwords are added to dictionnary caches that will be temporary and deleted after the bruteforce+rules+loopack attack ends.
Hashcat can also be used in a hybrid mode by combining a dictionary attack with rules that will operate transformations to the words of the list.
More information on how to fully use hashcat can be found here.
A robust alternative to hashcat is John the Ripper, a.k.a. john (C). It handles some hash types that hashcat doesn't (Domain Cached Credentials for instance) but it also has a strong community that regularly releases tools in the form of "something2john" that convert things to a john crackable format (e.g. bitlocker2john, 1password2john, keepass2john, lastpass2john and so on).