Using the hash generator at insidepro.com, I created 2 NTLM hashes, one for Passord, and one for Passor (a single space character replacement - ASCII Hex20 - for the letter d at the end there).
Passord : 72892f1b58f8708c3f07639f6c08daea
Passor : 42ae7b3af2c5c22514b89355dfa8b3be
Using GRTCrack.exe -h NTLM -s (hashvalue) GRT-NTLM-len7-fullcharset-perfect\*.grt --threads 512 --blocks 512 -m 500, my GTX580 goes to 99%. Tables are stored on a 2x1TB soft striped array on SATA, i7 cpu, 24GB memory and W7x64.
Passord is found in the second table, while Passor is found in the first table after a few seconds. Here are screenshots of the output:
|GRTCrack output for Passord)|
|GRTCrack output for Passor )|
Chances are rather slim for finding a Windows domain controller with LM disabled and no LM hashes available. Add to that one or more users "padding" their password with one or more HEX20's at the end up to and including length 7, and charset limited within full US ASCII (or 8, with the Terabyte NTLM tableset that Bitweasil offers to ship to you for USD 500,-)... Well, not many does that.
However; I NEED to see the HEX output of the passwords as well Bitweasil! :-)
Even better: As soon as the password is found, calculate its hash value and compare it to the original input value - for added confidence in the results. Allow me to output the results to a TAB separated file (optional parameter?), making it easier to work with the results when users have used those darn ::::: colons in their passwords - for the fun of seeing me get angry. :-)