How can I brute-force ADAudit Plus user passwords using the encryption analysis?

Since the bcrypt hash in the `public.aaapassword` table contains the salt in the first 29 bytes (e.g., `$2a$12$...`), you can extract that salt and use it with known plaintext guesses to compute candidate hashes. If the computed hash matches the stored one, you have found the password. This technique is useful for penetration testing as described in Penetration Basics - Obtaining Domain User Password Policies.