Kerberoasting
Kerberoasting with Impacket
Impacket can identify kerberoastable accounts and dump packets remotely. It comes standard with Kali Linux.
GetUserSPNs.py ${DOMAIN}/${USER}:${PASSWORD} \ -dc-ip $DOMAIN_CONTROLLER_IP -requestThe password hashes output here can then be cracked with Hashcat (use the 13100 hash mode).
Link to original
AS-REP roasting
AS-REP roasting with Impacket
Impacket (via GetNPUsers.py) support AS-REP roasting. However, GetNPUsers.py requires that user accounts already be enumerated and roastable accounts identified.
When using GetNPUsers.py, specify the target as
Link to original${DOMAIN}/(i.e., leave off the user-part).
PsExec
Impacket PsExec reimplementation
Impacket includes a reimplementation of PsExec. Under Linux (but not Windows) you can pass in an NTLM hash instead of a password for the target user.
Link to original # Psexec.py (but ONLY on Linux; this won't work on Windows!) # psexec.py -hashes $TARGET_USER_NTLM_HASH \ $TARGET_DOMAIN\$TARGET_USER@$TARGET_HOST