Kerberoasting
Kerberoasting with Impacket
Impacket can identify kerberoastable accounts and dump packets remotely. It comes standard with Kali Linux.
The password hashes output here can then be cracked with Hashcat (use the 13100 hash mode).
AS-REP roasting
AS-REP roasting with Impacket
Impacket (via GetNPUsers.py) supports AS-REP roasting. However, GetNPUsers.py requires that user accounts already be enumerated and roastable accounts identified.
When using GetNPUsers.py, specify the target as ${DOMAIN}/ (i.e., leave off the user-part).
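An audit for the exposures described in the Kerberoasting and AS-REP roasting sections above, as an added example that is not part of the original notes or of Impacket: it reads a directory export and reports enabled accounts that have an SPN (kerberoastable; RC4 is the etype 23 that Hashcat mode 13100 targets) or that do not require pre-authentication (AS-REP roastable). Assumptions: the export is LDIF restricted to user objects, the function names and finding labels are hypothetical, and the sample data is constructed.

```python
# Added audit example; the LDIF below is constructed, not real directory data.
UF_ACCOUNTDISABLE = 0x2             # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: Kerberos pre-auth not required
ENC_RC4_HMAC = 0x4                  # msDS-SupportedEncryptionTypes: RC4 (etype 23)

SAMPLE_LDIF = """\
sAMAccountName: svc-sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/db01.example.test:1433

sAMAccountName: svc-web
userAccountControl: 66048
servicePrincipalName: HTTP/web01.example.test
msDS-SupportedEncryptionTypes: 24

sAMAccountName: legacy-app
userAccountControl: 4260352

sAMAccountName: old-svc
userAccountControl: 514
servicePrincipalName: HTTP/old.example.test
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuation lines
            key, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Map each enabled account to its roasting exposures."""
    findings = {}
    for e in entries:
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & UF_ACCOUNTDISABLE:
            continue
        enc = int(e.get("msds-supportedencryptiontypes", ["0"])[0])
        issues = []
        if "serviceprincipalname" in e:
            # Assumption: an unset (0) value does not rule out RC4 tickets
            issues.append("kerberoast:rc4" if enc == 0 or enc & ENC_RC4_HMAC else "kerberoast:aes")
        if uac & UF_DONT_REQUIRE_PREAUTH:
            issues.append("asrep")
        if issues:
            findings[e["samaccountname"][0]] = issues
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` flags `svc-sql`, `svc-web` and `legacy-app`, and skips the disabled `old-svc`.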
PsExec
Impacket includes a reimplementation of PsExec. Under Linux (but not Windows) you can pass in an NTLM hash instead of a password for the target user.