Using Impacket


Impacket can identify kerberoastable accounts and dump packets remotely. It comes standard with Kali Linux.

python3 \
	/usr/share/doc/python3-impacket/examples/ \
	-dc-ip $DOMAIN_CONTROLLER_IP -request

The password hashes output here can then be cracked with Hashcat (use the 13100 hash mode).

AS-REP Roasting

Impacket (via support AS-REP roasting. However, requires that user accounts already be enumerated and roastable accounts identified.

When using, specify the target as ${DOMAIN}/ (i.e., leave off the user-part).
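
A defender-side view of both techniques above, as an added example that is not part of the original page or of Impacket: it scans domain controller Security events 4769 (service ticket requests) and 4768 (TGT requests) for RC4 tickets (etype 0x17, the type Hashcat mode 13100 handles) spread over several services, and for TGTs issued without pre-authentication. The events, account names, addresses and the `spn_threshold` default are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the ticket type Hashcat mode 13100 works on

# Constructed sample events; field names follow Security events 4768/4769.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "192.0.2.21"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.22"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "192.0.2.21"},
]

def find_roasting(events, spn_threshold=3):
    """Return suspected Kerberoasting and AS-REP roasting activity."""
    rc4_services = defaultdict(set)  # (requester, source IP) -> service names
    no_preauth = set()               # (account, source IP) TGTs without pre-auth
    for ev in events:
        key = (ev["TargetUserName"], ev["IpAddress"])
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if ev["EventID"] == 4769 and etype == RC4_HMAC:
            svc = ev["ServiceName"]
            # Machine accounts and krbtgt have random keys, so they are not
            # useful roasting targets; skip them to cut noise.
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4_services[key].add(svc)
        elif ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
            no_preauth.add(key)
    kerberoast = {k: sorted(v) for k, v in rc4_services.items()
                  if len(v) >= spn_threshold}
    return {"kerberoast": kerberoast, "asrep": sorted(no_preauth)}

if __name__ == "__main__":
    findings = find_roasting(EVENTS)
    for (user, ip), services in findings["kerberoast"].items():
        print(f"RC4 service tickets: {user} from {ip} -> {', '.join(services)}")
    for account, ip in findings["asrep"]:
        print(f"TGT without pre-authentication: {account} from {ip}")
```

Tune `spn_threshold` against a baseline of normal RC4 usage in the domain before alerting on it.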