AS-REP Roasting
This does not require domain credentials. A list of potential usernames will do!
Why does this work?
AS-REP Roasting is an exploitation technique that targets the Kerberos protocol. It allows an attacker to retrieve offline-crackable password material for users that do not require pre-authentication.
Pre-authentication is an initial stage in Kerberos authentication that prevents brute-force attacks: the client must first prove knowledge of the password before the KDC hands anything back. If a user has “Do not use Kerberos pre-authentication” enabled, anyone who knows the username can request a Kerberos AS-REP for that user. Part of that reply is encrypted with a key derived from the user’s password (RC4-HMAC, i.e. the NT hash, in the common case), so the attacker can take the ticket away and attempt to crack it offline.
How to do it!
Check to see if there are any AS-REP roastable accounts:
impacket-GetNPUsers -request -dc-ip <DC-IP> <DOMAIN.TLD>/<USERNAME>
Check the output and see if we get any AS-REP roastable hashes. If there are, move on to trying to crack them with hashcat in 18200 mode.
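From the defensive side, the same two facts drive both the audit and the detection: the roastable accounts are exactly those with the DONT_REQ_PREAUTH bit (0x400000) set in userAccountControl, and the roasting request itself shows up on the domain controller as a successful event 4768 with Pre-Authentication Type 0 and an RC4 ticket encryption type (0x17). The following Python is an added example, not part of the original page or of impacket; the account records and 4768 lines are constructed sample data, and the flattened key=value event format is an assumption made so the example runs offline (a real deployment would pull the fields from the event XML or a SIEM).

```python
"""
Defender-side checks for AS-REP roasting exposure (added example, constructed data).

  1. Audit: which enabled accounts have "Do not require Kerberos preauthentication"
     set. In Active Directory that is the DONT_REQ_PREAUTH bit (0x400000) of
     the userAccountControl attribute.
  2. Detection: flag TGT requests (Windows security event 4768) that succeeded with
     Pre-Authentication Type 0 (no pre-auth) and ticket encryption type 0x17 (RC4-HMAC),
     which is the shape of a roastable AS-REP, then count them per source IP.
"""
import re

# userAccountControl flag values as documented by Microsoft
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample of an LDAP user export (not real directory data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},          # normal user
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x400200},  # pre-auth disabled
    {"sAMAccountName": "old-admin", "userAccountControl": 0x400202},   # pre-auth disabled, but account disabled
    {"sAMAccountName": "bob", "userAccountControl": 0x10200},          # password never expires, pre-auth on
]


def roastable_accounts(accounts):
    """Return enabled accounts with DONT_REQ_PREAUTH set, sorted by name."""
    hits = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            hits.append(acct["sAMAccountName"])
    return sorted(hits)


# Constructed sample 4768 events, flattened to key=value (assumed format for the example).
# Status 0x19 is KDC_ERR_PREAUTH_REQUIRED: the normal first round-trip for a
# pre-auth-enabled account, so it is not a finding on its own.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=alice IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=svc-legacy IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=bob IpAddress=10.0.0.5 PreAuthType=0 TicketEncryptionType=0x12 Status=0x19",
    "EventID=4768 TargetUserName=svc-legacy IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one flattened event line into a dict of its key=value fields."""
    return dict(_KV.findall(line))


def suspicious_as_reps(lines):
    """Return (user, source_ip) for successful TGT requests with no pre-auth and an RC4 etype."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            findings.append((ev["TargetUserName"], ev["IpAddress"]))
    return findings


def summarize(lines):
    """Count suspicious no-pre-auth RC4 AS-REPs per source IP.

    A single host pulling such replies for one or more users is the classic
    roasting pattern; a legitimate client would be sending pre-auth.
    """
    counts = {}
    for _user, ip in suspicious_as_reps(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print("Accounts with pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    print("Suspicious AS-REPs:", suspicious_as_reps(SAMPLE_4768))
    print("Per source IP:", summarize(SAMPLE_4768))
```

The audit half is the cheap fix: clear the flag on every account that does not genuinely need it, and make sure the ones that do have long passwords, since cracking speed is what the attacker is betting on. The detection half keys on the combination of PreAuthType 0 and etype 0x17 on a successful 4768; either field alone produces too much noise.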
Limitations
These are not passable (you cannot pass-the-hash with them), but they are crackable :)