Kerberoasting

You will need valid credentials for a domain user to be able to do this!

Why does Kerberoasting work?

In a Kerberoasting attack, the attacker identifies user accounts in the AD domain that have service principal names (SPNs) associated with them, indicating that the user has access to specific network services. The attacker then requests a service ticket for that account; the ticket contains the user's hashed password.

The Kerberos protocol uses a ticket-granting ticket (TGT) to authenticate users and grant access to network resources. When a user logs in to a domain, they receive a TGT from the domain controller. The TGT is used to request service tickets for specific network services.

When a user requests a service ticket, the Kerberos protocol generates a session key that is used to encrypt the communication between the user and the service. The session key is encrypted with the user’s hashed password and included in the service ticket.

How to do it!

Check for user SPNs. This can be done using impacket-GetUserSPNs:

impacket-GetUserSPNs -request -dc-ip <DC-IP> <DOMAIN.TLD>/<USERNAME>

Check whether the output contains any TGS tickets. If it does, move on to cracking them with hashcat. There are multiple hash types associated with Kerberoasting, so consult the Hashcat wiki example hashes to pick the right mode.
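The TGS requests described above leave Windows Security event 4769 records on the domain controller. As an added defender-side example that is not part of the original page, the following Python flags the classic Kerberoasting pattern: RC4-encrypted (etype 0x17) service-ticket requests for non-machine, non-krbtgt SPN accounts, and a burst of such requests for several distinct services from one client. The 4769 records are constructed sample data, and the field names, window and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4769 records (not real logs).
# Fields are a simplified view: ts = seconds, client = requesting account,
# service = ServiceName (the SPN account), etype = TicketEncryptionType.
SAMPLE_4769 = [
    {"ts": 100, "client": "alice", "service": "DC01$",      "etype": "0x12", "ip": "10.0.0.5"},
    {"ts": 101, "client": "alice", "service": "FILESRV$",   "etype": "0x12", "ip": "10.0.0.5"},
    {"ts": 200, "client": "bob",   "service": "svc_sql",    "etype": "0x17", "ip": "10.0.0.9"},
    {"ts": 201, "client": "bob",   "service": "svc_web",    "etype": "0x17", "ip": "10.0.0.9"},
    {"ts": 202, "client": "bob",   "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.9"},
    {"ts": 203, "client": "bob",   "service": "krbtgt",     "etype": "0x17", "ip": "10.0.0.9"},
    {"ts": 900, "client": "carol", "service": "svc_legacy", "etype": "0x17", "ip": "10.0.0.7"},
]

RC4_ETYPE = "0x17"        # RC4-HMAC: the encryption type tools request because it cracks fastest
WINDOW_SECONDS = 60       # assumed correlation window
SERVICE_THRESHOLD = 3     # assumed number of distinct services that counts as a burst


def is_roastable_request(ev):
    """RC4 TGS request for a user-account SPN (not a machine account, not krbtgt)."""
    svc = ev["service"]
    return ev["etype"] == RC4_ETYPE and not svc.endswith("$") and svc.lower() != "krbtgt"


def find_kerberoast_bursts(events, window=WINDOW_SECONDS, threshold=SERVICE_THRESHOLD):
    """Return one alert per client that requested >= threshold distinct roastable
    services within `window` seconds; a single request is not alerted on."""
    per_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_roastable_request(ev):
            per_client[ev["client"]].append(ev)
    alerts = []
    for client, evs in per_client.items():
        for i, start in enumerate(evs):
            # distinct services requested in the window starting at this event
            services = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(services) >= threshold:
                alerts.append({"client": client, "ip": start["ip"], "services": sorted(services)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_bursts(SAMPLE_4769):
        print(f"possible Kerberoasting by {alert['client']} from {alert['ip']}: {alert['services']}")
```

Machine accounts and krbtgt are skipped because their long random keys are not practical cracking targets, which keeps the rule focused on the user-account SPNs the page is about.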

Limitations

These tickets are not passable, but they are crackable.