"Given GenericWrite/GenericAll DACL rights over a target, we can modify most of the user's attributes. We can change a victim's userAccountControl to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back." (@harmj0y, ref)
In case the LDAP(S) ports are blocked, kerberoasting can still be performed via the Global Catalog port (3268/TCP). For that purpose, change the ldap:// scheme to gc://.
Once the NTDS dump has been cracked, check whether any kerberoastable users whose tickets were cracked have a path to high-value targets (useful when writing a report):
$ cat ~/ws/enum/tgsrep.in | grep -Pho 'krb5tgs\$23\$.*?\$' | cut -d'*' -f2 | cut -d'$' -f1 > t
$ for acc in `cat t`; do grep -ai $acc ~/ws/loot/ntds.cracked | cut -d: -f1 >> t2; done && rm t
$ vi t2
...convert domain prefix to domain suffix (megacorp.local\svcsql -> svcsql@megacorp.local)...
$ python3 max.py -u neo4j -p 'WeaponizeK4li!' mark-owned -f t2 --add-note "kerberoasted" && rm t2
$ python3 max.py -u neo4j -p 'WeaponizeK4li!' query -q 'MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p' --path
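The grep/cut pipeline above joins the two lists by substring, so an account name such as `svcweb` also matches `svcweb_admin` in the cracked dump. As an added example (not code from the original cheatsheet), the following Python script does the same correlation with exact matching on `user@domain`, performing the "domain prefix to domain suffix" conversion that the manual `vi t2` step covers. The `$krb5tgs$23$` and `domain\user:password` sample lines are constructed, with the ciphertext replaced by placeholder hex; the format of the real lines is assumed to follow the same `$krb5tgs$23$*user$REALM$spn*$...` layout.

```python
import re

# Constructed sample input: two $krb5tgs$23$ lines in the usual
# "$krb5tgs$23$*user$REALM$spn*$checksum$edata" layout (ciphertext is placeholder hex),
# plus a cracked NTDS dump in "DOMAIN\user:password" form.
TGSREP_SAMPLE = """\
$krb5tgs$23$*svcsql$MEGACORP.LOCAL$MSSQLSvc/sql01.megacorp.local:1433*$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa$bbbbbbbb
$krb5tgs$23$*svcweb$MEGACORP.LOCAL$HTTP/web01.megacorp.local*$cccccccccccccccccccccccccccccccc$dddddddd
"""
NTDS_CRACKED_SAMPLE = """\
megacorp.local\\svcsql:Summer2023!
megacorp.local\\jdoe:Password1
megacorp.local\\svcweb_admin:Winter2023!
"""

# Captures the sAMAccountName and realm that sit between the leading '*' and the SPN.
KRB5TGS_RE = re.compile(r"\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$")


def kerberoasted_accounts(tgsrep_lines):
    """Return {account (lowercase): realm (lowercase)} for every $krb5tgs$23$ line."""
    accounts = {}
    for line in tgsrep_lines:
        m = KRB5TGS_RE.search(line)
        if m:
            accounts[m.group(1).lower()] = m.group(2).lower()
    return accounts


def cracked_principals(ntds_lines):
    """Parse 'DOMAIN\\user:password' lines into a set of 'user@domain' principals."""
    principals = set()
    for line in ntds_lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        account = line.split(":", 1)[0]
        if "\\" in account:
            domain, user = account.split("\\", 1)
            principals.add(f"{user.lower()}@{domain.lower()}")
        else:
            principals.add(account.lower())  # no domain prefix present; keep as-is
    return principals


def kerberoasted_and_cracked(tgsrep_lines, ntds_lines):
    """Exact join of both lists; returns sorted 'user@domain' values ready for mark-owned."""
    roasted = kerberoasted_accounts(tgsrep_lines)
    cracked = cracked_principals(ntds_lines)
    return sorted(f"{u}@{d}" for u, d in roasted.items() if f"{u}@{d}" in cracked)


if __name__ == "__main__":
    for principal in kerberoasted_and_cracked(TGSREP_SAMPLE.splitlines(),
                                              NTDS_CRACKED_SAMPLE.splitlines()):
        print(principal)
```

On the constructed input only `svcsql@megacorp.local` is reported: `svcweb` is kerberoastable but was not cracked, and the substring hit on `svcweb_admin` that the shell pipeline would produce is correctly rejected. The printed list can be written to a file and passed to `max.py mark-owned -f` as in the commands above.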
"We can execute 'normal' Kerberoasting instead: given modification rights on a target, we can change the user's serviceprincipalname to any SPN we want (even something fake), Kerberoast the service ticket, and then repair the serviceprincipalname value." (@harmj0y, ref)
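Both targeted techniques quoted above share the same footprint: an attribute on a user object (userAccountControl or servicePrincipalName) is changed and then restored a short time later by the same principal. As an added example, not part of the original cheatsheet, the following Python function flags that pattern over directory audit events. The event records are constructed; their field names mirror Windows Security events 5136 (directory service object modified: object DN, attribute, value, add/delete operation) and 4738 (user account changed: old and new userAccountControl values, shown in hex as in the event text), but the values are made up and the record layout is an assumption about how the events would be normalised before this check runs.

```python
from datetime import datetime, timedelta

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl flag for "Do not require Kerberos preauthentication"

# Constructed sample events (not real log data). 'op' is "add"/"delete" for 5136;
# 'old_uac'/'new_uac' are hex strings as shown in 4738.
EVENTS = [
    # benign: an admin sets "password never expires" (0x10000) on jdoe and leaves it
    {"id": 4738, "time": "2024-03-01T09:00:00", "subject": "MEGACORP\\admin1",
     "target": "jdoe", "old_uac": "0x200", "new_uac": "0x10200"},
    # temporary SPN on svcbackup: added and removed 45 seconds later by the same account
    {"id": 5136, "time": "2024-03-01T10:00:00", "subject": "MEGACORP\\j.smith",
     "object": "CN=svcbackup,OU=Service,DC=megacorp,DC=local",
     "attribute": "servicePrincipalName", "value": "fake/whatever", "op": "add"},
    {"id": 5136, "time": "2024-03-01T10:00:45", "subject": "MEGACORP\\j.smith",
     "object": "CN=svcbackup,OU=Service,DC=megacorp,DC=local",
     "attribute": "servicePrincipalName", "value": "fake/whatever", "op": "delete"},
    # DONT_REQ_PREAUTH set on jdoe and cleared two minutes later by the same account
    {"id": 4738, "time": "2024-03-01T11:00:00", "subject": "MEGACORP\\j.smith",
     "target": "jdoe", "old_uac": "0x10200", "new_uac": "0x410200"},
    {"id": 4738, "time": "2024-03-01T11:02:00", "subject": "MEGACORP\\j.smith",
     "target": "jdoe", "old_uac": "0x410200", "new_uac": "0x10200"},
    # benign: a real SPN registered and kept
    {"id": 5136, "time": "2024-03-01T12:00:00", "subject": "MEGACORP\\admin1",
     "object": "CN=svcweb,OU=Service,DC=megacorp,DC=local",
     "attribute": "servicePrincipalName", "value": "HTTP/web01.megacorp.local", "op": "add"},
]


def detect_flip_and_restore(events, window_minutes=15):
    """Flag attribute changes reverted shortly afterwards by the same subject.

    Returns a list of (kind, target, subject, seconds_between) tuples, where kind is
    'spn_flip' (SPN value added then deleted, event 5136) or 'preauth_flip'
    (DONT_REQ_PREAUTH set then cleared, event 4738). Events may arrive unordered.
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    pending_spn = {}      # (object DN, SPN value) -> (subject, time the value was added)
    pending_preauth = {}  # target account -> (subject, time the flag was set)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136 and ev["attribute"].lower() == "serviceprincipalname":
            key = (ev["object"].lower(), ev["value"].lower())
            if ev["op"] == "add":
                pending_spn[key] = (ev["subject"], t)
            elif ev["op"] == "delete" and key in pending_spn:
                subject, t0 = pending_spn.pop(key)
                if subject == ev["subject"] and t - t0 <= window:
                    alerts.append(("spn_flip", ev["object"], subject, int((t - t0).total_seconds())))
        elif ev["id"] == 4738:
            old, new = int(ev["old_uac"], 16), int(ev["new_uac"], 16)
            was_set = bool(old & UF_DONT_REQUIRE_PREAUTH)
            now_set = bool(new & UF_DONT_REQUIRE_PREAUTH)
            target = ev["target"].lower()
            if not was_set and now_set:
                pending_preauth[target] = (ev["subject"], t)
            elif was_set and not now_set and target in pending_preauth:
                subject, t0 = pending_preauth.pop(target)
                if subject == ev["subject"] and t - t0 <= window:
                    alerts.append(("preauth_flip", ev["target"], subject, int((t - t0).total_seconds())))
    return alerts


if __name__ == "__main__":
    for alert in detect_flip_and_restore(EVENTS):
        print(alert)
```

On the constructed sample this yields two alerts, one per technique, and ignores the two benign changes because they are never reverted. Auditing of 5136 requires a SACL on the user objects for "Write all properties"; 4738 is emitted by the default User Account Management audit policy, so the preauth check is usually available even where directory service change auditing is not. A change to a sensitive attribute that is not reverted is still worth reviewing; this function only isolates the flip-and-restore shape.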