Kerberoasting is the cleanest example I know of an attack that breaks nothing. It just uses the protocol exactly as designed.
The one detail that matters: when you request a service ticket (a TGS) for a service in the domain, that ticket is encrypted with the password hash of the account the service runs under. And any authenticated user is allowed to request a ticket for any service. The domain just hands it over.
So the attack is:
1. Enumerate accounts that have a Service Principal Name (SPN) set.
2. Request a service ticket for each one.
3. Extract the encrypted blob. It's locked with the service account's password.
4. Crack it offline with hashcat. The domain never sees a single guess.
You are not knocking on a door and waiting to get caught. You took the lock home and you're working on it in the garage at a few hundred million guesses a second.
Why it works in practice: service accounts get a password set once, by a human, in 2014, who figured "it's just a service account" and used something hashcat eats for breakfast. And because the cracking is offline, there's no lockout, no failed-logon noise, nothing for the blue team to alert on until you log back in as the account.
kerbrute-py wraps impacket so the enumeration and roasting read clearly instead of cryptically. Ran the full chain against GOAD: SPN → ticket → hash → crack → authenticate. Documented every command, because the documentation is the deliverable, not the dopamine.
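One defender's footnote to the "nothing to alert on" point: the domain never sees a cracking guess, but it does log every service-ticket request as Security event 4769, including the ticket's encryption type, and one user pulling RC4 (0x17) tickets for many SPNs within seconds is the classic signal. The sketch below is an added example, not code from this post or from kerbrute-py: it runs over constructed 4769-style lines, and the key=value layout, the 4-SPN/5-minute threshold and all names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like Windows Security event 4769
# ("A Kerberos service ticket was requested") flattened to key=value text.
# Field names follow the 4769 schema; users, services and times are made up.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=CORP-DC01$ TicketEncryptionType=0x12
2024-03-01T09:05:10 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17
2024-03-01T09:05:11 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17
2024-03-01T09:05:11 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17
2024-03-01T09:05:12 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17
2024-03-01T09:30:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17
2024-03-01T09:31:00 EventID=4768 TargetUserName=carol@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12
"""

def parse_4769(text):
    """Yield one dict per 4769 line; other event IDs and malformed lines are skipped."""
    for raw in text.splitlines():
        ts, _, rest = raw.strip().partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        if fields.get("EventID") != "4769":
            continue
        fields["ts"] = datetime.fromisoformat(ts)
        yield fields

def find_roasting(text, min_spns=4, window=timedelta(minutes=5), weak_etype="0x17"):
    """Return {user: sorted distinct services} for users whose RC4 (0x17) service-ticket
    requests cover >= min_spns distinct user-account services inside one window.
    Machine accounts (names ending in $) are skipped: their passwords are long and
    random, so those tickets are not the crackable blobs the post talks about."""
    per_user = defaultdict(list)
    for ev in parse_4769(text):
        svc = ev.get("ServiceName", "")
        if ev.get("TicketEncryptionType") != weak_etype or svc.endswith("$"):
            continue
        per_user[ev.get("TargetUserName", "?")].append((ev["ts"], svc))
    hits = {}
    for user, events in per_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {s for t, s in events[i:] if t - t0 <= window}
            if len(in_window) >= min_spns:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for user, services in find_roasting(SAMPLE_LOG).items():
        print(f"{user}: {len(services)} RC4 service tickets in one window -> {services}")
```

On a real DC the same query also wants a baseline, because monitoring tools and some legitimate clients request RC4 tickets in bursts; the threshold is a starting point, not a rule.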