The Kerberos authentication protocol works with tickets in order to grant access. A ST (Service Ticket) can be obtained by presenting a TGT (Ticket Granting Ticket). That prior TGT can be obtained by validating a first step named "pre-authentication" (except if that requirement is explicitly removed for some accounts, making them vulnerable to ASREProast).
The pre-authentication requires the requesting user to supply its secret key (DES, RC4, AES128 or AES256) derived from the user password. Technically, when asking the KDC (Key Distribution Center) for a TGT (Ticket Granting Ticket), the requesting user needs to validate pre-authentication by sending a timestamp encrypted with it's own credentials in an
AS_REQmessage. It ensures the user is requesting a TGT for himself. When attackers obtain a man-in-the-middle position, they are sometimes able to capture pre-authentication messages, including the encrypted timestamps. Attackers can try to crack those encrypted timestamps to retrieve the user's password.
This technique is similar to ASREProasting but doesn't rely on a misconfiguration. It relies instead on an attacker successfully obtain a powerful enough man-in-the-middle position (i.e. ARP poisoning, ICMP redirect, DHCPv6 spoofing).
PCredz (Python) is a good example and allows extraction of credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
# extract credentials from a pcap file
Pcredz -f "file-to-parse.pcap"
# extract credentials from all pcap files in a folder
Pcredz -d "/path/to/pcaps/"
# extract credentials from a live packet capture on a network interface
Pcredz -i $INTERFACE -v