Once you have low-level credentials to a Windows domain, you may be able to leverage those credentials to perform a Kerberoast attack against a higher-level user account. The easiest way to identify if a user account is vulnerable to a Kerberoast attack is via BloodHound.
Once you have identified a Kerberoastable user, you can leverage Impacket to perform the attack w/ the following command. This command will require valid domain credentials for at least a low-level user, but it should return the password hash of any Kerberoastable user on the domain.
GetUserSPNs.py -request -dc-ip <ip-addr> <domain>/<user>
We can then take this password hash to hashcat with the following command.
hashcat -m 13100 <hashfile> <wordlist>