What are the common methods to enumerate SPNs and request TGS tickets for Kerberoasting?
Attackers can enumerate valuable SPNs using the `setspn.exe` command, the PowerShell Active Directory module (`Get-ADUser -Filter {AdminCount -eq 1 -and servicePrincipalName -ne 0}`), or tools like PowerView (`Get-NetUser -SPN -AdminCount`). To request TGS tickets, they use `New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken` with the SPN name. These steps are detailed in the implementation section of Domain Penetration - Kerberoasting.
setspn, PowerView, KerberosRequestorSecurityToken, TGS request, SPN enumeration