So i was reading a magazine (Hackinthebox) an article regarding LDAP and it got me thinking, would it be possible to query an Active directory domain anonymously? After a little search i found that it was not enabled by default in Windows 2003, well actually you can get some info but not much. So if i was logged into the network with a domain account (just basic user level permissions) would i be able to perform an LDAP query requesting password hashes? I'm not at home to try on my test network. If i had to guess i would say that it's not possible to get the hashes but possibly other useful information for a pentester. Anyone know if it is possible to get the password hashes via this method?