PRIMARY CATEGORY → WINDOWS CREDENTIALED ENUMERATION
Theory
The PASSWD_NOTREQD is a flag within the UserAccountControl attribute of a domain user account
If set, the given user account is not subject to the current Password Policy, meaning that it could have a shorter and less complex password or no password at all (If the domain allows empty passwords)
It is important to note that just because this flag is enabled, it does not mean that no password is set for the given account
Zoom in
Recon - UNIX-like
LDAPSearch
ldapsearch -LLL -x -H 'ldap://<TARGET>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' '(&(ObjectCategory=person)(UserAccountControl:1.2.840.113556.1.4.803:=32)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' samAccountName dnRecon - Windows
Powershell AD Module
Get-ADUser -LDAPFilter '(&(ObjectCategory=person)(UserAccountControl:1.2.840.113556.1.4.803:=32)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' | Select samAccountName, userPrincipalNamePowerview
Get-DomainUser -UACFilter 'PASSWD_NOTREQD' -LDAPFilter '(!(UserAccountControl:1.2.840.113556.1.4.803:=2))' | Select samAccountName, userAccountControl | fl