I know one can retrieve password hashes via RPC (MS-DRSR), like it's done in the DSInternals PowerShell Module. Is there any way to get the MD4 hashes via LDAP?
So far I've tried using the AdDirSyncRequest control (1.2.840.113556.1.4.841), but with no luck. I can see the password attributes (ntPwdHistory, unicodePwd, etc.) but they have no value.
No, there isn't. The unicodePwd attribute is used to set the password, but the documentation says:
The unicodePwd attribute is never returned by an LDAP search.