PywerView supports two forms of NTLM-based authentication: classic password authentication and pass-the-hash, where you supply raw NTLM hash material instead of a plaintext secret. Both modes use the same set of global credential flags and can target either a domain controller (for LDAP-based commands) or an individual host (for SMB/RPC-based commands). If you provide neither a password nor hashes, and you are not using certificate or Kerberos authentication, PywerView will interactively prompt for a password at runtime so credentials never have to be embedded in shell history.

Credential Flags

-w / --workgroup (string)
The domain name to authenticate against. Must be the post-Windows 2000 UPN format (e.g., contoso.com), not the legacy NetBIOS name (e.g., CONTOSO).

-u / --user (string)
The username to connect with. Corresponds to the samAccountName of the account (e.g., alice, SRV-MAIL$).

-p / --password (string)
Plaintext password for the specified user. Omit this flag (along with --hashes) to trigger the interactive password prompt.

--hashes LMHASH:NTHASH (string)
NTLM hash pair for pass-the-hash authentication. Accepts the full LMHASH:NTHASH format. If the LM portion is omitted (:NTHASH), PywerView automatically substitutes the well-known empty LM hash aad3b435b51404eeaad3b435b51404ee. If only an NT hash is provided with no colon, that value is treated as the NT hash.

-t / --dc-ip (string)
IP address or hostname of the domain controller to target. Used by all LDAP commands (e.g., get-netuser, get-netcomputer).

--computername (string)
Hostname or IP of the individual computer to target. Used by host-based SMB/RPC commands (e.g., get-netsession, get-netshare).

Every command requires the domain name in UPN format. For example, if your domain is USELESSDOMAIN (NetBIOS), pass uselessdomain.local as the -w argument, not USELESSDOMAIN. Using the wrong format will cause authentication to fail silently or produce unexpected results.

Password Authentication

Supply -w, -u, and -p together to authenticate with a plaintext password.
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

Pass-the-Hash Authentication

Use --hashes with the full LM:NT pair, or omit the LM portion entirely using the shorthand colon prefix. PywerView fills in the well-known empty LM hash automatically.
# NT hash only — LM hash is filled in automatically
pywerview get-netuser -t dc.contoso.com -u alice --hashes :5f4dcc3b5aa765d61d8327deb882cf99 -w contoso.com

# Explicit full LM:NT pair
pywerview get-netuser -t dc.contoso.com -u alice --hashes aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99 -w contoso.com

Interactive Password Prompt

If neither -p nor --hashes is provided, and Kerberos (-k) and certificate (--cert/--key) authentication are also absent, PywerView prompts you for a password at runtime:
Password:
This is the safest way to pass credentials when scripting is not required, as the password never appears in process arguments or shell history.
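
The shell-history point above can be checked after the fact. The following is an added example, not PywerView's own code: it scans history lines for pywerview invocations that passed -p/--password or --hashes on the command line and returns a redacted copy of each. The HISTORY sample is constructed from this page's example commands, and only the "flag value" and "flag=value" spellings are handled.

```python
import shlex

# Flags documented on this page whose values are secrets.
SECRET_FLAGS = {"-p": "password", "--password": "password", "--hashes": "ntlm-hash"}

def audit_line(line):
    """Return (redacted_line, kinds) for one shell-history line."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quote in the history file: plain split instead
        tokens = line.split()
    # Only look at pywerview invocations (directly or via an interpreter).
    if not any("pywerview" in t for t in tokens[:2]):
        return line, []
    out, kinds, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        flag, sep, _ = tok.partition("=")
        if tok in SECRET_FLAGS and i + 1 < len(tokens):  # "-p VALUE"
            kinds.append(SECRET_FLAGS[tok])
            out += [tok, "REDACTED"]
            i += 2
            continue
        if sep and flag in SECRET_FLAGS:                 # "--hashes=VALUE"
            kinds.append(SECRET_FLAGS[flag])
            tok = flag + "=REDACTED"
        out.append(tok)
        i += 1
    return (shlex.join(out), kinds) if kinds else (line, [])

def audit_history(lines):
    """Return [(line_number, kinds, redacted_line)] for lines that embed a secret."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, kinds = audit_line(line.rstrip("\n"))
        if kinds:
            hits.append((number, kinds, redacted))
    return hits

# Constructed sample history, reusing the example commands from this page.
HISTORY = [
    "ls -la",
    "pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com",
    "pywerview get-netuser -t dc.contoso.com -u alice --hashes :5f4dcc3b5aa765d61d8327deb882cf99 -w contoso.com",
    "pywerview get-netuser -t dc.contoso.com -u alice -w contoso.com",  # interactive prompt
]

if __name__ == "__main__":
    for number, kinds, redacted in audit_history(HISTORY):
        print(f"line {number}: {', '.join(kinds)} on command line -> {redacted}")
```

The last sample line, which relies on the interactive prompt, produces no finding.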

Other Authentication Methods
