PywerView supports Kerberos authentication so you can leverage existing TGTs or TGSs stored in a ccache file rather than passing plaintext passwords or NTLM hashes. This is particularly useful in engagements where you have captured a ticket with tools like Impacket’s getTGT.py or Rubeus and want to reuse it from a Linux host. Kerberos support is partial and relies on a mixed architecture: LDAP commands use ldap3 with gssapi, while SMB/RPC commands use impacket — each with subtly different SPN requirements that you must account for.
Kerberos support is an optional extra. You must install it explicitly before using the -k flag:
pip install pywerview[kerberos]
This also requires the system package libkrb5-dev (Debian/Ubuntu) or its equivalent. Without it, gssapi cannot be compiled and the import will fail.

How It Works

PywerView reads Kerberos credentials from the file pointed to by the KRB5CCNAME environment variable. If the ccache file contains a TGS for the target service, that ticket is presented directly. If it contains only a TGT, gssapi (for LDAP commands) or impacket (for SMB/RPC commands) will request a TGS automatically.

Setup and Usage

1. Obtain a Kerberos ticket

Acquire a TGT or TGS for your target using your preferred method (e.g., getTGT.py from Impacket, kinit, or a ticket exported from a Windows machine). Verify the ticket contents with klist:
klist stormtroopers.ccache
Example output:
Ticket cache: FILE:stormtroopers.ccache
Default principal: stormtroopers@CONTOSO.COM

Valid starting       Expires              Service principal
10/03/2022 16:46:45  11/03/2022 02:46:45  ldap/srv-ad.contoso.com@CONTOSO.COM
    renew until 11/03/2022 16:43:17

2. Export KRB5CCNAME

Point the environment variable at your ccache file. You can export it for the shell session or prefix it inline on each command:
# Persistent for the session
export KRB5CCNAME=/path/to/stormtroopers.ccache

# Or inline, per command
KRB5CCNAME=stormtroopers.ccache pywerview get-netcomputer ...

3. Run PywerView with the -k flag

Add -k to your command. Also supply -u with the account name and -t with the full hostname of the domain controller (required for LDAP SPN resolution):
KRB5CCNAME=stormtroopers.ccache pywerview get-netcomputer -t srv-ad.contoso.com -u stormtroopers -k
Expected output:
dnshostname: centos.contoso.com

dnshostname: debian.contoso.com

dnshostname: Windows7.contoso.com

dnshostname: Windows10.contoso.com

dnshostname: SRV-MAIL.contoso.com

dnshostname: SRV-AD.contoso.com

SPN Compatibility

PywerView’s mixed ldap3 + impacket architecture creates different SPN requirements depending on the command type.
  • LDAP commands (e.g., get-netuser, get-netcomputer) use ldap3 with gssapi. The gssapi library requires the full hostname in the SPN — it cannot resolve tickets that use a short hostname.
  • SMB/RPC commands (e.g., get-localdisks, get-netsession) use impacket and are more lenient: tickets with an incomplete hostname SPN work, as long as --computername matches the short name in the SPN.

| SPN in the ticket | LDAP commands | SMB/RPC commands |
|---|---|---|
| ldap/srv-ad.contoso.com@CONTOSO.COM | ✔️ | ✔️ |
| cifs/srv-ad.contoso.com@CONTOSO.COM | ✔️ | ✔️ |
| ldap/srv-ad@CONTOSO.COM | ❌ | ✔️ |

The example below shows using a short-hostname LDAP ticket successfully with an SMB/RPC command by matching --computername to the short name in the SPN:
klist skywalker.ccache
# Service principal: ldap/srv-ad@CONTOSO.COM

KRB5CCNAME=skywalker.ccache pywerview get-localdisks --computername srv-ad -u skywalker -k
disk: A:

disk: C:

disk: D:
SPN patching is not yet implemented. PywerView cannot rewrite SPNs on the fly. If your ccache contains a ticket with a short hostname SPN and you need to run an LDAP command, you must obtain a new ticket with the full FQDN in the SPN (e.g., ldap/srv-ad.contoso.com@CONTOSO.COM). The same limitation applies to TGTs: krbtgt/srv-ad.contoso.com@CONTOSO.COM will work, but krbtgt/srv-ad@CONTOSO.COM will not for LDAP functions.
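
A pre-flight check for the compatibility table above, as an added example that is not part of PywerView: it parses klist output and reports, per service ticket, whether LDAP or SMB/RPC commands can use it against a given target. The names check_tickets and SAMPLE_KLIST are hypothetical, the sample output is constructed, and the day/month/year date order and case-insensitive hostname comparison are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: klist output modelled on the tickets shown on this page.
SAMPLE_KLIST = """\
Ticket cache: FILE:skywalker.ccache
Default principal: skywalker@CONTOSO.COM

Valid starting       Expires              Service principal
10/03/2022 16:46:45  11/03/2022 02:46:45  ldap/srv-ad@CONTOSO.COM
    renew until 11/03/2022 16:43:17
10/03/2022 16:46:45  11/03/2022 02:46:45  cifs/srv-ad.contoso.com@CONTOSO.COM
"""

# start, expiry, then service/host@REALM on one line of klist output
TICKET_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"([^/\s]+)/([^@\s]+)@(\S+)\s*$", re.M)

def check_tickets(klist_text, target_fqdn, now):
    """Classify each service ticket against the SPN compatibility table."""
    fqdn = target_fqdn.lower()
    short = fqdn.split(".")[0]
    results = []
    for expires, service, host, realm in TICKET_RE.findall(klist_text):
        if service.lower() == "krbtgt":
            continue  # a TGT is used to request a TGS; no host to match here
        # Assumption: day/month/year order, as in the page's klist output.
        expired = datetime.strptime(expires, "%d/%m/%Y %H:%M:%S") <= now
        # Assumption: hostnames are compared case-insensitively.
        full, brief = host.lower() == fqdn, host.lower() == short
        results.append({
            "spn": f"{service}/{host}@{realm}",
            "expired": expired,
            # gssapi (LDAP commands) needs the full hostname in the SPN.
            "ldap": full and not expired,
            # impacket (SMB/RPC commands) also accepts the short name.
            "smb_rpc": (full or brief) and not expired,
            # Value to pass as --computername so it matches the SPN.
            "computername": host if (full or brief) else None,
        })
    return results

if __name__ == "__main__":
    for r in check_tickets(SAMPLE_KLIST, "srv-ad.contoso.com", datetime.now()):
        print(r)
```

A ticket reported with ldap False and smb_rpc True is the short-hostname case described above: usable with SMB/RPC commands via the returned computername, but a new ticket with the FQDN is needed for LDAP commands.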
