PywerView supports SChannel authentication, which lets you authenticate to Active Directory LDAP using an X.509 certificate and its corresponding private key instead of a password or hash. This is the authentication path you reach for after a successful AD CS (Active Directory Certificate Services) attack — for example, after abusing a vulnerable certificate template with certipy or relaying NTLM authentication with ntlmrelayx.py to obtain a certificate on behalf of a target user or machine account. SChannel authentication is supported for a specific subset of LDAP-backed commands listed below.

Obtaining a Certificate

Any tool that can request or relay authentication to AD CS and export a PFX bundle will work. Common options include:
  • certipy — ESC1–ESC8 exploitation and certificate requests
  • ntlmrelayx.py — relay NTLM authentication to the AD CS HTTP enrollment endpoint to mint a certificate
Both tools typically produce a .pfx (PKCS#12) file containing the certificate and private key. PywerView requires them as separate PEM-encoded files.

Extracting the Certificate and Key from a PFX

1. Extract the certificate

Use openssl to pull out the public certificate in PEM format:
openssl pkcs12 -in user.pfx -clcerts -nokeys -out user.crt
2. Extract the private key

Pull the unencrypted private key. The -nodes flag disables key encryption so PywerView can read it without a passphrase prompt:
openssl pkcs12 -in user.pfx -nocerts -nodes -out user.key
3. Pass both files to PywerView

Use --cert and --key in your command:
pywerview get-netuser \
  -w contoso.com \
  --dc-ip 172.16.0.55 \
  --cert stormtroopers.crt \
  --key stormtroopers.key \
  --username administrator \
  --attributes distinguishedname useraccountcontrol \
  --tls
Output:
distinguishedname:  CN=Administrator,CN=Users,DC=contoso,DC=com
useraccountcontrol: NORMAL_ACCOUNT
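A script that performs the PFX extraction above and then checks the two PEM files before they are handed to --cert and --key, as an added example that is not part of PywerView or its documentation. The function names, the optional PFX password argument and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of PywerView or its docs. Splits a PFX into the
# separate PEM certificate and unencrypted key that --cert/--key expect,
# then verifies the pair before it is handed to PywerView.
set -eu

# pfx_to_pem <bundle.pfx> <out-prefix> [pfx-password]
# Writes <out-prefix>.crt and <out-prefix>.key. The password defaults to
# empty, which is what an unprotected PFX export uses.
pfx_to_pem() {
    local pfx prefix pw
    pfx=$1; prefix=$2; pw=${3:-}
    # -clcerts keeps only the end-entity certificate, -nokeys drops the key
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys \
        -out "$prefix.crt"
    # -nodes writes the key without a passphrase (PywerView cannot prompt)
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes \
        -out "$prefix.key"
    chmod 600 "$prefix.key"   # the key is a credential: owner-only access
}

# key_is_unencrypted <key.pem>: succeeds only if the key loads without a
# passphrase, i.e. -nodes really took effect.
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# cert_matches_key <cert.pem> <key.pem>: succeeds only if the public key in
# the certificate equals the public half of the private key. A mismatched
# pair (wrong export, wrong file) fails the TLS handshake with an unhelpful
# error, so it is cheaper to check here.
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# Usage (file names are placeholders):
#   pfx_to_pem user.pfx user && key_is_unencrypted user.key \
#     && cert_matches_key user.crt user.key
#   pywerview get-netuser -w contoso.com --dc-ip 172.16.0.55 \
#     --cert user.crt --key user.key --username administrator --tls
```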

Certificate Flags

--cert
string
Path to the X.509 certificate file in PEM format (.crt or .pem). This is the public certificate associated with the authenticating account.
--key
string
Path to the private key file in PEM format (.key). Must be unencrypted (use -nodes when extracting from a PFX).

TLS Behavior with Certificate Authentication

The --tls flag changes the underlying bind mechanism used for certificate authentication:
  • Without --tls — PywerView negotiates StartTLS on the standard LDAP port (389) and performs an EXTERNAL SASL bind, as described in the Microsoft MS-ADTS documentation.
  • With --tls — PywerView connects directly to the LDAPS port (636) and presents the certificate over the TLS channel.
If your domain controller does not have StartTLS enabled or you encounter certificate validation errors on port 389, add --tls to force LDAPS. See TLS / LDAPS for more detail.

Supported Commands

SChannel authentication is available for the following commands:
Command                   Description
------------------------  --------------------------------------------------
get-adobject              Query objects by SID, samAccountName, or name
get-objectowner           Return the owner of an AD object
get-netpki                List pKIEnrollmentService (CA) objects
get-netcerttmpl           List certificate templates
get-netgmsa               List Group Managed Service Accounts
get-netsmsa               List standalone Managed Service Accounts
get-objectacl             Return the ACL of an AD object
get-netuser               Query domain user information
get-netgroup              List domain groups or group memberships
get-netcomputer           Query domain computer accounts
get-netdomaincontroller   List domain controllers
get-netfileserver         List file servers from user attributes
get-netou                 List Organizational Units
get-netsite               List AD sites
get-netsubnet             List AD subnets
get-netdomaintrust        List domain trusts
get-netpso                List Password Settings Objects
get-netgpo                List Group Policy Objects
get-netgroupmember        List members of a domain group
Commands that operate over SMB or RPC (e.g., get-netsession, get-netshare) do not support SChannel and require NTLM or Kerberos credentials instead.