get-dfsshare queries the domain controller via LDAP to enumerate all Distributed File System (DFS) share objects registered in the domain. DFS namespaces allow organisations to publish shared network paths that are transparently load-balanced and replicated across multiple servers, making them a valuable source of information during Active Directory reconnaissance — DFS targets often host sensitive internal resources, and the namespace roots reveal the underlying file server infrastructure. The command supports both DFS version 1 (msDFS-Namespacev1) and version 2 (msDFS-Namespacev2) objects, querying both by default.
get-dfsshare uses the standard ad_parser for authentication and requires a domain controller IP (-t/--dc-ip). It does not support certificate-based or --simple-auth authentication modes.

Flags

-t, --dc-ip (string, required): IP address of the domain controller to target.
-w, --workgroup (string): Name of the domain to authenticate with (e.g. contoso.com).
-u, --user (string): Username used to connect to the domain controller.
-p, --password (string): Password associated with the specified username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or zeroed out.
-k (boolean): Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
--tls (boolean): Force a TLS (LDAPS) connection to the domain controller.
-l, --logging-level (string): Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results as JSON instead of the default human-readable format.
-d, --domain (string): Domain to query. Defaults to the domain inferred from the credentials or the target DC.
-v, --version (string[], default: ['v1', 'v2']): DFS version(s) to query. Accepted values: v1, v2. Pass one or both. Defaults to querying both v1 and v2 when not specified.
-a, --ads-path (string): Additional ADS path to restrict the LDAP search base.

Examples

# List all DFS shares (v1 and v2) in the domain
pywerview get-dfsshare -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Query only DFS v1 shares
pywerview get-dfsshare -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com -v v1

# Query only DFS v2 shares
pywerview get-dfsshare -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com -v v2

# Pass-the-hash authentication
pywerview get-dfsshare -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com

# Kerberos authentication
KRB5CCNAME=alice.ccache pywerview get-dfsshare -t dc.contoso.com -k -w contoso.com

# JSON output
pywerview get-dfsshare -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json

DFS share roots expose the underlying file servers hosting replicated content. Use the server names returned by get-dfsshare as input to get-netshare or get-netsession for further host-level enumeration.
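
Because the enumeration described above is a set of LDAP searches for DFS object classes, it can be spotted in domain controller LDAP search logs. The following is an added example, not part of pywerview or its documentation; the log format, the sample lines, the allowlisted host, and the fTDfs and msDFS-* class names it matches are assumptions.

```python
import re
from collections import defaultdict

# Schema class names tied to DFS namespaces in Active Directory.
# Matching fTDfs and the msDFS-* family is an assumption about what a DFS
# enumeration filter references; confirm against your own DC search logs.
DFS_CLASS = re.compile(
    r"\(object(?:Class|Category)=(fTDfs|msDFS-[A-Za-z0-9]+)\)", re.IGNORECASE)
# key=value pairs; values may be double-quoted so LDAP filters stay intact.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one line per LDAP search, in a made-up key=value export
# format (not a real Windows event layout).
SAMPLE_LOG = r'''
2024-05-01T10:00:01Z client=10.0.0.23 user=CONTOSO\alice filter="(&(objectClass=fTDfs))"
2024-05-01T10:00:02Z client=10.0.0.23 user=CONTOSO\alice filter="(&(objectClass=msDFS-Linkv2))"
2024-05-01T10:03:10Z client=10.0.0.8 user=CONTOSO\svc-backup filter="(&(objectClass=user)(sAMAccountName=bob))"
2024-05-01T10:05:44Z client=10.0.0.5 user=CONTOSO\dfs-admin filter="(objectClass=msDFS-Namespacev2)"
'''.strip().splitlines()


def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def find_dfs_enumeration(lines, expected_clients=()):
    """Return {client: sorted DFS classes searched} for non-allowlisted clients."""
    hits = defaultdict(set)
    for line in lines:
        record = parse_line(line)
        classes = DFS_CLASS.findall(record.get("filter", ""))
        # Hosts that legitimately manage DFS are skipped via the allowlist.
        if classes and record.get("client") not in expected_clients:
            hits[record["client"]].update(c.lower() for c in classes)
    return {client: sorted(found) for client, found in hits.items()}


if __name__ == "__main__":
    # 10.0.0.5 stands in for a known DFS management host (hypothetical).
    alerts = find_dfs_enumeration(SAMPLE_LOG, expected_clients={"10.0.0.5"})
    for client, classes in alerts.items():
        print(f"{client} searched DFS classes: {', '.join(classes)}")
```

A single client searching both the v1 and v2 classes within seconds, as 10.0.0.23 does in the sample, matches the default behaviour of querying both versions.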