
get-netcerttmpl searches the CN=Certificate Templates,CN=Public Key Services,CN=Services subtree of the configuration naming context for all pKICertificateTemplate objects. By default it returns each template’s name, enrollment flags (msPKI-Enrollment-Flag), extended key usages (pKIExtendedKeyUsage), and the set of principals granted enrollment rights derived from the template’s nTSecurityDescriptor (allowedprincipals). Use --resolve-sids to translate raw SIDs in the security descriptor into human-readable distinguished names, and --caname to restrict output to only the templates published by a specific Certificate Authority — pywerview will first look up the CA’s certificateTemplates attribute and then filter the full template list accordingly.
Certificate templates with overly permissive enrollment rights or dangerous configuration flags are the root cause of the ESC1–ESC8 ADCS privilege escalation attack paths documented by SpecterOps. Attributes like msPKI-Enrollment-Flag, pKIExtendedKeyUsage, and allowedprincipals are precisely what tools such as Certipy and Certify inspect to detect vulnerable templates automatically. Pipe get-netcerttmpl --json --resolve-sids output into those tools to correlate pywerview’s enumeration with a full vulnerability assessment.

Flags

Global flags

-t, --dc-ip (string, required): IP address of the Domain Controller to target.
-w, --workgroup (string): Name of the domain to authenticate with.
-u, --user (string): Username used to connect to the Domain Controller.
-p, --password (string): Password associated with the username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. Use :$NTHASH to supply only the NT hash.
-k (boolean): Use Kerberos authentication. Credentials are sourced from the KRB5CCNAME ccache file based on target parameters, falling back to the values provided on the command line.
--tls (boolean): Force a TLS (LDAPS) connection to the Domain Controller.
--cert (string): Path to a certificate file for certificate-based authentication.
--key (string): Path to the private key associated with the certificate.
--simple-auth (boolean): Force SIMPLE LDAP authentication instead of the default SASL/NTLM bind.
-l, --logging-level (string): STDERR logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results in JSON format instead of the default key-value output.

Command-specific flags

-d, --domain (string): Target domain to query. Defaults to the domain of the authenticating user.
--resolve-sids (boolean): Resolve SIDs found in each template’s nTSecurityDescriptor to human-readable names when populating allowedprincipals.
--caname (string): Filter results to only the certificate templates published by the named CA. The CA’s certificateTemplates attribute is fetched first and used to filter the full list. Must match the CA’s displayName exactly.

Examples

# List all certificate templates in the domain
pywerview get-netcerttmpl -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# List templates with enrollment principals resolved to names
pywerview get-netcerttmpl -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --resolve-sids

# Filter to only templates published by a specific CA
pywerview get-netcerttmpl -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --caname 'contoso-CA'

# Combine CA filter with SID resolution
pywerview get-netcerttmpl -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --caname 'contoso-CA' --resolve-sids

# JSON output with resolved SIDs for use with Certipy or custom tooling
pywerview get-netcerttmpl -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json --resolve-sids

# Kerberos authentication
pywerview get-netcerttmpl -t dc.contoso.com -k -w contoso.com --resolve-sids

Example output

name:                     User
mspki-enrollment-flag:    ['AUTO_ENROLLMENT']
pkiextendedkeyusage:      ['1.3.6.1.5.5.7.3.4', '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2']
allowedprincipals:        S-1-5-21-863927164-4106933278-53377030-513

With --resolve-sids:

name:                     User
mspki-enrollment-flag:    ['AUTO_ENROLLMENT']
pkiextendedkeyusage:      ['1.3.6.1.5.5.7.3.4', '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2']
allowedprincipals:        CN=Domain Users,CN=Users,DC=contoso,DC=com
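
A defender-side triage of the fields described above, as an added example that is not part of pywerview or its documentation: it reads `--json` output (with or without `--resolve-sids`) and lists templates where a catch-all group can enroll and the EKUs permit authentication, as a shortlist for review rather than a vulnerability verdict. The JSON shape (a list of objects keyed like the text output) is an assumption, and the sample records are constructed from the example output above.

```python
import json

# EKU OIDs under which a certificate can be used to authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
BROAD_RIDS = ("-513", "-515")          # Domain Users, Domain Computers
BROAD_NAMES = {"everyone", "authenticated users", "domain users", "domain computers"}

def as_list(value):
    """Single values may arrive as a bare string (assumed); normalise to a list."""
    return list(value) if isinstance(value, (list, tuple)) else ([value] if value else [])

def is_broad(principal):
    """True for low-privilege catch-all groups, given as a raw SID or a resolved DN."""
    p = principal.strip()
    if p.upper().startswith("S-1-"):
        return p in BROAD_SIDS or (p.startswith("S-1-5-21-") and p.endswith(BROAD_RIDS))
    # Resolved form: compare the value of the first RDN, e.g. "CN=Domain Users".
    return p.split(",", 1)[0].split("=", 1)[-1].strip().lower() in BROAD_NAMES

def review_queue(json_text):
    """Templates where a broad group may enroll and the EKUs permit authentication."""
    queue = []
    for tmpl in json.loads(json_text):
        ekus = as_list(tmpl.get("pkiextendedkeyusage"))
        # A template with no EKU at all places no restriction on certificate usage.
        usage = [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS] if ekus else ["no EKU restriction"]
        broad = [p for p in as_list(tmpl.get("allowedprincipals")) if is_broad(p)]
        if usage and broad:
            queue.append({"name": tmpl.get("name"), "usage": usage, "enrollers": broad})
    return queue

# Constructed sample: the first record mirrors the example output above, the rest are invented.
SAMPLE = json.dumps([
    {"name": "User", "mspki-enrollment-flag": ["AUTO_ENROLLMENT"],
     "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"],
     "allowedprincipals": "CN=Domain Users,CN=Users,DC=contoso,DC=com"},
    {"name": "WebServer", "mspki-enrollment-flag": [], "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.1"],
     "allowedprincipals": ["CN=Domain Admins,CN=Users,DC=contoso,DC=com"]},
    {"name": "Workstation", "mspki-enrollment-flag": ["AUTO_ENROLLMENT"],
     "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
     "allowedprincipals": ["S-1-5-21-863927164-4106933278-53377030-515"]},
])

if __name__ == "__main__":
    print(json.dumps(review_queue(SAMPLE), indent=2))
```

The default User template appears in the queue by design; whether a listed template is actually a problem depends on attributes this command does not return by default, so confirm each entry with a full ADCS assessment.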
