get-netcomputer queries Active Directory via LDAP to enumerate computer accounts registered in the domain. By default it returns only the dnsHostName of each computer, keeping output concise; use --full-data or --attributes to retrieve richer object properties. A broad range of filters — operating system, service principal name, unconstrained delegation, LAPS password readability, and raw LDAP expressions — lets you scope results precisely, making this command the primary starting point for computer-centric AD reconnaissance from Linux.

Global Flags

-t, --dc-ip (string, required): IP address of the Domain Controller to target.
-w, --workgroup (string, required): Name of the domain used for authentication (e.g. contoso.com).
-u, --user (string): Username to authenticate with against the Domain Controller.
-p, --password (string): Password associated with the specified username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k (boolean): Use Kerberos authentication. Credentials are read from the KRB5CCNAME ccache file; falls back to command-line credentials if no valid ticket is found.
--tls (boolean): Force a TLS-encrypted connection to the Domain Controller.
--cert (string): Path to the certificate file to use for authentication.
--key (string): Path to the private key file associated with the certificate.
--simple-auth (boolean): Force SIMPLE LDAP authentication instead of the default SASL/NTLM binding.
-l, --logging-level (string): Logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results in JSON format instead of the default tabular output.

Command Flags

--computername (string): Filter results to a specific computer name (matches against dnsHostName).
-os, --operating-system (string): Return only computers matching this operating system string. Wildcards are accepted (e.g. Windows Server*).
-sp, --service-pack (string): Return only computers matching this service pack string. Wildcards are accepted.
-spn, --service-principal-name (string): Return only computers that have a matching service principal name registered. Wildcards are accepted.
-d, --domain (string): Domain to query. Defaults to the domain supplied by -w if omitted.
-a, --ads-path (string): Additional ADS (Active Directory Service) path to narrow the LDAP search base.
--printers (boolean): Query only printer objects (objectCategory=printQueue) rather than regular computer accounts.
--unconstrained (boolean): Return only computers configured with unconstrained Kerberos delegation (userAccountControl flag 524288). Useful for identifying high-value lateral movement targets.
--laps-passwords (boolean): Return only computers where the authenticated user can read the LAPS managed local administrator password (ms-mcs-AdmPwd attribute is visible). The LAPS password itself is included in the output.
--pre-created (boolean): Return computers potentially vulnerable to the pre-created computer account attack by filtering on the relevant userAccountControl bitmask (4128).
--ping (boolean): Ping each discovered computer and omit hosts that do not respond. Only live hosts are returned.
--full-data (boolean): Return all available LDAP attributes for each computer object instead of just dnsHostName and samaccountname.
--custom-filter (string): Append a raw LDAP filter expression to the search query, enabling arbitrary attribute-level filtering beyond the built-in options.
--attributes (string[]): Explicit list of LDAP attributes to include in the output. Overrides the default attribute set (unless --full-data is also set).

--pre-created uses a userAccountControl bitmask to detect potentially vulnerable pre-created computer accounts, but this heuristic is prone to false positives and false negatives. Always verify flagged accounts manually before drawing conclusions. See TrustedSec’s research for background on the attack.

Examples

# List all domain computers (dnsHostName only)
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Filter by Windows Server OS (wildcard)
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com -os 'Windows Server*'

# Find computers with unconstrained delegation
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --unconstrained

# Find computers with readable LAPS passwords
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --laps-passwords

# Full data on a specific computer
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --computername SRV-WEB --full-data

# Only return live (pingable) hosts
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --ping

# Find pre-created computer accounts (verify results manually)
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --pre-created

# Custom LDAP filter: computers with an SPN starting with 'http'
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --custom-filter '(servicePrincipalName=http*)'

# Select specific attributes
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --attributes samaccountname operatingsystem

# JSON output for pipeline processing
pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --full-data --json
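
As an added example (not part of pywerview or its documentation), the Python below decodes the userAccountControl values behind --unconstrained (524288) and --pre-created (4128) so that flagged hosts can be reviewed by hand. The record key names and sample hosts are constructed assumptions; the script reports domain controllers separately, since they carry the delegation bit by design, and shows where an exact-value test and a bit test on 4128 disagree.

```python
import json

# userAccountControl bits (Microsoft-documented values)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
UNCONSTRAINED = 0x80000        # 524288, the flag named for --unconstrained
PRE_CREATED = 0x1000 | 0x0020  # 4128, the bitmask named for --pre-created

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def triage(records):
    """Group computer records by the two userAccountControl conditions."""
    findings = {"unconstrained": [], "domain_controllers": [],
                "pre_created_exact": [], "pre_created_bits_only": []}
    for rec in records:
        host, uac = rec["dnshostname"], int(rec["useraccountcontrol"])
        if uac & UNCONSTRAINED:
            # Domain controllers carry this bit by design; report them apart.
            key = "domain_controllers" if uac & 0x2000 else "unconstrained"
            findings[key].append(host)
        if uac == PRE_CREATED:
            findings["pre_created_exact"].append(host)
        elif uac & PRE_CREATED == PRE_CREATED:
            # Both bits plus others (e.g. disabled): an equality test misses it.
            findings["pre_created_bits_only"].append(host)
    return findings

# Constructed sample; key names are assumed, not taken from pywerview output.
SAMPLE = json.loads("""[
 {"dnshostname": "dc01.contoso.com",      "useraccountcontrol": 532480},
 {"dnshostname": "srv-web.contoso.com",   "useraccountcontrol": 528384},
 {"dnshostname": "ws-042.contoso.com",    "useraccountcontrol": 4096},
 {"dnshostname": "kiosk-new.contoso.com", "useraccountcontrol": 4128},
 {"dnshostname": "kiosk-old.contoso.com", "useraccountcontrol": 4130}
]""")

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE).items():
        print(f"{group}: {hosts}")
```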
