Documentation Index
Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt
Use this file to discover all available pages before exploring further.
get-netdomaincontroller enumerates every domain controller in a given domain by issuing an LDAP query filtered on the userAccountControl Server Trust Account flag (0x2000). It is implemented as a thin wrapper around get-netcomputer with --full-data enabled, so each result includes the complete computer object rather than just a hostname. This makes it straightforward to identify all DCs at the start of an assessment, verify their names before targeting, or pivot into a trusted child domain to enumerate its controllers from a single entry point.
Global Flags
IP address of the Domain Controller to target.
Name of the domain used for authentication (e.g.
contoso.com).Username to authenticate with against the Domain Controller.
Password associated with the specified username.
NTLM hashes for pass-the-hash authentication. Format:
[LMHASH:]NTHASH.Use Kerberos authentication. Credentials are read from the
KRB5CCNAME ccache file; falls back to command-line credentials if no valid ticket is found.Force a TLS-encrypted connection to the Domain Controller.
Path to the certificate file to use for authentication.
Path to the private key file associated with the certificate.
Force SIMPLE LDAP authentication instead of the default SASL/NTLM binding.
Logging verbosity. Choices:
CRITICAL (default), WARNING, DEBUG, ULTRA.Print results in JSON format instead of the default tabular output.
Command Flags
Domain to enumerate domain controllers for. Defaults to the domain supplied by
-w if omitted. Set this to a trusted domain name to enumerate its controllers through the initially targeted DC.