Documentation Index
Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt
Use this file to discover all available pages before exploring further.
get-netfileserver queries a domain controller via LDAP to retrieve all domain user objects and then extracts server hostnames referenced in the homeDirectory, scriptPath, and profilePath attributes. These attributes frequently contain UNC paths pointing to file servers that store sensitive user data, logon scripts, and roaming profiles. The command deduplicates and returns the unique set of hostnames, making it a fast and passive technique for discovering high-value file server targets without scanning the network. Results can be piped into other PywerView commands or used to target specific hosts for further enumeration.
Flags
IP address of the domain controller to query.
Name of the domain to authenticate with.
Username for authentication against the domain controller.
Password associated with the specified username.
NTLM hashes for pass-the-hash authentication. Format:
[LMHASH:]NTHASH. The LM portion can be omitted or replaced with the empty LM hash.Use Kerberos authentication. Reads credentials from the
KRB5CCNAME ccache file based on target parameters.Force a TLS (LDAPS) connection to the domain controller.
Path to a certificate file for certificate-based authentication.
Path to a private key file associated with the certificate for authentication.
Force SIMPLE LDAP authentication instead of the default NTLM/Kerberos.
Space-separated list of usernames to target when extracting file server paths. Wildcards are accepted (e.g.,
admin*). When omitted, all domain users are queried.Domain to query. Defaults to the domain of the authenticating user when not specified.
Logging verbosity sent to stderr. Choices:
CRITICAL (default), WARNING, DEBUG, ULTRA.Print results as JSON instead of the default human-readable format.