get-netlocalgroup queries a target Windows host and enumerates the members of a specific local group, defaulting to the built-in Administrators group. It can also list all local groups present on the machine. Members may be local accounts, domain accounts, or domain groups.

When domain SID resolution is needed (for example, to translate a domain group SID into a readable name), supply a domain controller IP via -t. The --recurse flag further expands any domain groups found in the local group to enumerate their full membership. Local credentials are accepted and sufficient for basic enumeration, but domain credentials are required for SID resolution.

Domain SID resolution requires supplying a domain controller IP address via -t/--dc-ip. Without this, domain SIDs in the local group membership will appear as raw SID strings.

Flags

--computername (string, required)
    IP address or hostname of the target Windows host to enumerate local groups on.

-w, --workgroup (string)
    Name of the domain to authenticate with. Can be omitted when using local credentials.

-u, --user (string)
    Username for authentication. Accepts both domain and local accounts.

-p, --password (string)
    Password associated with the specified username.

--hashes (string)
    NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or replaced with the empty LM hash.

-k (boolean)
    Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.

--groupname (string)
    Name of the local group to list members of. Defaults to the local Administrators group when not specified.

--list-groups (boolean)
    If set, returns a list of all local groups on the target instead of enumerating members of a specific group.

-t, --dc-ip (string)
    IP address of a domain controller, used to resolve domain SIDs found in local group membership to human-readable names.

--tls (boolean)
    Force a TLS connection to the domain controller when resolving SIDs.

-r, --recurse (boolean)
    If a member of the local group is itself a domain group, recursively resolve its members as well.

-l, --logging-level (string)
    Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.

--json (boolean)
    Print results as JSON instead of the default human-readable format.

Examples

# List members of the local Administrators group (default)
pywerview get-netlocalgroup --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com

# List all local groups on the target
pywerview get-netlocalgroup --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com --list-groups

# List Remote Desktop Users and resolve domain SIDs via DC
pywerview get-netlocalgroup --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Remote Desktop Users' -t dc.contoso.com --recurse

# Pass-the-hash with SID resolution (<NTHASH> is a placeholder for the account's NT hash;
# the LM portion is omitted, as the [LMHASH:]NTHASH format allows)
pywerview get-netlocalgroup --computername 192.168.1.10 -u alice --hashes ':<NTHASH>' \
  -w contoso.com -t dc.contoso.com

# JSON output
pywerview get-netlocalgroup --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com --json
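
Added example, not part of pywerview or its documentation: when -t/--dc-ip is not supplied and members appear as raw SID strings, the SID structure alone still shows which entries are machine-local, which are well-known, and which issuing domains would need a domain controller to resolve. The function names, the machine SID passed in by the caller, and all sample SIDs are assumptions constructed for illustration.

```python
import re

# Well-known SIDs that are not issued by a machine or domain.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone",
                   "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
                   "S-1-5-32-544": "BUILTIN\\Administrators"}
# Well-known relative IDs (last sub-authority of an S-1-5-21-... account SID).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def classify_sid(sid, machine_sid):
    """Return (scope, issuer_sid, rid, hint) for one raw SID string."""
    sid = sid.strip().upper()
    match = SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a SID string: {sid!r}")
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", None, None, WELL_KNOWN_SIDS[sid])
    subs = [int(part) for part in match.group(2).split("-")[1:]]
    # Account SIDs: authority 5, sub-authority 21, three issuer values, RID.
    if match.group(1) == "5" and len(subs) == 5 and subs[0] == 21:
        issuer = sid.rsplit("-", 1)[0]
        scope = "local" if issuer == machine_sid.strip().upper() else "domain"
        return (scope, issuer, subs[-1], WELL_KNOWN_RIDS.get(subs[-1]))
    return ("other", None, None, None)


def domains_needing_resolution(sids, machine_sid):
    """Group domain-issued SIDs by issuer; each key needs a DC to resolve."""
    pending = {}
    for sid in sids:
        scope, issuer, rid, hint = classify_sid(sid, machine_sid)
        if scope == "domain":
            pending.setdefault(issuer, []).append((rid, hint))
    return pending


# Constructed sample values, not output captured from a real host.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_SID = "S-1-5-21-1234567890-1234567891-1234567892"
MEMBERS = [MACHINE_SID + "-500", DOMAIN_SID + "-512", DOMAIN_SID + "-1104",
           "S-1-5-11"]

if __name__ == "__main__":
    for member in MEMBERS:
        print(member, classify_sid(member, MACHINE_SID))
    print(domains_needing_resolution(MEMBERS, MACHINE_SID))
```

A domain-issued RID with no hint (1104 in the sample) is an ordinary account or group and can only be named by resolving it against that domain's controller.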
