get-netpki searches the Active Directory configuration naming context for all pKIEnrollmentService objects — each one representing a Certificate Authority (CA) published by an Active Directory Certificate Services (ADCS) deployment. By default, the command returns the CA display name, DNS host name, the list of certificate templates it publishes (certificateTemplates), the enrollment server URIs (msPKI-Enrollment-Servers), and — after parsing the raw nTSecurityDescriptor — the set of principals who hold enrollment rights (allowedprincipals). Pass --full-data to retrieve every available attribute for deeper inspection. Use --resolve-sids to convert the raw SIDs in the security descriptor into human-readable names, and --caname to scope the search to a specific CA when the environment contains multiple issuing CAs.
get-netpki and get-netcerttmpl together expose the two layers of ADCS access control — CA-level enrollment permissions and template-level configuration. Combining both outputs gives you the data required to identify ESC1–ESC8 attack paths. Feed the results into tools like Certipy or Certify for automated vulnerability analysis.

Flags

Global flags

-t, --dc-ip (string, required): IP address of the Domain Controller to target.
-w, --workgroup (string): Name of the domain to authenticate with.
-u, --user (string): Username used to connect to the Domain Controller.
-p, --password (string): Password associated with the username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. Use :$NTHASH to supply only the NT hash.
-k (boolean): Use Kerberos authentication. Credentials are sourced from the KRB5CCNAME ccache file based on target parameters, falling back to the values provided on the command line.
--tls (boolean): Force a TLS (LDAPS) connection to the Domain Controller.
--cert (string): Path to a certificate file for certificate-based authentication.
--key (string): Path to the private key associated with the certificate.
--simple-auth (boolean): Force SIMPLE LDAP authentication instead of the default SASL/NTLM bind.
-l, --logging-level (string): STDERR logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results in JSON format instead of the default key-value output.

Command-specific flags

-d, --domain (string): Target domain to query. Defaults to the domain of the authenticating user.
--resolve-sids (boolean): Resolve SIDs found in the CA’s nTSecurityDescriptor to human-readable names when populating allowedprincipals.
--full-data (boolean): Return all available LDAP attributes for each pKIEnrollmentService object instead of the default subset (certificateTemplates, displayName, dNSHostName, name, msPKI-Enrollment-Servers, nTSecurityDescriptor).
--caname (string): Filter by CA display name. Wildcards accepted (matched against the displayName attribute).

Examples

# List all Certificate Authorities in the domain
pywerview get-netpki -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Retrieve full CA data with SIDs resolved to names
pywerview get-netpki -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --full-data --resolve-sids

# Query a specific CA by display name
pywerview get-netpki -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --caname 'contoso-CA'

# JSON output with resolved SIDs for automated analysis
pywerview get-netpki -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json --resolve-sids

# Pass-the-hash with TLS
pywerview get-netpki -t dc.contoso.com -u alice --hashes :$NT_HASH -w contoso.com --tls --resolve-sids

Example output

displayname:              contoso-CA
dnshostname:              pki.contoso.com
name:                     contoso-CA
certificatetemplates:     ['User', 'Machine', 'WebServer', 'SubCA']
mspki-enrollment-servers: 1\npki.contoso.com\ncontoso-CA\n60\nhttps://pki.contoso.com/certsrv/mscep/mscep.dll
allowedprincipals:        S-1-5-21-863927164-4106933278-53377030-513

With --resolve-sids:

allowedprincipals:        CN=Domain Users,CN=Users,DC=contoso,DC=com
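
For a defensive review of CA-level enrollment rights, the key-value output above can be parsed and checked for broad principals and published web enrollment URIs. This is an added example, not part of pywerview; `parse_records`, `as_list` and `audit_ca` are hypothetical names, and it assumes a blank line separates CA records and that multi-valued fields print as Python lists the way certificatetemplates does.

```python
import ast
import re
# Well-known SIDs and domain-relative RIDs that cover nearly every account.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

def parse_records(text):
    """One dict per CA. Assumption: a blank line separates records."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        key, sep, value = line.partition(":")
        if not line.strip():
            records += [current] if current else []
            current = {}
        elif sep:
            value = value.strip()
            if value.startswith("["):  # lists are shown as Python literals
                value = ast.literal_eval(value)
            current[key.strip().lower()] = value
    return records

def as_list(value):
    return value if isinstance(value, list) else [value] if value else []

def audit_ca(rec):
    """Return review findings for one parsed CA record."""
    findings = []
    for p in as_list(rec.get("allowedprincipals")):
        m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", p)
        label = BROAD_SIDS.get(p) or (BROAD_RIDS.get(m.group(1)) if m else None)
        if not label and re.match(r"CN=Domain (Users|Computers),", p, re.I):
            label = p.split(",", 1)[0][3:]  # resolved DN from --resolve-sids
        if label:
            findings.append(f"broad enrollment principal: {label}")
    for entry in as_list(rec.get("mspki-enrollment-servers")):
        for field in re.split(r"\\n|\n", entry):  # fields are joined by "\n"
            if field.lower().startswith(("http://", "https://")):
                findings.append(f"web enrollment endpoint: {field}")
    return findings

# Constructed sample: first record mirrors the page's example, second is invented.
SAMPLE = r"""displayname:              contoso-CA
certificatetemplates:     ['User', 'Machine', 'WebServer', 'SubCA']
mspki-enrollment-servers: 1\npki.contoso.com\ncontoso-CA\n60\nhttps://pki.contoso.com/certsrv/mscep/mscep.dll
allowedprincipals:        S-1-5-21-863927164-4106933278-53377030-513

displayname:              contoso-SubCA
allowedprincipals:        CN=PKI Admins,CN=Users,DC=contoso,DC=com"""
for ca in parse_records(SAMPLE):
    print(ca["displayname"], audit_ca(ca))
```

A finding here only marks a CA for review; whether a given template is actually exposed also depends on the template-level settings that get-netcerttmpl reports.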
