Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

get-netsite queries the domain controller via LDAP to enumerate Active Directory Site objects, which represent the physical or logical network topology groupings used by AD to control replication and client authentication. By default the command returns only the name of each site, giving you a quick overview of how the domain’s geography is partitioned. Supply --full-data to retrieve the full set of LDAP attributes including replication schedules and GPO links. The --guid filter lets you find sites linked to a specific Group Policy Object, making this command useful for understanding how policy rolls out across different physical locations. Wildcard patterns in --sitename allow flexible fuzzy matching.

Flags

-t, --dc-ip
string
required
IP address of the domain controller to target.
-w, --workgroup
string
Name of the domain to authenticate with (e.g. contoso.com).
-u, --user
string
Username used to connect to the domain controller.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or zeroed out.
-k
boolean
Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
--tls
boolean
Force a TLS (LDAPS) connection to the domain controller.
--cert
string
Path to a certificate file for certificate-based authentication.
--key
string
Path to the private key file associated with --cert.
--simple-auth
boolean
Force SIMPLE LDAP authentication instead of the default SASL/NTLM binding.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.
--sitename
string
Site name to query. Wildcards are accepted (e.g. London*). When omitted, all sites are returned.
--guid
string
Only return sites that have the specified GPO GUID present in their gplink property.
-d, --domain
string
Domain to query. Defaults to the domain inferred from the credentials or the target DC.
-a, --ads-path
string
Additional ADS path to restrict the LDAP search base.
--full-data
boolean
Return all LDAP attributes for each site object. Without this flag only the site name is returned.

Examples

# List all AD sites (name only)
pywerview get-netsite -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Filter sites by name with a wildcard
pywerview get-netsite -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --sitename 'London*'

# Return full LDAP attributes for all sites
pywerview get-netsite -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --full-data

# Find sites linked to a specific GPO by its GUID
pywerview get-netsite -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --guid '{31B2F340-016D-11D2-945F-00C04FB984F9}'

# Pass-the-hash authentication
pywerview get-netsite -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com

# Kerberos authentication
KRB5CCNAME=alice.ccache pywerview get-netsite -t dc.contoso.com -k -w contoso.com

# JSON output
pywerview get-netsite -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --full-data --json
AD site objects are stored under CN=Sites,CN=Configuration,DC=contoso,DC=com in the directory. The --ads-path flag can be used to restrict queries to a specific configuration partition path if needed.

Build docs developers (and LLMs) love

Get started for freeTalk to us