get-netsubnet queries the domain controller via LDAP to enumerate all subnet objects defined in Active Directory Sites and Services. Each subnet object associates an IP address range (in CIDR notation) with an AD site, which controls how clients locate domain controllers and how replication traffic is routed. By default the command returns only the name (the CIDR range) of each subnet; use --full-data to retrieve the full LDAP attribute set including the associated site linkage. Filtering by --sitename lets you quickly identify which IP ranges belong to a particular site, which is valuable for mapping a target organisation’s physical network layout from an AD perspective alone.

Flags

-t, --dc-ip (string, required)
    IP address of the domain controller to target.
-w, --workgroup (string)
    Name of the domain to authenticate with (e.g. contoso.com).
-u, --user (string)
    Username used to connect to the domain controller.
-p, --password (string)
    Password associated with the specified username.
--hashes (string)
    NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or zeroed out.
-k (boolean)
    Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
--tls (boolean)
    Force a TLS (LDAPS) connection to the domain controller.
--cert (string)
    Path to a certificate file for certificate-based authentication.
--key (string)
    Path to the private key file associated with --cert.
--simple-auth (boolean)
    Force SIMPLE LDAP authentication instead of the default SASL/NTLM binding.
-l, --logging-level (string)
    Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean)
    Print results as JSON instead of the default human-readable format.
--sitename (string)
    Return only subnets associated with the specified site name. Wildcards are accepted (e.g. London*). When omitted, subnets for all sites are returned.
-d, --domain (string)
    Domain to query. Defaults to the domain inferred from the credentials or the target DC.
-a, --ads-path (string)
    Additional ADS path to restrict the LDAP search base.
--full-data (boolean)
    Return all LDAP attributes for each subnet object. Without this flag only the subnet name (CIDR range) is returned.

Examples

# List all AD subnets (CIDR names only)
pywerview get-netsubnet -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Return subnets for a specific site
pywerview get-netsubnet -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --sitename 'London-HQ'

# Return subnets for sites matching a wildcard
pywerview get-netsubnet -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --sitename 'London*'

# Return full LDAP attributes for all subnets
pywerview get-netsubnet -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --full-data

# Pass-the-hash authentication
pywerview get-netsubnet -t dc.contoso.com -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com

# Kerberos authentication
KRB5CCNAME=alice.ccache pywerview get-netsubnet -t dc.contoso.com -k -w contoso.com

# JSON output
pywerview get-netsubnet -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --json

Pair get-netsubnet with get-netsite to build a complete picture of the network topology registered in AD. First enumerate sites with get-netsite, then query each site’s subnets to map IP ranges to physical locations.
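
The subnet-to-site association described above can be used to audit AD Sites and Services coverage. The following is an added example, not part of pywerview or its documentation: it resolves host addresses to sites by most-specific subnet match and flags addresses that fall outside every defined subnet or inside a subnet with no site link. The record shape (the AD subnet attributes `name` and `siteObject`), the sample data and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample records (not real output). Assumed shape: the AD subnet
# object's "name" (CIDR) and "siteObject" (DN of the linked site) attributes.
SUBNETS = [
    {"name": "10.10.0.0/16", "siteObject": "CN=London-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com"},
    {"name": "10.10.20.0/24", "siteObject": "CN=London-DR,CN=Sites,CN=Configuration,DC=contoso,DC=com"},
    {"name": "192.168.50.0/24", "siteObject": "CN=Paris,CN=Sites,CN=Configuration,DC=contoso,DC=com"},
    {"name": "172.16.0.0/24"},  # subnet with no site link
]

def site_name(dn):
    """Extract the site CN from a siteObject DN, or None if the link is missing."""
    if not dn:
        return None
    first_rdn = dn.split(",", 1)[0]
    return first_rdn[3:] if first_rdn.upper().startswith("CN=") else None

def load_subnets(records):
    """Parse records into (network, site) pairs, most specific prefix first."""
    parsed = [(ipaddress.ip_network(r["name"], strict=False), site_name(r.get("siteObject")))
              for r in records]
    return sorted(parsed, key=lambda p: p[0].prefixlen, reverse=True)

def site_for_ip(ip, subnets):
    """Return (subnet, site) for the most specific subnet containing ip, else (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, site in subnets:
        if addr.version == net.version and addr in net:
            return str(net), site
    return None, None

def audit(hosts, records):
    """Split inventory hosts into mapped, uncovered, and unlinked-subnet lists."""
    subnets = load_subnets(records)
    report = {"mapped": {}, "uncovered": [], "unlinked": []}
    for ip in hosts:
        net, site = site_for_ip(ip, subnets)
        if net is None:
            report["uncovered"].append(ip)
        elif site is None:
            report["unlinked"].append(ip)
        else:
            report["mapped"][ip] = site
    return report

if __name__ == "__main__":
    print(audit(["10.10.20.5", "10.10.1.9", "172.16.0.4", "10.99.0.1"], SUBNETS))
```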
