get-netuser queries Active Directory for user account objects and returns their attributes. It is one of the most frequently used PywerView commands during domain reconnaissance: you can enumerate every user in the domain, narrow results to accounts that carry Service Principal Names for Kerberoasting, surface accounts vulnerable to AS-REP roasting because pre-authentication is disabled, identify accounts with unconstrained delegation, or isolate highly privileged accounts flagged with adminCount=1. All filters translate directly to optimised LDAP search filters, so filtering is performed server-side by the Domain Controller rather than locally on the client.

Global Flags

These flags are shared across all PywerView commands that communicate with a Domain Controller.
-t, --dc-ip (string, required): IP address of the Domain Controller to target.
-w, --workgroup (string): Name of the domain to authenticate with (e.g. contoso.com).
-u, --user (string): Username used to authenticate to the Domain Controller.
-p, --password (string): Password associated with the authenticating user.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k (boolean): Use Kerberos authentication. Reads credentials from the KRB5CCNAME ccache file; falls back to command-line credentials if none are found.
--tls (boolean): Force a TLS (LDAPS) connection to the Domain Controller.
--cert (string): Path to a certificate file for certificate-based authentication.
--key (string): Path to the private key associated with the certificate.
--simple-auth (boolean): Force SIMPLE LDAP authentication instead of the default NTLM/Kerberos binding.
-l, --logging-level (string): Stderr logging verbosity. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results in JSON format instead of the default human-readable output.

Command Flags

--username (string): SAM account name of the user to query. Wildcards are accepted (e.g. admin*). When omitted, all domain users are returned unless --spn is set.
-d, --domain (string): The domain to query. Defaults to the domain of the authenticating user.
-a, --ads-path (string): Additional LDAP ADS path to search within (e.g. OU=Finance,DC=contoso,DC=com).
--unconstrained (boolean): Return only user accounts that have unconstrained Kerberos delegation enabled (userAccountControl flag TRUSTED_FOR_DELEGATION).
--admin-count (boolean): Return only user accounts where adminCount=1, indicating the account has been or is currently protected by AdminSDHolder.
--allow-delegation (boolean): Return user accounts that are not marked as "sensitive and not allowed for delegation". Useful for finding accounts that can be delegated to services.
--preauth-notreq (boolean): Return accounts with the PREAUTH_NOT_REQUIRED flag set in userAccountControl. These accounts are vulnerable to AS-REP roasting: an AS-REP, part of which is encrypted with a key derived from the account's password, can be requested without valid credentials and cracked offline.
--spn (boolean): Return only accounts with a non-null servicePrincipalName attribute. These accounts are Kerberoastable: a TGS ticket can be requested for them and cracked offline. Cannot be combined with --username.
--custom-filter (string): Append a raw LDAP filter string to the query (e.g. (department=Engineering)). The filter is combined with the base samAccountType filter using a logical AND.
--attributes (string[]): Space-separated list of LDAP attributes to include in the output (e.g. distinguishedname memberof lastlogon). When omitted, a default set of user attributes is returned.
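
The flags above each correspond to one LDAP filter clause ANDed onto the base samAccountType filter. The following is an added example, not PywerView's own code: it builds an equivalent filter and decodes userAccountControl values, which helps when auditing a directory for these conditions or recognising such queries in LDAP logs. The function names and the exact clause layout are assumptions; the numeric constants are standard Active Directory values.

```python
# Added example: approximates the filter clause each get-netuser flag implies.
# The exact strings PywerView sends are an assumption, not taken from its source.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
SAM_USER_OBJECT = 805306368         # samAccountType of normal user accounts
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
NOT_DELEGATED = 0x100000            # "sensitive and not allowed for delegation"
DONT_REQ_PREAUTH = 0x400000         # the page's PREAUTH_NOT_REQUIRED

def ldap_escape(value):
    """RFC 4515 escaping that keeps '*' so wildcards such as admin* still work."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, esc)
    return out

def uac_clause(bit, negate=False):
    clause = f"(userAccountControl:{BIT_AND}:={bit})"
    return f"(!{clause})" if negate else clause

def build_user_filter(username=None, spn=False, unconstrained=False, admin_count=False,
                      allow_delegation=False, preauth_notreq=False, custom_filter=""):
    """Return one server-side LDAP filter for the selected flags."""
    if spn and username:
        raise ValueError("--spn cannot be combined with --username")
    clauses = [f"(samAccountType={SAM_USER_OBJECT})"]
    if username:
        clauses.append(f"(samAccountName={ldap_escape(username)})")
    if spn:
        clauses.append("(servicePrincipalName=*)")
    if unconstrained:
        clauses.append(uac_clause(TRUSTED_FOR_DELEGATION))
    if admin_count:
        clauses.append("(adminCount=1)")
    if allow_delegation:
        clauses.append(uac_clause(NOT_DELEGATED, negate=True))
    if preauth_notreq:
        clauses.append(uac_clause(DONT_REQ_PREAUTH))
    if custom_filter:
        clauses.append(custom_filter)  # raw filter, ANDed as-is
    return "(&" + "".join(clauses) + ")"

def uac_findings(uac):
    """Decode a userAccountControl integer into the risky conditions it carries."""
    names = {TRUSTED_FOR_DELEGATION: "unconstrained delegation",
             DONT_REQ_PREAUTH: "pre-authentication not required"}
    return [label for bit, label in names.items() if uac & bit]
```

Running `uac_findings` over the userAccountControl values of an exported user list gives a quick remediation queue for accounts that should have pre-authentication re-enabled or delegation removed.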

Examples

# List all domain users
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com

# Find Kerberoastable users (have SPNs)
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --spn

# Find AS-REP roasting targets
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --preauth-notreq

# Find admin users (adminCount=1)
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --admin-count

# Find users with unconstrained delegation
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --unconstrained

# Query specific user with specific attributes
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --attributes distinguishedname memberof lastlogon

# JSON output (useful for piping into jq or other tools)
pywerview get-netuser -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com --spn --json