Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/the-useless-one/pywerview/llms.txt

Use this file to discover all available pages before exploring further.

PywerView is not limited to its command-line interface. Every enumeration capability is exposed through importable Python classes and a set of helper functions in pywerview.cli.helpers, making it straightforward to embed Active Directory queries into your own scripts, automation pipelines, or post-exploitation frameworks. Results are returned as Python objects whose attributes map directly to LDAP attribute names, so you can filter, transform, and output data however your workflow requires — no shell parsing needed.

Core Classes

PywerView’s functionality is organized into four main classes. Each wraps an authenticated LDAP or RPC connection and exposes methods that correspond to CLI subcommands.

NetRequester

pywerview.functions.net.NetRequesterThe primary class for LDAP-based AD queries: users, computers, groups, OUs, sites, subnets, domain controllers, trusts, ACLs, and more.

GPORequester

pywerview.functions.gpo.GPORequesterHandles Group Policy Object enumeration: GPOs, PSOs, GPO groups, domain policy, and GPO-based admin lookups.

Hunting Classes

pywerview.functions.hunting.UserHunter pywerview.functions.hunting.ProcessHunter pywerview.functions.hunting.EventHunterHunt for users logged into machines, running processes, and Windows event log entries across the domain.

Misc

pywerview.functions.misc.MiscMiscellaneous helpers, including invoke_checklocaladminaccess for testing local admin access on remote hosts.

Using Helper Functions

The pywerview.cli.helpers module provides thin wrapper functions that instantiate the appropriate class and call the correct method in a single call. This is the recommended entry point for most scripting use cases. 
from pywerview.cli.helpers import get_netuser, get_netcomputer, get_netgroupmember

# Get all domain computers (returns a list of AD objects)
computers = get_netcomputer(
    domain_controller='dc.contoso.com',
    domain='contoso.com',
    user='alice',
    password='P@ssw0rd'
)
for computer in computers:
    print(computer.dnshostname)

# Get domain users with a Service Principal Name set (Kerberoastable accounts)
users = get_netuser(
    domain_controller='dc.contoso.com',
    domain='contoso.com',
    user='alice',
    password='P@ssw0rd',
    spn=True
)
for user in users:
    print(user)
Every result object has a .to_json() method that serializes the AD object to a JSON-compatible dictionary. This is the same serialization used by the --json CLI flag and is ideal for building structured output in scripts.

Retrieving Group Members

from pywerview.cli.helpers import get_netgroupmember

members = get_netgroupmember(
    domain_controller='dc.contoso.com',
    domain='contoso.com',
    user='alice',
    password='P@ssw0rd',
    queried_groupname='Domain Admins',
    recurse=True
)
for member in members:
    print(member)

Using NetRequester Directly

For repeated queries against the same domain controller, instantiate NetRequester once and call its methods directly. This avoids the overhead of establishing a new LDAP connection on every call. 
from pywerview.functions.net import NetRequester

requester = NetRequester(
    'dc.contoso.com',
    'contoso.com',
    'alice',
    'P@ssw0rd'
)
results = requester.get_netcomputer()
for r in results:
    print(r)

Authentication Parameters

All helper functions share a consistent set of authentication parameters. They mirror the CLI flags exactly, so anything that works on the command line translates directly to library calls.
ParameterTypeDefaultDescription
domain_controllerstrrequiredIP address or hostname of the Domain Controller
domainstrrequiredUPN domain name (e.g. contoso.com, not CONTOSO)
userstrrequiredUsername to authenticate with
passwordstr''Password for the user
lmhashstr''LM hash for pass-the-hash authentication
nthashstr''NT hash for pass-the-hash authentication
do_simpleboolFalseForce SIMPLE LDAP bind instead of NTLM/SASL
do_kerberosboolFalseUse Kerberos authentication instead of NTLM
do_tlsboolFalseForce LDAPS (port 636) instead of plain LDAP
user_certstr''Path to a PEM certificate file for SChannel auth
user_keystr''Path to the private key file for SChannel auth
When do_kerberos=True, PywerView reads the ccache ticket file pointed to by the KRB5CCNAME environment variable. You must set this variable in your script’s environment before calling any helper function or instantiating a requester class. For example: import os; os.environ['KRB5CCNAME'] = '/tmp/alice.ccache'.

Pass-the-Hash Example

from pywerview.cli.helpers import get_netuser

# Authenticate using an NT hash (LM hash can be left empty)
users = get_netuser(
    domain_controller='dc.contoso.com',
    domain='contoso.com',
    user='alice',
    lmhash='aad3b435b51404eeaad3b435b51404ee',
    nthash='<32-char-NT-hash>',
    admin_count=True
)
for user in users:
    print(user.samaccountname)

GPO Enumeration Example

from pywerview.cli.helpers import get_netgpo, get_netgpogroup

# List all GPOs
gpos = get_netgpo(
    domain_controller='dc.contoso.com',
    domain='contoso.com',
    user='alice',
    password='P@ssw0rd'
)
for gpo in gpos:
    print(gpo)

# Find GPOs that grant Restricted Group memberships
groups = get_netgpogroup(
    domain_controller='dc.contoso.com',
    domain='contoso.com',
    user='alice',
    password='P@ssw0rd',
    resolve_sids=True
)
for group in groups:
    print(group)

Build docs developers (and LLMs) love

Get started for freeTalk to us