
PywerView is a Python rewrite of PowerSploit’s PowerView — the gold-standard Windows Active Directory reconnaissance toolkit — rebuilt from the ground up to run natively on Linux. Born out of a pentester’s frustration with having to run mimikatz sekurlsa::pth just to launch a PowerShell prompt with stolen domain credentials, PywerView replaces that brittle, Windows-only workflow with a clean Python CLI that speaks LDAP, SMB, and RPC directly from any Linux machine, no domain membership required.

Why PywerView Exists

Before PywerView, conducting thorough Active Directory enumeration from Linux meant stitching together credential-passing hacks, Wine-wrapped binaries, or incomplete third-party scripts. PowerView itself is brilliant, but it requires a PowerShell runtime and, until recently, a domain-joined machine to function properly. PywerView was created to close that gap: a Linux-native, scriptable, Python-based tool that replicates PowerView’s core enumeration capabilities and integrates naturally into existing Python-based offensive tooling powered by impacket.

Key Capabilities

PywerView’s commands fall into two broad categories based on the underlying protocol they use.

LDAP-Based Enumeration

These commands query the Domain Controller’s LDAP service and cover the majority of AD object enumeration:
  • Users (get-netuser): query domain user accounts, filter by delegation flags, SPNs, adminCount, and more
  • Groups (get-netgroup, get-netgroupmember): list domain groups and resolve group membership
  • Computers (get-netcomputer): enumerate domain-joined machines, filter by OS, SPN, or delegation
  • Domain Controllers (get-netdomaincontroller): discover all DCs for a given domain
  • Organizational Units (get-netou, get-netsite, get-netsubnet): map the domain’s structural layout
  • Group Policy Objects (get-netgpo, get-netgpogroup, find-gpocomputeradmin, find-gpolocation): enumerate GPOs and determine who has administrative access via policy
  • PKI / Certificates (get-netpki, get-netcerttmpl): list Certificate Authority enrollment services and certificate templates
  • Managed Service Accounts (get-netgmsa, get-netsmsa): enumerate gMSA and sMSA accounts (password retrieval requires --tls)
  • Object ACLs & Owners (get-objectacl, get-objectowner): inspect discretionary ACLs and identify object owners
  • Domain Trusts (get-netdomaintrust): list all trust relationships for the target domain

RPC/SMB-Based Enumeration

These commands target individual hosts over SMB/RPC and are invaluable for lateral-movement reconnaissance:
  • Active sessions (get-netsession): list sessions currently open on a host
  • Logged-on users (get-netloggedon): call NetWkstaUserEnum to find who is actively using a machine
  • Network shares (get-netshare): enumerate available shares on a target host
  • Local groups (get-netlocalgroup): list local group members, including resolution of domain SIDs
  • Running processes (get-netprocess): execute a WMI Win32_Process query against a remote host
  • Local disks (get-localdisks): list attached disks on a remote host
  • Admin access check (invoke-checklocaladminaccess): verify whether the current user has local admin rights on a target
  • User hunting (invoke-userhunter, invoke-processhunter, invoke-eventhunter): find where domain users are logged in across the network

Authentication Methods

PywerView supports four authentication mechanisms so you can use whatever credentials or tickets you have available:
  Method                      How to use
  NTLM password               -u <user> -p <password> -w <domain.com>
  NTLM hash (Pass-the-Hash)   --hashes [LMHASH:]NTHASH
  Kerberos (ccache ticket)    KRB5CCNAME=<file.ccache> ... -k   (requires pywerview[kerberos])
  SChannel (certificate)      --cert <file.crt> --key <file.key>   (optionally with --tls)
A TLS connection to LDAPS can be forced with --tls. This is required for certain operations, such as reading gMSA managed passwords with get-netgmsa.
Domain names must be supplied in post-Win2k UPN format — e.g., contoso.com, not the legacy Windows 2000 NetBIOS style (e.g., CONTOSO). Passing the short NetBIOS name will cause authentication or query failures.
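As an added example (not PywerView’s own code), the helper below assembles a pywerview command line from the authentication table above and enforces the two rules this page states before anything is run: the domain must be in UPN format, and get-netgmsa must be invoked with --tls. The flags are the ones listed on this page; the executable name "pywerview", the argument order, and passing -u only when a user is given for the Kerberos and certificate cases are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Flags are the ones listed on this page; the executable name "pywerview" is an assumption.
PYWERVIEW_BIN = "pywerview"
UPN_DOMAIN = re.compile(r"^([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)
NEEDS_TLS = {"get-netgmsa"}  # managed-password retrieval works only over LDAPS
NTLM_HASHES = re.compile(r"^(?:(?:[0-9a-f]{32})?:)?[0-9a-f]{32}$", re.IGNORECASE)


def check_domain(domain: str) -> str:
    """Reject NetBIOS-style names (CONTOSO); require UPN style (contoso.com)."""
    if not UPN_DOMAIN.match(domain):
        raise ValueError(f"{domain!r} is not a UPN-style domain such as contoso.com")
    return domain


def build_command(subcommand: str, domain: str, user: Optional[str] = None,
                  password: Optional[str] = None, hashes: Optional[str] = None,
                  ccache: Optional[str] = None, cert: Optional[Tuple[str, str]] = None,
                  tls: bool = False, extra: Optional[List[str]] = None,
                  ) -> Tuple[List[str], Dict[str, str]]:
    """Return (argv, extra environment) for one pywerview invocation."""
    if sum(1 for c in (password, hashes, ccache, cert) if c) != 1:
        raise ValueError("give exactly one of password, hashes, ccache or cert")
    if subcommand in NEEDS_TLS and not tls:
        raise ValueError(f"{subcommand} requires --tls (LDAPS)")
    if (password or hashes) and not user:
        raise ValueError("NTLM password or hash authentication needs -u <user>")
    argv = [PYWERVIEW_BIN, subcommand, "-w", check_domain(domain)]
    env: Dict[str, str] = {}
    if user:
        argv += ["-u", user]
    if password:
        argv += ["-p", password]
    elif hashes:  # Pass-the-Hash: [LMHASH:]NTHASH, hex only
        if not NTLM_HASHES.match(hashes):
            raise ValueError("hashes must be [LMHASH:]NTHASH in hex")
        argv += ["--hashes", hashes]
    elif ccache:  # Kerberos: ticket cache via KRB5CCNAME, needs pywerview[kerberos]
        env["KRB5CCNAME"] = ccache
        argv.append("-k")
    else:  # SChannel: client certificate and private key
        argv += ["--cert", cert[0], "--key", cert[1]]
    if tls:
        argv.append("--tls")
    return argv + (extra or []), env
```

The returned argv and environment can be handed to subprocess.run; the ValueError cases are exactly the failures the note above warns about, caught before a network connection is attempted.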

License

PywerView is free software released under the GNU General Public License v3.0 (GPL-3.0). Copyright © 2024 Yannick Méheut. See the LICENSE file for the full terms.

Get Started

Installation

Install PywerView from PyPI or build from source. Covers pip, optional Kerberos support, and Docker.

Quickstart

Run your first AD enumeration in five minutes — computers, users, and group membership.

Authentication & Credentials

Deep dive into NTLM, Pass-the-Hash, Kerberos ccache, and SChannel certificate authentication.

get-netuser Reference

Full flag reference for querying domain user accounts, SPNs, delegation settings, and more.
