PywerView gets you from zero to enumerating Active Directory objects in under five minutes. All you need is a reachable Domain Controller, a set of valid domain credentials (password or NTLM hash), and Python 3.6 or later on your Linux machine. This guide walks you through installation, verifying the CLI, and running three of the most commonly used enumeration commands (get-netcomputer, get-netuser, and get-netgroupmember) against a real domain.
Prerequisites
Before you begin, make sure you have the following:
- PywerView installed: see Installation if you haven’t done this yet.
- Domain credentials: a valid username and either a plaintext password or an NTLM hash ([LMHASH:]NTHASH).
- DC IP or hostname: the IP address or fully qualified hostname of a Domain Controller you can reach on the network.
- Domain name in UPN format: e.g., contoso.com. Do not use the legacy NetBIOS short name (e.g., CONTOSO); PywerView requires the post-Win2k UPN form.
Steps
Install PywerView
If you haven’t installed PywerView yet, the quickest path is a single pip command. Create a virtual environment first to keep dependencies isolated:
Need Kerberos ccache support? Add the optional extra instead:
See the full Installation guide for source builds, system dependencies, and Docker options.
Verify the installation
Confirm that the pywerview CLI entry-point is on your PATH and is responsive:
You should see the main help page listing all available subcommands:
If pywerview is not found, ensure your virtual environment is activated (source pywerview-env/bin/activate) and retry.
Enumerate domain computers
get-netcomputer queries the DC over LDAP and returns the DNS hostname of every computer object in the domain. By default it prints only the dnshostname attribute; pass --full-data if you want the complete object.
| Flag | Description |
|---|---|
| -t / --dc-ip | IP address or hostname of the Domain Controller |
| -u / --user | Username to authenticate with |
| -p / --password | Password for the user account |
| -w / --workgroup | Domain name in UPN format (e.g., contoso.com) |
Enumerate domain users
get-netuser queries all user accounts in the domain. Without additional filters it returns every user object. You can scope it to a specific account with --username.
-p for --hashes:
Find Domain Admins group members
get-netgroupmember resolves the membership of any domain group. Querying Domain Admins is a natural first step to understand the high-privilege attack surface.
Domain Admins, add -r:
If --groupname is omitted, get-netgroupmember defaults to querying the Domain Admins group automatically.
jq:
Global Flags at a Glance
Every PywerView subcommand that targets a Domain Controller accepts the following global flags:
| Flag | Long form | Description |
|---|---|---|
| -t | --dc-ip | IP address or hostname of the target Domain Controller |
| -u | --user | Username for authentication |
| -p | --password | Plaintext password |
| -w | --workgroup | Domain name in UPN format (e.g., contoso.com) |
| | --hashes | NTLM hashes: [LMHASH:]NTHASH (Pass-the-Hash) |
| -k | | Use Kerberos authentication from KRB5CCNAME ccache file |
| | --cert | Path to a PEM certificate file (SChannel auth) |
| | --key | Path to the private key file (SChannel auth) |
| | --tls | Force TLS / LDAPS connection |
| -l | --logging-level | Verbosity: CRITICAL (default), WARNING, DEBUG, ULTRA |
| | --json | Output results as JSON |
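The three enumeration steps above, run from one script that checks the prerequisites first and reuses the global flags from this table. This is an added example, not code from the PywerView project; the variable names DC_IP, AD_DOMAIN, AD_USER, AD_PASSWORD and AD_HASHES are assumptions, and every flag used is one listed on this page.

```shell
#!/bin/sh
# Added example, not PywerView project code. DC_IP, AD_DOMAIN, AD_USER,
# AD_PASSWORD and AD_HASHES are assumed variable names; supply your own values.

# True only for a dotted domain name (contoso.com), not a NetBIOS name (CONTOSO).
valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# True only for [LMHASH:]NTHASH, each hash being 32 hex characters.
valid_hashes() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{32}:)?[0-9A-Fa-f]{32}$'
}

# Check the prerequisites before anything is sent to the DC.
check_inputs() {
    [ -n "${DC_IP:-}" ] || { echo "DC_IP is required" >&2; return 1; }
    [ -n "${AD_USER:-}" ] || { echo "AD_USER is required" >&2; return 1; }
    valid_domain "${AD_DOMAIN:-}" || { echo "AD_DOMAIN must look like contoso.com" >&2; return 1; }
    if [ -n "${AD_HASHES:-}" ]; then
        valid_hashes "$AD_HASHES" || { echo "AD_HASHES must be [LMHASH:]NTHASH" >&2; return 1; }
    elif [ -z "${AD_PASSWORD:-}" ]; then
        echo "set AD_PASSWORD or AD_HASHES" >&2; return 1
    fi
}

# Run the three enumeration commands with one shared set of global flags.
quickstart() {
    check_inputs || return 1
    set -- -t "$DC_IP" -u "$AD_USER" -w "$AD_DOMAIN"
    if [ -n "${AD_HASHES:-}" ]; then
        set -- "$@" --hashes "$AD_HASHES"
    else
        # -p places the password in pywerview's argument list, visible in process listings.
        set -- "$@" -p "$AD_PASSWORD"
    fi
    pywerview get-netcomputer "$@" || return 1
    pywerview get-netuser "$@" --username "$AD_USER" || return 1
    pywerview get-netgroupmember "$@" --groupname "Domain Admins"
}

# Only contact the DC when invoked as: sh quickstart.sh run
if [ "${1:-}" = "run" ]; then quickstart; fi
```
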
Next Steps
Authentication & Credentials
Learn how to authenticate with Kerberos tickets, NTLM hashes, and certificates.
get-netuser Reference
Explore every flag available for user enumeration, including SPN, delegation, and custom LDAP filters.