Skip to main content
Python Software Foundation 20th Year Anniversary Fundraiser  Donate today!

A Python port of PowerSploit's PowerView

Project description

 ____                        __     ___
|  _ \ _   ___      _____ _ _\ \   / (_) _____      __
| |_) | | | \ \ /\ / / _ \ '__\ \ / /| |/ _ \ \ /\ / /
|  __/| |_| |\ V  V /  __/ |   \ V / | |  __/\ V  V /
|_|    \__, | \_/\_/ \___|_|    \_/  |_|\___| \_/\_/

A (partial) Python rewriting of PowerSploit’s PowerView.

Fork me on GitHub.

License Python versions GitHub release PyPI version


As a pentester, I love using PowerView during my assignments. It makes it so easy to find vulnerable machines, or list what domain users were added to the local Administrators group of a machine, and much more.

However, running PowerView on a computer which is not connected to the domain is a pain: I always find myself using mimikatz’s sekurlsa::pth to run a Powershell prompt with stolen domain credentials, and that’s not easy to script. Plus, I’m a Linux guy and I’ve always found it a shame that there were no complete Windows/Active Directory enumeration tool on Linux.

That’s why I decided to rewrite some of PowerView’s functionalities in Python, using the wonderful impacket library.

Update: I haven’t tested the last version of PowerView yet, which can run from a machine not connected to a domain. I don’t know if it works correctly under Linux using Powershell. If anyone has had any experience with this at all, you can contact me, I’m really interested. We’ll see if pywerview has become obsoleted ;) but I think I’ll continue working on it eitherway: I’d still rather use Python than Powershell on Linux, and I’m learning a lot! Plus, it may integrated in existing Linux tools written in Python. It’s still great news that PowerView now supports machines not connected to the domain!


This tool is far from complete (as you’ll see in the TODO section)! I still have a lot more awesome PowerView functionalities to implement (the user hunting functions, the GPO functions, the local process enumeration, etc.), but I still think it can be useful as is.

It’s also (very) possible that there are (many) bugs in the code: I’ve only tested the simplest test cases. If you use this tool during an assignment and you get an error, please, open an issue with the error and the conditions that triggered this error.

Also, blah blah blah, don’t use it for evil purposes.


  • Python 3.6
  • impacket >= 0.9.22
  • ldap3 >= 2.8.1


If you like living on the bleeding edge, check out the development branch.

Here’s the list of available commands:

$ ./ --help
usage: [-h]

Rewriting of some PowerView's functionalities in Python

optional arguments:
  -h, --help            show this help message and exit

  Available subcommands

    get-adobject        Takes a domain SID, samAccountName or name, and return
                        the associated object
    get-netuser         Queries information about a domain user
    get-netgroup        Get a list of all current domain groups, or a list of
                        groups a domain user is member of
    get-netcomputer     Queries informations about domain computers
                        Get a list of domain controllers for the given domain
    get-netfileserver   Return a list of file servers, extracted from the
                        domain users' homeDirectory, scriptPath, and
                        profilePath fields
    get-dfsshare        Return a list of all fault tolerant distributed file
                        systems for a given domain
    get-netou           Get a list of all current OUs in the domain
    get-netsite         Get a list of all current sites in the domain
    get-netsubnet       Get a list of all current subnets in the domain
    get-netgpo          Get a list of all current GPOs in the domain
    get-domainpolicy    Returns the default domain or DC policy for the
                        queried domain or DC
    get-gpttmpl         Helper to parse a GptTmpl.inf policy file path into a
                        custom object
    get-netgpogroup     Parses all GPOs in the domain that set "Restricted
                        Group" or "Groups.xml"
                        Takes a computer (or OU) and determine who has
                        administrative access to it via GPO
    find-gpolocation    Takes a username or a group name and determine the
                        computers it has administrative access to via GPO
    get-netgroupmember  Return a list of members of a domain group
    get-netsession      Queries a host to return a list of active sessions on
                        the host (you can use local credentials instead of
                        domain credentials)
    get-localdisks      Queries a host to return a list of active disks on the
                        host (you can use local credentials instead of domain
    get-netdomain       Queries a host for available domains
    get-netshare        Queries a host to return a list of available shares on
                        the host (you can use local credentials instead of
                        domain credentials)
    get-netloggedon     This function will execute the NetWkstaUserEnum RPC
                        call to query a given host for actively logged on
    get-netlocalgroup   Gets a list of members of a local group on a machine,
                        or returns every local group. You can use local
                        credentials instead of domain credentials, however,
                        domain credentials are needed to resolve domain SIDs.
                        Checks if the given user has local admin access on the
                        given host
    get-netprocess      This function will execute the 'Select * from
                        Win32_Process' WMI query to a given host for a list of
                        executed process
    get-userevent       This function will execute the 'Select * from
                        Win32_Process' WMI query to a given host for a list of
                        executed process
    invoke-userhunter   Finds which machines domain users are logged into
                        Searches machines for processes with specific name, or
                        ran by specific users
    invoke-eventhunter  Searches machines for events with specific name, or
                        ran by specific users

Take a look at the wiki to see a more detailed usage of every command.

Attention: in every command, the used domain name must be the post-Win2k UPN, and not the Win2k compatible name.

For example, my domain name is uselessdomain.local. The Win2K compatible name is USELESSDOMAIN. In every command, I must use ``uselessdomain.local`` as an argument, and not USELESSDOMAIN.


  • Many, many more PowerView functionalities to implement. I’ll now focus on forest functions, then inter-forest trust functions
  • Lots of rewrite due to the last version of PowerView
  • Implement a debugging mode (for easier troubleshooting)
  • Gracefully fail against Unix machines running Samba
  • Support Kerberos authentication
  • Perform range cycling in get-netgroupmember
  • Manage request to the Global Catalog
  • Try to fall back to tcp/139 for RPC communications if tcp/445 is closed
  • Comment, document, and clean the code


Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pywerview, version 0.3.1
Filename, size File type Python version Upload date Hashes
Filename, size pywerview-0.3.1-py3-none-any.whl (52.7 kB) File type Wheel Python version py3 Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page