Hunting functions (CLI mode)

the-useless-one edited this page Aug 24, 2016 · 1 revision

invoke-userhunter

usage: pywerview.py invoke-userhunter [-h] [-w DOMAIN] -u USER [-p PASSWORD]
                                      [--hashes LMHASH:NTHASH] -t
                                      DOMAIN_CONTROLLER
                                      [--computername QUERIED_COMPUTERNAME [QUERIED_COMPUTERNAME ...]]
                                      [--computerfile QUERIED_COMPUTERFILE]
                                      [--computer-adspath QUERIED_COMPUTERADSPATH]
                                      [--unconstrained]
                                      [--groupname QUERIED_GROUPNAME]
                                      [--targetserver TARGET_SERVER]
                                      [--username QUERIED_USERNAME]
                                      [--user-adspath QUERIED_USERADSPATH]
                                      [--userfile QUERIED_USERFILE]
                                      [--threads THREADS] [-v] [--admin-count]
                                      [--allow-delegation] [--stop-on-success]
                                      [--check-access] [-d QUERIED_DOMAIN]
                                      [--stealth]
                                      [--stealth-source {dfs,dc,file} [{dfs,dc,file} ...]]
                                      [--show-all] [--foreign-users]

optional arguments:
  -h, --help            show this help message and exit
  -w DOMAIN, --workgroup DOMAIN
                        Name of the domain we authenticate with
  -u USER, --user USER  Username used to connect to the Domain Controller
  -p PASSWORD, --password PASSWORD
                        Password associated to the username
  --hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -t DOMAIN_CONTROLLER, --dc-ip DOMAIN_CONTROLLER
                        IP address of the Domain Controller to target
  --computername QUERIED_COMPUTERNAME [QUERIED_COMPUTERNAME ...]
                        Host to enumerate against
  --computerfile QUERIED_COMPUTERFILE
                        File of hostnames/IPs to search
  --computer-adspath QUERIED_COMPUTERADSPATH
                        ADS path used to search computers against the DC
  --unconstrained       Query only computers with unconstrained delegation
  --groupname QUERIED_GROUPNAME
                        Group name to query for target users
  --targetserver TARGET_SERVER
                        Hunt for users who are effective local admins on this
                        target server
  --username QUERIED_USERNAME
                        Hunt for a specific user name
  --user-adspath QUERIED_USERADSPATH
                        ADS path used to search users against the DC
  --userfile QUERIED_USERFILE
                        File of user names to target
  --threads THREADS     Number of threads to use (default: 1)
  -v, --verbose         Displays results as they are found
  --admin-count         Query only users with adminCount=1
  --allow-delegation    Return user accounts that are not marked as 'sensitive
                        and not allowed for delegation'
  --stop-on-success     Stop hunting after finding target user
  --check-access        Check if the current user has local admin access to
                        the target servers
  -d QUERIED_DOMAIN, --domain QUERIED_DOMAIN
                        Domain to query for machines
  --stealth             Only enumerate sessions from commonly used target
                        servers
  --stealth-source {dfs,dc,file} [{dfs,dc,file} ...]
                        The source of target servers to use, 'dfs'
                        (distributed file server), 'dc' (domain controller),
                        or 'file' (file server) (default: all)
  --show-all            Return all user location results
  --foreign-users       Only return users that are not part of the searched
                        domain