API Documentation
This document describes all HTTP APIs supported by powerview.
Most endpoints accept and return JSON unless otherwise specified. When Basic Auth is configured at launch, all routes require it.
Note
- Optional parameters are labeled as "optional".
- Defaults are shown as
default: <value>. - Each endpoint includes a Parameters section with:
- required: comma-separated list of required parameter names
- optional: bullets with name and default, plus brief note when helpful
- Example JSON payloads contain no inline comments; notes and constraints are listed under the Parameters section.
GET /health - Liveness check
- Description: Liveness check.
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "ok" } |
GET /api/server/info - Server info
- Description: Returns server information from the active connection.
- Responses:
| Code | Response body |
|---|---|
| 200 | JSON object from conn.get_server_info()
|
GET /api/server/schema - Schema info
- Description: Returns schema information from the active connection.
- Responses:
| Code | Response body |
|---|---|
| 200 | JSON object from conn.get_schema_info()
|
GET /api/settings - Read settings
- Description: Returns the current Powerview settings/arguments.
- Responses:
| Code | Response body |
|---|---|
| 200 | {"auth_aes_key":null,"dc_ip":"10.10.10.10","debug":true,"domain":"wonka.local","hashes":null,"keepalive_interval":0,"ldap_address":"10.10.10.10","lmhash":"","max_connections":10,"mcp":false,"mcp_host":"127.0.0.1","mcp_name":"PowerView","mcp_path":"/powerview","mcp_port":8080,"nameserver":null,"no_admin_check":false,"no_cache":true,"no_pass":false,"no_vuln_check":false,"nthash":"","obfuscate":false,"password":"P@$$w0rd!xyz","pfx":null,"pool_cleanup_interval":0,"port":null,"query":null,"raw":false,"relay":false,"relay_host":"0.0.0.0","relay_port":80,"stack_trace":false,"target":"example.local/john.doe:Pasword1234@10.10.10.10","use_adws":false,"use_channel_binding":false,"use_gc":false,"use_gc_ldaps":false,"use_kerberos":false,"use_ldap":false,"use_ldaps":false,"use_sign_and_seal":false,"use_simple_auth":false,"use_system_ns":true,"username":"Administrator","web":true,"web_auth":null,"web_host":"0.0.0.0","web_port":5000} |
POST /api/set/settings - Update settings
- Request:
{
"obfuscate": false,
"no_cache": false,
"no_vuln_check": false
}- Parameters:
- required: none
- optional:
- obfuscate (default: false)
- no_cache (default: false)
- no_vuln_check (default: false)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "OK" } |
| 400 | { "error": "..." } |
GET /api/connectioninfo - Connection info
- Description: Returns connection and user context info.
- Responses:
| Code | Response body |
|---|---|
| 200 | {"domain":"example.lab","is_admin":true,"ldap_address":"10.10.10.10","nameserver":"127.0.0.53","protocol":"LDAPS","status":"OK","username":"10.10.10.10"} |
GET /api/get/domaininfo - Domain info
- Description: Returns basic domain info.
- Responses:
| Code | Response body |
|---|---|
| 200 | {"dc_dnshostname":"DC01.example.lab","domain":"example.lab","flatName":"EXAMPLE","root_dn":"DC=example,DC=local"} |
Dynamic API Wrappers - All supported methods
- Description: The following endpoints call corresponding
PowerViewfunctions via:- GET/POST
/api/get/<method> - POST
/api/set/<method> - POST
/api/add/<method> - POST
/api/remove/<method> - POST
/api/invoke/<method> - POST
/api/start/<method> - POST
/api/stop/<method> - POST
/api/convertfrom/<method> - POST
/api/convertto/<method>
- GET/POST
[!note] For GET routes, parameters may be passed via query string; for POST, via JSON body. If the JSON includes an
argsobject, it is converted to anargparse.Namespaceand passed asargs. Response values are serialized; errors return{ "error": "..." }with 4xx.
-
get_ methods:
domain_connection,object_across_domains,domain_sid,target_domain,admin_status,server_dns,domain_powerview,domainuser,localuser,domaincontroller,domainobject,domainobjectowner,domainou,domainobjectacl,domaincomputer,domaingmsa,domainrbcd,domainwds,domaingroup,domainforeigngroupmember,domainforeignuser,domaingroupmember,domaingpo,domaingpolocalgroup,domaingposettings,domaintrust,domain,domaindnszone,domaindnsrecord,domainsccm,domainsccmdatalib,domainca,domaincatemplate,domaindmsa,namedpipes,regloggedon,netloggedon,netcomputerinfo,netshare,netservice,netterminalsession,netprocess,netsession,domaintrustkey,exchangeserver,exchangemailbox,exchangedatabase,exchangepermissions. -
set_ methods:
domainrbcd,domainobjectowner,domaincatemplate,domaindnsrecord,domainuserpassword,domaincomputerpassword,domainobject,domainobjectdn,netservice. -
add_ methods:
domain_connection,primary_domain_to_pool,domaingmsa,domaingpo,domainou,gplink,domaincatemplateacl,domaincatemplate,domaingroupmember,domaingroup,domainuser,domainobjectacl,domaindnsrecord,domaindmsa,domaincomputer,netservice. -
remove_ methods:
domainobject,domaingmsa,domaincatemplate,domainou,gplink,domaindnsrecord,domaingroupmember,domainuser,domainobjectacl,domaincomputer,domaindmsa,netservice,netterminalsession,netsession. -
invoke_ methods:
dfscoerce,printerbug,asreproast,kerberoast,messagebox,badsuccessor. -
start_ methods:
netservice. -
stop_ methods:
netservice,computer,netprocess. -
convertfrom_ methods:
uacvalue,sid. -
convertto_ methods:
uacvalue,sid.
Responses - Dynamic API Wrappers
| Code | Response body |
|---|---|
| 200 | Serialized result of the invoked PowerView method |
| 400 | { "error": "..." } |
| 404 | { "error": "Method <name> not found" } |
POST /api/execute - Execute PowerView command
- Request:
{ "command": "get-domainuser -properties name" }- Parameters:
- required: command
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "result": <serialized>, "pv_args": { ... } } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
GET /api/constants - Constants map
- Query (optional):
-
get=uac→ returns UAC dictionary
-
- Responses:
| Code | Response body |
|---|---|
| 200 | JSON map or {}
|
GET /api/clear-cache - Clear caches
- Description: Clears powerview query results caches.
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "OK" } |
| 400 | { "status": "KO" } |
GET /api/logs - Paginated logs
- Query (optional):
page(default 1),limit(default 10, max 100) - Responses:
| Code | Response body |
|---|---|
| 200 | { "logs": [ ... ], "total": 123, "page": 1, "limit": 10 } |
| 500 | { "error": "..." } |
GET /api/history - Command history
- Description: Returns last 50 CLI history entries.
- Responses:
| Code | Response body |
|---|---|
| 200 | { "result": ["..."] } |
| 500 | { "error": "..." } |
GET /api/ldap/rebind - Rebind LDAP
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "OK" } |
| 400 | { "status": "KO" } |
GET /api/ldap/close - Close LDAP
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "OK" } |
| 400 | { "status": "KO" } |
POST /api/smb/connect - Connect SMB
- Request:
{
"computer": "host.example.com",
"username": "DOMAIN/user",
"password": "pass",
"domain": "DOMAIN",
"lmhash": null,
"nthash": null,
"aesKey": null
}- Parameters:
- required: computer
- optional:
- username (default: null)
- password (default: null)
- domain (default: null)
- lmhash (default: null)
- nthash (default: null)
- aesKey (default: null)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "connected", "host": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
[!note]
usernamemay beDOMAIN\\userorDOMAIN/user. When using Kerberos, the host must resolve to an FQDN.
POST /api/smb/reconnect - Reconnect SMB
- Request:
{ "computer": "host.example.com" }- Parameters:
- required: computer
- optional: none (uses stored credentials if available)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "reconnected", "host": "10.10.10.10", "used_stored_creds": true } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/disconnect - Disconnect SMB
- Request:
{ "computer": "DC01.example.com" }- Parameters:
- required: computer
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "disconnected" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
GET /api/smb/sessions - SMB sessions
- Description: Lists tracked SMB session stats.
- Responses:
| Code | Response body |
|---|---|
| 200 | { "sessions": { "host": { "connected": true, "last_used": "...", "use_count": 1, "age": 0, "last_check": "..." } } } |
| 500 | { "error": "..." } |
POST /api/smb/shares - List shares
- Request:
{ "computer": "host.example.com" }- Parameters:
- required: computer
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | Array of shares: [{ attributes: { Name, Remark, Address } }, ...]
|
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/add-share - Create share
- Request:
{ "computer": "host.example.com", "share_name": "Docs", "share_path": "C:\\Shares\\Docs" }- Parameters:
- required: computer, share_name, share_path
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "success", "message": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/delete-share - Delete share
- Request:
{ "computer": "host.example.com", "share": "Docs" }- Parameters:
- required: computer, share
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "success", "message": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/ls - List path
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "Folder" }- Parameters:
- required: computer, share
- optional:
- path (default: "")
- Responses:
| Code | Response body |
|---|---|
| 200 | Array of entries: [{ name, size, is_directory, created, modified, accessed }]
|
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/mv - Move file
- Request:
{ "computer": "host.example.com", "share": "Docs", "source": "a.txt", "destination": "b.txt" }- Parameters:
- required: computer, share, source, destination
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "message": "File moved successfully" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/get - Download file
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "a.txt" }- Parameters:
- required: computer, share, path
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | application/octet-stream with Content-Disposition header |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/put - Upload file
- Content-Type:
multipart/form-data - Fields:
- required:
file,computer,share - optional:
path(destination directory; default root)
- required:
- Responses:
| Code | Response body |
|---|---|
| 200 | { "message": "File uploaded successfully" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/cat - Read file content
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "a.txt" }- Parameters:
- required: computer, share, path
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | Raw file content |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/rm - Delete file
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "a.txt" }- Parameters:
- required: computer, share, path
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "message": "File deleted successfully" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/mkdir - Create directory
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "NewFolder" }- Parameters:
- required: computer, share, path
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "message": "Directory created successfully" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/rmdir - Remove directory
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "OldFolder" }- Parameters:
- required: computer, share, path
- optional: none
- Responses:
| Code | Response body |
|---|---|
| 200 | { "message": "Directory deleted successfully" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/properties - File/Share properties
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "a.txt" }- Parameters:
- required: computer, share
- optional:
- path (default: none; when omitted, returns share info)
- Responses:
| Code | Response body |
|---|---|
| 200 | Share info when path is empty, else file info (owner/group resolved; DACL includes trustee names) |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/set-security - Set file ACL
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "a.txt", "username": "DOMAIN/user", "mask": "fullcontrol", "ace_type": "allow" }- Parameters:
- required: computer, share, path, username
- optional:
- mask (default: "fullcontrol")
- ace_type (default: "allow")
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "success", "message": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/remove-security - Remove file ACL
- Request:
{ "computer": "host.example.com", "share": "Docs", "path": "a.txt", "username": "DOMAIN/user", "mask": "fullcontrol", "ace_type": "allow" }- Parameters:
- required: computer, share, path, username
- optional:
- mask (default: null)
- ace_type (default: null)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "success", "message": "ACE removed successfully" } |
| 404 | { "error": "No matching ACEs found to remove" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/set-share-security - Set share ACL
- Request:
{ "computer": "host.example.com", "share": "Docs", "username": "DOMAIN/user", "mask": "read", "ace_type": "deny" }- Parameters:
- required: computer, share, username
- optional:
- mask (default: "fullcontrol")
- ace_type (default: "allow")
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "success", "message": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/remove-share-security - Remove share ACL
- Request:
{ "computer": "host.example.com", "share": "Docs", "username": "DOMAIN/user", "mask": "read", "ace_type": "allow" }- Parameters:
- required: computer, share, username
- optional:
- mask (default: null)
- ace_type (default: null)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "success", "message": "Share security removed successfully" } |
| 404 | { "error": "No matching ACEs found to remove" } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/smb/search - Search SMB
- Request:
{
"computer": "host.example.com",
"share": "Docs",
"query": "*.txt",
"depth": 3,
"start_path": "",
"use_regex": false,
"content_search": false,
"case_sensitive": false,
"cred_hunt": false,
"item_type": "all",
"max_file_size": 5242880,
"file_extensions": [".txt", ".cfg"]
}- Parameters:
- required: computer, share
- optional:
- query (default: required unless cred_hunt=true)
- depth (default: 3)
- start_path (default: "")
- use_regex (default: false)
- content_search (default: false)
- case_sensitive (default: false)
- cred_hunt (default: false)
- item_type (default: "all")
- max_file_size (default: 5242880)
- file_extensions (default: common text/config extensions)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "items": [ ... ], "total": 0, "search_info": { ... } } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
GET /api/smb/search-stream - Streaming search (SSE)
-
Query:
- required:
computer,share - optional: same as POST
/api/smb/search
- required:
-
Headers:
Content-Type: text/event-stream -
Events:
data: { "type": "found", "item": { ... } }data: { "type": "done", "total": N }
-
Responses:
| Code | Response body |
|---|---|
| 200 |
text/event-stream with events as specified above |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
[!note]
queryis required unlesscred_hunt=true.
POST /api/login_as - Login as a diffent user from current context
- Request:
{
"username": "user",
"password": "pass",
"domain": "DOMAIN",
"lmhash": null,
"nthash": null,
"auth_aes_key": null
}- Parameters:
- required: username
- optional:
- password (default: null)
- domain (default: null)
- lmhash (default: null)
- nthash (default: null)
- auth_aes_key (default: null)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "success", "message": "...", "connection_info": { ... } } |
| 401 | { "status": "failure", "error": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
POST /api/computer/restart - Restart computer
- Request:
{
"computer": "host.example.com",
"username": null,
"password": null,
"domain": null,
"lmhash": null,
"nthash": null
}- Parameters:
- required: computer
- optional:
- username (default: null)
- password (default: null)
- domain (default: null)
- lmhash (default: null)
- nthash (default: null)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "OK", "message": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
[!note] FQDN is required when using Kerberos. Returns success if the reboot signal is sent; does not await completion.
POST /api/computer/shutdown - Shutdown computer
- Request:
{
"computer": "host.example.com",
"username": null,
"password": null,
"domain": null,
"lmhash": null,
"nthash": null
}- Parameters:
- required: computer
- optional:
- username (default: null)
- password (default: null)
- domain (default: null)
- lmhash (default: null)
- nthash (default: null)
- Responses:
| Code | Response body |
|---|---|
| 200 | { "status": "OK", "message": "..." } |
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
[!note] Sends shutdown signal; does not await power-off completion.
POST /api/computer/tasklist - Process list
- Request:
{
"computer": "host.example.com",
"username": null,
"password": null,
"domain": null,
"lmhash": null,
"nthash": null,
"pid": null,
"name": null
}- Parameters:
- required: computer
- optional:
- username (default: null)
- password (default: null)
- domain (default: null)
- lmhash (default: null)
- nthash (default: null)
- pid (default: null)
- name (default: null)
- Responses:
| Code | Response body |
|---|---|
| 200 | Array of objects: [{ attributes: { ImageName, PID, SessionID, SessionName, State, SessionUser, SID, MemUsage } }, ... ]
|
| 400 | { "error": "..." } |
| 500 | { "error": "..." } |
[!note] Filters by
pidor case-insensitive substring match onnamewhen provided.
- On errors, endpoints return
{ "error": "<message>" }with appropriate 4xx/5xx. - Some endpoints return
status: "KO"on operational failures with 400.
