LinuxCommandLibrary

evil-winrm

TLDR

Connect to target
$ evil-winrm -i [target_ip] -u [username] -p [password]
Connect with hash
$ evil-winrm -i [target_ip] -u [username] -H [NTLM_hash]
Use SSL
$ evil-winrm -i [target_ip] -u [user] -p [pass] -S
Upload file (run inside the evil-winrm session)
$ upload [local_file] [remote_path]
Download file (run inside the evil-winrm session)
$ download [remote_file] [local_path]
Load PowerShell scripts from a directory
$ evil-winrm -i [ip] -u [user] -p [pass] -s [scripts/]

SYNOPSIS

evil-winrm [options]

DESCRIPTION

Evil-WinRM is a penetration testing shell for Windows Remote Management (WinRM). It provides an interactive PowerShell session with additional features for pentest activities.
The tool supports pass-the-hash authentication, file upload/download, and loading custom PowerShell scripts. It's designed for red team operations and authorized security testing.
Evil-WinRM provides better functionality than basic WinRM clients for security assessment workflows.

PARAMETERS

-i IP
Target IP address.
-u USER
Username.
-p PASSWORD
Password.
-H HASH
NTLM hash for pass-the-hash.
-S
Use SSL.
-s PATH
PowerShell scripts directory.
-e PATH
Executables directory.
-P PORT
Custom port.
--help
Display help information.

CAVEATS

Use only with authorization. WinRM must be enabled on the target. Sessions may trigger security alerts. An AMSI bypass is needed for some scripts.

HISTORY

Evil-WinRM was created by Hackplayers for the security research community, providing a feature-rich alternative to standard WinRM tools for penetration testing.

SEE ALSO

winrm(1), psexec(1), impacket(1)
