evil-winrm

Windows Remote Management (WinRM) shell for pentesting.

TLDR

Connect to a host

$ evil-winrm --ip [ip] --user [user] --password [password]
copy

Connect to a host, passing the password hash

$ evil-winrm --ip [ip] --user [user] --hash [nt_hash]
copy

Connect to a host, specifying directories for scripts and executables

$ evil-winrm --ip [ip] --user [user] --password [password] --scripts [path/to/scripts] --executables [path/to/executables]
copy

Connect to a host, using SSL

$ evil-winrm --ip [ip] --user [user] --password [password] --ssl --pub-key [path/to/pubkey] --priv-key [path/to/privkey]
copy

Upload a file to the host

$ PS > upload [path/to/local/file] [path/to/remote/file]
copy

Get a list of loaded PowerShell functions

$ PS > menu
copy

Load a PowerShell script from the --scripts directory

$ PS > [script.ps1]
copy

Invoke a binary on the host from the --executables directory

$ PS > Invoke-Binary [binary.exe]
copy

Help

Evil-WinRM shell v2.4 

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] 
    -S, --ssl                        Enable ssl 
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate 
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate 
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com } 
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path 
        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP) 
    -e, --executables EXES_PATH      C# executables local path 
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required) 
    -U, --url URL                    Remote url endpoint (default /wsman) 
    -u, --user USER                  Username (required if not using kerberos) 
    -p, --password PASS              Password 
    -H, --hash HASH                  NTHash 
    -P, --port PORT                  Remote host port (default 5985) 
    -V, --version                    Show version 
    -n, --no-colors                  Disable colors 
    -h, --help                       Display this help message 

Copied to clipboard
Swissborg