LinuxCommandLibrary

evil-winrm

Manage Windows systems remotely via WinRM

TLDR

Connect to a host and start an interactive session
$ evil-winrm [[-i|--ip]] [ip_address] [[-u|--user]] [user] [[-p|--password]] [password]

Connect to a host using pass-the-hash authentication instead of a password
$ evil-winrm [[-i|--ip]] [ip_address] [[-u|--user]] [user] [[-H|--hash]] [nt_hash]

Connect to a host, specifying directories for PowerShell scripts and executables
$ evil-winrm [[-i|--ip]] [ip_address] [[-u|--user]] [user] [[-p|--password]] [password] [[-s|--scripts]] [path/to/scripts] [[-e|--executables]] [path/to/executables]

Connect to a host, using SSL
$ evil-winrm [[-i|--ip]] [ip_address] [[-u|--user]] [user] [[-p|--password]] [password] [[-S|--ssl]] [[-c|--pub-key]] [path/to/pubkey] [[-k|--priv-key]] [path/to/privkey]

[Interactive] Upload a file to the host
$ upload [path/to/local_file] [path/to/remote_file]

[Interactive] List all loaded PowerShell functions
$ menu

[Interactive] Load a PowerShell script from the --scripts directory
$ [script.ps1]

[Interactive] Invoke a binary on the host from the --executables directory
$ Invoke-Binary [binary.exe]

SYNOPSIS

evil-winrm [options]

PARAMETERS

-i, --ip IP
    Target IP address or hostname

-u, --user USER
    Username for authentication

-p, --password PASS
    Password for authentication

-H, --hash HASH
    NTLM hash for pass-the-hash

-P, --port PORT
    WinRM port (default: 5985)

-S, --ssl
    Enable SSL/TLS (default: HTTP)

-s, --shell SHELL
    Custom shell (default: powershell)

-c, --command COMMAND
    Execute single command and exit

-x, --x509-cert CERT
    Path to X.509 certificate PEM

-r, --basic-auth
    Force basic authentication

-V, --version
    Display version information

-h, --help
    Show help message

DESCRIPTION

Evil-WinRM is a Ruby-based command-line tool designed for penetration testers to establish interactive shells on Windows systems via the WinRM (Windows Remote Management) protocol. It bypasses limitations of native tools like winrs.exe by providing full shell access, file upload/download, and command execution without PowerShell restrictions. Commonly used in Kali Linux environments, it supports authentication via password, NTLM hash, certificates, or Kerberos. The tool enables uploading payloads, running Meterpreter, or executing post-exploitation commands remotely. It requires the WinRM service to be enabled on the target (often via winrm quickconfig) and appropriate credentials, typically administrative. Developed for ethical hacking, it handles SSL/TLS, custom ports, and basic auth, making it versatile for red teaming. Note: Use only on authorized systems to avoid legal issues.

Key features include interactive PS1 or CMD sessions, inline command execution, and seamless file transfers using the WinRM transport.

CAVEATS

Requires Ruby and the evil-winrm gem to be installed; WinRM must be configured on the target; the HTTP (5985) or HTTPS (5986) port must be open; admin privileges are often needed; not for unauthorized access.
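A defensive counterpart to the caveats above, added here as an example and not part of the original page or the evil-winrm project: a PowerShell audit, run on the Windows host, that reports the WinRM service settings a WinRM client session depends on (plaintext HTTP on 5985, basic auth, unrestricted listener scope) beside the hardened value for each. The management address range is a placeholder.

```powershell
# Added example, not code from the evil-winrm project: audit the WinRM service
# settings behind the caveats above and show each weak value beside its
# hardened value. Run from an elevated PowerShell on the Windows host; -Fix
# applies the hardened service values (listeners are reported only).
# Assumption: the IPv4 range below is a placeholder for your management hosts.
param(
    [switch]$Fix,
    [string]$ManagementRange = '10.0.10.1-10.0.10.254'   # IPv4Filter syntax
)

# Setting path, the value that weakens WinRM, the hardened value, and why.
$checks = @(
    @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Weak = 'true'; Hardened = 'false'
       Why  = 'plaintext sessions on 5985 expose credentials and command output' },
    @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Weak = 'true'; Hardened = 'false'
       Why  = 'basic auth sends the password itself; use Kerberos over HTTPS' },
    @{ Path = 'WSMan:\localhost\Service\IPv4Filter';       Weak = '*';    Hardened = $ManagementRange
       Why  = 'service accepts WinRM connections from any source address' }
)

$findings = foreach ($c in $checks) {
    $current = (Get-Item -Path $c.Path -ErrorAction Stop).Value   # WSMan values are strings
    $isWeak  = "$current" -eq $c.Weak
    if ($isWeak -and $Fix) {
        Set-Item -Path $c.Path -Value $c.Hardened -Force
        $current = (Get-Item -Path $c.Path).Value
    }
    [pscustomobject]@{
        Setting  = ($c.Path -split '\\')[-1]
        Current  = $current
        Hardened = $c.Hardened
        Status   = if (-not $isWeak) { 'ok' } elseif ($Fix) { 'FIXED' } else { 'WEAK' }
        Why      = $c.Why
    }
}
$findings | Format-Table -AutoSize

# Listeners: the default HTTP listener on 5985 is what a WinRM client reaches
# without -S/--ssl; the hardened shape is an HTTPS (5986) listener only.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    ForEach-Object {
        [pscustomobject]@{
            Transport = $_.Transport
            Port      = $_.Port
            Address   = $_.Address
            Status    = if ($_.Transport -eq 'HTTP') { 'WEAK: plaintext listener' } else { 'ok' }
        }
    } | Format-Table -AutoSize
```

Run without -Fix first to review the report; the HTTP listener itself is left in place so that replacing it with an HTTPS listener can be done as a deliberate change.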

INSTALLATION

gem install evil-winrm
Or on Kali: apt install evil-winrm

EXAMPLE USAGE

evil-winrm -i 192.168.1.100 -u Administrator -p 'Pass123!'
Establishes an interactive shell on 192.168.1.100 as the Administrator user.

HISTORY

Created by HackerFantastic in 2017 as a Ruby gem to improve WinRM shell access for pentesters over clunky native tools. Actively maintained on GitHub, integrated into Kali Linux repos since 2018.

SEE ALSO

ssh(1), nc(1), winrs(1)
