
evil-winrm

penetration testing shell for WinRM

TLDR

Connect to target
$ evil-winrm -i [target_ip] -u [username] -p [password]
Connect with hash
$ evil-winrm -i [target_ip] -u [username] -H [NTLM_hash]
Use SSL
$ evil-winrm -i [target_ip] -u [user] -p [pass] -S
Upload file
$ upload [local_file] [remote_path]
Download file
$ download [remote_file] [local_path]
Load PowerShell scripts from directory
$ evil-winrm -i [ip] -u [user] -p [pass] -s [scripts/]
Connect with SSL and custom port
$ evil-winrm -i [target_ip] -u [user] -p [pass] -S -P [5986]
Connect using Kerberos authentication
$ evil-winrm -i [target_ip] -u [user] -p [pass] -r [DOMAIN.LOCAL]
Connect with certificate-based authentication
$ evil-winrm -i [target_ip] -c [cert.pem] -k [key.pem] -S

SYNOPSIS

evil-winrm [options]

DESCRIPTION

Evil-WinRM is a penetration testing shell for Windows Remote Management (WinRM). It provides an interactive PowerShell session with additional features for pentest activities.

The tool supports pass-the-hash authentication, Kerberos authentication, certificate-based authentication, file upload/download, and loading custom PowerShell scripts and C# executables. It is designed for red team operations and authorized security testing.

Built-in commands available within the shell include upload and download for file transfer, Invoke-Binary for executing C# assemblies in memory, and Dll-Loader for loading DLLs. The menu command lists all available built-in commands.

PARAMETERS

-i IP
Target IP address.
-u USER
Username.
-p PASSWORD
Password.
-H HASH
NTLM hash for pass-the-hash.
-S, --ssl
Enable SSL encrypted connection.
-c PATH, --pub-key PATH
Local path to public key certificate.
-k PATH, --priv-key PATH
Local path to private key certificate.
-s PATH, --scripts PATH
PowerShell scripts local path.
-e PATH, --executables PATH
C# executables local path.
-P PORT, --port PORT
Remote host port (default 5985).
-U URL, --url URL
Remote URL endpoint (default /wsman).
-r DOMAIN, --realm DOMAIN
Kerberos auth realm/domain.
--spn PREFIX
SPN prefix for Kerberos auth (default HTTP).
-l, --log
Log the WinRM session.
-n, --no-colors
Disable colored output.
-N, --no-rpath-completion
Disable remote path completion.
-a USERAGENT, --user-agent USERAGENT
Specify connection user-agent (default Microsoft WinRM Client).
-V, --version
Show version.
-h, --help
Display help information.

CAVEATS

Only use with explicit authorization. WinRM must be enabled on the target (ports 5985 for HTTP, 5986 for HTTPS). May trigger security alerts and endpoint detection. AMSI bypass may be needed for some PowerShell scripts. Kerberos authentication requires proper /etc/krb5.conf configuration.
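The caveat that WinRM sessions may trigger security alerts is the defender's side of this tool. As an added example (not part of this page or of the Evil-WinRM project), the Python below parses constructed proxy-style log lines and flags WinRM traffic, identified by the ports (5985/5986) and endpoint (/wsman) named above, that comes from a host outside an assumed management network or carries a user-agent other than the page's stated default. The log format, the management network 10.0.5.0/24 and the sample lines are all assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample proxy/firewall-style lines (not real traffic):
# timestamp src dst:port method path "user-agent"
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z 10.0.5.20 10.0.1.10:5985 POST /wsman "Microsoft WinRM Client"
2024-01-01T10:00:05Z 192.168.77.9 10.0.1.10:5985 POST /wsman "Microsoft WinRM Client"
2024-01-01T10:00:09Z 192.168.77.9 10.0.1.10:5986 POST /wsman "CustomAgent/1.0"
2024-01-01T10:00:12Z 10.0.5.20 10.0.1.10:443 GET /index.html "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) "([^"]*)"$')
WINRM_PORTS = {5985, 5986}                    # HTTP / HTTPS listeners named on the page
WINRM_PATH = "/wsman"                         # default endpoint named on the page
EXPECTED_AGENTS = {"Microsoft WinRM Client"}  # the page's default user-agent
MGMT_NETS = [ip_network("10.0.5.0/24")]       # assumed allowlisted admin network


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, method, path, agent = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "path": path, "agent": agent}


def is_winrm(rec):
    """WinRM traffic: anything on the WinRM ports or aimed at the WS-Man endpoint."""
    return rec["port"] in WINRM_PORTS or rec["path"].startswith(WINRM_PATH)


def flag_sessions(log_text, mgmt_nets=MGMT_NETS, expected_agents=EXPECTED_AGENTS):
    """Return WinRM records that violate the allowlist, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_winrm(rec):
            continue
        reasons = []
        if not any(ip_address(rec["src"]) in net for net in mgmt_nets):
            reasons.append("source outside management network")
        if rec["agent"] not in expected_agents:
            reasons.append("unexpected user-agent")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings
```

Calling flag_sessions(SAMPLE_LOGS) on the constructed lines returns the two requests from 192.168.77.9; the second of those is also flagged for its user-agent, while the HTTPS request on port 443 is ignored.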

HISTORY

Evil-WinRM was created by Hackplayers for the security research community, providing a feature-rich alternative to standard WinRM tools for penetration testing.

SEE ALSO

winrm(1), impacket(1), sshpass(1)
