LinuxCommandLibrary

evil-winrm

Manage Windows systems remotely via WinRM

TLDR

Connect to a host:
$ evil-winrm --ip [ip] --user [user] --password [password]

Connect to a host, passing the password hash:
$ evil-winrm --ip [ip] --user [user] --hash [nt_hash]

Connect to a host, specifying directories for scripts and executables:
$ evil-winrm --ip [ip] --user [user] --password [password] --scripts [path/to/scripts] --executables [path/to/executables]

Connect to a host using SSL:
$ evil-winrm --ip [ip] --user [user] --password [password] --ssl --pub-key [path/to/pubkey] --priv-key [path/to/privkey]

Upload a file to the host (from within an Evil-WinRM session):
PS > upload [path/to/local/file] [path/to/remote/file]

List all loaded PowerShell functions:
PS > menu

Load a PowerShell script from the --scripts directory:
PS > [script.ps1]

Invoke a binary on the host from the --executables directory:
PS > Invoke-Binary [binary.exe]

SYNOPSIS

evil-winrm -i [ip] -u [user] -p [password] [options]

PARAMETERS

-i
    The IP address of the target Windows system.

-u
    The username to authenticate with.

-p
    The password for the specified username. If not provided, Evil-WinRM will prompt for it.

-s
    Select the shell, powershell or cmd; default: powershell

-e
    Specify the entrypoint for WinRM; default: /wsman

-k
    Specify SSL private key to use with client authentication

-c
    Specify SSL certificate to use with client authentication

-S
    Use SSL

--no-ssl-verify
    Disable SSL certificate verification. This is dangerous and should be used only when testing.

-t
    The WinRM connection timeout in seconds; default: 60

-P
    The WinRM port; default: 5985

--codepage
    Use the specified codepage, given as its NUMBER. List the available codepages with --list-codepages. Default: UTF-8

--list-codepages
    List available codepages

-q
    Force the script not to ask for a password (useful for automation)

-U
    Update Evil-WinRM

-h
    Display help message

DESCRIPTION

Evil-WinRM is a ruby script that acts as the ultimate WinRM shell.

It is designed for attacking Windows systems where WinRM is enabled. It provides a command-line interface similar to Metasploit's Meterpreter or Empire's agents, simplifying post-exploitation tasks like file transfer, process management, and privilege escalation.

Evil-WinRM leverages the Windows Remote Management (WinRM) service to execute commands and transfer files, making it a powerful tool for penetration testers and red teamers. It offers features such as colored output, command history, tab completion, and support for multiple sessions. It uses PowerShell and supports upload and download of files, privilege escalation, and other common post-exploitation tasks. The tool makes use of the Ruby WinRM gem.

Due to its powerful functionality and stealth capabilities, Evil-WinRM should only be used for ethical hacking and penetration testing purposes with proper authorization.
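The WinRM channel described above (WS-Management POSTs to the /wsman entrypoint on port 5985, driven by the Ruby winrm gem) is also what a defender can look for. The following is an added example, not code from this page or from the Evil-WinRM project: it scans constructed proxy-style HTTP log lines for WinRM command traffic and reports which sources reach which hosts. The log format, port 5986 as the TLS listener, and the "Ruby WinRM Client" User-Agent string are assumptions.

```python
import re
from collections import defaultdict, namedtuple

# 5985 is the default port from the parameter list above; 5986 is assumed to be the TLS listener.
WINRM_PORTS = {5985, 5986}
WINRM_PATH = "/wsman"  # default WinRM entrypoint, per the -e parameter above
# Assumption: the Ruby winrm gem that evil-winrm builds on announces itself with this User-Agent.
RUBY_WINRM_UA = "ruby winrm client"

# Constructed log format: <ts> <src> -> <dst>:<port> "<METHOD> <path>" <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

Finding = namedtuple("Finding", "ts src dst port reasons")

def classify(line):
    """Return a Finding when the line looks like WinRM use, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    port = int(m["port"])
    reasons = []
    # Any WS-Man POST to a WinRM listener is a remote command channel worth attributing.
    if m["method"] == "POST" and port in WINRM_PORTS and m["path"].lower().startswith(WINRM_PATH):
        reasons.append("ws-man post")
    # A Ruby WinRM client is unusual in an admin fleet and is a strong hint of evil-winrm.
    if RUBY_WINRM_UA in m["ua"].lower():
        reasons.append("ruby winrm client ua")
    return Finding(m["ts"], m["src"], m["dst"], port, tuple(reasons)) if reasons else None

def scan(lines):
    """All findings, in log order."""
    return [f for f in map(classify, lines) if f is not None]

def fan_out(findings):
    """Source -> set of WinRM targets; one source reaching many hosts suggests lateral movement."""
    targets = defaultdict(set)
    for f in findings:
        targets[f.src].add(f.dst)
    return dict(targets)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2024-05-01T10:00:01Z 10.0.0.5 -> 10.0.0.20:5985 "POST /wsman" 200 "Ruby WinRM Client"',
    '2024-05-01T10:00:02Z 10.0.0.5 -> 10.0.0.21:5985 "POST /wsman" 401 "Ruby WinRM Client"',
    '2024-05-01T10:00:03Z 10.0.0.7 -> 10.0.0.20:5986 "POST /wsman" 200 "Microsoft WinRM Client"',
    '2024-05-01T10:00:04Z 10.0.0.9 -> 10.0.0.30:443 "GET /index.html" 200 "Mozilla/5.0"',
]
```

Run `scan(SAMPLE_LOG)` and `fan_out(...)` on the result; a single source with WinRM findings against several hosts is the pattern to escalate, and a 401 followed by a 200 from the same source is worth correlating with the host's logon events.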

CAVEATS

Requires the WinRM service to be enabled and properly configured on the target Windows system. Authentication failures will occur if the provided credentials are invalid. It should be used responsibly and only with proper authorization.

USAGE EXAMPLES

Connecting to a target:
evil-winrm -i 192.168.1.100 -u administrator -p 'P@$$wOrd'

Using SSL:
evil-winrm -i 192.168.1.100 -u administrator -p 'P@$$wOrd' -S

Using SSL with a custom key and certificate:
evil-winrm -i 192.168.1.100 -u administrator -p 'P@$$wOrd' -S -k client.key -c client.crt

HISTORY

Evil-WinRM was developed as a more efficient and user-friendly alternative to existing WinRM clients. It addresses the limitations of standard WinRM tools by providing a streamlined command-line interface and a range of post-exploitation features. Its development is ongoing with regular updates to improve functionality and address potential security vulnerabilities. It has become a popular tool for penetration testers and red teamers.
