Evil-WinRM Exploitation Guide
Posted in: Penetration Testing Tools

Evil-WinRM: Full Exploitation Guide

Features

  • Compatible with Linux and Windows client systems
  • Load in memory Powershell scripts
  • Load in memory dll files bypassing some AVs
  • Load in memory C# (C Sharp) assemblies bypassing some AVs
  • Load x64 payloads generated with an excellent donut technique
  • Dynamic AMSI Bypass to avoid AV signatures
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files showing a progress bar
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files/directories completion
  • Remote path (files/directories) completion (can be disabled optionally)
  • Colorization on prompt and output messages (can be disabled optionally)
  • Optional logging feature
  • Docker support (prebuilt images available at Dockerhub)
  • Trap capturing to avoid accidental shell exit on Ctrl+C

How to Install Evil-WinRM

sudo gem install winrm winrm-fs stringio logger fileutils
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
ruby evil-winrm.rb -h

Evil-WinRM Command Arguments

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] 
[-e EXES_PATH] [-P PORT] 
[-p PASS] [-H HASH] [-U URL] [-S] 
[-c PUBLIC_KEY_PATH ] 
[-k PRIVATE_KEY_PATH ] [-r REALM] 
[--spn SPN_PREFIX] [-l]
    -S, --ssl                        Enable ssl
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required if not using kerberos)
    -p, --password PASS              Password
    -H, --hash HASH                  NTHash
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -n, --no-colors                  Disable colors
    -N, --no-rpath-completion        Disable remote path completion
    -l, --log                        Log the WinRM session
    -h, --help                       Display this help message

Leave a Reply

Back to Top