How to use the command 'evil-winrm' (with examples)
Windows Remote Management (WinRM) is a powerful tool for remotely managing Windows systems. However, it can also be used for malicious purposes such as penetration testing. Evil-winrm is a WinRM shell specifically designed for pentesting, providing a PowerShell prompt on the target host.
Use case 1: Connect to a host
Code:
evil-winrm --ip ip --user user --password password
Motivation: In order to establish a connection with a remote host, you can use the evil-winrm command along with the required parameters like IP address, username, and password.
Explanation:
--ip: Specifies the IP address of the remote host you want to connect to.--user: Specifies the username to authenticate with on the remote host.--password: Specifies the password to authenticate with on the remote host.
Example output:
[*] Opening connection to ip:5985...
[*] Authenticated as user
[*] CMD shell session opened (ip:5985 -> ip:5985)
PS >
Use case 2: Connect to a host, passing the password hash
Code:
evil-winrm --ip ip --user user --hash nt_hash
Motivation: If you have the NT hash of the password, you can bypass the need to provide the actual password. This can be useful if you have obtained the NT hash through other means.
Explanation:
--hash: Specifies the NT hash of the password. The NT hash is a hashed representation of the user’s password.
Example output:
[*] Opening connection to ip:5985...
[*] Authenticated as user
[*] CMD shell session opened (ip:5985 -> ip:5985)
PS >
Use case 3: Connect to a host, specifying directories for scripts and executables
Code:
evil-winrm --ip ip --user user --password password --scripts path/to/scripts --executables path/to/executables
Motivation: By specifying directories for scripts and executables, you can easily access and execute them on the remote host, without having to provide the full path each time.
Explanation:
--scripts: Specifies the directory where your PowerShell scripts are located. This allows you to easily load and execute scripts on the remote host.--executables: Specifies the directory where your binary executables are located. This allows you to easily invoke binaries on the remote host.
Example output:
[*] Opening connection to ip:5985...
[*] Authenticated as user
[*] CMD shell session opened (ip:5985 -> ip:5985)
PS >
Use case 4: Connect to a host, using SSL
Code:
evil-winrm --ip ip --user user --password password --ssl --pub-key path/to/pubkey --priv-key path/to/privkey
Motivation: If you want to establish a secure connection with the remote host, you can use SSL (Secure Sockets Layer). This encrypts the communication between you and the host, providing an additional layer of security.
Explanation:
--ssl: Enables SSL mode for the connection.--pub-key: Specifies the path to the public key file, which is used for encryption.--priv-key: Specifies the path to the private key file, which is used for decryption.
Example output:
[*] Opening SSL connection to ip:5986...
[*] Authenticated as user
[*] CMD shell session opened (ip:5986 -> ip:5986)
PS >
Use case 5: Upload a file to the host
Code:
PS > upload path/to/local/file path/to/remote/file
Motivation: If you need to transfer a file from your local system to the remote host, you can use the upload command within the evil-winrm shell.
Explanation:
upload: This command is used to upload a file from your local system to the remote host.path/to/local/file: Specifies the path to the file on your local system that you want to upload.path/to/remote/file: Specifies the path on the remote host where you want to save the uploaded file.
Example output:
[*] Opening connection to ip:5985...
[*] Authenticated as user
[*] Uploading file 'path/to/local/file' to 'path/to/remote/file'...
[*] File uploaded successfully
Use case 6: Get a list of loaded PowerShell functions
Code:
PS > menu
Motivation: Sometimes, it is useful to see a list of all the currently loaded PowerShell functions on the remote host. The menu command provides this information.
Explanation:
menu: This command lists all the loaded PowerShell functions available for use on the remote host.
Example output:
Name Description
---- -----------
Function1 Description1
Function2 Description2
...
Use case 7: Load a PowerShell script from the --scripts directory
Code:
PS > script.ps1
Motivation: If you have a PowerShell script located in the --scripts directory on the remote host, you can easily load and execute it using this command.
Explanation:
script.ps1: Specifies the name of the PowerShell script you want to load and execute. This assumes that the script exists in the--scriptsdirectory specified during the connection.
Example output:
[*] Opening connection to ip:5985...
[*] Authenticated as user
[*] CMD shell session opened (ip:5985 -> ip:5985)
PS > . C:\path\to\script.ps1
Use case 8: Invoke a binary on the host from the --executables directory
Code:
PS > Invoke-Binary binary.exe
Motivation: If you have a binary executable located in the --executables directory on the remote host, you can invoke it using this command.
Explanation:
Invoke-Binary: This command is used to execute a binary on the remote host.binary.exe: Specifies the name of the binary executable you want to invoke. This assumes that the executable exists in the--executablesdirectory specified during the connection.
Example output:
[*] Opening connection to ip:5985...
[*] Authenticated as user
[*] CMD shell session opened (ip:5985 -> ip:5985)
PS > Invoke-Binary C:\path\to\binary.exe
Conclusion:
The evil-winrm command provides a powerful and convenient way to perform penetration testing using Windows Remote Management. By using the various options and commands available, you can establish connections, upload files, execute scripts and binaries, and perform other actions on the target host. This makes evil-winrm an essential tool for any pentester working on Windows systems.
