How to Use the Command 'Evil-WinRM' (with Examples)
Evil-WinRM is a powerful tool designed specifically for penetration testing on Windows environments. It leverages Windows Remote Management (WinRM) to provide an interactive PowerShell shell on the target host. This functionality allows penetration testers and security professionals to execute commands, upload and download files, and perform additional functions on the remote system. Evil-WinRM is typically used during security assessments to test and verify the security posture of Windows hosts by simulating attacks and evaluating vulnerabilities.
Use Case 1: Connect to a Host
Code:
evil-winrm --ip ip --user user --password password
Motivation:
The primary motivation for connecting to a target host via Evil-WinRM is to establish a remote session that facilitates executing commands and scripts on the target machine. This capability is essential during penetration tests for scanning vulnerabilities, checking configurations, and gathering sensitive information, thereby allowing testers to understand the security posture of the system.
Explanation:
--ip ip
: This argument specifies the IP address of the target Windows machine you intend to connect to. It directs the Evil-WinRM tool to a specific host within the network environment.--user user
: This argument provides the username for authenticating the session. The user account should have the necessary permissions for logon via PowerShell.--password password
: The password argument is required to authenticate and authorize access to the host. This is essential for establishing a secure connection.
Example Output:
Upon successful connection, you will receive a PowerShell command prompt from the remote system, indicating you have remote access to execute further commands.
*Evil-WinRM* PS >
Use Case 2: Connect to a Host, Passing the Password Hash
Code:
evil-winrm --ip ip --user user --hash nt_hash
Motivation:
In situations where a plaintext password is unavailable but a password hash is accessible (e.g., from previous penetration activities or compromised systems), Evil-WinRM allows authentication using NTLM hashes. This facilitates access without cracking the password, making the process efficient for ethical hackers.
Explanation:
--ip ip
: Similar to the previous example, this specifies the target host’s IP address.--user user
: Indicates the username for which the hash is being used to authenticate.--hash nt_hash
: Represents the NTLM hash of the password. This hash allows Evil-WinRM to authenticate without needing the plaintext password.
Example Output:
A PowerShell command prompt indicating a successful connection using the password hash will appear.
*Evil-WinRM* PS >
Use Case 3: Connect to a Host, Specifying Directories for Scripts and Executables
Code:
evil-winrm --ip ip --user user --password password --scripts path/to/scripts --executables path/to/executables
Motivation:
Custom scripts and executables can be crucial in security assessments. Providing directories for scripts and executables streamlines executing predefined tools and tasks, enhancing the efficiency and effectiveness of the penetration test.
Explanation:
--ip ip
,--user user
,--password password
: As discussed in previous examples, these are standard parameters for connecting to the host.--scripts path/to/scripts
: This directory argument lets users specify a path where their custom or preferred scripts are stored, enabling convenient execution once connected.--executables path/to/executables
: Allows users to specify a directory containing executables they may wish to run on the target host during their session.
Example Output:
After connection, users can directly call scripts and executables from specified directories within the PowerShell prompt.
*Evil-WinRM* PS > script-example.ps1
Use Case 4: Connect to a Host, Using SSL
Code:
evil-winrm --ip ip --user user --password password --ssl --pub-key path/to/pubkey --priv-key path/to/privkey
Motivation:
Using SSL to connect to a host ensures that the communication between authentication processes and command executions is encrypted, enhancing security by protecting against eavesdropping and other interception attacks. This is particularly important in environments requiring stringent data protection measures.
Explanation:
--ip ip
,--user user
,--password password
: These standard parameters are necessary for initiating a connection.--ssl
: Activates SSL encryption for the session.--pub-key path/to/pubkey
: Specifies the public key used in the SSL handshake for establishing a secure connection.--priv-key path/to/privkey
: Needs to be paired with the public key, serving in the SSL protocol for secure communication.
Example Output:
A secure PowerShell prompt will be available following the successful encryption and handshake process.
*Evil-WinRM* PS >
Use Case 5: Upload a File to the Host
Code:
PS > upload path/to/local/file path/to/remote/file
Motivation:
Uploading files to a host can be a necessary step during penetration testing. Testers might need to upload scripts, tools, or other resources needed for further exploration or testing on the target system.
Explanation:
upload
: The command used within the PowerShell prompt to initiate the file transfer.path/to/local/file
: Specifies the location of the file on the local machine that is to be uploaded.path/to/remote/file
: Indicates the intended file path on the remote host where the file will be stored.
Example Output:
Upon successful execution, a status message confirming the file upload will be displayed.
Info: Uploaded 'file' to 'remote location'.
Use Case 6: List All Loaded PowerShell Functions
Code:
PS > menu
Motivation:
Listing all loaded PowerShell functions helps users to quickly understand and utilize the available commands and scripts within the current session. This can be particularly useful for users navigating complex tasks.
Explanation:
menu
: This command lists the functions accessible in the current Evil-WinRM session.
Example Output:
A list of all available PowerShell functions will populate the session terminal.
Functions available:
- ...
- ...
Use Case 7: Load a PowerShell Script from the --scripts
Directory
Code:
PS > script.ps1
Motivation:
Quickly executing custom scripts tailored for specific conditions or checks during penetration tests can be essential. By loading them from a pre-defined directory, one ensures that the right tools are easily accessible without needing manual uploads.
Explanation:
script.ps1
: The name of the script already present in the designated scripts directory. No path is needed since it was defined during the initial connection.
Example Output:
Running the script results in the script’s intended actions and outputs being executed directly within the session.
Output from script actions...
Use Case 8: Invoke a Binary on the Host from the --executables
Directory
Code:
PS > Invoke-Binary binary.exe
Motivation:
Aimed at facilitating the execution of specific executables needed for penetration testing processes, this function saves time by directly calling binaries stored in pre-set directories, streamlining the workflow significantly.
Explanation:
Invoke-Binary
: This command is used to run executables.binary.exe
: Represents the binary file chosen for execution from the executable directory, as defined in the session startup.
Example Output:
The corresponding executable runs, displaying any resultant outputs within the session terminal.
Execution output...
Conclusion:
Evil-WinRM provides a robust platform for conducting Windows penetration testing by enabling remote PowerShell sessions. Each of the use cases allows ethical hackers and security testers to streamline and automate elements of their testing process, facilitating comprehensive audits of target systems. By thoroughly understanding and applying these commands, security professionals can ensure they are effectively identifying and mitigating Windows vulnerabilities.