How to use the command 'evil-winrm' (with examples)

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol and the standard way to administer Windows hosts remotely; it listens on TCP 5985 (HTTP) and 5986 (HTTPS). Because it hands any authorised user a PowerShell session on the host, it is also one of the most common lateral-movement paths once credentials or hashes have been obtained. Evil-winrm is a Ruby WinRM client written for penetration testing: it opens an interactive PowerShell prompt on the target and adds helpers for file transfer and for loading scripts and .NET assemblies straight from the attacker's machine. Whatever account you use must be allowed to use WinRM on the target, which by default means a local Administrator or a member of the Remote Management Users group.

Use case 1: Connect to a host

Code:

evil-winrm --ip ip --user user --password password

Motivation: This is the basic login. evil-winrm connects to the WinRM endpoint (HTTP on TCP 5985 unless --port says otherwise), authenticates with Negotiate (NTLM) using the supplied credentials and drops you into an interactive PowerShell prompt running as that user, with the working directory set to the user's Documents folder. The account must be a local Administrator or a member of Remote Management Users on the target; otherwise WinRM refuses the session even though the credentials are correct. Quote the password so the shell does not interpret characters such as ! or $, and remember that anything passed on the command line ends up in shell history and in the process list.

Explanation:

  • --ip (-i): IP address or hostname of the remote host.
  • --user (-u): username to authenticate as; for a domain account use the domain\user form.
  • --password (-p): password for that account.
  • --port (-P): WinRM port when it is not the default 5985 (5986 for HTTPS).

Example output:

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\user\Documents>

Use case 2: Connect to a host, passing the password hash

Code:

evil-winrm --ip ip --user user --hash nt_hash

Motivation: WinRM's default Negotiate authentication uses NTLM, and an NTLM exchange only proves knowledge of the NT hash, never of the cleartext password. If you already hold a user's NT hash (dumped from the SAM, from LSASS or from NTDS.dit) you can therefore pass it directly without cracking it; this is the classic pass-the-hash technique. It works against local accounts and against domain accounts on any host that still accepts NTLM. It does not help where NTLM is disabled and Kerberos is enforced; for that case evil-winrm's --realm option authenticates with a Kerberos ticket instead.

Explanation:

  • --hash (-H): the NT hash as 32 hexadecimal characters. Hash dumps usually print LMHASH:NTHASH on one line; pass only the NT half, the LM hash is not used.

Example output:

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\user\Documents>
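The script below is an added example and is not part of evil-winrm or of the original page. It performs the checks a practitioner wants before launching use case 1 or 2: it accepts an NT hash either bare or in the LMHASH:NTHASH form that hash-dumping tools print, rejects anything that is not 32 hex characters, rejects a malformed IPv4 address, and prints the resulting evil-winrm command line using only the documented flags. The IP, account name, password and hash (the well-known NT hash of the string "password", paired with the empty-LM value) are constructed sample values; probe_winrm is an optional liveness check that needs network access and is defined but not called.

```shell
#!/usr/bin/env bash
# Added example, not evil-winrm's own code: validate the target address
# and credential material, then print the evil-winrm command line.
# Only documented evil-winrm flags are used: --ip, --user, --password,
# --hash, --port.
set -euo pipefail

# Normalise an NT hash. Accepts the bare 32-hex NT hash or the
# "LMHASH:NTHASH" line that secretsdump/mimikatz-style dumps print, and
# prints the bare lowercase NT hash. Fails on anything else, so a typo
# or a pasted LM-only value is caught before evil-winrm sends it.
normalize_nt_hash() {
    local h="${1##*:}"                      # part after the last ':'
    h="$(printf '%s' "$h" | tr 'A-F' 'a-f')"
    case "$h" in
        ''|*[!0-9a-f]*) return 1 ;;         # empty or non-hex characters
    esac
    [ "${#h}" -eq 32 ] || return 1          # NT hash is 16 bytes = 32 hex
    printf '%s' "$h"
}

# Reject malformed IPv4 addresses (four decimal octets, each 0-255).
valid_ipv4() {
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    local octet
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the evil-winrm command for a password or pass-the-hash login.
# Usage: build_cmd IP USER password PASS [PORT]
#        build_cmd IP USER hash NTHASH  [PORT]
build_cmd() {
    local ip="$1" user="$2" mode="$3" secret="$4" port="${5:-5985}"
    valid_ipv4 "$ip" || { echo "refusing malformed IP: $ip" >&2; return 1; }
    case "$mode" in
        password)
            printf 'evil-winrm --ip %s --user %s --password %s --port %s\n' \
                "$ip" "$user" "$secret" "$port" ;;
        hash)
            local nt
            nt="$(normalize_nt_hash "$secret")" \
                || { echo "not a 32-hex NT hash: $secret" >&2; return 1; }
            printf 'evil-winrm --ip %s --user %s --hash %s --port %s\n' \
                "$ip" "$user" "$nt" "$port" ;;
        *)
            echo "mode must be 'password' or 'hash'" >&2; return 1 ;;
    esac
}

# Optional liveness probe (needs network, so not called below): a WinRM
# listener answers an unauthenticated request to /wsman with HTTP 401;
# "000" means the port did not answer at all.
probe_winrm() {
    local ip="$1" port="${2:-5985}" scheme="${3:-http}"
    curl -sk -o /dev/null -w '%{http_code}' --max-time 5 "$scheme://$ip:$port/wsman" || true
}

# Constructed sample input: a private IP, a local admin account and the
# LM:NT pair for the password "password" (LM half is the empty-LM value).
SAMPLE_DUMP='aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c'
build_cmd 10.10.10.5 Administrator hash "$SAMPLE_DUMP"
build_cmd 10.10.10.5 Administrator password 'Summer2024!' 5986
```

The printed command is meant to be reviewed, not blindly eval'd: the password is still on the command line, so on a shared jump host prefer a password prompt or an environment variable, and keep the NT hash out of your shell history for the same reason.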

Use case 3: Connect to a host, specifying directories for scripts and executables

Code:

evil-winrm --ip ip --user user --password password --scripts path/to/scripts --executables path/to/executables

Motivation: Both directories live on your own machine, not on the target. evil-winrm indexes them so that the prompt can tab-complete script and executable names and send their contents over the WinRM session that is already open: PowerShell scripts are loaded into the remote session's memory, and .NET executables are loaded reflectively by Invoke-Binary, so nothing has to be uploaded to the target's disk first. Your tooling stays in one place and you do not have to copy it over before every step.

Explanation:

  • --scripts (-s): local directory holding .ps1 files; any of them can then be loaded by name from the prompt.
  • --executables (-e): local directory holding .NET assemblies (.exe) for Invoke-Binary. Native, non-.NET binaries cannot be run this way; they have to be uploaded and executed normally.

Example output:

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\user\Documents>

Use case 4: Connect to a host, using SSL

Code:

evil-winrm --ip ip --user user --password password --ssl --pub-key path/to/pubkey --priv-key path/to/privkey

Motivation: --ssl switches the connection to the HTTPS listener on TCP 5986, so the authentication exchange and every command and response travel inside TLS instead of relying on WinRM's own message-level encryption over plain HTTP. The two key options are not encryption keys: they select certificate authentication, in which the target maps a client certificate to a local account and no password is sent at all. That only works if the target has certificate authentication enabled and a mapping for your certificate; if all you want is TLS with a normal password, use --ssl on its own. Note that evil-winrm does not verify the server's certificate (WinRM listeners are usually self-signed), so --ssl protects against passive capture but not against an attacker in the path presenting a certificate of their own.

Explanation:

  • --ssl (-S): connect over HTTPS (port 5986 unless --port overrides it).
  • --pub-key (-c): path to the client certificate in PEM form. For WinRM to accept it, its subjectAltName must carry the account's UPN and the target must trust the certificate (or its issuer) and map it to an account.
  • --priv-key (-k): path to the private key that belongs to that certificate.

Example output:

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\user\Documents>
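The script below is an added example, not code from evil-winrm or from the original page, showing what --pub-key and --priv-key actually need. It generates a self-signed client certificate whose subjectAltName carries the account's UPN as an msUPN otherName (OID 1.3.6.1.4.1.311.20.2.3), which is how WinRM finds the account, prints the certificate's thumbprint in the form Windows expects, and prints the one-time PowerShell commands to run on the target to trust the certificate, enable certificate authentication and map the UPN to an account. The UPN user@localhost (a local account), the output directory, the C:\Temp path and the fact that an HTTPS listener already exists on the target are assumptions; so is passing --user without --password once the certificate is mapped.

```shell
#!/usr/bin/env bash
# Added example, not evil-winrm's own code: create a client certificate
# that WinRM certificate authentication will accept, print its thumbprint,
# and print the target-side mapping commands. Assumptions: a local account
# (UPN form user@localhost), a self-signed cert acting as its own issuer,
# and an HTTPS listener already present on the target (port 5986).
set -euo pipefail

# WinRM looks up the account by the UPN stored in the certificate's
# subjectAltName as an otherName of type msUPN; a CN alone is not enough.
MSUPN_OID='1.3.6.1.4.1.311.20.2.3'

# Generate key.pem / cert.pem (for --priv-key / --pub-key) and cert.cer
# (DER copy for importing on the Windows side) into OUTDIR.
make_client_cert() {
    local upn="$1" outdir="$2"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=${upn%%@*}" \
        -addext "subjectAltName=otherName:${MSUPN_OID};UTF8:${upn}" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem"
    openssl x509 -in "$outdir/cert.pem" -outform DER -out "$outdir/cert.cer"
}

# SHA-1 thumbprint in the colon-free form Windows expects.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# PowerShell to run once, elevated, on the target: trust the (self-signed)
# issuer, turn on certificate auth, and map the UPN to a local account.
print_target_setup() {
    local upn="$1" thumb="$2"
    cat <<EOF
# --- elevated PowerShell on the target (constructed paths) ---
Import-Certificate -FilePath C:\\Temp\\cert.cer -CertStoreLocation Cert:\\LocalMachine\\Root
Set-Item -Path WSMan:\\localhost\\Service\\Auth\\Certificate -Value true
New-Item -Path WSMan:\\localhost\\ClientCertificate -Subject ${upn} -URI * -Issuer ${thumb} -Force -Credential (Get-Credential)
EOF
}

# The attacker-side command. --user is kept as on this page; the mapped
# certificate stands in for the password (assumption about the tool's
# behaviour with -c/-k), so none is passed on the command line.
print_client_command() {
    local ip="$1" user="$2" outdir="$3"
    printf 'evil-winrm --ip %s --user %s --ssl --pub-key %s/cert.pem --priv-key %s/key.pem\n' \
        "$ip" "$user" "$outdir" "$outdir"
}

main() {   # usage: ./winrm-cert.sh user@localhost 10.10.10.5 [./winrm-cert]
    local upn="$1" ip="$2" outdir="${3:-./winrm-cert}"
    make_client_cert "$upn" "$outdir"
    local thumb
    thumb="$(cert_thumbprint "$outdir/cert.pem")"
    echo "Client certificate thumbprint: $thumb"
    print_target_setup "$upn" "$thumb"
    print_client_command "$ip" "${upn%%@*}" "$outdir"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as ./winrm-cert.sh user@localhost 10.10.10.5. The Get-Credential prompt in the mapping command asks for the local account's password once, on the target; after that the certificate alone authenticates, which is exactly why a lost key.pem should be treated like a lost password.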

Use case 5: Upload a file to the host

Code:

PS > upload path/to/local/file path/to/remote/file

Motivation: upload copies a file from your machine to the target through the WinRM session that is already open, so it works even when the target cannot reach you over SMB or HTTP. The content travels base64-encoded in chunks inside WinRM messages, which is slow for large files and leaves a partial file behind if the session drops, so check the size or hash of anything large after the transfer. download does the reverse (download path/to/remote/file path/to/local/file).

Explanation:

  • upload: transfer a file from your local system to the remote host over the current session.
  • path/to/local/file: the file on your machine.
  • path/to/remote/file: where to write it on the target. A relative path is resolved against the prompt's current directory (initially the user's Documents folder); use an absolute path such as C:\Windows\Temp\file to be explicit.

Example output:

*Evil-WinRM* PS C:\Users\user\Documents> upload path/to/local/file path/to/remote/file
Info: Uploading path/to/local/file to path/to/remote/file

Info: Upload successful!
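The script below is an added example, not part of evil-winrm or of the original page. It produces the check a practitioner wants after an upload: it hashes the local file first and prints the two lines to type at the Evil-WinRM prompt, the upload itself and a Get-FileHash comparison on the target that prints True only when the remote copy has the same length and SHA-256 as the original. The sample file and the remote path C:\Windows\Temp\payload.txt are constructed.

```shell
#!/usr/bin/env bash
# Added example, not evil-winrm's own code: hash a file before `upload`
# and produce the in-session PowerShell check that confirms the copy on
# the target is byte-identical. Paths below are constructed samples.
set -euo pipefail

# SHA-256 of a local file as lowercase hex, with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Get-FileHash prints uppercase hex; compare case-insensitively so a
# hash pasted back from the target matches the local one.
hashes_match() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Print the two lines to type at the Evil-WinRM prompt: the upload, then
# a length and SHA-256 comparison that prints True only if every byte
# arrived (PowerShell's -eq on strings is case-insensitive).
upload_plan() {
    local local_file="$1" remote_path="$2" expect size
    expect="$(sha256_of "$local_file")"
    size="$(wc -c < "$local_file" | tr -d ' ')"
    printf 'upload %s %s\n' "$local_file" "$remote_path"
    printf "(Get-Item '%s').Length -eq %s -and (Get-FileHash -Algorithm SHA256 '%s').Hash -eq '%s'\n" \
        "$remote_path" "$size" "$remote_path" "$expect"
}

# Constructed sample: a six-byte file whose SHA-256 is known.
SAMPLE="$(mktemp)"
printf 'hello\n' > "$SAMPLE"
upload_plan "$SAMPLE" 'C:\Windows\Temp\payload.txt'
rm -f "$SAMPLE"
```

If the check prints False, delete the remote file and upload again rather than running it; a truncated .exe or .ps1 fails in confusing ways, and the partial file is still an artefact on the target.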

Use case 6: Get a list of loaded PowerShell functions

Code:

PS > menu

Motivation: menu shows what evil-winrm has added on top of plain PowerShell: its own helper commands (upload, download, services, Invoke-Binary, Dll-Loader, Donut-Loader, Bypass-4MSI) plus the functions defined by any script you have loaded from the --scripts directory. Run it after loading a script to confirm the load worked and to see which functions became available.

Explanation:

  • menu: list the evil-winrm helper commands and every function currently loaded into the session.

Example output (banner omitted):

*Evil-WinRM* PS C:\Users\user\Documents> menu

[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

Use case 7: Load a PowerShell script from the --scripts directory

Code:

PS > script.ps1

Motivation: The script is not on the target; it sits in the local --scripts directory given at connection time. Typing its file name at the prompt (tab completion works) makes evil-winrm read it locally and load it into the remote session, so its functions become available without the .ps1 ever being written to the target's disk. The script still executes inside the remote PowerShell, though, so AMSI and script block logging on the target see its contents; that is what Bypass-4MSI from the menu is for, and why an unpatched AMSI will block well-known offensive scripts.

Explanation:

  • script.ps1: the file name (without a path) of a script inside the --scripts directory. Once loaded, the functions it defines appear in menu and can be called directly from the prompt.

Example output:

*Evil-WinRM* PS C:\Users\user\Documents> script.ps1
*Evil-WinRM* PS C:\Users\user\Documents> menu
...
(the script's functions are listed after the built-in helpers)

Use case 8: Invoke a binary on the host from the --executables directory

Code:

PS > Invoke-Binary binary.exe

Motivation: Invoke-Binary takes a .NET assembly from the local --executables directory (tab completion works) or from any local path, sends its bytes over the session and runs it inside the memory of the remote PowerShell process through reflective assembly loading, so the .exe never touches the target's disk. It is meant for C# tooling compiled as a .NET executable; native binaries will not load, and a .NET assembly that expects a console may still behave differently under WinRM. Arguments follow the file name as a single quoted, comma-separated string.

Explanation:

  • Invoke-Binary: load and run a .NET assembly from memory on the remote host.
  • binary.exe: the name of an assembly inside the --executables directory, or a full local path to one.

Example output:

*Evil-WinRM* PS C:\Users\user\Documents> Invoke-Binary binary.exe 'arg1, arg2'
(the assembly's own output follows here)

Conclusion:

The evil-winrm command provides a powerful and convenient way to perform penetration testing using Windows Remote Management. By using the various options and commands available, you can establish connections, upload files, execute scripts and binaries, and perform other actions on the target host. This makes evil-winrm an essential tool for any pentester working on Windows systems.
