evil-winrm: Windows Remote Management (WinRM) shell for pentesting

evil-winrm is a tool used for penetration testing and security assessments on Windows systems. It provides a Windows Remote Management (WinRM) shell, which allows remote administration and control of Windows hosts. When successfully connected, evil-winrm grants the user a PowerShell prompt on the target host, enabling them to execute commands and perform various actions.

Here are some key points about evil-winrm:

  • WinRM shell: WinRM is a Windows service that allows remote management and administration of Windows machines. evil-winrm leverages WinRM to establish a secure remote connection to the target host.
  • Penetration testing: evil-winrm is primarily designed for penetration testing purposes, specifically in scenarios where the tester has valid credentials or has gained unauthorized access to a Windows system. It provides a shell interface that allows testers to explore and assess the security of the target system.
  • PowerShell prompt: Upon successful connection, evil-winrm provides a PowerShell prompt on the target host. PowerShell is a powerful scripting and command-line environment for Windows systems, offering extensive capabilities for executing commands, scripting, and interacting with the operating system.
  • Command execution: With the PowerShell prompt, users can execute commands and PowerShell scripts on the target host. This allows for various activities such as reconnaissance, privilege escalation, lateral movement, and data exfiltration, depending on the goals of the penetration testing engagement.
  • Remote administration: evil-winrm facilitates remote administration of Windows systems by providing a convenient and secure channel for managing remote hosts. It allows administrators or security professionals to perform tasks such as configuration changes, software installations, and system monitoring without needing direct physical access to the machines.
  • Security assessments: evil-winrm is commonly used during security assessments to evaluate the security posture of Windows systems. By gaining a PowerShell prompt through evil-winrm, testers can analyze system configurations, identify vulnerabilities, and assess the effectiveness of security controls on the target host.
  • Caution and responsible usage: It is essential to note that evil-winrm should only be used in authorized and ethical security testing engagements. Unauthorized or malicious use can have severe consequences and violate legal and ethical boundaries. It is crucial to obtain proper permissions and adhere to legal and ethical guidelines before using evil-winrm or any other penetration testing tool.

evil-winrm Command Examples

1. Connect to a host:

# evil-winrm --ip ip --user user --password password

2. Connect to a host, passing the password hash:

# evil-winrm --ip ip --user user --hash nt_hash

3. Connect to a host, specifying directories for scripts and executables:

# evil-winrm --ip ip --user user --password password --scripts /path/to/scripts --executables /path/to/executables

4. Connect to a host, using SSL:

# evil-winrm --ip ip --user user --password password --ssl --pub-key /path/to/pubkey --priv-key /path/to/privkey

5. Upload a file to the host:

PS > upload /path/to/local/file /path/to/remote/file

6. Get a list of loaded PowerShell functions:

PS > menu

7. Load a PowerShell script from the –scripts directory:

PS > script.ps1

8. Invoke a binary on the host from the –executables directory:

PS > Invoke-Binary binary.exe

Summary

In summary, evil-winrm provides a convenient WinRM shell with a PowerShell prompt for penetration testers to perform security assessments on Windows systems. It allows remote administration, command execution, and exploration of the target host to identify potential vulnerabilities and assess the overall security posture of the Windows environment.

Related Post