Evil-Winrm – The Ultimate WinRM Shell For Hacking/Pentesting

The final WinRM shell for hacking/pentesting.
credentials and permissions to make use of it. So we will be able to say that it might be utilized in a put up-exploitation hacking/pentesting section. The function of this program is to offer great and simple-to-use options for hacking. It can be utilized with official functions through gadget directors as neatly however essentially the most of its options are fascinated with hacking/pentesting stuff.


  • Command History
  • WinRM command crowning glory
  • Local information crowning glory
  • Upload and obtain information
  • List far off gadget services and products
  • FullLanguage Powershell language mode
  • Load Powershell scripts
  • Load in reminiscence dll information bypassing some AVs
  • Load in reminiscence C# (C Sharp) compiled exe information bypassing some AVs
  • Colorization on output messages (can also be disabled optionally)


Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
-i, --ip IP Remote host IP or hostname (required)
-P, --port PORT Remote host port (default 5985)
-u, --user USER Username (required)
-p, --password PASS Password
-s, --scripts PS_SCRIPTS_PATH Powershell scripts trail (required)
-e, --executables EXES_PATH C# executables trail (required)
-U, --url URL Remote url endpoint (default /wsman)
-V, --version Show edition
-h, --help Display this assist message

Ruby 2.3 or upper is wanted. Some ruby gemstones are wanted as neatly: winrm >=2.3.2, winrm-fs >=1.3.2, stringio >=0.0.2 and colorize >=0.8.1.
~$ sudo gem set up winrm winrm-fs colorize stringio

Installation & Quick Start

  • Step 1. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
  • Step 2. Ready. Just release it! ~$ cd evil-winrm && ruby evil-winrm.rb -i -u Administrator -p 'MySuperSecr3tPass123!' -s '/house/foo/ps1_scripts/' -e '/house/foo/exe_files/'

If you do not need to position the password in transparent textual content, you’ll optionally steer clear of to set -p argument and the password can be induced fighting to be proven.
To use IPv6, the cope with will have to be added to /and so forth/hosts.

Alternative set up way as ruby gem

  • Step 1. Install it: gem set up evil-winrm
  • Step 2. Ready. Just release it! ~$ evil-winrm -i -u Administrator -p 'MySuperSecr3tPass123!' -s '/house/foo/ps1_scripts/' -e '/house/foo/exe_files/'


Basic instructions

  • add: native information can also be auto-finished the use of tab key. It isn’t had to put a remote_path if the native record is in the similar listing as evil-winrm.rb record.
    • utilization: add local_path remote_path
  • obtain: it’s not had to set local_path if the far off record is within the present listing.
    • utilization: obtain remote_path local_path
  • services and products: record all services and products. No administrator permissions wanted.
  • menu: load the Invoke-Binary and l04d3r-LoadDll purposes that we will be able to provide an explanation for beneath. When a ps1 is loaded all its purposes can be proven up.

Load powershell scripts

  • To load a ps1 record you simply must sort the title (auto-crowning glory usnig tab allowed). The scripts will have to be within the trail set at -s argument. Type menu once more and notice the loaded purposes.

Advanced instructions

  • Invoke-Binary: permits exes compiled from c# to be finished in reminiscence. The title can also be auto-finished the use of tab key and permits as much as 3 parameters. The executables will have to be within the trail set at -e argument.
  • l04d3r-LoadDll: permits loading dll libraries in reminiscence, it’s identical to: [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll"))
    The dll record can also be hosted through smb, http or in the community. Once it’s loaded sort menu, then it’s imaginable to autocomplete all purposes. 

Extra options

  • To disable colours simply adjust on code this variable $colors_enabled. Set it to false: $colors_enabled = false

Main creator:

  • cybervaca

Collaborators, builders, documenters, testers and supporters:

  • OscarAkaElvis
  • jarilaos
  • vis0r

Hat tip to:

  • Alamot for his authentic code.
  • 3v4Si0N for his superior dll loader.

Disclaimer & License
This script is approved beneath LGPLv3+. Direct hyperlink to License.
Evil-WinRM must be used for licensed penetration trying out and/or nonprofit instructional functions handiest. Any misuse of this device is probably not the accountability of the creator or of every other collaborator. Use it at your individual servers and/or with the server proprietor’s permission.

Download Evil-Winrm

Published by Marshmallow

Marshmallow Android is BT Ireland’s Head of Sales for Republic of Ireland domestic multi-site companies, indigenous MNCs and public sector accounts. He is responsible for the direction and control of all sales activity in the region. He has over 10 years management experience from high growth start-ups to more established businesses. He’s led teams in Ireland, India and China across various industries (ICT, On-Line Recruitment, Corporate Training and International Education).