The ultimate WinRM shell for hacking/pentesting.
and permissions to use it. So we can say that it could be used in a hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.
- Command history
- WinRM command completion
- Local file completion
- Upload and download files
- List remote machine services
- FullLanguage PowerShell language mode
- Load PowerShell scripts
- Load dll files in memory, bypassing some AVs
- Load C# (C Sharp) compiled exe files in memory, bypassing some AVs
- Colorization of output messages (can be disabled optionally)
Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
-i, --ip IP Remote host IP or hostname (required)
-P, --port PORT Remote host port (default 5985)
-u, --user USER Username (required)
-p, --password PASS Password
-s, --scripts PS_SCRIPTS_PATH PowerShell scripts path (required)
-e, --executables EXES_PATH C# executables path (required)
-U, --url URL Remote URL endpoint (default /wsman)
-V, --version Show version
-h, --help Display this help message
Ruby 2.3 or higher is needed. Some Ruby gems are needed as well (stringio >=0.0.2 among them); install them with:
~$ sudo gem install winrm winrm-fs colorize stringio
Installation & Quick Start
- Step 1. Clone the repo:
git clone https://github.com/Hackplayers/evil-winrm.git
- Step 2. Ready. Just launch it!
~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
If you do not want to put the password in clear text, you can omit the -p argument and the password will be prompted for without being echoed (it also stays out of your shell history and the process list).
To use IPv6, the address must be added to /etc/hosts.
Alternative installation method as a Ruby gem
- Step 1. Install it:
gem install evil-winrm
- Step 2. Ready. Just launch it!
~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
- upload: local files can be auto-completed using the tab key. It is not necessary to give a remote_path if the local file is in the same directory as the evil-winrm.rb file.
upload local_path remote_path
- download: it is not necessary to set local_path if the remote file is in the current directory.
download remote_path local_path
- services: list all services. No administrator permissions needed.
- menu: load the Invoke-Binary and l04d3r-LoadDll functions that we explain below. When a ps1 is loaded, all its functions will be shown.
- To load a ps1 file you just have to type its name (auto-completion using tab allowed). The scripts must be in the path set with the -s argument. Type menu again to see the loaded functions.
- Invoke-Binary: allows exes compiled from C# to be executed in memory. The name can be auto-completed using the tab key and up to 3 parameters are allowed. The executables must be in the path set with the -e argument.
- l04d3r-LoadDll: allows loading dll libraries in memory, it is equivalent to:
The dll file can be hosted via smb, http or locally. Once it is loaded, type menu; then it is possible to autocomplete all functions.
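The two in-memory loaders above share one idea: the assembly bytes are shipped inside the PowerShell command itself (base64-encoded) and handed to Reflection.Assembly::Load on the remote side, so the file never touches the target's disk. The Ruby below is an added illustration of that technique, not Evil-WinRM's own code: it builds the WinRM endpoint from -i/-P/-U style options (it additionally brackets IPv6 literals, which the README handles via /etc/hosts instead) and generates the PowerShell that loads an exe and calls its entry point with up to three parameters, as Invoke-Binary is documented to do. The sample bytes are constructed and are not a real PE; the generated command assumes a remote PowerShell with .NET available.

```ruby
# Added example, not part of Evil-WinRM. Shows how a WinRM shell can push an
# assembly into a remote PowerShell session and load it reflectively, i.e.
# the idea behind Invoke-Binary / l04d3r-LoadDll. Stdlib only.

# Build the HTTP WinRM endpoint URL from -i / -P / -U style options.
# Assumption (beyond the README): a bare IPv6 literal is wrapped in [] so
# the URL stays parseable; the README route is to add the host to /etc/hosts.
def winrm_endpoint(host, port: 5985, url: '/wsman')
  host = "[#{host}]" if host.include?(':') && !host.start_with?('[')
  path = url.start_with?('/') ? url : "/#{url}"
  "http://#{host}:#{port}#{path}"
end

# Quote a value as a PowerShell single-quoted literal. Inside single quotes
# only the quote itself is special and it is escaped by doubling it, so an
# operator-supplied argument cannot break out into the command.
def ps_quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# PowerShell that materialises raw assembly bytes from base64 and loads them
# with Reflection.Assembly::Load; nothing is written to the remote disk.
def reflective_load(bytes)
  b64 = [bytes].pack('m0') # strict base64, no line breaks
  "[Reflection.Assembly]::Load([Convert]::FromBase64String(#{ps_quote(b64)}))"
end

# Equivalent of the documented Invoke-Binary behaviour: load the exe in
# memory and invoke its entry point with up to three string parameters.
# Main(string[]) takes a single string[] argument, so the parameters are
# wrapped in one [string[]] element of the [object[]] passed to Invoke.
def invoke_binary(exe_bytes, *args)
  raise ArgumentError, 'Invoke-Binary allows at most 3 parameters' if args.size > 3
  argv = args.map { |a| ps_quote(a) }.join(',')
  "$a=#{reflective_load(exe_bytes)};" \
    "$a.EntryPoint.Invoke($null,(,[string[]]@(#{argv})))"
end

# Recover the assembly bytes embedded in a generated command (what the
# remote side decodes); handy for checking that the payload round-trips.
def embedded_bytes(command)
  b64 = command[/FromBase64String\('([^']*)'\)/, 1]
  b64 && b64.unpack1('m0')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bytes: an MZ header followed by filler, not a real PE.
  sample = "MZ\x90\x00constructed sample, not a real executable".b
  puts winrm_endpoint('192.168.1.100')
  puts invoke_binary(sample, 'arg1', "it's quoted")
end
```

The entry-point call is only a string here; whether it runs depends on the remote session, and a `FullLanguage` mode (listed in the features) is what makes such reflection calls possible at all.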
- To disable colors, just modify this variable in the code, $colors_enabled, and set it to false:
$colors_enabled = false
Collaborators, developers, documenters, testers and supporters:
Hat tip to:
- for his original code.
- for his awesome dll loader.
Disclaimer & License
This script is licensed under LGPLv3+. Direct link to .
Evil-WinRM should be used for authorized and/or non-profit educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own servers and/or with the server owner's permission.