Evil-Winrm – The Ultimate WinRM Shell For Hacking/Pentesting

The final WinRM shell for hacking/pentesting.

   ___ __ __  ____  _                  
/ _] | || || |
/ [_| | | | | | |
| _] | | | | | |___
| [_| : | | | | |
| | / | | | |
|_____| _/ |____||_____|

__ __ ____ ____ ____ ___ ___
| |__| || || | | | |
| | | | | | | _ || D )| _ _ |
| | | | | | | | || / | _/ |
| ` ' | | | | | || | | |
/ | | | | || . | | |
_/_/ |____||__|__||__|_||___|___|

By: [email protected]

Description & Purpose
This shell is without equal WinRM shell for hacking/pentesting.
WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. An ordinary SOAP based totally protocol that permits and working methods from other distributors to interoperate. Microsoft incorporated it of their Operating Systems to be able to make existence more uncomplicated to gadget adminsitrators.
This program can be utilized on any Microsoft Windows Servers with this option enabled (most often at port 5985), in fact handiest when you have credentials and permissions to make use of it. So we will be able to say that it might be utilized in a put up-exploitation hacking/pentesting section. The function of this program is to offer great and simple-to-use options for hacking. It can be utilized with official functions through gadget directors as neatly however essentially the most of its options are fascinated with hacking/pentesting stuff.


  • Command History
  • WinRM command crowning glory
  • Local information crowning glory
  • Upload and obtain information
  • List far off gadget services and products
  • FullLanguage Powershell language mode
  • Load Powershell scripts
  • Load in reminiscence dll information bypassing some AVs
  • Load in reminiscence C# (C Sharp) compiled exe information bypassing some AVs
  • Colorization on output messages (can also be disabled optionally)


Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
-i, --ip IP Remote host IP or hostname (required)
-P, --port PORT Remote host port (default 5985)
-u, --user USER Username (required)
-p, --password PASS Password
-s, --scripts PS_SCRIPTS_PATH Powershell scripts trail (required)
-e, --executables EXES_PATH C# executables trail (required)
-U, --url URL Remote url endpoint (default /wsman)
-V, --version Show edition
-h, --help Display this assist message

Ruby 2.3 or upper is wanted. Some ruby gemstones are wanted as neatly: winrm >=2.3.2, winrm-fs >=1.3.2, stringio >=0.0.2 and colorize >=0.8.1.
~$ sudo gem set up winrm winrm-fs colorize stringio

Installation & Quick Start

  • Step 1. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
  • Step 2. Ready. Just release it! ~$ cd evil-winrm && ruby evil-winrm.rb -i -u Administrator -p 'MySuperSecr3tPass123!' -s '/house/foo/ps1_scripts/' -e '/house/foo/exe_files/'

If you do not need to position the password in transparent textual content, you’ll optionally steer clear of to set -p argument and the password can be induced fighting to be proven.
To use IPv6, the cope with will have to be added to /and so forth/hosts.

Alternative set up way as ruby gem

  • Step 1. Install it: gem set up evil-winrm
  • Step 2. Ready. Just release it! ~$ evil-winrm -i -u Administrator -p 'MySuperSecr3tPass123!' -s '/house/foo/ps1_scripts/' -e '/house/foo/exe_files/'


Basic instructions

  • add: native information can also be auto-finished the use of tab key. It isn’t had to put a remote_path if the native record is in the similar listing as evil-winrm.rb record.
    • utilization: add local_path remote_path
  • obtain: it’s not had to set local_path if the far off record is within the present listing.
    • utilization: obtain remote_path local_path
  • services and products: record all services and products. No administrator permissions wanted.
  • menu: load the Invoke-Binary and l04d3r-LoadDll purposes that we will be able to provide an explanation for beneath. When a ps1 is loaded all its purposes can be proven up.

Load powershell scripts

  • To load a ps1 record you simply must sort the title (auto-crowning glory usnig tab allowed). The scripts will have to be within the trail set at -s argument. Type menu once more and notice the loaded purposes.

Advanced instructions

  • Invoke-Binary: permits exes compiled from c# to be finished in reminiscence. The title can also be auto-finished the use of tab key and permits as much as 3 parameters. The executables will have to be within the trail set at -e argument.
  • l04d3r-LoadDll: permits loading dll libraries in reminiscence, it’s identical to: [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll"))
    The dll record can also be hosted through smb, http or in the community. Once it’s loaded sort menu, then it’s imaginable to autocomplete all purposes. 

Extra options

  • To disable colours simply adjust on code this variable $colors_enabled. Set it to false: $colors_enabled = false

Main creator:

Collaborators, builders, documenters, testers and supporters:

Hat tip to:

  • Alamot for his authentic code.
  • 3v4Si0N for his superior dll loader.

Disclaimer & License
This script is approved beneath LGPLv3+. Direct hyperlink to License.
Evil-WinRM must be used for licensed penetration trying out and/or nonprofit instructional functions handiest. Any misuse of this device is probably not the accountability of the creator or of every other collaborator. Use it at your individual servers and/or with the server proprietor’s permission.