By: [email protected]
Description & Purpose
This shell is the ultimate WinRM shell for hacking/pentesting.
WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their operating systems in order to make life easier for system administrators.
This program can be used on any Microsoft Windows Server with this feature enabled (usually on port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting stuff.
- Command History
- WinRM command completion
- Local file completion
- Upload and download files
- List remote machine services
- FullLanguage Powershell language mode
- Load Powershell scripts
- Load in memory dll files bypassing some AVs
- Load in memory C# (C Sharp) compiled exe files bypassing some AVs
- Colorization on output messages (can be disabled optionally)
Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
    -i, --ip IP                      Remote host IP or hostname (required)
    -P, --port PORT                  Remote host port (default 5985)
    -u, --user USER                  Username (required)
    -p, --password PASS              Password
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts path (required)
    -e, --executables EXES_PATH      C# executables path (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -V, --version                    Show version
    -h, --help                       Display this help message
Ruby 2.3 or higher is needed. Some ruby gems are needed as well (winrm, winrm-fs, colorize and stringio >=0.0.2):
~$ sudo gem install winrm winrm-fs colorize stringio
Installation & Quick Start
- Step 1. Clone the repo:
git clone https://github.com/Hackplayers/evil-winrm.git
- Step 2. Ready. Just launch it!
~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
If you do not want to put the password in clear text, you can optionally skip the -p argument and the password will be prompted for, preventing it from being shown.
To use IPv6, the address must be added to /etc/hosts.
Alternative installation method as a ruby gem
- Step 1. Install it:
gem install evil-winrm
- Step 2. Ready. Just launch it!
~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
- upload: local files can be auto-completed using the tab key. It is not needed to put a remote_path if the local file is in the same directory as the evil-winrm.rb file.
upload local_path remote_path
- download: it is not needed to set local_path if the remote file is in the current directory.
download remote_path local_path
- services: list all services. No administrator permissions needed.
- menu: load the loader functions (l04d3r-LoadDll among them) that we will explain below. When a ps1 is loaded, all its functions will be shown.
Load powershell scripts
- To load a ps1 file you just have to type its name (auto-completion using tab allowed). The scripts must be in the path set by the -s argument. Type menu again and see the loaded functions.
- Invoke-Binary: allows exes compiled from C# to be executed in memory. The name can be auto-completed using the tab key and allows up to 3 parameters. The executables must be in the path set by the -e argument.
- l04d3r-LoadDll: allows loading dll libraries in memory; it is equivalent to:
The dll file can be hosted over smb, http or locally. Once it is loaded, type menu, then it is possible to autocomplete all functions.
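As an added defender-side example (not code from the Evil-WinRM project), the following Python shows how the activity these commands produce shows up in Windows telemetry: a remote WSMan shell being created (Microsoft-Windows-WinRM/Operational event 91) and a reflective assembly load recorded by PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104). The event records and the allow list of management hosts are constructed for the example; the source address field assumes correlation with the Security 4624 network logon.

```python
import re

# Constructed, simplified event records standing in for Windows event log
# entries (not real exported logs). Two sources are modelled:
#  - Microsoft-Windows-WinRM/Operational, Event ID 91: a WSMan shell was
#    created on the server, i.e. a remote WinRM session was opened.
#  - Microsoft-Windows-PowerShell/Operational, Event ID 4104: script block
#    logging text, which records commands run inside that session.
# In real telemetry the client address comes from the matching Security
# event 4624 (network logon, type 3); here it is folded into each record.
SAMPLE_EVENTS = [
    {"log": "Microsoft-Windows-WinRM/Operational", "id": 91,
     "source_ip": "10.0.0.5", "user": "CORP\\svc-backup",
     "text": "Creating WSMan shell on server with ResourceUri: "
             "http://schemas.microsoft.com/powershell/Microsoft.PowerShell"},
    {"log": "Microsoft-Windows-WinRM/Operational", "id": 91,
     "source_ip": "192.168.1.50", "user": "CORP\\Administrator",
     "text": "Creating WSMan shell on server with ResourceUri: "
             "http://schemas.microsoft.com/powershell/Microsoft.PowerShell"},
    {"log": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "source_ip": "10.0.0.5", "user": "CORP\\svc-backup",
     "text": "Get-Service | Where-Object Status -eq Running"},
    {"log": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "source_ip": "192.168.1.50", "user": "CORP\\Administrator",
     "text": "[System.Reflection.Assembly]::Load($bytes)"},
]

# Assumption: only this management host is expected to open WinRM sessions.
ALLOWED_SOURCES = {"10.0.0.5"}

# A .NET assembly loaded from bytes instead of from disk is what the
# "load in memory" features above do; it rarely appears in admin scripts.
REFLECTIVE_LOAD = re.compile(r"Reflection\.Assembly\]::Load\b", re.IGNORECASE)


def find_suspicious(events, allowed_sources=ALLOWED_SOURCES):
    """Return (reason, source_ip, user) tuples for events worth triage."""
    findings = []
    for ev in events:
        if ev["log"].endswith("WinRM/Operational") and ev["id"] == 91:
            if ev["source_ip"] not in allowed_sources:
                findings.append(("winrm_shell_from_unexpected_host",
                                 ev["source_ip"], ev["user"]))
        elif ev["log"].endswith("PowerShell/Operational") and ev["id"] == 4104:
            if REFLECTIVE_LOAD.search(ev["text"]):
                findings.append(("in_memory_assembly_load",
                                 ev["source_ip"], ev["user"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(*finding)
```

Script block logging must be enabled for 4104 events to exist; without it only the session creation (event 91) is visible.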
- To disable colors just modify this variable in the code:
$colors_enabled. Set it to false:
$colors_enabled = false
Collaborators, developers, documenters, testers and supporters:
Hat tip to:
Disclaimer & License
This script is licensed under LGPLv3+. Direct link to License.
Evil-WinRM should be used for authorized penetration testing and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own servers and/or with the server owner's permission.