Tag Archives: winrm

Evil-Winrm – The Ultimate WinRM Shell For Hacking/Pentesting

The final WinRM shell for hacking/pentesting.
credentials and permissions to make use of it. So we will be able to say that it might be utilized in a put up-exploitation hacking/pentesting section. The function of this program is to offer great and simple-to-use options for hacking. It can be utilized with official functions through gadget directors as neatly however essentially the most of its options are fascinated with hacking/pentesting stuff.


  • Command History
  • WinRM command crowning glory
  • Local information crowning glory
  • Upload and obtain information
  • List far off gadget services and products
  • FullLanguage Powershell language mode
  • Load Powershell scripts
  • Load in reminiscence dll information bypassing some AVs
  • Load in reminiscence C# (C Sharp) compiled exe information bypassing some AVs
  • Colorization on output messages (can also be disabled optionally)


Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
-i, --ip IP Remote host IP or hostname (required)
-P, --port PORT Remote host port (default 5985)
-u, --user USER Username (required)
-p, --password PASS Password
-s, --scripts PS_SCRIPTS_PATH Powershell scripts trail (required)
-e, --executables EXES_PATH C# executables trail (required)
-U, --url URL Remote url endpoint (default /wsman)
-V, --version Show edition
-h, --help Display this assist message

Ruby 2.3 or upper is wanted. Some ruby gemstones are wanted as neatly: winrm >=2.3.2, winrm-fs >=1.3.2, stringio >=0.0.2 and colorize >=0.8.1.
~$ sudo gem set up winrm winrm-fs colorize stringio

Installation & Quick Start

  • Step 1. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
  • Step 2. Ready. Just release it! ~$ cd evil-winrm && ruby evil-winrm.rb -i -u Administrator -p 'MySuperSecr3tPass123!' -s '/house/foo/ps1_scripts/' -e '/house/foo/exe_files/'

If you do not need to position the password in transparent textual content, you’ll optionally steer clear of to set -p argument and the password can be induced fighting to be proven.
To use IPv6, the cope with will have to be added to /and so forth/hosts.

Alternative set up way as ruby gem

  • Step 1. Install it: gem set up evil-winrm
  • Step 2. Ready. Just release it! ~$ evil-winrm -i -u Administrator -p 'MySuperSecr3tPass123!' -s '/house/foo/ps1_scripts/' -e '/house/foo/exe_files/'


Basic instructions

  • add: native information can also be auto-finished the use of tab key. It isn’t had to put a remote_path if the native record is in the similar listing as evil-winrm.rb record.
    • utilization: add local_path remote_path
  • obtain: it’s not had to set local_path if the far off record is within the present listing.
    • utilization: obtain remote_path local_path
  • services and products: record all services and products. No administrator permissions wanted.
  • menu: load the Invoke-Binary and l04d3r-LoadDll purposes that we will be able to provide an explanation for beneath. When a ps1 is loaded all its purposes can be proven up.

Load powershell scripts

  • To load a ps1 record you simply must sort the title (auto-crowning glory usnig tab allowed). The scripts will have to be within the trail set at -s argument. Type menu once more and notice the loaded purposes.

Advanced instructions

  • Invoke-Binary: permits exes compiled from c# to be finished in reminiscence. The title can also be auto-finished the use of tab key and permits as much as 3 parameters. The executables will have to be within the trail set at -e argument.
  • l04d3r-LoadDll: permits loading dll libraries in reminiscence, it’s identical to: [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll"))
    The dll record can also be hosted through smb, http or in the community. Once it’s loaded sort menu, then it’s imaginable to autocomplete all purposes. 

Extra options

  • To disable colours simply adjust on code this variable $colors_enabled. Set it to false: $colors_enabled = false

Main creator:

  • cybervaca

Collaborators, builders, documenters, testers and supporters:

  • OscarAkaElvis
  • jarilaos
  • vis0r

Hat tip to:

  • Alamot for his authentic code.
  • 3v4Si0N for his superior dll loader.

Disclaimer & License
This script is approved beneath LGPLv3+. Direct hyperlink to License.
Evil-WinRM must be used for licensed penetration trying out and/or nonprofit instructional functions handiest. Any misuse of this device is probably not the accountability of the creator or of every other collaborator. Use it at your individual servers and/or with the server proprietor’s permission.

Download Evil-Winrm