Evil-WinRM provides penetration testers with a powerful command-line tool for remotely managing Windows systems through WinRM (Windows Remote Management).
Getting Started with Evil-WinRM
Installation is straightforward using Ruby's package manager: gem install evil-winrm
Basic Connection Syntax
evil-winrm -i TARGET_IP -u USERNAME -p PASSWORD
Key Features
- Upload/download functionality
- PowerShell script loading
- Built-in menu system
- SSL/TLS support
- Pass-the-hash capability
Common Usage Examples
| Action | Command |
|---|---|
| Basic Connection | evil-winrm -i 10.10.10.10 -u Administrator -p 'Password123' |
| Pass-the-Hash | evil-winrm -i 10.10.10.10 -u Administrator -H 'hash_here' |
| SSL Connection | evil-winrm -i 10.10.10.10 -u Administrator -p 'Password123' -S |
Useful Tips
- Use the menu command to access built-in scripts
- Upload files with upload local_file remote_destination
- Download files using download remote_file local_destination
- Load PowerShell scripts with load script.ps1
Security Considerations
- Always use SSL/TLS when possible
- Change default WinRM ports for better security
- Monitor WinRM connections in logs
- Use strong passwords and rotate them regularly
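The advice to monitor WinRM connections in logs is easier to act on with a concrete triage rule. The script below is an added example, not code from the Evil-WinRM project: it walks a list of Windows Security events, pairs each start of wsmprovhost.exe (event 4688, the host process for a remote WinRM/PowerShell session) with the closest preceding network logon (event 4624, LogonType 3) for the same account, and flags sessions that come from a source outside an allowlist or that authenticated with NTLM where Kerberos would be expected, which is what a pass-the-hash logon over WinRM looks like on the target. The event dictionaries, the field names (modelled on the EventData names of 4624 and 4688 as an evtx-to-JSON export would emit them), the allowlist and the timestamps are all constructed for the example.

```python
"""Triage constructed Windows Security events for WinRM sessions.

Added example (not Evil-WinRM project code). Input is a list of dicts whose
keys mirror the EventData names of Security events 4624 (logon) and 4688
(process creation); the records below are constructed, not captured.
"""
from datetime import datetime, timedelta

# Assumption: hosts that are allowed to open WinRM sessions (e.g. a jump box).
ALLOWED_SOURCES = {"10.10.10.5"}
WSMPROVHOST = r"c:\windows\system32\wsmprovhost.exe"

# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:00", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "admin.jane",
     "TargetDomainName": "CORP", "IpAddress": "10.10.10.5"},
    {"EventID": 4688, "TimeCreated": "2024-05-01T10:00:02",
     "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "SubjectUserName": "admin.jane", "SubjectDomainName": "CORP"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T11:30:00", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetDomainName": "CORP", "IpAddress": "10.10.14.7"},
    {"EventID": 4688, "TimeCreated": "2024-05-01T11:30:01",
     "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "SubjectUserName": "Administrator", "SubjectDomainName": "CORP"},
    # Network logon with no WinRM shell (e.g. SMB): must not be reported.
    {"EventID": 4624, "TimeCreated": "2024-05-01T12:00:00", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc.backup",
     "TargetDomainName": "CORP", "IpAddress": "10.10.14.7"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_winrm_sessions(events, window=timedelta(seconds=30)):
    """Return one finding per WinRM shell start.

    Each wsmprovhost.exe start (4688) is paired with the most recent network
    logon (4624, LogonType 3) for the same account inside `window`. A finding
    carries a list of reasons; an empty list means the session looked normal.
    """
    logons = [e for e in events
              if e["EventID"] == 4624 and e["LogonType"] == "3"]
    findings = []
    for proc in events:
        if proc["EventID"] != 4688 or proc["NewProcessName"].lower() != WSMPROVHOST:
            continue
        user = (proc["SubjectDomainName"], proc["SubjectUserName"])
        candidates = [l for l in logons
                      if (l["TargetDomainName"], l["TargetUserName"]) == user
                      and timedelta(0) <= _ts(proc) - _ts(l) <= window]
        if not candidates:
            # A shell with no logon in the window is worth a look on its own.
            findings.append({"user": "\\".join(user), "source": None,
                             "reasons": ["wsmprovhost without matching logon"]})
            continue
        logon = max(candidates, key=_ts)
        reasons = []
        if logon["IpAddress"] not in ALLOWED_SOURCES:
            reasons.append("source not in allowlist")
        if logon["AuthenticationPackageName"] == "NTLM":
            # Domain accounts normally use Kerberos; NTLM over WinRM is how a
            # pass-the-hash logon (evil-winrm -H) appears on the target.
            reasons.append("NTLM auth for domain account (possible pass-the-hash)")
        findings.append({"user": "\\".join(user), "source": logon["IpAddress"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_winrm_sessions(SAMPLE_EVENTS):
        status = "ALERT" if finding["reasons"] else "ok"
        print(status, finding["user"], finding["source"],
              "; ".join(finding["reasons"]))
```

Run against the constructed events, the admin.jane session from the allowlisted jump host with Kerberos comes back clean, the Administrator session from 10.10.14.7 over NTLM is flagged on both counts, and the svc.backup network logon is ignored because no wsmprovhost.exe start follows it. In production the same pairing would be fed from a SIEM export, with the allowlist and the 30-second window tuned to the environment.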
For updates and documentation, visit the official GitHub repository at https://github.com/Hackplayers/evil-winrm.
Report bugs or security issues to the project maintainers through GitHub Issues.
Compatibility
- Works with Windows 7/Server 2008 R2 and later
- Requires Ruby 2.3+
- Supports most Linux distributions
Note: Evil-WinRM should only be used on systems and networks where you have explicit permission to conduct security testing.
Advanced Features
Evil-WinRM extends beyond basic remote management with advanced capabilities for security testing and system administration.
Script Integration
- Custom PowerShell scripts can be loaded on-demand
- Support for both local and remote script execution
- Donut integration for .NET assemblies
- Memory injection capabilities
Session Management
Multiple connection options provide flexibility for different scenarios:
- Session persistence across reconnections
- Command history preservation
- Custom timeout configurations
- Proxy support for complex networks
Troubleshooting
Common Issues and Solutions
| Issue | Solution |
|---|---|
| Connection Refused | Verify WinRM service is running and ports are open |
| Authentication Failed | Check credentials and ensure proper formatting |
| SSL Certificate Errors | Use proper certificate or disable SSL verification for testing |
Conclusion
Evil-WinRM stands as a robust tool for Windows remote management, particularly valuable for security professionals and system administrators. Its combination of built-in features, security options, and ease of use makes it essential for authorized security testing and system administration tasks.
Success with Evil-WinRM requires:
- Understanding of Windows remote management concepts
- Proper security precautions and authorization
- Regular updates and documentation review
- Compliance with security policies and regulations
FAQs
- What is Evil-WinRM and what is its primary purpose?
  Evil-WinRM is a penetration testing tool that uses the Windows Remote Management (WinRM) protocol to remotely connect to Windows machines. It provides a command-line interface for performing post-exploitation activities on Windows systems.
- What are the prerequisites for using Evil-WinRM?
  Evil-WinRM requires Ruby to be installed on the attacking machine, the WinRM service to be enabled on the target Windows system (typically port 5985 for HTTP or 5986 for HTTPS), and valid credentials or a hash for authentication.
- How do I install Evil-WinRM?
  Evil-WinRM can be installed using the command: gem install evil-winrm. It comes pre-installed on Kali Linux and can also be installed through git clone from the official repository.
- What is the basic syntax for connecting to a target using Evil-WinRM?
  The basic syntax is: evil-winrm -i [TARGET_IP] -u [USERNAME] -p [PASSWORD]. For hash-based authentication, use the -H flag instead of -p.
- Can Evil-WinRM bypass Windows Defender and other antivirus solutions?
  Evil-WinRM includes built-in AMSI bypass and other evasion techniques, but success depends on the target's security configuration and the antivirus solutions in place.
- How can I upload and download files using Evil-WinRM?
  Use the upload command to transfer files from attacker to target: upload local_file remote_destination. Use download for the reverse: download remote_file local_destination.
- What are Evil-WinRM's menu and services commands used for?
  The menu command displays available built-in scripts and tools. The services command lists Windows services on the target machine and can be used for privilege escalation reconnaissance.
- How can I execute PowerShell scripts through Evil-WinRM?
  Scripts can be executed using -e for encoded commands, or by loading scripts into memory using the -s flag during connection. Local scripts can also be executed using the upload command followed by PowerShell execution.
- What should I do if I encounter SSL/TLS certificate errors?
  Use the -S flag to force SSL/TLS encryption, and -k to ignore SSL certificate validation if you encounter certificate-related errors.
- How can I maintain persistence using Evil-WinRM?
  Evil-WinRM can be used to create scheduled tasks, modify registry keys, or create new user accounts, but these actions should be performed only with proper authorization during penetration testing.