Evil-WinRM - The Ultimate WinRM Shell For Hacking/Pentesting
The ultimate WinRM shell for hacking/pentesting.
By: CyberVaca@HackPlayers
Description & Purpose
This shell is the ultimate WinRM shell for hacking/pentesting.
WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in its operating systems in order to make life easier for system administrators.
This program can be used on any Microsoft Windows server with this feature enabled (usually on port 5985), and of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.
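Because a WinRM shell like this one only needs a listener on 5985/5986 plus valid credentials, the defender's first question is which hosts expose such a listener and who may open a session on them. The following audit script is an added example written for this page; it is not part of the evil-winrm project. It uses only built-in Windows tooling (the winrm command, Get-PSSessionConfiguration, Get-NetTCPConnection, Get-WinEvent) and assumes it is run in an elevated PowerShell on the Windows host being checked.

```powershell
# Added example (not evil-winrm project code): audit a Windows host's WinRM exposure.
# Run in an elevated PowerShell session on the host itself.

# 1. Service state: a remote shell is only possible if WinRM is running.
$svc = Get-Service -Name WinRM
"WinRM service: {0} (StartType: {1})" -f $svc.Status, $svc.StartType

# 2. Configured listeners. HTTP listeners default to port 5985, HTTPS to 5986.
#    An HTTP listener with Address = * accepts connections on every interface.
winrm enumerate winrm/config/listener

# 3. Ports actually bound right now, independent of what the config says.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 5985, 5986 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. Session configuration ACLs: this is where non-administrators can have been
#    granted the right to open a remote shell, so review every Permission entry.
Get-PSSessionConfiguration | Select-Object Name, Permission

# 5. Service-side settings: check AllowUnencrypted (should be false) and whether
#    Basic authentication is enabled, since Basic over plain HTTP exposes credentials.
winrm get winrm/config/service

# 6. Recent remote shells opened on this host. Event ID 91 in the WinRM operational
#    channel records server-side shell creation, which is what a WinRM client
#    session produces; review the accounts and source addresses in the messages.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Steps 2 and 4 are the ones most often surprising in practice: a listener bound to every interface combined with a broad session-configuration ACL means any account in that ACL, not only administrators, can obtain a remote shell.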
Features
- Command History
- WinRM command completion
- Local files completion
- Upload and download files
- List remote machine services
- FullLanguage PowerShell language mode
- Load PowerShell scripts
- Load dll files in memory, bypassing some AVs
- Load C# (C Sharp) compiled exe files in memory, bypassing some AVs
- Colorization of output messages (can optionally be disabled)
Help
Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
    -i, --ip IP                        Remote host IP or hostname (required)
    -P, --port PORT                    Remote host port (default 5985)
    -u, --user USER                    Username (required)
    -p, --password PASS                Password
    -s, --scripts PS_SCRIPTS_PATH      PowerShell scripts path (required)
    -e, --executables EXES_PATH        C# executables path (required)
    -U, --url URL                      Remote url endpoint (default /wsman)
    -V, --version                      Show version
    -h, --help                         Display this help message
Requirements
Ruby 2.3 or higher is needed. Some Ruby gems are needed as well: winrm >=2.3.2, winrm-fs >=1.3.2, stringio >=0.0.2 and colorize >=0.8.1.
$ sudo gem install winrm winrm-fs colorize stringio
Installation & Quick Start
- Step 1. Clone the repo:
git clone https://github.com/Hackplayers/evil-winrm.git
- Step 2. Ready. Just launch it!
$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
Omitting the -p argument prompts for the password, preventing it from being shown. To use IPv6, the address must be added to /etc/hosts.
Alternative installation method as a Ruby gem
- Step 1. Install it:
gem install evil-winrm
- Step 2. Ready. Just launch it!
$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
Documentation
Basic commands
- upload: local files can be auto-completed using the tab key. It is not necessary to set a remote_path if the local file is in the same directory as the evil-winrm.rb file.
  - usage: upload local_path remote_path
- download: it is not necessary to set local_path if the remote file is in the current directory.
  - usage: download remote_path local_path
- services: lists all services. No administrator permissions needed.
- menu: loads the Invoke-Binary and l04d3r-LoadDll functions that we will explain below. When a ps1 is loaded, all its functions will be shown.
- To load a ps1 file you only have to type its name (auto-completion using tab allowed). The scripts must be in the path set by the -s argument. Type menu again and see the loaded functions.
- Invoke-Binary: allows exes compiled from C# to be executed in memory. The name can be auto-completed using the tab key and up to three parameters are allowed. The executables must be in the path set by the -e argument.
- l04d3r-LoadDll: allows loading dll libraries in memory; it is equivalent to:
[Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll"))
The dll file can be hosted via SMB, HTTP or locally. Once it is loaded, type menu, and then it is possible to autocomplete all functions.
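The Reflection.Assembly load shown above never touches the disk of the target with a file the AV can scan, which is why it bypasses some products; what it does leave behind is the script text itself, provided PowerShell Script Block Logging is enabled. The following script is an added example for this page, not code from the evil-winrm project: it turns on Script Block Logging through the documented policy registry key and then searches the resulting 4104 events for the load pattern quoted above. The regular expressions are constructed for this example and assume the host is running PowerShell 5 or later with an elevated session.

```powershell
# Added example (not evil-winrm project code): enable Script Block Logging and
# look for in-memory assembly loads of the kind l04d3r-LoadDll issues.

# Policy key that enables Script Block Logging. Once set, every script block
# PowerShell compiles is written as event 4104 to the
# Microsoft-Windows-PowerShell/Operational channel.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Patterns matching the page's load technique (constructed for this example):
# a reflective Assembly.Load fed by raw bytes read from a file.
$patterns = @(
    '\[Reflection\.Assembly\]::Load\(',
    '\[IO\.File\]::ReadAllBytes\('
)

# Scan recent 4104 events and keep those whose script text matches any pattern.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object {
        $text = $_.Message
        ($patterns | Where-Object { $text -match $_ }).Count -gt 0
    } |
    Select-Object TimeCreated,
        @{ Name = 'User';    Expression = { $_.UserId } },
        @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
```

Script blocks larger than a single event are split across several 4104 records, so a match on one fragment should be read together with its neighbours by time and user; the pattern list is deliberately short and can be extended with whatever loaders your environment treats as suspicious.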
Extra features
- To disable colors, just change this variable in the code: $colors_enabled. Set it to false: $colors_enabled = false
Credits:
Main author:
Collaborators, developers, documenters, testers and supporters:
Hat tip to:
Disclaimer & License
This script is licensed under LGPLv3+. Direct link to License.
Evil-WinRM should be used for authorized penetration testing and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own servers and/or with the server owner's permission.