Evil-Winrm : Winrm Pentesting Framework
In this post, we will discuss the most famous framework for PS Remote shell hacking tool named as “Evil-Winrm”. It is an opensource tool which is available on GitHub for winrm penetration testing.
Table of Content
- Load PowerShell scripts
- Pass the Hash
- Install using its Docker image
This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate purposes by system administrators as well but most of its features are focused on hacking/pentesting stuff.
- Compatible to Linux and Windows client systems
- Load in memory Powershell scripts
- Load in memory dll files bypassing some AVs
- Load in memory C# (C Sharp) assemblies bypassing some AVs
- Load x64 payloads generated with awesome donut technique
- AMSI Bypass
- Pass-the-hash support
- Kerberos auth support
- SSL and certificates support
- Upload and download files showing a progress bar
- List remote machine services without privileges
- Command History
- WinRM command completion
- Local files completion
- Colorization on prompt and output messages (can be disabled optionally)
- Docker support (prebuilt images available at Dockerhub)
- Trap capturing to avoid accidental shell exit on Ctrl+C
In the post, we have discussed two easy methods to install winrm in your Kali Linux, you will find more method for installation from GitHub.
With the help of Ruby gem, you can directly install the evil-winrm, it will automatically install all dependency in your machine by executing following command.
gem install evil-winrm
once it will get installed you can pull its HELP option by typing ‘evil-winrm’ that will display the syntax and other operators for executing evil-winrm against windows remote management service.
Now using evil-winrm we try to access remote machine shell by connecting through port 5985 open for winrm. As a result, it will give the access of victim shell by providing its Powershell as given below.
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’>
evil-winrm -i 192.168.1.105 -u administrator -p '[email protected]'
It will not only provide a shell of the host machine but also provide a menu to load function such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.
Load PowerShell scripts
So we have some pen testing powershell script in the /root/powershell and we can upload this ps1 script through evil winrm on the host machine.
The .PS1 scripts must be in the path set at -s argument and execute this as given below:
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’> -s <path>
evil-winrm -i 192.168.1.105 -u administrator -p '[email protected]' -s /root/powershell
Type menu again and see the loaded functions and use Bypass 4MSI then Invoke the script. Here we have tried to upload mimikatz PowerShell script to dump stored credential.
menu Bypass 4MSI Invoke-Mimikatz.ps1 Invoke-Mimikatz
As a result, it has dumped all the credential of the Windows Server. 😈
Pass the Hash
It has one more feature which allows you to conduct Pass the HASH attack and as a result it gives the shell of the host machine.
Install using its Docker image
This is a very easy and convenient method to install winrm on your attacking machine and simultaneously provide the shell of the victim machine by compromising it winrm service. Only you need to execute the following command.
docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p '[email protected]'