Installing evil-winrm on Ubuntu 20.04

On By DanielIn CTF, pentesting, windows

For the impatient:

apt install ruby-dev
gem install evil-winrm
evil-winrm -u USER -p PASSWORD -i IP_ADDRESS_HERE

About evil-winrm

evil-winrm is a WinRM client with several useful penetration testing features that works well on Linux. It provides shell sessions on Windows hosts with a user experience similar to using an ssh client.

Help Menu

daniel@wildcat ~ % evil-winrm -h

Evil-WinRM shell v2.3

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
    -S, --ssl                        Enable ssl
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required)
    -p, --password PASS              Password
    -H, --hash HASH                  NTHash
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -n, --no-colors                  Disable colors
    -h, --help                       Display this help message

Features

This was copy pasted directly from the evil-winrm project’s GitHub repository:

  • Compatible to Linux and Windows client systems
  • Load in memory Powershell scripts
  • Load in memory dll files bypassing some AVs
  • Load in memory C# (C Sharp) assemblies bypassing some AVs
  • Load x64 payloads generated with awesome donut technique
  • AMSI Bypass
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files showing progress bar
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files completion
  • Colorization on prompt and output messages (can be disabled optionally)
  • Docker support (prebuilt images available at Dockerhub)
  • Trap capturing to avoid accidental shell exit on Ctrl+C

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s