Tags: Post Exploitation, winrm, powershell, remote management, pentesting, hacking, kerberos

Evil-WinRM

Ultimate WinRM shell for hacking and pentesting. Provides interactive shell access to Windows systems via WinRM with features tailored for post-exploitation.

Description

Evil-winrm is the ultimate WinRM shell designed for hacking and pentesting. It can be used against Microsoft Windows hosts with WinRM enabled (TCP 5985 for HTTP, 5986 for HTTPS), provided valid credentials are available and the account is allowed to use remote management (by default, members of Administrators or Remote Management Users). Primarily intended for post-exploitation phases, it offers user-friendly features focused on hacking and pentesting, though system administrators can use it for legitimate purposes.

WinRM (Windows Remote Management) is Microsoft's implementation of the WS-Management Protocol, a SOAP-based standard for interoperability between hardware and operating systems from different vendors. Evil-winrm leverages this to provide shell access and execute commands remotely.

The tool supports several authentication methods: password, NT hash (pass-the-hash), Kerberos, and client certificate, making it versatile for different pentesting scenarios.

How It Works

Evil-winrm uses PSRP (PowerShell Remoting Protocol) for initializing runspace pools as well as creating and processing pipelines. It carries that traffic over WinRM, connecting to the /wsman endpoint over HTTP (port 5985, the default) or HTTPS (port 5986, enabled with -S), and provides an interactive shell for command execution on the target Windows system.
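Before spending a password or a hash on a host, it is worth confirming that what answers on 5985 or 5986 is actually a WinRM listener. The script below is an added example, not evil-winrm's own code: it sends the WS-Management Identify request with the WSMANIDENTIFY: unauthenticated header, which WinRM answers without credentials, and parses the vendor and stack version out of the reply. The target host variable, the port loop, and the sample response embedded for offline testing are constructed; a Windows host typically masks the OS version as 0.0.0 in an unauthenticated reply and reports only the WS-Man stack version.

```shell
#!/bin/sh
# Added example: unauthenticated WS-Management Identify probe against a WinRM
# listener, as a pre-check before using evil-winrm. Not part of evil-winrm.
# Host, ports and the sample response below are constructed for illustration.

# Build the SOAP Identify envelope defined by the WS-Management spec.
wsman_identify_envelope() {
  cat <<'EOF'
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>
EOF
}

# Extract one wsmid:* element value (e.g. ProductVersion) from an Identify
# response read on stdin. $1 = element name.
wsman_field() {
  grep -o "<wsmid:$1>[^<]*</wsmid:$1>" | sed -e "s/<wsmid:$1>//" -e "s,</wsmid:$1>,,"
}

# Send the Identify request. $1 = host, $2 = port, $3 = http|https (default http).
# The WSMANIDENTIFY header asks the service to answer without authentication;
# -k tolerates the self-signed certificate usually found on 5986.
wsman_probe() {
  host=$1; port=$2; scheme=${3:-http}
  wsman_identify_envelope | curl -s -k --max-time 5 \
    -H 'Content-Type: application/soap+xml;charset=UTF-8' \
    -H 'WSMANIDENTIFY: unauthenticated' \
    --data-binary @- "$scheme://$host:$port/wsman"
}

# Constructed sample of what a Windows host returns to an unauthenticated
# Identify: OS version masked to 0.0.0, only the WS-Man stack version shown.
SAMPLE_IDENTIFY_RESPONSE='<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor><wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>'

# Classify a response read on stdin: "winrm" when the vendor is Microsoft,
# "other" for a non-Microsoft WS-Man service, "none" when nothing parsable came back.
classify_identify() {
  vendor=$(wsman_field ProductVendor)
  case "$vendor" in
    "Microsoft Corporation") echo winrm ;;
    "") echo none ;;
    *) echo other ;;
  esac
}

# Usage: WINRM_TARGET=10.10.10.5 sh probe.sh   (probes 5985 over HTTP and 5986 over HTTPS)
if [ -n "${WINRM_TARGET:-}" ]; then
  for p in 5985 5986; do
    s=http; [ "$p" = 5986 ] && s=https
    printf '%s:%s -> %s\n' "$WINRM_TARGET" "$p" "$(wsman_probe "$WINRM_TARGET" "$p" "$s" | classify_identify)"
  done
fi
```

A reply of `winrm` on a port is the signal to proceed with evil-winrm on that port (and with -S for 5986); `none` usually means a firewall, a closed port, or a service that is not WS-Man at all.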

Installation

```bash
sudo apt install evil-winrm
```

Flags

-i      Remote host IP or hostname (FQDN required for Kerberos auth)
-u      Username
-s      PowerShell scripts local path
-e      C# executables local path
-P      Port (default 5985)
-a      Specify connection user-agent (default Microsoft WinRM Client)
-p      Password
-H      NT hash for authentication (pass-the-hash)
-U      Remote URL endpoint (default /wsman)
-S      Enable SSL (WinRM over HTTPS, which normally listens on 5986)
-c      Local path to public key certificate
-k      Local path to private key certificate
-r      Kerberos auth realm (the realm must also be defined in /etc/krb5.conf)
--spn   SPN prefix for Kerberos auth (default HTTP)
-l      Log the WinRM session

Examples

Display help and usage information for evil-winrm
evil-winrm -h
Connect to target IP with username and password authentication
evil-winrm -i IP -u USER -p PASS
Connect using the account's NT hash instead of its password (pass-the-hash)
evil-winrm -i IP -u USER -H HASH
Connect with SSL enabled (WinRM over HTTPS normally listens on 5986, so set the port explicitly)
evil-winrm -i IP -u USER -S -P 5986
Connect and specify path to local PowerShell scripts, which can then be loaded from the shell by name
evil-winrm -i IP -u USER -s SCRIPTS_PATH
Connect using Kerberos authentication with realm (target given as FQDN, a valid TGT already in the credential cache, realm defined in /etc/krb5.conf)
evil-winrm -i FQDN -u USER -r DOMAIN
Connect using public/private key certificate authentication (certificate auth runs over HTTPS, hence -S)
evil-winrm -i IP -u USER -S -c PUBKEY -k PRIVKEY
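The Kerberos example needs more than the -r flag: a realm definition the Kerberos library can find, a ticket in the credential cache, and the target named by FQDN rather than IP (the service ticket is requested for HTTP/FQDN, so an IP will not match). The script below is an added example, not part of evil-winrm, that wires these steps together. It writes a private krb5.conf and points KRB5_CONFIG at it rather than editing /etc/krb5.conf; this assumes the MIT Kerberos library underneath evil-winrm honours that variable (MIT krb5 does; if your build does not, write the same content to /etc/krb5.conf as the flag description says). The realm CORP.LOCAL, KDC dc01.corp.local, target srv01.corp.local and user svc_backup are constructed names.

```shell
#!/bin/sh
# Added example: Kerberos login procedure for evil-winrm. Not part of the
# evil-winrm project. Realm, KDC, user and host names are constructed.
# Assumes MIT Kerberos client tools (kinit, klist) and that the Kerberos
# library evil-winrm links honours KRB5_CONFIG and KRB5CCNAME.

# Print a minimal krb5.conf for one realm. $1 = realm (upper case), $2 = KDC FQDN.
# evil-winrm -r only names the realm; the KDC for it must be defined here.
# dns_lookup_kdc is off so the KDC is the one given, rdns off so the SPN is
# built from the name passed to -i rather than a reverse-DNS result.
krb5_conf() {
  realm=$1; kdc=$2
  domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    rdns = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Build the evil-winrm command line. $1 = user, $2 = target FQDN, $3 = realm,
# $4 = SPN prefix (default HTTP, so only emitted when it differs).
evil_winrm_kerberos_cmd() {
  user=$1; fqdn=$2; realm=$3; spn=${4:-HTTP}
  cmd="evil-winrm -i $fqdn -u $user -r $realm"
  [ "$spn" != "HTTP" ] && cmd="$cmd --spn $spn"
  printf '%s' "$cmd"
}

# Return 0 when $1 looks like a hostname, 1 for a bare IPv4 literal, which
# Kerberos cannot build a usable SPN from.
is_fqdn() {
  case "$1" in
    *[!0-9.]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: KRB_RUN=1 KRB_USER=svc_backup KRB_REALM=CORP.LOCAL KRB_KDC=dc01.corp.local \
#        KRB_TARGET=srv01.corp.local sh krb.sh
if [ -n "${KRB_RUN:-}" ]; then
  is_fqdn "$KRB_TARGET" || { echo "Kerberos needs the target FQDN, not an IP" >&2; exit 1; }
  KRB5_CONFIG=$(mktemp); export KRB5_CONFIG          # private krb5.conf, /etc left untouched
  krb5_conf "$KRB_REALM" "$KRB_KDC" > "$KRB5_CONFIG"
  KRB5CCNAME=FILE:$(mktemp); export KRB5CCNAME       # private credential cache for this session
  kinit "$KRB_USER@$KRB_REALM"                       # prompts for the password, stores the TGT
  klist                                              # sanity check: TGT present before connecting
  set -- $(evil_winrm_kerberos_cmd "$KRB_USER" "$KRB_TARGET" "$KRB_REALM")
  echo "+ $*"
  "$@"
fi
```

If kinit succeeds but evil-winrm still fails to authenticate, the usual causes are clock skew beyond five minutes between the attacker host and the KDC, a target name that does not match the SPN registered for the WinRM service (check with the --spn flag if the service uses a prefix other than HTTP), or a ccache that was written under a different KRB5CCNAME than the one evil-winrm sees.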
Updated 2026-04-16 (kali.org)