Evil-WinRM shell

Hi there, I'm collaborating on a project that is probably something you'll like if you like Windows hacking. It is a WinRM shell with some extra features like:

  • Command history
  • Tab autocompletion
  • Ability to load C# exes, DLLs and PowerShell scripts directly into memory
  • List remote services
  • FullLanguage PowerShell language mode
  • And many more....

Here is the link:

https://github.com/Hackplayers/evil-winrm

Remember to place a star on GitHub if you want to support the project. I hope it will help you with some hacking, and I wanted to share it with you.

Cheers!!


Comments

  • Great! Thanx!

  • Very nice tool honestly, used it very recently.

    OSCP | TMHC CTF

  • Great tool! Thnx for sharing!

  • Yeah, new version was released yesterday. Now supporting ssl and certificates to connect.

  • Thank you for sharing. A very useful tool.

  • Any idea what's wrong with my Ruby install? I had this message using your script and the other one mentioned in the Heist thread:

    /usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
    /usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated

    Ruby is all newly installed; I added the winrm gem and the others (colorizer etc.).

    CurioCT

  • I always get this error:

    ruby evil-winrm.rb -i 10.10.10.x -u -p

    Info: Starting Evil-WinRM shell v1.6

    Info: Establishing connection to remote endpoint

    Error: Can't establish connection. Check connection params

    Error: Exiting with code 1

    Hack The Box
    Follow me on Twitter: @C_3PJoe

  • awesome tool tbh :) also used it recently :B

    SiV4rPent3st

  • Worked out the kink, thanks!

    Hack The Box
    Follow me on Twitter: @C_3PJoe

  • Really nice. thanks!

  • New release (v1.7). For "git cloners", just git pull to update. For Ruby gem users, just "gem install evil-winrm" <- yes, the same command as the first time again.

    New feature added... now compatible with loading donut payloads. I bet you know what that is. Read the documentation in the Readme. Cheers!

  • Had the same problem on some scripts:

    When I loaded the v2 (main branch) PowerView script, it worked fine.
    When I loaded the v3 (dev branch) PowerView script, it gave me connection issues.

    Debugging - you can debug the Ruby script with the -rdebug switch - this gave me:

    Error: Can't establish connection. Check connection params

    Error: Exiting with code 1

    evil-winrm.rb:270: Bad HTTP response returned from server. Body(if present): (413). (WinRM::WinRMHTTPTransportError)
        from evil-winrm.rb:433:in `rescue in main'
        from evil-winrm.rb:328:in `main'
        from evil-winrm.rb:449:in `<main>'
    evil-winrm.rb:270: exit(exit_code)

    However, updating your evil-winrm to the latest version - today this is v1.9 - fixes this. Check your CHANGELOG.md file to make sure you have the latest version.

  • edited November 2019

    I'm getting this error:

    7: from /usr/local/bin/evil-winrm:23:in `<main>'
    6: from /usr/local/bin/evil-winrm:23:in `load'
    5: from /var/lib/gems/2.5.0/gems/evil-winrm-1.9/bin/evil-winrm:3:in `<top (required)>'
    4: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
    3: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
    2: from /var/lib/gems/2.5.0/gems/evil-winrm-1.9/lib/evil-winrm.rb:556:in `'
    1: from /var/lib/gems/2.5.0/gems/evil-winrm-1.9/lib/evil-winrm.rb:380:in `main'
    /var/lib/gems/2.5.0/gems/evil-winrm-1.9/lib/evil-winrm.rb:524:in `rescue in main': uninitialized constant EvilWinRM::GSSAPI (NameError)

    I don't really understand where that's coming from. Anyone know what to do?
    Edit: fixed after changing to the dev branch.

  • Thank you for sharing.

  • Thanks for sharing!!!

  • Thank you for this! It actually works, whereas Alamot's kept failing on me. I'm going to have to work through the errors on Alamot's as well; it's probably just some dependency I failed to install.

    Available to help when I can and know how to help. However do not expect responses right away on these days. Sunday - Wednesday between 7am-8pm EST (USA, Orlando, Fl) as I work those days from 7a-7p and then the ride home. Just a forewarning is all :) Other than that I'll answer ASAP, or when I get home from work.

    CompTIA A+ | Network+ | Security+ | CySA+ (pending beta Results) | PenTest+ (In Progress) | C|EH (in Progress)
  • Nice, really nice tool. Git cloned it, then installed the gem dependencies, and it worked like a charm. Used it recently, thanks for sharing!!!!

    =======================================================================

    If what i send is helpful please consider clicking the 'give respect' button :-)

  • Recently had an issue where some zip-related dependency was broken and had to gem install evil-winrm to fix it

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • Please send me a PM with a hint to get root. I managed to get the user.txt flag, thanks to the above comments.

  • I think you were wrong about the forum. This is to talk about Evil-WinRM. By the way, thanks to all who use it and give us back your opinions.

  • Thank you for this tool. I used it for one of the machines.

    When I use Ctrl-C to get out of a command on the remote machine, the whole shell dies. Not sure if this is something you can fix, just like SSH? I think this would be quite helpful as well. If not, all good.

  • edited January 12

    What causes the error on the upload feature? I got:
    Error: Upload failed. Check filenames or paths
    Tried with the local autocompleted path and with the full path to the source file, but it still fails.

    Downloading files succeeds though.

  • @rmn0x01 said:

    What causes the error on the upload feature? I got:
    Error: Upload failed. Check filenames or paths
    Tried with the local autocompleted path and with the full path to the source file, but it still fails.

    Downloading files succeeds though.

    Maybe you don't have write permissions.

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • @clubby789 said:

    @rmn0x01 said:

    What causes the error on the upload feature? I got:
    Error: Upload failed. Check filenames or paths
    Tried with the local autocompleted path and with the full path to the source file, but it still fails.

    Downloading files succeeds though.

    Maybe you don't have write permissions.

    Makes sense. Thanks!

  • menu -> Bypass-4MSI -> then try to upload again

  • Thanks for sharing! I use it on a daily basis. One of the most used tools in my toolbox.

    t13nn3s
    You can find write-ups and walkthroughs on my personal blog: https://binsec.nl

  • edited February 11

    @CurioCT said:

    Any idea what's wrong with my Ruby install? I had this message using your script and the other one mentioned in the Heist thread:

    /usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
    /usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated

    Ruby is all newly installed; I added the winrm gem and the others (colorizer etc.).

    In case anyone is seeing this same annoyance, it is fixed by updating the ntlm gem:

    gem install rubyntlm

    :D Thanks for this fantastic script.

    CurioCT

  • For those who faced the error, just run these two lines (as root):

    sudo gem install evil-winrm

    sudo gem install rubyntlm

    Enjoy

  • Am I the only one getting this with my evil-winrm?
    NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
    Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/gyoku-1.3.1.gemspec:17.
    NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
    Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/logging-2.2.2.gemspec:18.
    NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
    Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/little-plugger-1.1.4.gemspec:18.
    NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
    Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/nori-2.6.0.gemspec:17.
    NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
    Gem::Specification#rubyforge_project= called from /usr/share/rubygems-integration/all/specifications/erubis-2.7.0.gemspec:16.

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\

    System already updated

    Hack The Box
