Learn Evil WinRM

josh (@josh), Member Admin, topic starter

Evil-WinRM is a powerful post-exploitation tool used in penetration testing to interact with Windows systems via Windows Remote Management (WinRM). Here’s a breakdown of what it is and how it works:


🧠 What Is Evil-WinRM?

Evil-WinRM is a Ruby-based shell designed for ethical hacking and red team operations. It leverages PowerShell Remoting Protocol (PSRP) over WinRM to provide remote access to Windows machines.

  • Developed by the Hackplayers team
  • Commonly used during post-exploitation phases
  • Requires valid credentials or hashes to connect

🔧 Key Features

Evil-WinRM offers a wide range of capabilities:

  • Remote PowerShell shell access
  • File upload/download with progress bars
  • Pass-the-Hash and Kerberos authentication support
  • AMSI bypass to evade antivirus detection
  • In-memory execution of PowerShell scripts, DLLs, and C# assemblies
  • SSL and certificate support
  • Command history and auto-completion

🖥️ Typical Usage

To connect to a remote Windows host:

evil-winrm -i 192.168.1.100 -u Administrator -p 'Password123!'

Or using a hash:

evil-winrm -i 192.168.1.100 -u Administrator -H NTLM_HASH

Once connected, you get a PowerShell prompt on the remote machine, allowing you to execute commands, run scripts, and explore the system.


🔐 Ports and Requirements

  • Default ports: 5985 (HTTP) and 5986 (HTTPS)
  • WinRM must be enabled on the target system
  • Requires valid credentials or hashes
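From the defender's side, the two facts above (a WinRM/PSRP session shows up on the target as a network logon, and it arrives on 5985/5986 from whatever host runs the client) are enough to build a simple detection. The following is an added example, not code from this post or from the Evil-WinRM project. It correlates simplified Windows event records: Security event 4624 (successful logon, LogonType 3 = network) and Microsoft-Windows-WinRM/Operational event 91 (WSMan shell created on the server), and flags sessions that originate outside an assumed admin jump-host range or that authenticated with NTLM, since a hash-based logon of the kind shown in the "Typical Usage" section looks identical to a password logon in the target's log. The record shape, the `ADMIN_NETWORKS` range, the correlation window and the sample events are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: admins run remote PowerShell only from jump hosts in this range.
ADMIN_NETWORKS = [ip_network("10.0.100.0/24")]
# Assumption: a WinRM shell-creation event follows its logon within this many seconds.
CORRELATION_WINDOW = 5


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    source_ip: str
    reason: str


def is_admin_source(ip: str) -> bool:
    """True if the source address falls inside an approved admin network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed or missing address ("-") is never trusted
    return any(addr in net for net in ADMIN_NETWORKS)


def network_logons(events):
    """Security 4624 events with LogonType 3 (network logon), grouped by host.
    A WinRM/PSRP session is recorded on the target as exactly this kind of logon."""
    by_host = {}
    for ev in events:
        if ev["channel"] != "Security" or ev["event_id"] != 4624:
            continue
        if ev["fields"].get("LogonType") != 3:
            continue
        by_host.setdefault(ev["host"], []).append(ev)
    return by_host


def analyze(events):
    """Correlate WinRM shell creations (event 91) with network logons and flag
    sessions that come from outside ADMIN_NETWORKS or that used NTLM."""
    logons = network_logons(events)
    findings = []
    for ev in events:
        if ev["channel"] != "Microsoft-Windows-WinRM/Operational" or ev["event_id"] != 91:
            continue
        host, t = ev["host"], ev["time"]
        matches = [l for l in logons.get(host, [])
                   if abs(l["time"] - t) <= CORRELATION_WINDOW]
        if not matches:
            # Edge case: shell created but no logon in the window; usually a
            # log-collection gap, worth surfacing rather than silently dropping.
            findings.append(Finding(host, "?", "?",
                                    "WinRM shell created without a correlated network logon"))
            continue
        for l in matches:
            f = l["fields"]
            user = f.get("TargetUserName", "?")
            src = f.get("IpAddress", "?")
            pkg = f.get("AuthenticationPackageName", "?")
            if not is_admin_source(src):
                findings.append(Finding(host, user, src,
                                        "remote PowerShell session from non-admin source"))
            if pkg.upper() == "NTLM":
                findings.append(Finding(host, user, src,
                                        "NTLM logon to WinRM; indistinguishable from a "
                                        "hash-based logon, verify the source host"))
    return findings


# Constructed sample events (simplified field names modelled on the real event data).
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "channel": "Security", "event_id": 4624, "time": 999,
     "fields": {"LogonType": 3, "TargetUserName": "Administrator",
                "IpAddress": "192.168.1.50", "AuthenticationPackageName": "NTLM"}},
    {"host": "FILESRV01", "channel": "Microsoft-Windows-WinRM/Operational",
     "event_id": 91, "time": 1000, "fields": {}},
    {"host": "FILESRV01", "channel": "Security", "event_id": 4624, "time": 4999,
     "fields": {"LogonType": 3, "TargetUserName": "svc_admin",
                "IpAddress": "10.0.100.7", "AuthenticationPackageName": "Kerberos"}},
    {"host": "FILESRV01", "channel": "Microsoft-Windows-WinRM/Operational",
     "event_id": 91, "time": 5000, "fields": {}},
    {"host": "WEB02", "channel": "Security", "event_id": 4624, "time": 7000,
     "fields": {"LogonType": 2, "TargetUserName": "alice",
                "IpAddress": "-", "AuthenticationPackageName": "Kerberos"}},
    {"host": "WEB02", "channel": "Microsoft-Windows-WinRM/Operational",
     "event_id": 91, "time": 7001, "fields": {}},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the first session (Administrator from 192.168.1.50 over NTLM) produces two findings, the Kerberos session from the admin range produces none, and the WEB02 shell with only an interactive logon nearby is reported as uncorrelated. In a real deployment the allowlist and NTLM rule are the tunables: on a domain where Kerberos is expected for admin traffic, any NTLM logon to a WinRM listener deserves a look.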

🎓 Learn More

You can watch this practical tutorial on Evil-WinRM or explore its GitHub repository for installation and advanced usage.