
Evil-WinRM Shell: Ultimate WinRM Tool

This document discusses the Evil-WinRM tool, a WinRM shell for hacking and pentesting Windows systems. It includes posts from forum users discussing their experiences using the tool, any issues they encountered, and updates to the tool. Many found it very useful in their work.

4/16/24, 3:13 PM Evil-WinRM shell - Tools - Hack The Box :: Forums

Evil-WinRM shell
hacking, windows, evil-winrm, shell, winrm

OscarAkaElvis 1 July 13, 2019, 12:24pm

Hi there, I’m collaborating in a project that probably is a thing you’ll like if you like Windows hacking. It is a
WinRM shell with some extra features like:

Command history
Tab autocompletion
Ability to load C# exes, dlls and powershell scripts directly into memory
List remote services
FullLanguage Powershell language mode
And many more…

Here is the link:

GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting
The ultimate WinRM shell for hacking/pentesting. Contribute to Hackplayers/evil-winrm development by
creating an account on GitHub.

Remember to place a star on github if you want to support the project. I hope it will help you for some hackings
and I wanted to share it with you.

Cheers!!

1 Like

chivato 3 July 13, 2019, 12:29pm

Very nice tool honestly, used it very recently.

DaChef 4 July 14, 2019, 7:10am

Great tool! Thnx for sharing!

OscarAkaElvis 5 August 16, 2019, 5:27pm

https://forum.hackthebox.com/t/evil-winrm-shell/1707/print 1/11

Yeah, new version was released yesterday. Now supporting ssl and certificates to connect.

OldProgrammer 6 August 16, 2019, 6:45pm

Thank you for sharing. A very useful tool.

CurioCT 7 August 18, 2019, 3:16am

Any idea what’s wrong with my Ruby install. Had this message using your script and the other one
mentioned in the heist thread

/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated

All ruby newly installed added the winrm gem and the others colorizer etc

C3PJoe 8 September 3, 2019, 8:04pm

I always get this error:

ruby evil-winrm.rb -i 10.10.10.x -u -p

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

Error: Can’t establish connection. Check connection params

Error: Exiting with code 1

SiV4rPent3st 9 September 3, 2019, 9:11pm

awesome tool tbh also used it recently :B

C3PJoe 10 September 4, 2019, 12:34am


Worked out the kink, thanks!

ml19 11 September 4, 2019, 9:22am

Really nice. thanks!

OscarAkaElvis 12 September 30, 2019, 9:42pm

New release (v1.7). For “git cloners” just git pull to update. For ruby gem users just “gem install evil-winrm” ←
yes, same command as the first time again.

New feature added… now compatibility to load donut payloads. I bet you know what it is. Read the
documentation at Readme. Cheers!

wwingcomm 13 November 15, 2019, 7:19am

Had the same problem on some scripts:

When I loaded the v2 (main branch) PowerView script, it worked fine


When I loaded the v3 (dev branch) PowerView script, it gives me connection issues.

Debugging - you can debug the ruby script with the -rdebug switch - this gave me:

Error: Can’t establish connection. Check connection params

Error: Exiting with code 1

evil-winrm.rb:270: Bad HTTP response returned from server. Body(if present): (413).' (WinRM::WinRMHTTPTransportError)
from evil-winrm.rb:433:in rescue in main'
from evil-winrm.rb:328:in main'
from evil-winrm.rb:449:in '
evil-winrm.rb:270: exit(exit_code)

However: updating your evil-winrm to the latest version - today this is v1.9 - fixes this. Check your
CHANGELOG.md file to make sure you have the latest version

hubi277 14 November 16, 2019, 5:13pm

I’m getting

7: from /usr/local/bin/evil-winrm:23:in <main>'
6: from /usr/local/bin/evil-winrm:23:in load'
5: from /var/lib/gems/2.5.0/gems/evil-winrm-1.9/bin/evil-winrm:3:in <top (required)>'
4: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in require'
3: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in require'
2: from /var/lib/gems/2.5.0/gems/evil-winrm-1.9/lib/evil-winrm.rb:556:in <top (required)>'
1: from /var/lib/gems/2.5.0/gems/evil-winrm-1.9/lib/evil-winrm.rb:380:in main'
/var/lib/gems/2.5.0/gems/evil-winrm-1.9/lib/evil-winrm.rb:524:in rescue in main': uninitialized constant EvilWinRM::GSSAPI (NameError)

error and I don’t really understand where that’s coming from. Anyone know what to do?
edit: fixed after changing to dev branch

frankiexiao 15 December 2, 2019, 12:00pm

Thank you for sharing.

arcy24 16 December 2, 2019, 12:02pm

Thanks for sharing!!!

SnarkyWolf 17 December 6, 2019, 12:34am

Thank you for this! It actually works, whereas alamot’s kept failing on me. I’m going to have to work
through the errors on Alamot’s as well; it’s probably just some dependency I failed to install.

jenco 18 December 10, 2019, 9:19am

Nice, really nice tools, git cloned then installed gem dependencies and worked like a charm. Used recently,
thanks for sharing !!!

clubby789 19 December 10, 2019, 9:07pm

Recently had an issue where some zip-related dependency was broken and had to gem install evil-winrm
to fix it

skippypeanut 20 December 18, 2019, 5:54pm


Please send me a PM with a hint to get root. I managed to get the user.txt flag, thanks for the above comments.

CyberVaca 21 December 18, 2019, 6:46pm

I think you were wrong about the forum. This is to talk about Evil-WinRM. By the way, thanks to all who use it
and give us back your opinions.

argenestel 22 December 19, 2019, 11:33am

Great tool

OddRabbit 23 January 3, 2020, 10:16am

Thank you for this tool. I used it for one of the machines.

When I use control c out of a command on the remote machine, the whole shell dies. Not sure if this is
something you can fix just like SSH? I think this would be quite helpful as well. If not, all good.

rmn0x01 24 January 12, 2020, 2:12pm

what causes error on upload feature? I got


Error: Upload failed. Check filenames or paths
Trying on local autocomplete path and full path from source file but still fail

Succeed on downloading files tho

clubby789 25 January 12, 2020, 2:54pm

@rmn0x01 said:

what causes error on upload feature? I got


Error: Upload failed. Check filenames or paths
Trying on local autocomplete path and full path from source file but still fail

Succeed on downloading files tho


Maybe you don’t have write permissions

rmn0x01 26 January 12, 2020, 2:59pm

@clubby789 said:

@rmn0x01 said:

what causes error on upload feature? I got


Error: Upload failed. Check filenames or paths
Trying on local autocomplete path and full path from source file but still fail

Succeed on downloading files tho

Maybe you don’t have write permissions

make sense. Thanks

Sk1ppy 27 January 22, 2020, 8:03pm

menu → Bypass-4MSI → then try to upload again

T13nn3s 28 January 22, 2020, 9:39pm

Thanks for sharing! Using it on daily basis. One of the most used tools from my toolbox.

CurioCT 29 February 11, 2020, 1:12am

@CurioCT said:

Any idea what’s wrong with my Ruby install. Had this message using your script and the other one
mentioned in the heist thread

/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated

All ruby newly installed added the winrm gem and the others colorizer etc

in case anyone is seeing this same annoyance it is fixed by updating the ntlm gem

gem install rubyntlm

thanks for this fantastic script

iven 30 March 28, 2020, 2:09pm

For who faced error just run this two-line (root*)

sudo gem install evil-winrm

sudo gem install rubyntlm

Enjoy

cyberafro 31 March 28, 2020, 2:32pm

Am I the only one getting this with my evil-winrm?

NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/gyoku-1.3.1.gemspec:17.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/logging-2.2.2.gemspec:18.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/little-plugger-1.1.4.gemspec:18.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/nori-2.6.0.gemspec:17.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /usr/share/rubygems-integration/all/specifications/erubis-2.7.0.gemspec:16.

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Evil-WinRM PS C:\Users\


System already updated

spicybyte 32 May 5, 2020, 12:21am

Is it possible to load powershell modules? For example, rather than loading each script for powersploit, we
could just load in powersploit. I could see how with the current way the menu works, that could easily clutter
things up though. But overall, I really like the tool!

JeffDgreat 33 May 9, 2020, 5:17pm

Perfect. Thanks @spicybyte

alamot 34 May 13, 2020, 7:22am

gunroot 35 May 15, 2020, 2:13am

Hey. @clubby789 I need some technical help with this Evil-WinRM tool. I’m recently encountering an issue
when I run evil-winrm
"Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired
Error: Exiting with code 1"

This error I got when I try to get user shell in Multimaster.
I can ping that machine from my side.
I tried to rebuild the dependency tools and reinstalled this gem.
I connected to fresh vpn keys also.
Yet same problem, later I tried to access other HTB machines using this tool with valid creds, same problem
rises there too.
I don’t know how to fix it.
I tagged you because of your activeness in this forum.
I really worked on this machine to get valid creds, it took a week. But a last moment for user flag is very
depressing me.
Please help me out.


gunroot 36 May 15, 2020, 2:14am

If anyone have solution for my above statement, please share me. I’m feeling helpless.

cyberafro 37 May 15, 2020, 5:36am

As you are having the same error on other boxes, I suggest you reinstall it.

gunroot 38 May 15, 2020, 7:14am

I did reinstall it from scratch. Yet same result. It is really frustrating. I installed Parrot sec OS on my
VMWare and tried in that also, same issue happening. I don’t know why it is happening.

gunroot 39 May 15, 2020, 7:14am

I worked 8 days to get user creds of the machine, but this error really annoying me to the edge.

elearning 40 May 16, 2020, 10:30pm

Guys, have anyone worked out solution for that issue?

Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired


Error: Exiting with code 1"

I got Evil-WinRM shell 2.3 running on Kali in VirtualBox, can ping the machine, credentials are correct but
still get this error every time.

nebula555 41 July 2, 2020, 4:34pm

@elearning said:

Guys, have anyone worked out solution for that issue?

Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired


Error: Exiting with code 1"


I got Evil-WinRM shell 2.3 running on Kali in VirtualBox, can ping the machine, credentials are correct
but still get this error every time.

hi to all !
anyone solve this problem ?

edit: solution is regenerate vpn connection to hackthebox or alternate tcp connection

namikaze 42 April 30, 2021, 3:25pm

gem install not working


always giving not a valid gem error

TazWake 43 April 30, 2021, 3:53pm

@namikaze said:

gem install not working


always giving not a valid gem error

Are you following the steps on GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for
hacking/pentesting ?

sunnyhez2013 45 October 28, 2022, 9:02pm

Can I email you please?

deltapi17 46 December 31, 2022, 7:33am

Was successful in uploading a file from Kali to Windows (after exploitation) using evil-winrm.
But where is the destination of the download file in Kali from Windows. Unable to ‘locate’ or ‘find’ the same in
Kali.
