TLDR
I’ve built an alternative to Evil-WinRM called Devious-WinRM. It’s available for download now.
Intro
When hacking into Windows environments, the use of PowerShell Remoting (PSRP, the PowerShell Remoting Protocol) is indispensable. It's the Microsoft equivalent of SSH, built on top of Windows Remote Management (WinRM). Despite its ubiquity, few tools exist for interacting with it from Linux.
The most obvious option is using PowerShell directly from Microsoft along with the Enter-PSSession cmdlet. Unfortunately, configuring it is tricky and I've never gotten it to work personally. More importantly though, being an official tool, it does not support many useful pentesting features such as pass the hash or AV bypass.
Luckily, someone filled the void in this regard. The folks at Hackplayers developed Evil-WinRM, a PSRP (often just referred to as WinRM) client for Linux. It's what I and countless others use every day when needing to connect to a Windows box. Despite its usefulness, however, much remains to be desired in terms of stability and maintenance. As of writing, it has been 8 months since the last commit was made to the project. Much to my dismay, the entirety of the project is written inside a single .rb file. The combination of an unfamiliar language to me (Ruby) and a goliath of a script made contributing improvements a more frustrating endeavor than one I hoped to take on. And so, I decided to write my own alternative in Python.
Devious-WinRM
In the spirit of the original, I kept a similar name structure and named my project Devious-WinRM. At this point, I had zero clue how to even start working on this project. Thankfully, I ran into the pypsrp library by @jborean93. It is a tremendously well-featured library for PowerShell Remoting. It turns out that Ruby and Python (thanks to Borean's project) are the only languages that have robust PSRP libraries (that I could find!).
I started work on Devious-WinRM as my university finals began. Rather than studying for those, I decided a better use of my time was to sit in my dorm room at 3AM coding away, and I’m glad I did! Today, Devious-WinRM has a stable release! Interestingly enough, @adityatelange had the same idea I did only a couple of days before I started work on DWRM. His project, evil-winrm-py, is also available on GitHub. We both more or less used the same libraries resulting in a very similar project. I found out about his only recently, but decided to keep working on DWRM to contribute something of my own to the hacking community and so that more options exist.
Conclusion
And so, Devious-WinRM is available on PyPI and GitHub right now. More features are definitely to come; the biggest few I want to implement are an AMSI bypass and an in-memory .NET/PowerShell loader. A big thank you to @jborean93 for being so helpful and for developing pypsrp. This project would not be here without him!