Execute commands interactively on remote Windows machines using the WinRM protocol

Project description

evil-winrm-py

evil-winrm-py is a Python-based tool for executing commands on remote Windows machines using the WinRM (Windows Remote Management) protocol. It provides an interactive shell with enhanced features like file upload/download, command history, and colorized output. It supports various authentication methods including NTLM, Pass-the-Hash, Certificate, and Kerberos.

Note: This tool is designed strictly for educational, ethical use, and authorized penetration testing. Always ensure you have explicit authorization before accessing any system. Unauthorized access or misuse of this tool is both illegal and unethical.

Motivation

The original evil-winrm is written in Ruby, which can be a hurdle for some users. Rewriting it in Python makes it more accessible and easier to use, while also allowing us to leverage Python’s rich ecosystem for added features and flexibility.

I also wanted to learn more about WinRM and its internals, so this project will also serve as a learning experience for me.

Features

  • Execute commands on remote Windows machines via an interactive shell.
  • Download files from the remote host to the local machine.
  • Upload files from the local machine to the remote host.
  • Progress bar for file transfers with speed and time estimation.
  • Stable and reliable file transfer including support for large files with MD5 checksum verification.
  • Auto-complete local and remote file paths (even those with spaces) with Tab completion.
  • Auto-complete PowerShell cmdlets/helpers with Tab completion. 🆕
  • Load PowerShell functions from local scripts into the interactive shell. 🆕
  • Run local PowerShell scripts on the remote host. 🆕
  • Load local DLLs (in-memory) as PowerShell modules on the remote host. 🆕
  • Upload and execute local EXEs (in-memory) on the remote host. 🆕
  • List the running services (except system services) on the remote host. 🆕
  • Enable logging and debugging for better traceability.
  • Navigate command history using up/down arrow keys.
  • Display colorized output for improved readability.
  • Lightweight and Python-based for ease of use.
  • Keyboard Interrupt (Ctrl+C / Ctrl+D) support to terminate long-running commands gracefully.

Includes support for:

  • NTLM authentication.
  • Pass-the-Hash authentication.
  • Certificate authentication.
  • Kerberos authentication with custom SPN prefix and hostname options.
  • SSL to secure communication with the remote host.
  • Custom WSMan URIs.
  • Custom user agent for the WinRM client.

Detailed documentation can be found in the docs directory.

Installation (Windows/Linux)

Installation of Kerberos prerequisites on Linux

sudo apt install gcc python3-dev libkrb5-dev krb5-pkinit
# Optional: krb5-user

Install evil-winrm-py

You may use pipx or uv instead of pip to install evil-winrm-py. pipx and uv install and run Python applications in isolated environments, which helps prevent dependency conflicts by keeping the tool's dependencies separate from your system's Python packages.

pip install evil-winrm-py
pip install "evil-winrm-py[kerberos]" # for Kerberos support on Linux (quoted so the shell does not expand the brackets)

# Note: building gssapi and krb5 packages may take some time, so be patient.

Alternatively, to install the latest commit from the main branch, clone the repository and install it with pip/pipx/uv:

git clone https://github.com/adityatelange/evil-winrm-py
cd evil-winrm-py
pip install .

Update

pip install --upgrade evil-winrm-py

Uninstall

pip uninstall evil-winrm-py

See the Installation Guide for more details.

Availability on Unix distributions

Packaging status

For the above-mentioned distributions, you can install evil-winrm-py directly from their package managers. Thanks to the package maintainers for packaging and maintaining evil-winrm-py in their respective distributions.

Usage

Details on how to use evil-winrm-py can be found in the Usage Guide.

usage: evil-winrm-py [-h] -i IP [-u USER] [-p PASSWORD] [-H HASH]
                     [--priv-key-pem PRIV_KEY_PEM] [--cert-pem CERT_PEM] [--uri URI]
                     [--ua UA] [--port PORT] [--spn-prefix SPN_PREFIX]
                     [--spn-hostname SPN_HOSTNAME] [-k] [--no-pass] [--ssl] [--log]
                     [--debug] [--no-colors] [--version]

options:
  -h, --help            show this help message and exit
  -i, --ip IP           remote host IP or hostname
  -u, --user USER       username
  -p, --password PASSWORD
                        password
  -H, --hash HASH       nthash
  --priv-key-pem PRIV_KEY_PEM
                        local path to private key PEM file
  --cert-pem CERT_PEM   local path to certificate PEM file
  --uri URI             wsman URI (default: /wsman)
  --ua UA               user agent for the WinRM client (default: "Microsoft WinRM Client")
  --port PORT           remote host port (default 5985)
  --spn-prefix SPN_PREFIX
                        specify spn prefix
  --spn-hostname SPN_HOSTNAME
                        specify spn hostname
  -k, --kerberos        use kerberos authentication
  --no-pass             do not prompt for password
  --ssl                 use ssl
  --log                 log session to file
  --debug               enable debug logging
  --no-colors           disable colors
  --version             show version

For more information about this project, visit https://github.com/adityatelange/evil-winrm-py
For user guide, visit https://github.com/adityatelange/evil-winrm-py/blob/main/docs/usage.md

Example:

evil-winrm-py -i 192.168.1.100 -u Administrator -p P@ssw0rd --ssl
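
The defaults in the help text above (port 5985, URI /wsman, user agent "Microsoft WinRM Client") are also what HTTP logs on the defending side record for a session. The following is an added example, not part of evil-winrm-py or its documentation: it flags WSMan POSTs from hosts outside an approved admin list. The log format, `flag_winrm_sessions`, the sample lines and the allowlist are assumptions constructed for illustration; 5986 is the standard WinRM HTTPS port, and the log source is assumed to see the request line.

```python
import shlex

# Defaults taken from the help text above; 5986 is the standard WinRM HTTPS port.
WINRM_PORTS = {5985, 5986}
DEFAULT_URI = "/wsman"
DEFAULT_UA = "Microsoft WinRM Client"


def flag_winrm_sessions(log_lines, admin_hosts):
    """Return one finding per WSMan POST whose source is not an approved admin host.

    Assumed (constructed) log format, one request per line:
        <timestamp> <src_ip> <dst_ip> <dst_port> <method> <uri> "<user-agent>"
    """
    findings = []
    for line in log_lines:
        try:
            ts, src, dst, port, method, uri, ua = shlex.split(line)
            port = int(port)
        except ValueError:
            continue  # malformed or truncated line: skip rather than crash
        if method != "POST" or port not in WINRM_PORTS:
            continue
        # Compare the path only, ignoring any query string and trailing slash.
        if uri.split("?", 1)[0].rstrip("/").lower() != DEFAULT_URI:
            continue
        if src in admin_hosts:
            continue
        # The UA is client-controlled (--ua), so it annotates a finding but never clears one.
        ua_note = "default-ua" if ua == DEFAULT_UA else "custom-ua"
        findings.append({"time": ts, "src": src, "dst": dst, "port": port, "ua": ua_note})
    return findings


# Constructed sample lines (not captured traffic).
SAMPLE_LOG = [
    '2025-01-10T09:00:01Z 10.0.0.5 10.0.0.20 5985 POST /wsman "Microsoft WinRM Client"',
    '2025-01-10T09:02:13Z 10.0.0.77 10.0.0.20 5985 POST /wsman "Microsoft WinRM Client"',
    '2025-01-10T09:02:40Z 10.0.0.77 10.0.0.21 5986 POST /wsman?PSVersion=5.1 "custom-agent/1.0"',
    '2025-01-10T09:03:00Z 10.0.0.77 10.0.0.20 80 GET /index.html "curl/8.5.0"',
    'truncated line',
]

if __name__ == "__main__":
    for finding in flag_winrm_sessions(SAMPLE_LOG, admin_hosts={"10.0.0.5"}):
        print(finding)
```

Because `--uri`, `--port` and `--ua` are all settable by the client, the source-host allowlist carries the detection here; the port and URI filters only narrow the log volume.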

Menu Commands (inside evil-winrm-py shell)

Menu:
[+] services                                                - Show the running services (except system services)
[+] upload <local_path> <remote_path>                       - Upload a file
[+] download <remote_path> <local_path>                     - Download a file
[+] loadps <local_path>.ps1                                 - Load PowerShell functions from a local script
[+] runps <local_path>.ps1                                  - Run a local PowerShell script on the remote host
[+] loaddll <local_path>.dll                                - Load a local DLL (in-memory) as a module on the remote host
[+] runexe <local_path>.exe [args]                          - Upload and execute (in-memory) a local EXE on the remote host
[+] menu                                                    - Show this menu
[+] clear, cls                                              - Clear the screen
[+] exit                                                    - Exit the shell
Note: Use absolute paths for upload/download for reliability.

Credits

Download files

Source Distribution

evil_winrm_py-1.6.0.tar.gz (30.4 kB)

Uploaded Source

Built Distribution

evil_winrm_py-1.6.0-py3-none-any.whl (29.9 kB)

Uploaded Python 3

File details

Details for the file evil_winrm_py-1.6.0.tar.gz.

File metadata

  • Download URL: evil_winrm_py-1.6.0.tar.gz
  • Upload date:
  • Size: 30.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.3

File hashes

Hashes for evil_winrm_py-1.6.0.tar.gz
Algorithm Hash digest
SHA256 042246af0651b7adb00e8f9fb0b0e2d966f73b85a21d5f1c92775d72fff457ea
MD5 ff1f9132533d990319c1b4ea44a6bbca
BLAKE2b-256 44105731c231e9686663e081641f7be18be869464fecc662fe54358fad8e962f

File details

Details for the file evil_winrm_py-1.6.0-py3-none-any.whl.

File metadata

  • Download URL: evil_winrm_py-1.6.0-py3-none-any.whl
  • Upload date:
  • Size: 29.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.3

File hashes

Hashes for evil_winrm_py-1.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b51816e11881182d8cd0ed5ece3efcf6904110b6f64981323a746008cb3a16e5
MD5 3e944de27d005bfec2538b3cf4454f95
BLAKE2b-256 9ae3374c5d4b281f04dbcc1c25207ba590adecaae088fb526ba98aeef1e63979
