nimrm
Native WinRM shell client with NTLM, Kerberos, file transfers, in-memory operations, and multi-session support
Summary
| Latest Version | Unknown |
|---|---|
| License | MIT |
| CI Status | Unknown |
| Downloads | 0 |
| Last Indexed | 2026-07-17 18:29 |
Tags
Installation
nimble install nimrm
choosenim install nimrm
git clone https://github.com/blue0x1/nimrm
OS Compatibility
| Platform | Linux | macOS | Windows | FreeBSD | OpenBSD | NetBSD | Android | iOS | WASM | Embedded |
|---|---|---|---|---|---|---|---|---|---|---|
| nimrm | — | — | — | — | — | — | — | — | — | — |
Source
| Repository | https://github.com/blue0x1/nimrm |
|---|---|
| Homepage | https://github.com/blue0x1/nimrm |
| Registry Source | nimble_official |
README
nimrm
Native WinRM shell client written in Nim
Version 1.2.0 · Author Chokri Hammedi (blue0x1) · License MIT
Legal Notice
nimrm is intended for lawful administration, security testing, and research on systems you own or have explicit permission to access. The author is not responsible for misuse or damage caused by this tool.
Table of Contents
- Overview
- Features
- Requirements
- Installation
- Build
- Performance
- Usage
- Options
- Interactive Commands
- Session Management
- Examples
- Notes
- License
Overview
nimrm provides a compact and fast WinRM shell with practical authentication, command execution, transfer, and reporting helpers. It is built as a native Nim binary with no Nim package dependencies.
Features
| Area | Support |
|---|---|
| Authentication | NTLM password, NTLM hash, Kerberos via KRB5CCNAME |
| WinRM transport | HTTP, HTTPS/TLS, custom port |
| Shell | Interactive PowerShell, CMD prefix, one-shot command mode, command and local path autocomplete |
| Transfers | File upload/download, recursive directory transfer, remote session-to-session file and directory relay |
| In-memory | PowerShell script import, managed .NET assembly execution |
| Reporting | AD/domain context, logging and auditing posture |
| Reliability | Kerberos message wrapping, transport reset/retry handling |
Requirements
| Component | Requirement |
|---|---|
| Build | Nim >= 1.6.0 |
| Kerberos | libgssapi_krb5.so.2 on Linux or libgssapi_krb5.dylib on macOS |
| TLS build | OpenSSL and -d:ssl |
| Target | WinRM reachable on the selected port |
Installation
Nimble:
nimble install nimrm
Download the latest release:
curl -L -o nimrm https://github.com/blue0x1/nimrm/releases/latest/download/nimrm
chmod +x nimrm
Windows release binary:
Invoke-WebRequest -Uri https://github.com/blue0x1/nimrm/releases/latest/download/nimrm.exe -OutFile nimrm.exe
Debian package:
curl -L -o nimrm_1.2.0_amd64.deb https://github.com/blue0x1/nimrm/releases/latest/download/nimrm_1.2.0_amd64.deb
sudo dpkg -i nimrm_1.2.0_amd64.deb
BlackArch:
sudo pacman -S nimrm
The BlackArch PKGBUILD tracks the latest upstream git commit, so new releases reach BlackArch users on their next system update. If nimrm is already installed, upgrade it with:
sudo pacman -Syu nimrm
Build from source:
git clone https://github.com/blue0x1/nimrm.git
cd nimrm
make linux
Build
make linux
make ssl
make windows
Manual build:
nim c -d:release --opt:speed -o:nimrm nimrm.nim
Performance
nimrm is designed to stay fast by using a native Nim binary, persistent WinRM runspace, chunked transfer logic, and compact progress rendering.
| Operation | Implementation |
|---|---|
| Upload | Chunked Base64 writes with adaptive retry on large envelopes |
| Download | Streamed Base64 chunks with progress tracking and a fast path for small files |
| Remote session relay | Reads from one WinRM session and writes to another through controller memory without writing the file to local disk |
| Directory transfer | Recursive file enumeration using the same chunked transfer path |
| Command execution | Reuses the active WinRM shell/runspace instead of reconnecting per command |
Usage
NTLM password:
./nimrm -T 192.168.1.10 -A 'CORP\administrator' -P 'Password123'
NTLM pass-the-hash:
./nimrm -T 192.168.1.10 -A 'CORP\user' -N aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
Kerberos:
KRB5CCNAME=FILE:/tmp/user.ccache ./nimrm -k -T dc01.corp.local -Z CORP.LOCAL
Force NTLM message encryption over HTTP:
./nimrm -T 192.168.1.10 -A 'CORP\user' -P 'Password123' --seal
Custom port:
./nimrm -T 192.168.1.10 -A 'CORP\user' -P 'Password123' -p 5985
One-shot command:
./nimrm -T 192.168.1.10 -A 'CORP\user' -P 'Password123' -c 'whoami'
Skip TLS certificate verification (self-signed certs):
./nimrm -T 192.168.1.10 -A 'CORP\user' -P 'Password123' --tls --insecure
Options
| Option | Description |
|---|---|
-T, --target |
Target IP or hostname |
-A, --account |
Username: user, user@domain, or DOMAIN\user |
-P, --secret |
NTLM password |
-p, --port |
WinRM port |
-N, --nt-proof |
NT hash or LM:NT hash |
-Z, --krb-zone |
Kerberos realm override |
-K, --kerb-spn |
Kerberos SPN override |
-k, --kerb |
Use Kerberos authentication |
-c, --command |
Execute one command and exit |
--tls |
Use HTTPS/TLS |
--insecure |
Skip TLS certificate verification |
-h, --help |
Show help |
Interactive Commands
| Command | Description |
|---|---|
/help |
Show help |
exit, quit |
Close shell |
!<cmd> |
Run through cmd.exe |
upload <local> [remote] |
Upload one file |
download <remote> [local] |
Download one file |
rupload <remote> <session> [dest] |
Copy a remote file from the active session to another session through memory |
rdownload <session> <remote> [dest] |
Copy a remote file from another session to the active session through memory |
rupload-dir <remote> <session> [dest] |
Copy a remote directory from the active session to another session through memory |
rdownload-dir <session> <remote> [dest] |
Copy a remote directory from another session to the active session through memory |
upload-dir <local> [remote] |
Upload a directory |
download-dir <remote> [local] |
Download a directory |
invoke-script <ps1> [args] |
Import local PowerShell from memory |
execute-assembly <exe> [args] |
Run managed .NET from memory |
ad-info |
Show AD/domain context |
opsec-check |
Show logging and auditing posture |
sessions |
List all active sessions |
session <opts> |
Create a new session |
use <name\|id> |
Switch to a session |
kill <name\|id> |
Close and remove a session |
Session Management
nimrm supports multiple concurrent WinRM sessions. You can pivot between different hosts and users without leaving the shell.
Create a new session from inside an existing one:
PS C:\Users\Administrator> session -T 10.0.0.5 -A 'CORP\user2' -P 'Pass123'
PS C:\Users\Administrator> session -T dc02.corp.local -A user@corp.local -N aad3b435:0123456789abcdef -n dc02
PS C:\Users\Administrator> session -T dc03.corp.local -k -Z CORP.LOCAL -n dc03
List active sessions:
PS C:\Users\Administrator> sessions
ID Name Target User Auth
-- ---- ------ ---- ----
* 1 session-1 dc01.corp.local:5985 administrator Kerberos
2 session-2 10.0.0.5:5985 user2 NTLM
3 dc02 dc02.corp.local:5985 user NTLM
Switch between sessions:
[session-2] PS C:\Users\user2> use 1
[*] Switched to session: session-1 (dc01.corp.local:5985)
[session-1] PS C:\Users\Administrator> use dc02
[*] Switched to session: dc02 (dc02.corp.local:5985)
Close a session:
[dc02] PS C:\Users\user> kill 2
[*] Killed session: session-2
Copy files between active sessions:
[session-1] PS C:\Users\user1> rupload C:\Users\user1\tool.exe session-2 C:\Users\user2\Desktop\tool.exe
[*] Download mode: WinRS binary stream
✔ rupload-read [━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━] 100% 442.0 KB/442.0 KB done in 0.7s
[*] Upload mode: WinRS stream
✔ rupload-write [━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━] 100% 442.0 KB/442.0 KB done in 0.4s
[+] Remote uploaded 452608 bytes from session-1:C:\Users\user1\tool.exe to session-2:C:\Users\user2\Desktop\tool.exe
[session-1] PS C:\Users\user1> rdownload session-2 C:\Users\user2\Desktop\out.txt C:\Users\user1\out.txt
[+] Remote downloaded 1024 bytes from session-2:C:\Users\user2\Desktop\out.txt to session-1:C:\Users\user1\out.txt
rupload and rupload-dir use the active session as the source and the named session as the destination. rdownload and rdownload-dir use the named session as the source and the active session as the destination. These commands relay bytes through nimrm memory, so the controller host does not write a temporary copy to disk.
Session options:
| Option | Description |
|---|---|
-T |
Target host |
-A |
Username |
-P |
Password |
-N |
NT hash |
-k |
Kerberos auth |
-Z |
Kerberos realm |
-K |
SPN override |
-p |
Port |
--tls |
Use HTTPS |
-n |
Custom session name |
Examples
PowerShell and CMD:
PS> hostname
PS> Get-Process
PS> !ipconfig /all
Transfers:
PS> upload ./tool.exe C:\Temp\tool.exe
PS> download C:\Temp\out.txt ./out.txt
PS> rupload C:\Temp\tool.exe session-2 C:\Temp\tool.exe
PS> rdownload session-2 C:\Temp\out.txt C:\Temp\out.txt
PS> rupload-dir C:\Temp\logs session-2 C:\Temp\logs
PS> rdownload-dir session-2 C:\Temp\loot C:\Temp\loot
PS> upload-dir ./payloads C:\Temp\payloads
PS> download-dir C:\Temp\logs ./logs
Remote session relay direction:
# Active session -> another session
PS> rupload C:\Temp\payload.exe session-2 C:\Users\Public\payload.exe
# Another session -> active session
PS> rdownload session-2 C:\Users\Public\loot.zip C:\Temp\loot.zip
Autocomplete:
PS> upl<Tab>
PS> upload ./pay<Tab>
The interactive prompt completes command names and local filesystem paths for local-source commands such as upload, upload-dir, invoke-script, and execute-assembly.
In-memory helpers:
PS> invoke-script ./AdminTools.ps1
PS> execute-assembly ./tool.exe arg1 arg2
Reporting:
PS> ad-info
PS> opsec-check
Notes
execute-assemblysupports managed .NET assemblies only.invoke-scriptimports into the current remote runspace.rupload,rdownload,rupload-dir, andrdownload-dirdo not write temporary files on the controller host, but the bytes still pass through controller memory and use two WinRM transfer legs.ad-infoandopsec-checkare read-only reporting commands.- Some reporting data requires sufficient remote privileges.
License
MIT. See LICENSE.
