Namedpipes is a proof-of-concept tool that impersonates remote clients after
they connect to a network pipe and executes code with their credentials.
If delegation is enabled, the new shell can be used to access network resources.
This is for example the default scenario on a fileserver that allows files to be
This tool was originally released at the NoConName Security congress
Namedpipes waits for incoming connections. Once a client is connected, a new shell
can be executed. You can force clients to connect to the network pipe with
payload generator tool
Namedpipes calls the API CreateProcessAsUser() with an impersonated user token
obtained through ImpersonateNamedPipeClient(). The privileges of the new shell depend
on the domain delegation configuration. Delegation is not enabled by default, but
network admins are not g00r00s.
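Because the reach of the impersonated shell depends on delegation settings, those settings can be audited from the defender's side. The following is an added example, not part of the Namedpipes source: it checks exported userAccountControl values for accounts trusted for unconstrained delegation and for privileged accounts not marked as non-delegable. The account names and records are constructed sample data, and the tuple layout is an assumption about how the directory export is shaped.

```python
# Added example: audit AD userAccountControl values for the delegation
# settings that decide whether an impersonated token can reach the network.
# Flag values are the documented userAccountControl bits; the records below
# are constructed sample data, not taken from a real directory.
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller
WORKSTATION_TRUST_ACCOUNT = 0x1000   # member server / workstation
NORMAL_ACCOUNT = 0x200               # ordinary user or service account
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
NOT_DELEGATED = 0x100000             # "sensitive and cannot be delegated"

SAMPLE = [  # constructed: (sAMAccountName, userAccountControl, adminCount)
    ("FILESRV01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, 0),
    ("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, 0),
    ("WKS042$", WORKSTATION_TRUST_ACCOUNT, 0),
    ("da-alice", NORMAL_ACCOUNT, 1),
    ("da-bob", NORMAL_ACCOUNT | NOT_DELEGATED, 1),
    ("svc-backup", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION, 0),
    ("jsmith", NORMAL_ACCOUNT, 0),
]

def audit(records):
    """Return sorted (account, finding) pairs for risky delegation settings."""
    findings = []
    for name, uac, admin_count in records:
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        # Domain controllers carry this flag by default, so they are skipped;
        # any other account with it receives delegated client credentials.
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append((name, "unconstrained-delegation"))
        # Privileged users should be marked non-delegable so that a service
        # impersonating them cannot act as them elsewhere on the network.
        if admin_count == 1 and uac & NORMAL_ACCOUNT and not uac & NOT_DELEGATED:
            findings.append((name, "privileged-account-delegable"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{finding:32} {name}")
```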
You can browse the source code online
Impersonation attack Proof of concept Exploit
Author: Andres Tarasco ( atarasco_@_gmail_._com)
Usage: 1st is recomended to execute a shell with NT AUTHORITY\SYSTEM privileges
Example: psexec.exe -i -s -c namedpipe.exe [parameters]
-e <command> Application to execute, default is "nc.exe -l -p 51477 -e cmd.exe"
-n <namedpipe> Named of the pipe. Default is "0day"
-r <network share> Fun with smbreplay
(Windows executable + Source code)