Introduction
Namedpipes is a proof-of-concept tool that impersonates remote clients
after they connect to a network pipe, and executes code with their credentials.
If delegation is enabled, the new shell can be used to access network resources.
This is, for example, the default scenario on a file server that allows files to be
encrypted.
This tool was originally released at the NoConName Security congress
(Spanish paper).

Namedpipes waits for incoming connections. Once a client is connected, a new shell
can be executed. You can force clients to connect to the network pipe with
the payload generator tool.
Details:
Namedpipes calls the API CreateProcessAsUser() with an impersonated user token
obtained through ImpersonateNamedPipeClient(). The privilege of the new shell depends
on the domain delegation configuration. Delegation is not enabled by default, but
network admins are not g00r00s.
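
A defender's view of the delegation dependency described above, as an added example that is not part of the original tool or page: it flags hosts trusted for unconstrained delegation and privileged accounts not marked "sensitive and cannot be delegated". The account records and the `privileged` field are constructed assumptions; the bit values are the documented userAccountControl flags.

```python
# Added example: audit directory records for delegation exposure.
# Bit values are the documented Active Directory userAccountControl flags.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000   # member server or workstation
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
NOT_DELEGATED = 0x100000             # "sensitive and cannot be delegated"

# Constructed sample records. "privileged" is an assumption: in a real audit
# it would be derived from group membership, not stored on the record.
SAMPLE = [
    {"name": "FILESRV01$", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "privileged": False},
    {"name": "DC01$", "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "privileged": False},
    {"name": "WKS042$", "uac": WORKSTATION_TRUST_ACCOUNT, "privileged": False},
    {"name": "da-alice", "uac": NORMAL_ACCOUNT, "privileged": True},
    {"name": "da-bob", "uac": NORMAL_ACCOUNT | NOT_DELEGATED, "privileged": True},
    {"name": "old-admin", "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE, "privileged": True},
]


def audit_delegation(records):
    """Return (hosts trusted for delegation, privileged accounts that can be delegated)."""
    delegating_hosts = []
    delegable_admins = []
    for rec in records:
        uac = rec["uac"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot authenticate
        # Domain controllers are trusted for delegation by design, so only
        # non-DC accounts carrying the flag are reported.
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            delegating_hosts.append(rec["name"])
        # A privileged account without NOT_DELEGATED can have its credentials
        # forwarded by any service it authenticates to on a delegating host.
        if rec["privileged"] and not (uac & NOT_DELEGATED):
            delegable_admins.append(rec["name"])
    return delegating_hosts, delegable_admins


if __name__ == "__main__":
    hosts, admins = audit_delegation(SAMPLE)
    print("Trusted for delegation (non-DC):", hosts)
    print("Privileged and delegable:", admins)
```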

You can browse the source code online.
Usage Information:
C:\Web\namedpipes>NamedPipe.exe /?
Impersonation attack Proof of concept Exploit
Author: Andres Tarasco ( atarasco_@_gmail_._com)
URL: http://www.tarasco.org/tools.html
Usage: 1st is recomended to execute a shell with NT AUTHORITY\SYSTEM privileges
Example: psexec.exe -i -s -c namedpipe.exe [parameters]
Parameters:
-e <command> Application to execute, default is "nc.exe -l -p 51477 -e cmd.exe"
-n <namedpipe> Named of the pipe. Default is "0day"
-r <network share> Fun with smbreplay
Download (Windows executable + Source code)