NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation. There also is a blog post for explanation:
https://s3cur3th1ssh1t.github.io/Named-Pipe-PTH/
It is heavily based on the code from the projects Invoke-SMBExec.ps1 and RoguePotato.
I faced certain Offensive Security project situations in the past, where I already had the NTLM-Hash of a low privileged
user account and needed a shell for that user on the current compromised system – but that was not possible with the current public tools. Imagine two more facts for a situation like that – the NTLM Hash could not be cracked and there is no process of the victim user to execute shellcode in it or to migrate into that process. This may sound like an absurd edge-case for some of you. I still experienced that multiple times. Not only in one engagement I spend a lot of time searching for the right tool/technique in that specific situation.
My personal goals for a tool/technique were:
low privileged
accounts – depending on engagement goals it might be needed to access a system with a specific user such as the CEO, HR-accounts, SAP-administrators or othersThe impersonated user unfortunately has no network authentication allowed, as the new process is using an Impersonation Token which is restricted. So you can only use this technique for local actions with another user.
There are two ways to use this technique. Either you can compile \Resources\PipeServerImpersonate.sln
and drop the executable on the remote host and connect to the Named Pipe via \Resources\Invoke-NamedPipePTH.ps1
:
Or you can use the standalone script to stay in memory:
If you don’t want to drop a binary for execution just pass arguments for native Windows binaries such as Powershell
Invoke-ImpersonateUser-PTH -Username USERNAME -Hash NTLMHASH -Domain DOMAIN -PipeName mypipe -binary
“C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe” -argument “-nop -w 1 -sta -enc BASEBLOB”
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…