Good Afternoon

Named Pipe Pass-The-Hash | Impersonating lower privilege accounts

Updated: May 4, 2021

Named pipes are used to permit asynchronous or synchronous inter-process communication (IPC) on the same computer or on different computers across the network. With named pipes you can send/receive and share data between processes using the memory. They are very similar to TPC/IP sockets, you have a server which listens for connections and clients which connects to the server in order to request or send data.

Named Pipes are heavily used in Windows, just launch pipelist and you will see many pipes and related info:

Why impersonating lower privilege accounts ?

We can easily access a shell for an administrative account by using DCOM, WinRM PTH tool or WMI. If you have NTLM hash, you can use PTH techniques to get administrative shell.

Now suppose there's a situation where you already have NTLM-hash for low privileged user account and need the shell of that user.

Or a situation where there is not process running of the victim user to execute shellcode in it or migrate into that process.

Impersonating lower privilege accounts

I already have the NTLM hash for the low privilege user named 'user1'.

However you can use mimikatz or ctools to get hashes for testing.