Named Pipes
Pipes are used for communication between two applications or processes through a section of shared memory. There are two types of pipes: named pipes and anonymous pipes. A named pipe is addressed by a path under the named pipe root, for example \\.\pipe\ExampleNamedPipeServer.
Windows systems use a client-server implementation for pipe communication. In this type of implementation, the process that creates a named pipe is the server, and the process communicating with the named pipe is the client.
Named pipes can communicate in half-duplex mode, a one-way channel (for instance, the client can only write data to the server), or in duplex mode, a two-way channel in which the client writes data over the pipe and the server responds with data over the same pipe.
We can use the tool PipeList from the Sysinternals Suite to enumerate instances of named pipes. Pipes are essentially files held in memory; data written to a pipe is consumed as it is read. Additionally, we can use PowerShell to list named pipes with gci (Get-ChildItem) against the named pipe root.
After obtaining a listing of named pipes, we can use Accesschk to enumerate the permissions assigned to a specific named pipe by reviewing its Discretionary Access Control List (DACL), which shows us who has permission to modify, write, read, or execute the resource.
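The client-server model and the DACL check described above can be seen end to end in one script. The following is an added example and not code from the original page: it creates a duplex named pipe server, connects a client to it, exchanges one request and one reply over the same pipe, and then reads back the DACL actually applied to the pipe. The pipe name ExampleNamedPipeServer is taken from the text; the -Hardened switch and the New-PipeSecurity function are this example's own. It assumes Windows PowerShell 5.1, because the NamedPipeServerStream constructor overload that accepts a PipeSecurity object exists in .NET Framework (not in PowerShell 7 without extra assemblies).

```powershell
# Added example: duplex named pipe server + client, with the server's DACL chosen by -Hardened.
# Run without -Hardened to reproduce the weak "Everyone: FullControl" setup the text exploits.
param([switch]$Hardened)

Add-Type -AssemblyName System.Core   # System.IO.Pipes on Windows PowerShell 5.1 / .NET Framework

$PipeName = 'ExampleNamedPipeServer'   # name taken from the text

# Build the DACL the server applies when it creates the pipe (example's own helper).
function New-PipeSecurity {
    param([bool]$Restrictive)
    $sec   = New-Object System.IO.Pipes.PipeSecurity
    $full  = [System.IO.Pipes.PipeAccessRights]::FullControl
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($Restrictive) {
        # Hardened: only SYSTEM and Administrators may open the pipe at all.
        foreach ($wk in @([System.Security.Principal.WellKnownSidType]::LocalSystemSid,
                          [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($wk, $null)
            $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($sid, $full, $allow)))
        }
    } else {
        # Weak: Everyone (WorldSid) gets full control, which is what accesschk later flags as RW.
        $everyone = New-Object System.Security.Principal.SecurityIdentifier(
            [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($everyone, $full, $allow)))
    }
    return $sec
}

$security = New-PipeSecurity -Restrictive:$Hardened.IsPresent

# Server side: one duplex (InOut) instance in message mode, created with the DACL above.
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $PipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,
    [System.IO.Pipes.PipeTransmissionMode]::Message,
    [System.IO.Pipes.PipeOptions]::Asynchronous,
    4096, 4096,
    $security)
$accept = $server.WaitForConnectionAsync()   # accept in the background so the client can run here

# Client side: open the same pipe for read and write. Whether this succeeds is decided
# by the server's DACL and the token of the user running this script.
$client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName,
    [System.IO.Pipes.PipeDirection]::InOut)
try {
    $client.Connect(2000)
} catch {
    Write-Warning "client could not open \\.\pipe\$PipeName : $($_.Exception.Message)"
    $server.Dispose(); return
}
$accept.Wait()

# Duplex exchange: client -> server request, server -> client reply, one pipe.
$clientWriter = New-Object System.IO.StreamWriter($client); $clientWriter.AutoFlush = $true
$serverReader = New-Object System.IO.StreamReader($server)
$serverWriter = New-Object System.IO.StreamWriter($server); $serverWriter.AutoFlush = $true
$clientReader = New-Object System.IO.StreamReader($client)

$clientWriter.WriteLine('hello from client')
$request = $serverReader.ReadLine()
$serverWriter.WriteLine("server got: $request")
Write-Output ("client received: " + $clientReader.ReadLine())

# Read back the DACL that is really on the pipe; this is what accesschk reports.
$server.GetAccessControl().GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, PipeAccessRights, AccessControlType

$client.Dispose(); $server.Dispose()
```

Run it twice from a non-administrative prompt: without -Hardened the exchange completes and the DACL listing shows Everyone with FullControl; with -Hardened the client's Connect fails with access denied, because a low-privileged token is not in the pipe's DACL. That difference is exactly what the attack below depends on.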
Attack example
Let's walk through an example of taking advantage of an exposed named pipe to escalate privileges.
Using accesschk we can search for all named pipes that allow write access:
Note in the output whether any named pipe grants READ and WRITE access to the Everyone group, which covers every user of the system, not only authenticated users. For instance, let's say WindscribeService does.
Check the WindscribeService named pipe permissions and review the output:
From here, we could leverage these lax permissions to escalate privileges on the host to SYSTEM.
Check if the service is running as SYSTEM. If StartName is LocalSystem, we have a potential privilege escalation vector.
Craft a Malicious Named Pipe Server
Last update: 2025-03-15 Created: February 23, 2025 21:12:05