• Stars
    star
    139
  • Rank 262,954 (Top 6 %)
  • Language
    PowerShell
  • License
    BSD 3-Clause "New...
  • Created over 3 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pass the Hash to a named pipe for token Impersonation

NamedPipePTH

This project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation. There also is a blog post for explanation:

https://s3cur3th1ssh1t.github.io/Named-Pipe-PTH/

It is heavily based on the code from the projects Invoke-SMBExec.ps1 and RoguePotato.

I faced certain Offensive Security project situations in the past, where I already had the NTLM-Hash of a low privileged user account and needed a shell for that user on the current compromised system - but that was not possible with the current public tools. Imagine two more facts for a situation like that - the NTLM Hash could not be cracked and there is no process of the victim user to execute shellcode in it or to migrate into that process. This may sound like an absurd edge-case for some of you. I still experienced that multiple times. Not only in one engagement I spend a lot of time searching for the right tool/technique in that specific situation.

My personal goals for a tool/technique were:

  • Fully featured shell or C2-connection as the victim user-account
  • It must to able to also Impersonate low privileged accounts - depending on engagement goals it might be needed to access a system with a specific user such as the CEO, HR-accounts, SAP-administrators or others
  • The tool can be used as C2-module

The impersonated user unfortunately has no network authentication allowed, as the new process is using an Impersonation Token which is restricted. So you can only use this technique for local actions with another user.

There are two ways to use this technique. Either you can compile \Resources\PipeServerImpersonate.sln and drop the executable on the remote host and connect to the Named Pipe via \Resources\Invoke-NamedPipePTH.ps1:

alt text

Or you can use the standalone script to stay in memory:

alt text

If you don't want to drop a binary for execution just pass arguments for native Windows binaries such as Powershell

Invoke-ImpersonateUser-PTH -Username USERNAME -Hash NTLMHASH -Domain DOMAIN -PipeName mypipe -binary "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -argument "-nop -w 1 -sta -enc BASEBLOB"

More Repositories

1

WinPwn

Automation for internal Windows Penetrationtest / AD-Security
PowerShell
3,153
star
2

Pentest-Tools

2,063
star
3

Amsi-Bypass-Powershell

This repo contains some Amsi Bypass methods i found on different Blog Posts.
1,465
star
4

PowerSharpPack

PowerShell
1,380
star
5

OffensiveVBA

This repo covers some code execution and AV Evasion methods for Macros in Office documents
VBA
1,131
star
6

Creds

Some usefull Scripts and Executables for Pentest & Forensics
PowerShell
1,007
star
7

MultiPotato

C++
493
star
8

SharpImpersonation

A User Impersonation tool - via Token or Shellcode injection
C#
391
star
9

Invoke-SharpLoader

PowerShell
333
star
10

Caro-Kann

Encrypted shellcode Injection to avoid Kernel triggered memory scans
C
294
star
11

Ruy-Lopez

C
288
star
12

SharpNamedPipePTH

Pass the Hash to a named pipe for token Impersonation
C#
286
star
13

Nim-RunPE

A Nim implementation of reflective PE-Loading from memory
Nim
253
star
14

NimGetSyscallStub

Get fresh Syscalls from a fresh ntdll.dll copy
Nim
215
star
15

SharpVeeamDecryptor

Decrypt Veeam database passwords
C#
150
star
16

SyscallAmsiScanBufferBypass

AmsiScanBufferBypass using D/Invoke
C#
129
star
17

Nim_DInvoke

D/Invoke implementation in Nim
Nim
97
star
18

Excel-Phish

Phish password protected Excel-Files
VBA
93
star
19

Sharp-HackBrowserData

C# binary with embeded golang hack-browser-data
C#
93
star
20

Get-System-Techniques

PowerShell
85
star
21

NimShellcodeFluctuation

ShellcodeFluctuation PoC ported to Nim
Nim
74
star
22

RDPThiefInject

RDPThief donut shellcode inject into mstsc
C#
70
star
23

Invoke-Sharpcradle

Load C# Code straight to memory
PowerShell
54
star
24

Nim_CBT_Shellcode

CallBack-Techniques for Shellcode execution ported to Nim
Nim
53
star
25

LDAP-Signing-Scanner

A little scanner to check the LDAP Signing state
46
star
26

BitwardenDecryptBrute

Wordlist attacks on Bitwarden data.json files
Python
44
star
27

SharpOxidResolver

IOXIDResolver from AirBus Security/PingCastle
C#
40
star
28

SharpPolarBear

Privesc through import of Sheduled tasks + Hardlinks - CVE-2019-1069
C#
36
star
29

SharpByeBear

AppXSVC Service race condition - privilege escalation
C#
26
star
30

S3cur3Th1sSh1t

23
star
31

TeamViewerDecrypt

PowerShell
17
star
32

SharpLigolo

C# wrapper for ligolo
C#
16
star
33

Invoke-WMI-Information

Straight forward script for WMI information gathering (local or remote)
13
star
34

EmpEISDecrypt

Decrypt Matrix42 Empirum /EIS Passwords
C#
11
star
35

NimWinstaEveryoneAccess

Nim
10
star
36

darkamour_clone

Objective-C
9
star
37

WinFor

Powershell script to execute different forensic Powershell functions / tools on a compromised host
PowerShell
7
star
38

ssdp-poisoning

Python
7
star
39

MimiMisc

C
6
star
40

SSJI---JSGen

Just a copy from here: https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
Python
5
star
41

Hosts-File---AD-Tracking-Blocker

Hosts File for Blocking Advertising & Tracking Domains
3
star
42

nim-strenc

string encryption in Nim
Nim
2
star