{"id":13897,"date":"2021-06-29T21:18:23","date_gmt":"2021-06-29T15:48:23","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=13897"},"modified":"2021-06-29T21:18:23","modified_gmt":"2021-06-29T15:48:23","slug":"namedpipepth","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/","title":{"rendered":"NamedPipePTH : Pass The Hash To A Named Pipe For Token Impersonation"},"content":{"rendered":"\n<p><strong>NamedPipePTH<\/strong> project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation. There also is a blog post for explanation:<\/p>\n\n\n\n<p><a href=\"https:\/\/s3cur3th1ssh1t.github.io\/Named-Pipe-PTH\/\">https:\/\/s3cur3th1ssh1t.github.io\/Named-Pipe-PTH\/<\/a><\/p>\n\n\n\n<p>It is heavily based on the code from the projects&nbsp;<a href=\"https:\/\/github.com\/Kevin-Robertson\/Invoke-TheHash\/blob\/master\/Invoke-SMBExec.ps1\">Invoke-SMBExec.ps1<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/github.com\/antonioCoco\/RoguePotato\">RoguePotato<\/a>.<\/p>\n\n\n\n<p>I faced certain Offensive Security project situations in the past, where I already had the NTLM-Hash of a&nbsp;<code><strong>low privileged<\/strong><\/code>&nbsp;user account and needed a shell for that user on the current compromised system &#8211; but that was not possible with the current public tools. Imagine two more facts for a situation like that &#8211; the NTLM Hash could not be cracked&nbsp;<em>and<\/em>&nbsp;there is no process of the victim user to execute shellcode in it or to migrate into that process. This may sound like an absurd edge-case for some of you. I still experienced that multiple times. Not only in one engagement I spend a lot of time searching for the right tool\/technique in that specific situation.<\/p>\n\n\n\n<p>My personal goals for a tool\/technique were:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Fully featured shell or C2-connection as the victim user-account<\/li><li>It must to able to also Impersonate<strong>&nbsp;<code>low privileged<\/code><\/strong>&nbsp;accounts &#8211; depending on engagement goals it might be needed to access a system with a specific user such as the CEO, HR-accounts, SAP-administrators or others<\/li><li>The tool can be used as C2-module<\/li><\/ul>\n\n\n\n<p>The impersonated user unfortunately has&nbsp;<em>no network authentication<\/em>&nbsp;allowed, as the new process is using an Impersonation Token which is restricted. So you can only use this technique for local actions with another user.<\/p>\n\n\n\n<p>There are two ways to use this technique. Either you can compile&nbsp;<code><strong>\\Resources\\PipeServerImpersonate.sln<\/strong><\/code>&nbsp;and drop the executable on the remote host and connect to the Named Pipe via&nbsp;<strong><code>\\Resources\\Invoke-NamedPipePTH.ps1<\/code>:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-SSbNO9iWQ24\/YNF2Y-5qY_I\/AAAAAAAAJr4\/3kHLJetuZ8ABvd6MpZjmgkLJO1zSRrmNACLcBGAsYHQ\/s1498\/1.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Or you can use the standalone script to stay in memory:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-mOv06a-_l4I\/YNF2lvwn-XI\/AAAAAAAAJr8\/owuHDkTtXsEkPD4gph-9saz74HllP7p0QCLcBGAsYHQ\/s868\/2.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>If you don&#8217;t want to drop a binary for execution just pass arguments for native Windows binaries such as Powershell<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>Invoke-ImpersonateUser-PTH -Username USERNAME -Hash NTLMHASH -Domain DOMAIN -PipeName mypipe -binary<br>&#8220;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&#8221; -argument &#8220;-nop -w 1 -sta -enc BASEBLOB&#8221;<\/strong><\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/S3cur3Th1sSh1t\/NamedPipePTH\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation. There also is a blog post for explanation: https:\/\/s3cur3th1ssh1t.github.io\/Named-Pipe-PTH\/ It is heavily based on the code from the projects&nbsp;Invoke-SMBExec.ps1&nbsp;and&nbsp;RoguePotato. I faced certain Offensive Security project situations in the past, where I already had the NTLM-Hash of a&nbsp;low [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":16918,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png","fifu_image_alt":"NamedPipePTH : Pass The Hash To A Named Pipe For Token Impersonation","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[2165,3375],"class_list":["post-13897","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-namedpipepth","tag-token-impersonation"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>NamedPipePTH : Pass The Hash To A Named Pipe<\/title>\n<meta name=\"description\" content=\"NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NamedPipePTH : Pass The Hash To A Named Pipe\" \/>\n<meta property=\"og:description\" content=\"NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-29T15:48:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"NamedPipePTH : Pass The Hash To A Named Pipe For Token Impersonation\",\"datePublished\":\"2021-06-29T15:48:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/\"},\"wordCount\":368,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png\",\"keywords\":[\"NamedPipePTH\",\"Token Impersonation\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/\",\"name\":\"NamedPipePTH : Pass The Hash To A Named Pipe\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png\",\"datePublished\":\"2021-06-29T15:48:23+00:00\",\"description\":\"NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage\",\"url\":\"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png\",\"contentUrl\":\"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NamedPipePTH : Pass The Hash To A Named Pipe","description":"NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/","og_locale":"en_US","og_type":"article","og_title":"NamedPipePTH : Pass The Hash To A Named Pipe","og_description":"NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation.","og_url":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2021-06-29T15:48:23+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"NamedPipePTH : Pass The Hash To A Named Pipe For Token Impersonation","datePublished":"2021-06-29T15:48:23+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/"},"wordCount":368,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png","keywords":["NamedPipePTH","Token Impersonation"],"articleSection":["Kali Linux"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/","url":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/","name":"NamedPipePTH : Pass The Hash To A Named Pipe","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png","datePublished":"2021-06-29T15:48:23+00:00","description":"NamedPipePTH project is a PoC code to use Pass-the-Hash for authentication on a local Named Pipe user Impersonation.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/namedpipepth\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/namedpipepth\/#primaryimage","url":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png","contentUrl":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/1.bp.blogspot.com\/-zFB1I9CKoS4\/YNrwV8OOQ1I\/AAAAAAAAJt4\/E0c25j1zyc4QHDHor46vnlrlU1omwwewQCLcBGAsYHQ\/s728\/NamedPipePTH.png","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":27351,"url":"https:\/\/kalilinuxtutorials.com\/sharpnamedpipepth\/","url_meta":{"origin":13897,"position":0},"title":"SharpNamedPipePTH : Pass The Hash To A Named Pipe For Token Impersonation","author":"R K","date":"September 29, 2022","format":false,"excerpt":"SharpNamedPipePTH is a C# tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. You need a local administrator or SEImpersonate rights to use this. There is a blog post for explanation: https:\/\/s3cur3th1ssh1t.github.io\/Named-Pipe-PTH\/ It is heavily based on the code from the project\u00a0Sharp-SMBExec. I faced certain\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi89I62ESZQFCXUQ9dDUwP2O-igsvsewNphLe-JEuCyRJRntDnTJNcujn5RrCK2WydKJHolWdlxbP4V1vlEMPV9zd1H7TI7TQ7wxbeDCAETgL2Z3yupg33KxsbKmfm_-ieK6N3sg83Xwz5Xau1LAjqCj_NPXMxryU8DdExM-Pjc_QiVywudikhPAbkV\/s728\/NamedPipePTH_2_Example2-738687.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi89I62ESZQFCXUQ9dDUwP2O-igsvsewNphLe-JEuCyRJRntDnTJNcujn5RrCK2WydKJHolWdlxbP4V1vlEMPV9zd1H7TI7TQ7wxbeDCAETgL2Z3yupg33KxsbKmfm_-ieK6N3sg83Xwz5Xau1LAjqCj_NPXMxryU8DdExM-Pjc_QiVywudikhPAbkV\/s728\/NamedPipePTH_2_Example2-738687.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi89I62ESZQFCXUQ9dDUwP2O-igsvsewNphLe-JEuCyRJRntDnTJNcujn5RrCK2WydKJHolWdlxbP4V1vlEMPV9zd1H7TI7TQ7wxbeDCAETgL2Z3yupg33KxsbKmfm_-ieK6N3sg83Xwz5Xau1LAjqCj_NPXMxryU8DdExM-Pjc_QiVywudikhPAbkV\/s728\/NamedPipePTH_2_Example2-738687.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi89I62ESZQFCXUQ9dDUwP2O-igsvsewNphLe-JEuCyRJRntDnTJNcujn5RrCK2WydKJHolWdlxbP4V1vlEMPV9zd1H7TI7TQ7wxbeDCAETgL2Z3yupg33KxsbKmfm_-ieK6N3sg83Xwz5Xau1LAjqCj_NPXMxryU8DdExM-Pjc_QiVywudikhPAbkV\/s728\/NamedPipePTH_2_Example2-738687.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":11913,"url":"https:\/\/kalilinuxtutorials.com\/pytmipe\/","url_meta":{"origin":13897,"position":1},"title":"Pytmipe : Python Library And Client For Token Manipulations &#038; Impersonations For Privilege Escalation On Windows","author":"R K","date":"December 9, 2020","format":false,"excerpt":"PYTMIPE (PYthon library for Token Manipulation and Impersonation for Privilege Escalation) is a Python 3 library for manipulating Windows tokens and managing impersonations in order to gain more privileges on Windows. TMIPE is the python 3 client which uses the pytmipe library. Content A python client: tmipe (python3 tmipe.py)A python\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":31496,"url":"https:\/\/kalilinuxtutorials.com\/elevation-station\/","url_meta":{"origin":13897,"position":2},"title":"Elevation Station: Mastering Privilege Escalation with Advanced Token Manipulation Techniques","author":"Varshini","date":"December 11, 2023","format":false,"excerpt":"ElevationStation is a privilege escalation tool. It works by borrowing from commonly used escalation techniques involving manipulating\/duplicating process and thread tokens. Why reinvent the wheel with yet another privilege escalation utility? This was a combined effort between avoiding AV alerts using Metasploit and furthering my research into privilege escalation methods\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0UqVOWbAviiRN1KePdZGerUWQvDYtuuyDT2VQRMH0WcTCeE2VEtWbKIYMPoxqzX6iUVvjjQSAfZ2xiC4K4VekkXX7Ki_yENEj-wfoTdWKAJkQ0XoLaj7uGUVH0yzmzuypNj95M3vWEIWjbFY1oyeN6ZSu4GfgHea_dBhbMGoG7H1cAkeIcDmahyphenhyphen-oHA\/s16000\/Elevation%20Station.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":26997,"url":"https:\/\/kalilinuxtutorials.com\/sharpimpersonation\/","url_meta":{"origin":13897,"position":3},"title":"SharpImpersonation : A User Impersonation Tool &#8211; Via Token Or Shellcode Injection","author":"R K","date":"September 16, 2022","format":false,"excerpt":"SharpImpersonation is a User Impersonation Tool - Via Token Or Shellcode Injection. This was a learning by doing project from my side. Well known techniques are used to built\u00a0just\u00a0another impersonation tool with some improvements in comparison to other public tools. The code base was taken from: https:\/\/github.com\/0xbadjuju\/Tokenvator A blog post\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2VUig_2vLVLfrSRu-jU_7SA2ukFuq2UPFDSt4gUwSdN95LF0pZZKjGXpDdrbrETPC9WFrhOIsoJkzLggYMRqJZTRT7UPo-7T1iXq0rSCsvzUpWuNfLH4QpU2ARAZBghEdu8SFjlBl7NCLaMEySBnjBvbruD6N6dhIBbQhsvd51yHKzC1FvebusmCg\/s728\/v%20%281%29.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2VUig_2vLVLfrSRu-jU_7SA2ukFuq2UPFDSt4gUwSdN95LF0pZZKjGXpDdrbrETPC9WFrhOIsoJkzLggYMRqJZTRT7UPo-7T1iXq0rSCsvzUpWuNfLH4QpU2ARAZBghEdu8SFjlBl7NCLaMEySBnjBvbruD6N6dhIBbQhsvd51yHKzC1FvebusmCg\/s728\/v%20%281%29.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2VUig_2vLVLfrSRu-jU_7SA2ukFuq2UPFDSt4gUwSdN95LF0pZZKjGXpDdrbrETPC9WFrhOIsoJkzLggYMRqJZTRT7UPo-7T1iXq0rSCsvzUpWuNfLH4QpU2ARAZBghEdu8SFjlBl7NCLaMEySBnjBvbruD6N6dhIBbQhsvd51yHKzC1FvebusmCg\/s728\/v%20%281%29.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2VUig_2vLVLfrSRu-jU_7SA2ukFuq2UPFDSt4gUwSdN95LF0pZZKjGXpDdrbrETPC9WFrhOIsoJkzLggYMRqJZTRT7UPo-7T1iXq0rSCsvzUpWuNfLH4QpU2ARAZBghEdu8SFjlBl7NCLaMEySBnjBvbruD6N6dhIBbQhsvd51yHKzC1FvebusmCg\/s728\/v%20%281%29.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":22478,"url":"https:\/\/kalilinuxtutorials.com\/tokenuniverse\/","url_meta":{"origin":13897,"position":4},"title":"Token Universe : An Advanced Tool For Working With Access Tokens And Windows Security Policy","author":"R K","date":"March 7, 2022","format":false,"excerpt":"Token Universe\u00a0is an advanced tool that provides a wide range of possibilities to research\u00a0Windows security mechanisms. It has a convenient interface for creating, viewing, and modifying access tokens, managing Local Security Authority and Security Account Manager's databases. It allows you to obtain and impersonate different security contexts, manage privileges, auditing\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEimmrN2P8QLrwSbLLL8Q2oxMTbXKvIHIkw6I3u1RKriNWNd9LvJ3ivtMtOhHT5uOmfi-eSgzPtZ8Q5hW5Zlq87YiAHl8VoX3fKAODEQHytaNMi2x4N7UEJfVKxYRZDNyTpyVXmN4TXfXNj_aqIEsQHRETmsQAy6Pvx5E4MPn00Glv-gIg9ckh0yE9B4=s728","width":350,"height":200,"srcset":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEimmrN2P8QLrwSbLLL8Q2oxMTbXKvIHIkw6I3u1RKriNWNd9LvJ3ivtMtOhHT5uOmfi-eSgzPtZ8Q5hW5Zlq87YiAHl8VoX3fKAODEQHytaNMi2x4N7UEJfVKxYRZDNyTpyVXmN4TXfXNj_aqIEsQHRETmsQAy6Pvx5E4MPn00Glv-gIg9ckh0yE9B4=s728 1x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEimmrN2P8QLrwSbLLL8Q2oxMTbXKvIHIkw6I3u1RKriNWNd9LvJ3ivtMtOhHT5uOmfi-eSgzPtZ8Q5hW5Zlq87YiAHl8VoX3fKAODEQHytaNMi2x4N7UEJfVKxYRZDNyTpyVXmN4TXfXNj_aqIEsQHRETmsQAy6Pvx5E4MPn00Glv-gIg9ckh0yE9B4=s728 1.5x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEimmrN2P8QLrwSbLLL8Q2oxMTbXKvIHIkw6I3u1RKriNWNd9LvJ3ivtMtOhHT5uOmfi-eSgzPtZ8Q5hW5Zlq87YiAHl8VoX3fKAODEQHytaNMi2x4N7UEJfVKxYRZDNyTpyVXmN4TXfXNj_aqIEsQHRETmsQAy6Pvx5E4MPn00Glv-gIg9ckh0yE9B4=s728 2x"},"classes":[]},{"id":34671,"url":"https:\/\/kalilinuxtutorials.com\/namedpipemaster\/","url_meta":{"origin":13897,"position":5},"title":"NamedPipeMaster &#8211; A Comprehensive Toolkit For Named Pipe Analysis And Interaction","author":"Varshini","date":"August 30, 2024","format":false,"excerpt":"NamedPipeMaster is a versatile tool for analyzing and monitoring in named pipes. It includes Ring3NamedPipeConsumer for direct server interaction, Ring3NamedPipeMonitor for DLL-based API hooking and data collection, and Ring0NamedPipeFilter for comprehensive system-wide monitoring. The tool supports proactive and passive interactions, collects detailed communication data, and features a filter for specific\u2026","rel":"","context":"In &quot;Hacking Tools&quot;","block_context":{"text":"Hacking Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/hacking-tools\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtaflYl9QEo_f8t96hfFVE-SEdsp42ZWOXJ6sntcxLbol5BMNO55yqzwtVPGJM933o8d1ryN-72WOcWtWUPkrjxRYvCAXVYfSsblewnU82C5JGT7INmvMu2jkaUoi-wHoi7EhQ7N8X_NuuJ1eHaKd3fhTToe1UV-r-P4CBNPebSLaBLEwySpE4Wmp0CbE1\/s16000\/NamedPipeMaster%20.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtaflYl9QEo_f8t96hfFVE-SEdsp42ZWOXJ6sntcxLbol5BMNO55yqzwtVPGJM933o8d1ryN-72WOcWtWUPkrjxRYvCAXVYfSsblewnU82C5JGT7INmvMu2jkaUoi-wHoi7EhQ7N8X_NuuJ1eHaKd3fhTToe1UV-r-P4CBNPebSLaBLEwySpE4Wmp0CbE1\/s16000\/NamedPipeMaster%20.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtaflYl9QEo_f8t96hfFVE-SEdsp42ZWOXJ6sntcxLbol5BMNO55yqzwtVPGJM933o8d1ryN-72WOcWtWUPkrjxRYvCAXVYfSsblewnU82C5JGT7INmvMu2jkaUoi-wHoi7EhQ7N8X_NuuJ1eHaKd3fhTToe1UV-r-P4CBNPebSLaBLEwySpE4Wmp0CbE1\/s16000\/NamedPipeMaster%20.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtaflYl9QEo_f8t96hfFVE-SEdsp42ZWOXJ6sntcxLbol5BMNO55yqzwtVPGJM933o8d1ryN-72WOcWtWUPkrjxRYvCAXVYfSsblewnU82C5JGT7INmvMu2jkaUoi-wHoi7EhQ7N8X_NuuJ1eHaKd3fhTToe1UV-r-P4CBNPebSLaBLEwySpE4Wmp0CbE1\/s16000\/NamedPipeMaster%20.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtaflYl9QEo_f8t96hfFVE-SEdsp42ZWOXJ6sntcxLbol5BMNO55yqzwtVPGJM933o8d1ryN-72WOcWtWUPkrjxRYvCAXVYfSsblewnU82C5JGT7INmvMu2jkaUoi-wHoi7EhQ7N8X_NuuJ1eHaKd3fhTToe1UV-r-P4CBNPebSLaBLEwySpE4Wmp0CbE1\/s16000\/NamedPipeMaster%20.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtaflYl9QEo_f8t96hfFVE-SEdsp42ZWOXJ6sntcxLbol5BMNO55yqzwtVPGJM933o8d1ryN-72WOcWtWUPkrjxRYvCAXVYfSsblewnU82C5JGT7INmvMu2jkaUoi-wHoi7EhQ7N8X_NuuJ1eHaKd3fhTToe1UV-r-P4CBNPebSLaBLEwySpE4Wmp0CbE1\/s16000\/NamedPipeMaster%20.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/13897","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=13897"}],"version-history":[{"count":0,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/13897\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/16918"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=13897"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=13897"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=13897"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}