
How to find pipe names over SMB in Metasploit

Find pipe names – Hello guys, in this article I'm going to teach you how to find Windows named pipes over SMB with the pipe_auditor module in Metasploit.

What are named pipes?

Named pipes are a technology built into the Windows operating system to facilitate communication between processes. A pipe uses a file to exchange messages between two processes. Named pipe spoofing is a technique used by the Metasploit framework to escalate privileges.

How to find pipe names over SMB?

We find pipe names with the pipe_auditor module. The pipe_auditor scanner determines which named pipes are available over SMB. During the scan phase, this can give you an idea of some of the services running on the remote system.

Step 1: Choose pipe_auditor module

1. First, we need to open the Metasploit framework tool, so enter the following command in your terminal.

				
					msfconsole -q
				
			

2. Now type the command below to select the pipe_auditor module.

				
					use auxiliary/scanner/smb/pipe_auditor 
				
			

Step 2: Find pipe names over SMB

1. Then enter the command “show options”, which displays the parameters the module requires.

				
					show options
				
			

2. Now start the scanner: set at least the RHOSTS value for the module and run it.

				
					msf6 auxiliary(pipe_auditor) > set RHOSTS 192.168.1.150-160
RHOSTS => 192.168.1.150-160
msf6 auxiliary(pipe_auditor) > set THREADS 11
THREADS => 11
msf6 auxiliary(pipe_auditor) > run

[*] 192.168.1.150 - Pipes: \browser
[*] 192.168.1.160 - Pipes: \browser
[*] Scanned 02 of 11 hosts (018% complete)
[*] Scanned 10 of 11 hosts (090% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/pipe_auditor) >
				
			

We can see that launching the scanner without credentials does not return a lot of information. However, if you were provided with credentials as part of a penetration test, you will find that the pipe_auditor scanner returns more information.

				
					msf6 auxiliary(pipe_auditor) > set RHOSTS 192.168.1.150-160
RHOSTS => 192.168.1.150-160
msf6 auxiliary(pipe_auditor) > set THREADS 11
THREADS => 11
msf6 auxiliary(pipe_auditor) > run

[*] 192.168.1.150 - Pipes: \browser
[*] 192.168.1.160 - Pipes: \browser
[*] Scanned 02 of 11 hosts (018% complete)
[*] Scanned 10 of 11 hosts (090% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(pipe_auditor) > set SMBPass Errorsfind
SMBPass => Errorsfind
msf6 auxiliary(pipe_auditor) > set SMBUser admin
SMBUser => admin
msf6 auxiliary(pipe_auditor) > run

[*] 192.168.1.150 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \scerpc, \srvsvc, \trkwks, \wkssvc
[*] Scanned 02 of 11 hosts (018% complete)
[*] 192.168.1.160 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \router, \scerpc, \srvsvc, \trkwks, \wkssvc
[*] Scanned 04 of 11 hosts (036% complete)
[*] Scanned 08 of 11 hosts (072% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(pipe_auditor) >
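
The Python sketch below is an added example, not part of the original article or of Metasploit. It parses the pipe_auditor result lines shown above and reports, per host, which pipes answered without credentials and which only appeared once credentials were set. The function names and the partial pipe-to-service map are assumptions made for this example.

```python
import re
from collections import defaultdict

# Partial pipe-to-service map, added for this example (not from the article).
PIPE_SERVICES = {
    "netlogon": "Netlogon", "samr": "SAM Remote", "lsarpc": "Local Security Authority",
    "srvsvc": "Server service", "wkssvc": "Workstation service", "atsvc": "Task Scheduler",
    "eventlog": "Event Log", "epmapper": "RPC Endpoint Mapper", "browser": "Computer Browser",
}
# Matches result lines such as: [*] 192.168.1.150 - Pipes: \netlogon, \lsarpc
RESULT = re.compile(r"^\[\*\]\s+(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+Pipes:\s+(.+)$")

def parse_pipes(output):
    """Return {host: set of lower-cased pipe names} from pipe_auditor output."""
    hosts = defaultdict(set)
    for line in output.splitlines():
        m = RESULT.match(line.strip())
        if not m:
            continue  # skip prompts, option echoes and progress lines
        for name in m.group(2).split(","):
            # Pipe names may contain spaces ("\DAV RPC SERVICE"); split on commas only.
            name = name.strip().lstrip("\\").lower()
            if name:
                hosts[m.group(1)].add(name)
    return dict(hosts)

def exposure_report(anon_output, auth_output):
    """Per host: pipes reachable without credentials vs. only with them."""
    anon, auth = parse_pipes(anon_output), parse_pipes(auth_output)
    report = {}
    for host in sorted(set(anon) | set(auth)):
        open_pipes, all_pipes = anon.get(host, set()), anon.get(host, set()) | auth.get(host, set())
        report[host] = {
            "anonymous": sorted(open_pipes),
            "auth_only": sorted(all_pipes - open_pipes),
            "services": sorted(PIPE_SERVICES[p] for p in all_pipes if p in PIPE_SERVICES),
        }
    return report

# Result lines copied from the two runs shown in the article.
ANON_RUN = r"""
[*] 192.168.1.150 - Pipes: \browser
[*] 192.168.1.160 - Pipes: \browser
[*] Scanned 11 of 11 hosts (100% complete)
"""
AUTH_RUN = r"""
[*] 192.168.1.150 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \scerpc, \srvsvc, \trkwks, \wkssvc
[*] 192.168.1.160 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \router, \scerpc, \srvsvc, \trkwks, \wkssvc
"""
REPORT = exposure_report(ANON_RUN, AUTH_RUN)
```

Pipes listed under "anonymous" are the ones to review against the host's "Network access: Named Pipes that can be accessed anonymously" policy.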
				
			