Good morning. My name is Gil Cohen. I'm the CEO of Comsec, and welcome to my lecture called "The Plumber: You Have a Leak in Your Named Pipe". This lecture was also presented at the last DEF CON in Las Vegas. Some of you might have seen it; if you haven't, please stay tuned.

My lecture will focus on a forgotten interface that is largely unfamiliar even to veteran penetration testers and information security consultants, and I'm going to show you what can be done with named pipes and how you can exploit them in order to hack into cool Windows applications and such. So we'll start with a presentation of some key terms, in case you're not familiar with Windows named pipes, remote protocols and many other key terms. Then I'm going to show you the basics: how to connect to a named pipe, what named pipe ACLs are, and the many cool tools that we found during the research we were doing. Then I'm going to show you some exploitation and fuzzing, and we'll end with a demo of three vulnerable Windows applications that we found, some of which you might have heard of. I'm going to show you how I perform denial of service and remote command injection using named pipes.

So let's start with a little bit about myself. I've been in the business for around 13 years now. I started in 2005 in the IDF, and I've been at Comsec for about two years; I've been the CEO of Comsec for two years now. I was a developer before I went into information security, and as a developer I knew absolutely nothing about security. In 2005 I made the shift, and ever since I've been a hacker, mostly focused on applications. This is what all my skills are about, but not only: I have also hacked into networks and the Internet of Things. Some of you might have seen me in a Channel 2 article about hacking into smart homes. So hacking is my passion.
I don't think there's anyone here who is not familiar with Comsec, but just in case there is a single person: Comsec is the most veteran and biggest information security consulting company in Israel. We are celebrating our 30th birthday this year, and we have multiple clients in multiple countries. So that is about Comsec.

Let's begin with some key terms about what named pipes are. Let's start with inter-process communication, or IPC. Inter-process communication is a technique that allows multiple processes and applications to share data with each other and communicate. There are clients and servers, and each application can act as both client and server at the same time. The server listens; the clients connect to it and send information. Very similar to web-based architecture. And Windows named pipes are a form of inter-process communication. This is the Windows implementation, the Microsoft implementation, of inter-process communication, and it allows you to connect between applications. Some of you might know it from SQL Server. If you ever went to SQL Server's administrative interface, the Configuration Manager, you would see that you can enable named pipe communication. Mostly you use regular TCP/IP communication to connect to your SQL database, but you can also enable named pipe communication. Whenever I mention named pipes and I mention this example, everybody is like "oh yeah, now I remember there is something called a named pipe". So this is probably the most common usage of named pipes, or at least the most common place to see them.

So Windows named pipes are a communication interface. They can be either half duplex or full duplex (mostly it's full duplex), and they utilize a unique file system that is called, unsurprisingly, NPFS, the Named Pipe File System. Any process can access named pipes as long as you have the proper permissions.
I'm going to discuss named pipe ACLs later on. All instances share the same pipe name: if you have a pipe that is called GIL, everyone who wants to connect to it will access GIL and will have a pipe instance called GIL. So it's basically similar to sockets, TCP/IP communication, but it is based on a unique file system instead. There are many configurations of named pipes: half duplex or full duplex, byte oriented, local or network, and this is something that is largely unfamiliar to information security consultants. If you do know named pipes, you would probably think of them as local-only inter-process communication, suggesting this is a local-only interface, but this is not the case. You can in fact connect to a named pipe remotely, and this is what this lecture is all about.

If you want to connect remotely to a named pipe, you can do it with either of these two ports: either the SMB port, which is usually used for file sharing, or the remote procedure call (RPC) port, 135. If you are not familiar with these services: RPC, remote procedure call, is a protocol that allows one program to invoke services from other programs located on another computer. This is usually used by Windows itself to communicate between two computers, or for example to communicate with your domain controller, and it uses port 135 TCP or UDP. There is another variant of RPC which is called DCE RPC, Distributed Computing Environment Remote Procedure Call. This is just a variant of RPC that mimics a local protocol: the programmer that uses DCE RPC addresses a function as if it were a local function, but in fact it is a remote one. So this is DCE RPC, and this is what a remote named pipe connection actually uses, the DCE RPC variation. SMB: you're probably all familiar with SMB even if you don't know what it is, because you use it for file sharing. If you ever used just plain file sharing, \\servername\sharename\filename etc., you used SMB.
So SMB is Server Message Block. It can be used for other purposes; in fact, not many know it, but you can use it for printers, communication, serial ports and others, and it uses port 445, TCP only. So these are the two ports; probably most of you are familiar with them.

There is another type of pipe which is called unnamed pipes or anonymous pipes. Named pipes are pipes with actual names; you can connect to them using names. Unnamed pipes are local pipes that are allocated dynamically: if you want just one application to connect to another one as a temporary connection, you can use unnamed pipes, and this is actually a named pipe with a random name. As soon as the connection is closed, unlike regular named pipes, the unnamed pipe is also closed. But this is not something I found interesting during our research, because these are local only, and we focused on named pipes, which are remotely accessible.

So how would you connect to a named pipe? Let's see a few interesting tools, but first the technique itself. You cannot mount a named pipe using a regular SMB connection; you cannot just write \\servername\pipe\namedpipe in your Windows Run command interface. You need to do it using specialized tools or using a program, but you basically use it in a very similar way to a remote SMB share. So you can see that you need to write the IP address, \pipe\ and the pipe name, and this is the way you connect to a named pipe. If you want to connect to a local named pipe, you can do it with 127.0.0.1 or simply a dot. Very simple.

The most common, or the most advanced, tool that works with named pipes is IO Ninja. During our research we found this tool, and we found it to be the very first tool that also allows sniffing named pipe content. I'm going to show it to you live later on. So this is a very useful tool, a Swiss Army knife of communication; it also allows you to open sockets and has many other features, but named pipes are the real strength of this tool, because this is the only tool that allows you things that usually only a proxy or Wireshark allows, but for named pipes. This is not a free tool, by the way: you can download it for free for evaluation purposes, but eventually, if you want to use it on a long-term basis, you would have to buy it. But you can in fact see named pipe communication in Wireshark: if you connect remotely to a named pipe, you would see the communication in Wireshark. You can see that this is in fact presented as SMB2 communication.
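As an added example (my own code, not from the talk, from Comsec, or from IO Ninja), here is a small Windows PowerShell 5.1 script that does the three things the speaker describes in working code: it creates a named pipe server with an explicit ACL, connects a client to it through the local "." server name (the \\.\pipe\<name> form mentioned above), and then lists the pipe names currently exposed on the host, which is the check a defender would run to see what is reachable. The pipe name "comsec-demo-pipe" and the message text are constructed placeholders; the script assumes Windows PowerShell 5.1 on .NET Framework, where the NamedPipeServerStream constructor that takes a PipeSecurity is available.

```powershell
# Added example (not from the talk): local named pipe server with an explicit ACL,
# a client connecting via the local "." server name (\\.\pipe\<name>), and a
# listing of the pipes this host exposes. Assumes Windows PowerShell 5.1 (.NET
# Framework). The pipe name below is a constructed placeholder.

$pipeName = 'comsec-demo-pipe'

# --- ACL: allow only the current user to read/write. Callers not matched by the
# ACL, local or remote, are refused at connect time. ----------------------------
$pipeSecurity = New-Object System.IO.Pipes.PipeSecurity
$currentUser  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$allowMe = New-Object System.IO.Pipes.PipeAccessRule(
    $currentUser,
    [System.IO.Pipes.PipeAccessRights]::ReadWrite,
    [System.Security.AccessControl.AccessControlType]::Allow)
$pipeSecurity.AddAccessRule($allowMe)

# --- Server side ----------------------------------------------------------------
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,        # full duplex
    1,                                              # max instances
    [System.IO.Pipes.PipeTransmissionMode]::Byte,   # byte-oriented, as in the talk
    [System.IO.Pipes.PipeOptions]::Asynchronous,
    4096, 4096,                                     # in/out buffer sizes
    $pipeSecurity)

# Show the ACL actually applied to the pipe object.
$server.GetAccessControl().Access |
    Select-Object IdentityReference, PipeAccessRights, AccessControlType |
    Format-Table -AutoSize

# Accept asynchronously so the client can be driven from the same script.
$accept = $server.WaitForConnectionAsync()

# --- Client side: "." is the local machine, i.e. \\.\pipe\comsec-demo-pipe ------
$client = New-Object System.IO.Pipes.NamedPipeClientStream(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(3000)        # timeout in milliseconds
$accept.Wait()

# One request over the byte-mode pipe; the server reads it back line by line.
$writer = New-Object System.IO.StreamWriter($client)
$writer.AutoFlush = $true
$writer.WriteLine('hello from client')   # constructed sample message

$reader  = New-Object System.IO.StreamReader($server)
$request = $reader.ReadLine()
"server received: $request"

$client.Dispose()
$server.Dispose()

# --- Defender's check: which named pipes does this host expose right now? -------
# The NPFS root enumerates like a directory; each entry is a live pipe name.
[System.IO.Directory]::GetFiles('\\.\pipe\') |
    ForEach-Object { Split-Path $_ -Leaf } |
    Sort-Object
```

The ACL is the part worth studying: it is the pipe's security descriptor, not the transport, that decides who may open an instance, so a pipe created with a permissive descriptor is exactly as reachable over the SMB path the speaker describes as it is locally. Run the final listing on a workstation and compare the names against the applications installed on it; a name you cannot attribute to a known service is the starting point for asking what ACL it was created with.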