impacket-sambapipe
Interact with SMB named pipes
SYNOPSIS
impacket-sambapipe [[domain/]username[:password]@]
PARAMETERS
[[domain/]username[:password]@]
Specifies the target system's IP address or hostname, and optionally authentication credentials. Credentials (domain, username, password) can be provided directly within this argument, or via specific authentication options for hashes or Kerberos.
The name of the SMB named pipe to connect to on the target system (e.g., `netlogon`, `lsarpc`, `svcctl`).
-debug
Enables verbose debug output for detailed operational information and troubleshooting.
-hashes LMHASH:NTHASH
Provides NTLM hashes for authentication, in the format `LMHASH:NTHASH`.
-no-pass
Instructs the script not to ask for a password, using an empty password for authentication. Particularly useful when performing Kerberos authentication (with -k).
-k
Uses Kerberos authentication. Credentials are typically sourced from a ccache file (`KRB5CCNAME`) or requested if not found, then saved to the ccache file.
-aesKey hexkey
Specifies the AES key (128 or 256 bits, in hexadecimal format) to be used for Kerberos authentication.
-dc-ip ip address
The IP address of the Domain Controller. If omitted, the domain part of the target parameter (if available) or the target server itself will be used.
-kdcHost hostname
The KDC's hostname or IP address to use for Kerberos authentication. If empty, the domain part of the target parameter is used to locate the KDC.
-keytab file
Reads Kerberos keys from the specified keytab file for authentication.
DESCRIPTION
impacket-sambapipe is a command-line tool, part of the widely used Impacket Python library, designed for low-level interaction with SMB (Server Message Block) named pipes on remote Windows systems. Unlike higher-level Impacket tools that perform specific tasks such as remote command execution, impacket-sambapipe establishes a direct connection to a specified named pipe and facilitates interactive communication over it.
It is commonly used by security professionals and developers for reconnaissance, analysis, and demonstrating how to interact with various Windows services exposed over named pipes, such as `netlogon`, `lsarpc`, `samr`, or `svcctl`. By connecting to a named pipe, users can send raw data and receive responses, which is crucial for understanding service behavior, testing custom exploits, or performing advanced protocol-level operations. This tool emphasizes the programmatic capabilities of the Impacket library for MSRPC (Microsoft Remote Procedure Call) over SMB, providing a foundation for building more complex network attacks or diagnostic utilities.
CAVEATS
Using impacket-sambapipe requires the Impacket Python library to be installed. Successful interaction with remote named pipes depends on network connectivity to the SMB port (445) on the target, as well as appropriate user permissions on the target system for the specified named pipe. It is a low-level interaction tool, meaning effective use often requires a strong understanding of SMB, MSRPC, and the specific named pipe's protocol being targeted.
INTERACTIVE MODE
Upon successful connection to a named pipe, impacket-sambapipe typically provides an interactive prompt (or simply opens the pipe for read/write operations depending on context). This allows users to manually send data to the pipe and observe the responses, facilitating real-time investigation and protocol interaction.
MSRPC INTERFACE INTERACTION
While impacket-sambapipe provides the raw named pipe connection, its primary utility often lies in serving as the transport for MSRPC communications. Many Windows services expose their functionality over named pipes using MSRPC interfaces. This tool allows direct interaction with these underlying communication channels, enabling exploration of service functions and potential vulnerabilities.
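Pipe opens of this kind are visible to defenders: with Detailed File Share auditing enabled, Windows records Security event 5145 with the share name (`\\*\IPC$`) and the pipe name in `RelativeTargetName`. The following is an added example, not part of Impacket or the original page, that flags sources opening several of the pipes named above; the JSON-lines export, the flat field layout, the `admin_hosts` allowlist and every sample value are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Pipes this page names as common targets.
WATCHED_PIPES = {"netlogon", "lsarpc", "samr", "svcctl"}

# Constructed sample: Security event 5145 records exported as JSON lines.
# All hosts, users and addresses are made up for this example.
SAMPLE_LOG = r"""
{"EventID": 5145, "IpAddress": "10.0.5.23", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl"}
{"EventID": 5145, "IpAddress": "10.0.5.23", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr"}
{"EventID": 5145, "IpAddress": "10.0.5.23", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "LSARPC"}
{"EventID": 5145, "IpAddress": "10.0.1.10", "SubjectUserName": "svc_mgmt", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl"}
{"EventID": 5145, "IpAddress": "10.0.1.10", "SubjectUserName": "svc_mgmt", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr"}
{"EventID": 5145, "IpAddress": "10.0.7.40", "SubjectUserName": "asmith", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "netlogon"}
{"EventID": 5145, "IpAddress": "10.0.7.40", "SubjectUserName": "asmith", "ShareName": "\\\\*\\Finance", "RelativeTargetName": "q3\\report.xlsx"}
{"EventID": 5145, "IpAddress": "10.0.7.
"""


def suspicious_pipe_access(lines, admin_hosts=frozenset(), min_pipes=2):
    """Return {source_ip: sorted pipe names} for sources outside admin_hosts
    that opened at least min_pipes distinct watched pipes over IPC$."""
    seen = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("EventID") != 5145:
            continue
        # Named pipes are reached through the IPC$ share only.
        if not str(ev.get("ShareName", "")).upper().endswith("IPC$"):
            continue
        pipe = str(ev.get("RelativeTargetName", "")).lower().lstrip("\\")
        src = ev.get("IpAddress")
        if pipe in WATCHED_PIPES and src and src not in admin_hosts:
            seen[src].add(pipe)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_pipes}


if __name__ == "__main__":
    hits = suspicious_pipe_access(SAMPLE_LOG.splitlines(), admin_hosts={"10.0.1.10"})
    for ip, pipes in hits.items():
        print(f"{ip} opened {', '.join(pipes)} over IPC$")
```

Tune `WATCHED_PIPES`, `admin_hosts` and `min_pipes` to the environment: management servers and domain controllers legitimately open these pipes all day.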
HISTORY
impacket-sambapipe is an integral part of the Impacket library, a collection of Python classes for working with network protocols. Developed by Core Security Technologies (now Fortra), Impacket has been a staple in network security for interacting with protocols like SMB, MSRPC, and Kerberos. sambapipe.py has existed as an example script within the Impacket project for many years, showcasing the library's capabilities for direct, low-level named pipe communication and serving as a foundational component for more complex MSRPC-based tools and exploits.
SEE ALSO
smbclient(1), smbexec.py (Impacket), psexec.py (Impacket), wmiexec.py (Impacket), rpcdump.py (Impacket)