
DEFCON-Group-Prishtina/psquat


psquat

psquat v1.0.1 is a Windows named pipe recon and squatting tool for security auditing and local privilege escalation (LPE) testing, written with thick client pentesting in mind.

Developed by zizkill. © December 2025


Overview

psquat is a C# console application designed to:

  • Enumerate named pipes on a Windows system, including details like server status, owning process PID, and owner account.
  • Filter results by owner or PID.
  • "Squat" a specified pipe name by creating a server instance, impersonating connecting clients, and spawning a shell (e.g., cmd.exe) with the client's token. This is useful for auditing misconfigured named pipes that could lead to privilege escalation.

This tool leverages Windows APIs for pipe management, impersonation, and process creation. It requires administrative privileges for full functionality, especially in squat mode.

╔════════════════════════════════════════════════════════════════╗
║::::::::::.  .::::::.  .::::::.    ...    :::  :::. ::::::::::::║
║ `;;;```.;;;;;;`    ` ,;;'```';;,  ;;     ;;;  ;;`;;;;;;;;;;''''║
║  `]]nnn]]' '[==/[[[[,[[[     [[[\[['     [[[ ,[[ '[[,   [[     ║
║   $$$               $ $$c  cc$$$ $$      $$$c$$$cc$$$c  $$     ║
║   888o      88b    dP  *8bo,Y88b,88    .d888 888   888, 88,    ║
║   YMMMb       'YMmMY'    '*YP' 'M' 'YmmMMMM' YMM   ''`  MMM    ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║     v1.0.1 by zizkill [c] December 2025 \\ for dc38338.org     ║
╚════════════════════════════════════════════════════════════════╝

[*] Starting persistent pipe squat on: \\.\pipe\MyPipe
[*] Waiting for clients to connect...

[+] Someone's here!

[*] New client connected on pipe: MyPipe
[+] Client PID: 17496
[+] Client Process: VulnerableProcess.exe
[*] Read 1 bytes from client.
[+] Successfully impersonated client!
[+] Impersonated User: NT AUTHORITY\SYSTEM
[+] Impersonation level: SecurityImpersonation
[+] Token Elevated: YES
[*] Spawning cmd.exe with impersonated token...
[*] Calling CreateProcessWithTokenW...
[+] Shell spawned successfully! PID: 18012
[*] Client handled and pipe instance closed.

CVE Examples

  • CVE-2025-46014 (Honor PC Manager)
  • CVE-2022-24139 (IOBit Advanced System Care)
  • CVE-2021-41065 (Listary)
  • CVE-2021-34998 (Panda Security)
  • CVE-2020-11492 (Docker)

Requirements

  • Windows operating system (tested on Windows 10+).
  • .NET runtime (the code uses .NET features available in .NET 6 and later).
  • Administrative privileges recommended for pipe creation and impersonation.
  • Compile the C# source code into an executable (e.g., using Visual Studio or dotnet build).

Compilation

To build the executable:

  1. Save the provided C# code as Program.cs.
  2. Use the .NET CLI:
    dotnet new console -o psquat
    cd psquat
    # Replace Program.cs with the provided code
    dotnet build
    
  3. The executable will be in bin/Debug/net6.0/psquat.exe (adjust for your .NET version).

Usage

psquat.exe [MODE] [OPTIONS]

Modes

  • -s, --servers: Only show pipes with reachable servers.
  • -a, --all: Show all pipes (including those without servers).
  • -q, --squat <NAME>: Squat a pipe name (LPE audit mode). This mode creates a persistent server on the specified pipe, waits for clients, impersonates them, and spawns a shell with their token.

Note: You must specify either -s/--servers or -a/--all for enumeration. Squat mode (-q/--squat) cannot be combined with the enumeration modes.

Options

  • -u, --owned-by <ACCOUNT>: Filter by owner (e.g., "NT AUTHORITY\SYSTEM").
  • -p, --pid <PID>: Filter by server PID.
  • -h, --help: Show help message.

Examples

  1. Enumerate all pipes with servers:

    psquat.exe -s
    
  2. Show all pipes (including those without servers):

    psquat.exe -a
    
  3. Filter by owner:

    psquat.exe -s --owned-by "NT AUTHORITY\SYSTEM"
    
  4. Filter by PID:

    psquat.exe -s --pid 1234
    
  5. Squat a pipe (e.g., for auditing):

    psquat.exe -q mypipename
    

    This creates a server on \\.\pipe\mypipename, waits for connections, impersonates each client, displays the token information (user, impersonation level, elevation), and spawns cmd.exe with the impersonated token.

Output Explanation

Enumeration Mode

  • Lists pipes with details like:
    • Status: OK (if server reachable) or No server.
    • Server PID: PID and process name (if available).
    • Owner: Account owning the pipe (e.g., NT AUTHORITY\SYSTEM).

Squat Mode

  • Creates pipe instances and waits for clients.
  • On connection:
    • Reads initial data.
    • Impersonates the client.
    • Displays impersonated user, impersonation level, and elevation status.
    • Spawns cmd.exe using the duplicated primary token.
  • Handles errors like access denied (if pipe is secured) or busy instances.

Technical Details

  • Enumeration: Uses FindFirstFile/FindNextFile on \\.\pipe\* to list pipes, WaitNamedPipe to check server availability, GetNamedPipeServerProcessId for PID, and GetSecurityInfo for owner.
  • Squatting: Creates pipes with CreateNamedPipe, connects with ConnectNamedPipe, impersonates via ImpersonateNamedPipeClient, duplicates token, and spawns processes with CreateProcessWithTokenW.
  • Error handling includes retries for busy pipes and access issues.

Limitations

  • Works only on Windows.
  • Squatting may fail on secured pipes (e.g., with ACLs denying access).
  • No support for remote pipes; local only.
  • Token elevation checks assume UAC context.
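The two limitations that matter most for a pipe owner are also the two controls that defeat squatting: a DACL that only admits the intended clients, and a client that never hands out a SecurityImpersonation-level token in the first place. The following C# is an added example and not part of psquat; it shows a server that refuses to start if the name is already taken and restricts access to the current account, and a client that connects at Identification level only. The class and method names are mine, and PipeOptions.FirstPipeInstance is assumed to be available (it requires a newer runtime than the .NET 6 mentioned above).

```csharp
// Added example (not psquat code): a pipe server and client hardened against squatting.
using System;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

static class HardenedPipe
{
    // Server side. Two controls:
    //  1. FirstPipeInstance maps to FILE_FLAG_FIRST_PIPE_INSTANCE: if some other
    //     process already owns \\.\pipe\<name>, Create() throws instead of silently
    //     adding our instance next to the squatter's.
    //  2. A DACL that allows only the current account, so an unrelated low-privileged
    //     process cannot open or squat-connect to the pipe at all.
    public static NamedPipeServerStream CreateServer(string name)
    {
        var security = new PipeSecurity();
        // Constructed policy for the example: current user only, read/write.
        security.AddAccessRule(new PipeAccessRule(
            WindowsIdentity.GetCurrent().User,
            PipeAccessRights.ReadWrite,
            AccessControlType.Allow));

        return NamedPipeServerStreamAcl.Create(
            name,
            PipeDirection.InOut,
            maxNumberOfServerInstances: 1,
            PipeTransmissionMode.Byte,
            PipeOptions.FirstPipeInstance,   // assumption: requires .NET 7 or later
            inBufferSize: 0,
            outBufferSize: 0,
            security);
    }

    // Client side. .NET translates the impersonation level into
    // SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION on CreateFile. A server that
    // calls ImpersonateNamedPipeClient then receives an Identification-level token:
    // it can read who the caller is, but the token cannot be turned into a primary
    // token for a new process, so "Impersonation level: SecurityImpersonation" in the
    // squat output above becomes SecurityIdentification and the shell spawn fails.
    public static NamedPipeClientStream CreateClient(string name)
    {
        return new NamedPipeClientStream(
            ".", name, PipeDirection.InOut, PipeOptions.None,
            TokenImpersonationLevel.Identification);
    }
}
```

If the runtime does not offer FirstPipeInstance, PipeOptions.CurrentUserOnly gives a comparable restriction by binding both ends to the current user.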

About

Tool for LPE via Named Pipe Squatting for thick client penetration testing
