On a recent engagement, a client implemented multiple EDR solutions to prevent common ways of obtaining credentials either through Mimikatz or various LSASS memory dumping methods. However, with the access acquired we wanted to demonstrate what could be achieved (credential harvest or token manipulation). I came across Internal Monologue and wanted to give it a try.
“In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged-on user, after performing an extended NetNTLM downgrade.” – Elad Shamir
The Internal Monologue Attack flow as described by Elad Shamir below:
The Internal Monologue attack can be downloaded from GitHub here otherwise there are options for running it straight up from within PowerShell with this source, which ended up being the route I took for this internal monologue test.
Initially, I downloaded the PS1 script and imported it into my PowerShell session as shown below:
With the example usage displayed, let’s go ahead and run it without downgrading the hash –
Woot! We have obtained the NetNTLMv2hash of the bdewall account. Now we can take this one step further and downgrade the hash (NetNTLMv1) as seen below:
With rainbow tables being available (available at various conferences – 6+ Terabytes) for the NetNTLMv1 space an attacker can obtain the NT hash and utilize it for pass-the-hash attacks to further access within the environments. Additionally, crack.sh could be utilized for cracking these hashes as well.
Attempting to discover any alerting related to the Internal Monologue attack is going to be tough to find. Some areas to look at are – execution of the attack (PowerShell / C# file), and registry modification of the following keys – LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic.