On an increasingly frequent basis during internal infrastructure penetration testing engagements, the Triskele Labs Ethical Hacking Team is finding that protections for traditional extraction of credentials from host memory are maturing. Gone are the days where a Mimikatz binary could be dropped to perform this task, and going are the days where these attacks can be executed remotely from memory, thanks to inbuilt Windows protections and security product protections. As such, new methods are required to achieve this goal while bypassing these protections. In this blog post, we discuss a relatively new technique discovered by Elad Shamir called the Internal Monologue attack. Elad has also published a tool written in C# to provide a Proof of Concept for how this attack can be utilised. The attack allows NTLMv1 challenge response hashes to be obtained from the victim’s system, without injecting code in the memory or interacting with protected services such as the Local Security Authority Subsystem Service (LSASS). These hashes can then be cracked or subsequently used in a Pass-The-Hash (PTH) attack.
During an internal penetration test, after gaining privileged access to an internal system, a penetration tester will generally proceed to extract passwords from memory. The most common method of achieving this will be to target the LSASS process which stores local security policy information including domain users’ credentials. There are many ways a tester can dump the memory of this process to a file from an internal host and then pass it to Mimikatz, a tool developed by Benjamin Delpy, to extract the users’ credentials stored in the LSASS file.
In the past few years, with the advancement of endpoint protection tools and utilisation of multiple security solutions in an organisation’s internal network, it is close to impossible to run Mimikatz on a client system without being detected. To overcome this, a tester who has gained privileged access on a victim host can simply dump the LSASS file from the system either directly from memory or by running a trusted Microsoft tool such as ProcDump. This memory dump can then be exfiltrated to the attacker’s machine to parse the memory dump and extract the credentials using Mimikatz.
Nowadays many organisations are deploying solutions to detect and restrict the dumping of LSASS process or execution of the ProcDump tool. One such example is Credential Guard introduced by Microsoft in Windows 10 and Windows Server 2016. These solutions are becoming more common in organisations and as such, pose significant obstacles during penetration testing engagements.
Here lies the motivation for the Internal Monologue attack. This creative technique allows a tester to obtain credentials from the system without touching the LSASS process. The attack takes advantage of the NetNTLMv1 challenge-response protocol. The NetNTLMv1 protocol is insecure due to the way it calculates the challenge-response allowing an attacker to retrieve the NTLM hash by easily cracking the response. Furthermore, retrieving the NTLM hash of a user is almost synonymous to retrieving the plaintext password of a user, since it can be used for a ‘Pass the Hash’ attack technique or can be cracked to obtain the plaintext password.
Although most modern systems are configured by default to avoid using NetNTLMv1, because the attacked is a local administrator of the system, a NetNTLM Downgrade attack can be performed to enable this weaker authentication scheme. This will disable preventive controls for NetNTLMv1. The attacker can then retrieve the non-network logon tokens from the running processes and impersonate the associated user.
Using the impersonated user privilege, the attacker can invoke a local procedure call to the NTLM authentication package called MSV1_0 to encrypt a known challenge using SSPI - secure single sign-on technology in Windows. This will generate a NetNTLMv1 response for that challenge using the impersonated user’s NTLM hash as a key. Now, due to the weakness in the NetNTLMv1 challenge-response protocol, the tester can easily extract the NTLM hash by cracking this response and perform a ‘Pass the Hash’ attack.
The primary benefit of this attack is that it can be executed to evade detection since there is no interaction with any protected process and no network traffic is generated. The Triskele Labs Ethical Hacking Team used this technique to obtain domain user hashes during an internal penetration test engagement without being detected or blocked. Notably, however, this attack requires registry modification when performing the NTLM downgrade attack. With the right security tools, this can process and the subsequent token extraction may trigger alerts, however, Triskele Labs has concluded that the likelihood of this occurring is far below that of being detected when executing Mimikatz, or even using ProcDump to dump the memory of LSASS. As such, Triskele Labs recommends that an internal penetration tester should always consider this particular tool an integral component of their arsenal!