Retrieving NTLM Hashes without touching LSASS: the “Internal Monologue" Attack
A new technique, called "Internal Monologue Attack", allows and attack similar to Mimikatz without dumping memory area of LSASS process, avoiding antivirus and Windows Credential Guard.
Mimikatz is a well-known tool which allows attackers to extract plain text passwords from LSASS process memory for use in post exploitation lateral movement.
Some thought about NetNTLM
In Windows system, NetNTLM is challenge-response protocol used where Kerberos is not supported.
In this protocol the server sends to the client a random 8-byte nonce as a challenge, and the client calculates a response that processes the challenge with the NTLM hash as the key, which is the MD4 hash of the user’s password.
Because the NTLM hash is the key to calculating the response, an adversary does not necessarily need to obtain the victim’s plain text password to authenticate, hence retrieving the hash from LSASS memory using Mimikatz is almost equivalent to stealing a plain text password.
This technique, called “Pass the Hash”, has been discovered by Chris Hummel in 2009.
Luckily Microsoft has introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016, which uses virtualization-based security to isolate secrets, in order to prevent Mimikatz from retrieving hashes directly from memory.
Furthermore, there are two versions of the NetNTLM protocol, both vulnerable to certain attacks: version 1 is obviously weaker than version 2, and on Windows Vista/2008 is disabled by default.
An adversary can also change registry keys, such as LMCompatibilityLevel, which specifies whether the host should negotiate NetNTLMv1 or NetNTLMv2.
The adversary can change the value to 0, 1 or 2, which enable NetNTLMv1 as a client, and then try to authenticate to a rogue SMB server that will capture the client’s response.
This technique is called NetNTLM Downgrade Attack.
In NetNTLMv1, the client receives the 8-byte challenge and calculates the response by encrypting it three times using DES with the different parts of the NTLM hash as the key.
NetNTLMv1 first encrypts the challenge using the first 7 bytes of the NTLM hash as the key, then encrypts the challenge using the next 7 bytes of the NTLM hash as the key, and finally encrypts the challenge using the last 2 bytes of the NTLM hash padded with null-bytes as the key.
This means that to retrieve the NTLM hash given a NetNTLMv1 challenge and response, an adversary must crack two 56-bit DES keys: with a custom hardware an attacker is able to brute-force the entire DES keyspace in less than 24 hours, which guarantees the successful retrieval of the NTLM hash within a reasonable time.
Furthermore, it is feasible to create a complete rainbow table for all the possible NetNTLMv1 responses to a chosen challenge, which allows cracking the NTLM hash for a given response within minutes.
The implication is that capturing a NetNTLMv1 response for the chosen challenge can be translated to the corresponding NTLM hash almost instantly, which is almost the equivalent to obtaining the password from LSASS memory.
The "Internal Monologue Attack"
In secured environments, where Mimikatz should not be executed due to controls such as Credential Guard or resident antivirus, an attacker can invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an NetNTLM downgrade attack.
This technique, disclosed by Elad Shamir, is called "Internal Monologue Attack".
The Internal Monologue Attack flow is described below:
- Disable NetNTLMv1 preventive controls by changing LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic to appropriate values
- Retrieve all non-network logon tokens from currently running processes and impersonate the associated users.
- For each impersonated user, interact with NTLM SSP locally to elicit a NetNTLMv1 response to the chosen challenge in the security context of the impersonated user.
- Restore the original values of LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic.
- Crack the NTLM hash of the captured responses using rainbow tables.
- Pass the Hash.
The Proof of Concept
Elad Shamir published a PoC of this technique, in C# and Powershell, on his GitHub account:
This tool is a proof of concept that implements the Internal Monologue Attack in C#. Porting the code to PowerShell may substitute certain event logs in the audit trail with others. The PoC code is far from perfect. Positive contributions and improvements are welcome.