
CREDENTIAL DUMPING


INTERNAL MONOLOGUE

During red team operations you will sometimes find that Mimikatz cannot be used: practically every antivirus and EDR product flags it the moment it lands on the target, and reads of LSASS memory are closely watched. This is the scenario for the Internal Monologue attack, published by Elad Shamir of Missing Link Security together with a tool of the same name, which retrieves NetNTLM responses (and from them NTLM hashes) without touching LSASS at all.

If you are familiar with Windows authentication you will know NetNTLM, the challenge-response protocol Windows falls back to wherever Kerberos cannot be used (for example when a host is addressed by IP address or is not domain-joined). The server sends the client an 8-byte challenge; the client computes a response keyed with the user's NTLM hash, which is the MD4 digest of the UTF-16LE encoded password, and the server verifies that response against its own copy of the hash. NetNTLM exists in two versions and both can be attacked, but not equally: a NetNTLMv2 response is an HMAC-MD5 and only lets you brute-force the password, whereas a NetNTLMv1 response is three DES encryptions of the challenge under keys cut from the NTLM hash, so when the challenge is known the NTLM hash itself can be recovered with rainbow tables or a DES brute force and then passed directly. NetNTLMv1 is the original version; since Windows Vista the default LmCompatibilityLevel of 3 makes clients send NetNTLMv2 only, so NetNTLMv1 is effectively disabled by default.
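As an added illustration (my own code, not part of the original post or of Elad Shamir's tool), the following Go program computes a NetNTLMv1 response exactly as described above and then shows why a fixed, attacker-chosen challenge is so damaging: the third DES key contains only two unknown bytes of the NTLM hash followed by zero padding, so it can be brute-forced in at most 65536 DES operations. The NT hash used is the well-known hash of the password "password" and the challenge is the fixed value 1122334455667788 that Internal Monologue uses by default; both are inputs chosen for the demo, and the MD4 step that produces the NT hash is not repeated here.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// desKeyFrom7 expands 7 key bytes into the 8-byte DES key (56 key bits plus one
// odd-parity bit per byte) that the NetNTLMv1 computation uses.
func desKeyFrom7(b []byte) []byte {
	k := []byte{
		b[0],
		b[0]<<7 | b[1]>>1,
		b[1]<<6 | b[2]>>2,
		b[2]<<5 | b[3]>>3,
		b[3]<<4 | b[4]>>4,
		b[4]<<3 | b[5]>>5,
		b[5]<<2 | b[6]>>6,
		b[6] << 1,
	}
	for i := range k {
		// the low bit of every byte is a parity bit: make each byte odd parity
		v := k[i] & 0xfe
		ones := 0
		for x := v; x != 0; x >>= 1 {
			ones += int(x & 1)
		}
		if ones%2 == 0 {
			v |= 1
		}
		k[i] = v
	}
	return k
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte key chunk.
func desEncryptBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// NetNTLMv1Response computes the 24-byte NetNTLMv1 (NT) response: the 16-byte
// NT hash is zero-padded to 21 bytes, split into three 7-byte DES keys, and each
// key encrypts the same 8-byte server challenge.
func NetNTLMv1Response(ntHash, challenge []byte) []byte {
	if len(ntHash) != 16 || len(challenge) != 8 {
		panic("NT hash must be 16 bytes and challenge 8 bytes")
	}
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[i*7:i*7+7], challenge)...)
	}
	return resp
}

// RecoverHashTail shows why a known challenge is so damaging: the third DES key
// is hash[14:16] followed by five zero bytes, so whoever knows the challenge
// recovers those two hash bytes with at most 65536 DES operations. The other
// 14 bytes are what the NetNTLMv1 rainbow tables are built for.
func RecoverHashTail(challenge, response []byte) ([]byte, bool) {
	third := response[16:24]
	key7 := make([]byte, 7)
	for guess := 0; guess < 1<<16; guess++ {
		key7[0], key7[1] = byte(guess>>8), byte(guess)
		if bytes.Equal(desEncryptBlock(key7, challenge), third) {
			return []byte{key7[0], key7[1]}, true
		}
	}
	return nil, false
}

func main() {
	ntHash, _ := hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c") // NT hash of "password"
	challenge, _ := hex.DecodeString("1122334455667788")               // Internal Monologue's default challenge
	resp := NetNTLMv1Response(ntHash, challenge)
	fmt.Printf("NetNTLMv1 response: %x\n", resp)
	tail, ok := RecoverHashTail(challenge, resp)
	fmt.Printf("recovered hash[14:16] = %x (found=%v)\n", tail, ok)
}
```

The same structure is why hashcat's NetNTLMv1 mode and the public rainbow tables for the 1122334455667788 challenge give back the NTLM hash rather than the password: each 8-byte block of the response depends on only 7 bytes of the hash, and the last block on only 2.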

A related NTLM downgrade attack has been known for some time and can be performed with Mimikatz or by hand. After compromising a host, the attacker sets registry values such as LmCompatibilityLevel (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) to 0, 1 or 2 so that the host answers with LM or NetNTLMv1 responses when it authenticates to SMB servers; the weaker responses are captured on the wire, cracked back to NTLM hashes, and used to pivot to other users and servers.

The attack demonstrated here does not use Mimikatz at all. Instead, a user-mode application makes local calls through SSPI to the NTLM authentication package, which computes the NetNTLM response discussed above in the security context of the logged-on user; nothing is read from LSASS memory and no network traffic is generated. The tool runs the following steps: it first temporarily disables the NetNTLMv1 preventive controls (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, plus NtlmMinClientSec and RestrictSendingNTLMTraffic under its MSV1_0 subkey), which requires elevated privileges; it then extracts all non-network logon tokens from the currently running processes and impersonates the associated users; for each impersonated user it interacts with the NTLM SSP locally to elicit a NetNTLMv1 response to the chosen challenge; finally it restores the registry values to their original settings.

Because the challenge is known (by default 1122334455667788), the captured responses can be cracked back to NTLM hashes with hashcat (mode 5500, NetNTLMv1) or John the Ripper (netntlm format), or looked up in the rainbow tables built for that challenge, such as the ones behind crack.sh; the recovered hashes can then be used in pass-the-hash without ever knowing the password. Run without elevation, the registry cannot be changed and only the current user's token is available, so you still get a response for that user, but it will be a NetNTLMv2 one that has to be cracked back to the password instead. Note also that the registry changes, however brief, are ordinary value-set events that EDR and Sysmon can record.
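The downgrade step leaves a trace a defender can key on: three writes to well-known LSA registry values by one process, followed a moment later by the reverse writes that restore them. The following Go program is an added example written for this page (not part of the tool or the original post); it runs a simple version of that check over constructed registry-write records shaped after Sysmon Event ID 13 (RegistryEvent, value set). It uses only the standard library, so the reduced field layout, the timestamps and the sample process paths are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// RegWrite is one registry value-set record in the shape of a Sysmon Event ID 13
// (RegistryEvent: Value Set), reduced to the fields this check needs.
type RegWrite struct {
	Time    time.Time
	Image   string // process that performed the write
	Target  string // full path of the value written
	Details string // Sysmon renders DWORD writes as "DWORD (0x00000002)"
}

// Finding is one alert produced by Analyze.
type Finding struct {
	Kind  string // "downgrade" or "downgrade-restore"
	Image string
	Text  string
}

const lsaPath = `HKLM\System\CurrentControlSet\Control\Lsa`

// valueName returns the lower-cased NTLM policy value name if target is one of
// the three values the attack lowers, otherwise "".
func valueName(target string) string {
	t := strings.ToLower(target)
	for _, v := range []string{`\LmCompatibilityLevel`, `\MSV1_0\NtlmMinClientSec`, `\MSV1_0\RestrictSendingNTLMTraffic`} {
		if t == strings.ToLower(lsaPath+v) {
			return strings.ToLower(v[strings.LastIndex(v, `\`)+1:])
		}
	}
	return ""
}

// parseDword extracts the number from Sysmon's "DWORD (0x...)" rendering.
func parseDword(details string) (uint32, bool) {
	if !strings.HasPrefix(details, "DWORD (0x") || !strings.HasSuffix(details, ")") {
		return 0, false
	}
	n, err := strconv.ParseUint(details[len("DWORD (0x"):len(details)-1], 16, 32)
	if err != nil {
		return 0, false
	}
	return uint32(n), true
}

// weakens reports whether the new value lets the host produce NetNTLMv1
// responses, which is what the downgrade step of the attack needs.
func weakens(name string, v uint32) bool {
	switch name {
	case "lmcompatibilitylevel":
		return v < 3 // 0-2 allow LM/NTLMv1 responses; 3 and above send NTLMv2 only
	case "ntlmminclientsec":
		return v&0x80000 == 0 // 0x80000 = require NTLMv2 session security
	case "restrictsendingntlmtraffic":
		return v == 0 // 0 = outgoing NTLM allowed (also the default, so this one is noisy)
	}
	return false
}

// Analyze flags every write that weakens the NTLM policy and, when the same
// process writes a hardened value back within window, the downgrade-then-restore
// sequence that Internal Monologue performs (one alert per sequence).
func Analyze(events []RegWrite, window time.Duration) []Finding {
	var out []Finding
	lastDowngrade := map[string]time.Time{} // image -> most recent downgrade write
	for _, e := range events {
		name := valueName(e.Target)
		if name == "" {
			continue
		}
		v, ok := parseDword(e.Details)
		if !ok {
			continue
		}
		if weakens(name, v) {
			lastDowngrade[e.Image] = e.Time
			out = append(out, Finding{"downgrade", e.Image,
				fmt.Sprintf("%s set %s=0x%x", e.Image, name, v)})
		} else if t, seen := lastDowngrade[e.Image]; seen && e.Time.Sub(t) <= window {
			delete(lastDowngrade, e.Image)
			out = append(out, Finding{"downgrade-restore", e.Image,
				fmt.Sprintf("%s restored %s=0x%x %s after lowering NTLM policy", e.Image, name, v, e.Time.Sub(t))})
		}
	}
	return out
}

// SampleEvents are constructed records for the demo, not real telemetry.
func SampleEvents() []RegWrite {
	at := func(sec int) time.Time { return time.Date(2024, 5, 1, 10, 5, sec, 0, time.UTC) }
	gp := `C:\Windows\System32\svchost.exe`            // assumed benign policy refresh
	im := `C:\Users\bob\Desktop\InternalMonologue.exe` // assumed attacker binary
	return []RegWrite{
		{at(0), gp, lsaPath + `\LmCompatibilityLevel`, "DWORD (0x00000005)"},
		{at(30), im, lsaPath + `\LmCompatibilityLevel`, "DWORD (0x00000002)"},
		{at(30), im, lsaPath + `\MSV1_0\NtlmMinClientSec`, "DWORD (0x20000000)"},
		{at(30), im, lsaPath + `\MSV1_0\RestrictSendingNTLMTraffic`, "DWORD (0x00000000)"},
		{at(32), im, lsaPath + `\LmCompatibilityLevel`, "DWORD (0x00000005)"},
		{at(32), im, lsaPath + `\MSV1_0\NtlmMinClientSec`, "DWORD (0x20080000)"},
		{at(32), im, lsaPath + `\MSV1_0\RestrictSendingNTLMTraffic`, "DWORD (0x00000002)"},
	}
}

func main() {
	for _, f := range Analyze(SampleEvents(), 60*time.Second) {
		fmt.Printf("[%s] %s\n", f.Kind, f.Text)
	}
}
```

The benign policy refresh produces no alert because it writes a hardened value with no preceding downgrade from the same process; the attacker binary produces three downgrade alerts and one downgrade-restore alert. In practice you would feed the real Sysmon events in and tune the window to how long the tool takes on your hosts.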
