In this article, it’s time to explore the scenario where the attacker wants to extract the hash or credentials of the target user but cannot use Mimikatz or any other noisy tool. This attack is called a Downgrade Attack because the attacker downgrades the version of NTLM to extract the hash.
Table of Content
·
Introduction
·
Exploitation
·
PowerShell Empire
Exploitation
·
Decryption of Hash
·
Conclusion
Introduction
While performing Red Team Operations, it is
possible to come across a scenario where the attacker cannot use Mimikatz. This
can be because almost all the Antivirus or Malware software are going to detect
the presence of Mimikatz as soon as it lands on the Target Machine. This is the
scenario where an attacker can perform Internal Monologue Attack. To perform this,
attack a tool is required that was developed by Elad Shamir from Missing
Link Security.
Being in touch with the Windows Security
Mechanism, you will be familiar with the NetNTLM. It is a challenge
response-based protocol that is used wherever Windows cannot apply Kerberos-based
Authentication. In this method, the server sends an 8-byte challenge with the
NTLM hash as the key to the user. The hash is an MD4 hash of the user’s
password. There are two versions of NetNTLM. Both are vulnerable. Version 1 of
the NetNTLM has introduced quite a while ago and it is disabled by default
currently.
In a general sense, the downgrade attack
was performed with the Mimikatz itself. After the exploitation of the target
machine. The attacker then either using Mimikatz or manually can edit Registry
Keys such as the LMCompatibilityLevel with values such as 0,1,2 that can make
the compromised device use the NTLM downgraded or older version to interact
with other SMB servers and can lead to pivoting to other users and servers.
However, in this attack that is described
in the demonstration, the Mimikatz is not used and the attacker instead invokes
a local procedure call from a user-mode application to the NTLM authentication
package through the SSPI. This calculates the NetNTLM response that we
discussed earlier in the context of the logged-on user. The attack inherently
disables the NetNTLMv1 preventive controls, then it moves on to extract all non-network
logon tokens from currently running processes and impersonate the associated
users. For each impersonated user, NTLM SSP locally invokes an NTLMv1 response
to the chosen challenge and then restores the original values of the Registry
keys discussed earlier. Now the captured hash can be cracked with the tool of
your preference such as John the Ripper or Hash Cat.
Exploitation
You have the option to compile the
executable by yourself by getting the binaries from GitHub. However, for this
demonstration, we will be downloading the executable itself.
Download
InternalMonologue.exe
After downloading the executable, assuming
the attacker holds the initial foothold of the target machine. It is required
to transfer the executable to the target machine and run it with certain
parameters. The Downgrade parameter should have the value true to downgrade the
version. Then the Threads parameter should also hold the true value and finally
to perform the Impersonation, the Impersonate parameter value should also be true.
Upon successfully running the executable, the attacker is successfully able to
extract the downgraded v1 hash of the target user as demonstrated.
InternalMonologue.exe -Downgrade true
-Threads true -Impersonate true
PowerShell Empire Exploitation
In case, the attacker decided to compromise
the target machine through the PowerShell Empire and has an agent active, then
they can perform a downgrade attack directly from PowerShell Empire. Inside the
Credentials, the PowerShell Empire has a module by the name of
invoke_internal_monologue that essentially performs the same attacker as the
executable that was discussed earlier. This method doesn’t involve transferring
an executable and running it on the target machine is much stealthier.
usemodule credentials/invoke_internal_monologue
execute
Decryption of Hash
In both variants of attacks that were
performed earlier. The hash for the raj user was found to be the same and now
there are two ways in which this has can be used. Firstly, the attacker can
directly use the hash to log in by performing a Pass the Hash. But if the
attacker wants, they can crack the hash using John the Ripper. Store the
extracted hash of the raj user in a file on the Desktop of our Kali Linux and
named its hash. Then using John the Ripper with describing the format to be NetNTLM
as demonstrated below. It can be observed that the hash can be cracked. The
hash was found to be the password “123”.
john –format=netntlm hash --show
Conclusion
Sometimes, ideas as simple as downgrading
the version of the authentication mechanism can serve to be dangerous. As this
attack doesn’t require any tools that are on the target of various Defensive
Mechanisms it can fly under the radar and get those credentials. This is a
testament that Security is ever-evolving and the only way to get ahead of an
attacker is to think like one.
0 comments:
Post a Comment