What is the InternalMonologue exploitation technique for Net-NTLMv1 and why is it stealthy?
InternalMonologue is a tool that locally downgrades the client's NTLM authentication from Net-NTLMv2 to Net-NTLMv1 by modifying registry keys (this step requires admin privileges). It then interacts with the local NTLM Security Support Provider (SSP) to obtain a Net-NTLMv1 response to a fixed challenge (`1122334455667788`). Because it never sends network traffic and never touches the `lsass.exe` process, it generates no authentication logs. The captured response can then be cracked with free rainbow tables on sites such as crack.sh to recover the user's NTLM hash. Full details are in the original article.
Tags: InternalMonologue, NTLM SSP, downgrade attack, fixed Challenge, rainbow table, crack.sh