Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation

Written by: Nic Losby

Introduction

Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades, with cryptanalysis dating back to 1999, Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk. By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys.

Article Summaries:

  • Mandiant has publicly released a comprehensive set of Net‑NTLMv1 rainbow tables to hasten the deprecation of this long‑outdated authentication protocol. The tables enable defenders to recover Net‑NTLMv1 keys in under 12 hours on consumer hardware costing less than $600, demonstrating the protocol’s vulnerability without the need for expensive equipment or third‑party services. By making the dataset available through Google Cloud, Mandiant aims to lower the barrier for security teams to prove Net‑NTLMv1’s insecurity and encourage organizations to disable it, thereby preventing credential‑theft and authentication‑coercion attacks that could compromise Active Directory environments.

Sources: