Mandiant Releases Rainbow Tables for Outdated Windows NTLMv1

Mandiant, a cybersecurity firm and subsidiary of Google, has released a rainbow table for the outdated Windows NTLMv1 authentication protocol, allowing attackers to crack administrator passwords in under 12 hours using consumer hardware that costs less than $600.

NTLM is used in Windows to authenticate users on a network. It relies on hashes of passwords stored on a server to verify that your password is correct. A hashing algorithm is a one-way function that takes text as input and produces what looks like junk data, but the same input always yields the same output, so the result can be used to check passwords. An attacker who breaches the server will have the password hashes, but they still need some way to get from a hash back to the original password.

That’s where rainbow tables come in: you precompute the hashes of a large number of candidate inputs, then look up a captured hash in the table to find the plaintext that produced it. Because NTLMv1 uses a weak hashing algorithm, the total number of possible values is small enough that modern hardware can iterate through the whole space and find the password quickly.

By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys.

NTLMv1 is decades old and has been known to be insecure since 1999. Despite this, Mandiant says they still see deployments of it in the wild to this day.

Mandiant’s aim of eliminating NTLMv1 aligns with Microsoft, which plans to finally deprecate NTLMv1 in the near future. Microsoft also plans to deprecate NTLM as a whole in favor of the much more secure Kerberos authentication.

A big reason why many organizations don’t upgrade is compatibility: many of them still use legacy software that requires NTLMv1. A lot of important infrastructure still runs on outdated versions of Windows.

This points, I think, to a wider problem in software: how do we make sure the systems we have in place today can be upgraded to supported operating systems?

Even if you’re running the latest version of Windows, there’s still a lot of old stuff left over for compatibility reasons, such as the Internet Explorer compatibility mode in Edge (needed for some older technologies like ActiveX and Flash). Even NTLM existing on the system is a danger.

There’s a tension between pushing users to use modern and secure software and providing support for older systems. Windows seems to take the gentle hand approach: disabling old features by default, then requiring you to manually enable them, before finally deprecating them properly.

With the release of the rainbow table, perhaps this will be the final push to perform a much-needed upgrade for systems still relying on legacy software. I think Mandiant put it best:

Organizations should immediately disable the use of Net-NTLMv1.
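One way to act on that recommendation on a Windows host, as an added example rather than anything Mandiant or the article supplies: a PowerShell script that reports the "LAN Manager authentication level" (the LmCompatibilityLevel registry value), optionally raises it to 5 so the host refuses LM and NTLMv1 responses, and lists recent 4624 logons that still negotiated NTLMv1 so you know which clients will break first. It assumes an elevated session, logon auditing enabled in the Security log, and that an unset value means the OS default of 3.

```powershell
# Added example (not from Mandiant or the article): audit a Windows host for NTLMv1
# exposure and optionally enforce NTLMv2-only. Assumes an elevated session and that
# logon auditing (event 4624) is enabled.
[CmdletBinding()]
param(
    [switch]$Remediate,   # set LmCompatibilityLevel=5 instead of only reporting
    [int]$Days = 7        # how far back to scan the Security log
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Policy "Network security: LAN Manager authentication level":
#   0-2 send LM/NTLMv1 responses, 3 send NTLMv2 only, 4 also refuse LM,
#   5 refuse LM and NTLMv1 (the level that actually disables Net-NTLMv1 here).
$level = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 3 }   # assumption: unset means the modern OS default (3)

if ($level -lt 5) {
    Write-Warning "LmCompatibilityLevel is $level; this host still accepts LM/NTLMv1 responses."
    if ($Remediate) {
        Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
        Write-Output 'Set LmCompatibilityLevel=5 (Send NTLMv2 response only. Refuse LM & NTLM).'
    }
} else {
    Write-Output "LmCompatibilityLevel=$level; LM and NTLMv1 responses are refused."
}

# Detection: 4624 events whose LmPackageName is 'NTLM V1' identify the clients and
# accounts still negotiating NTLMv1, i.e. what stops working once level 5 is enforced.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$v1 = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LmPackageName'] -eq 'NTLM V1') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

if ($v1) {
    Write-Warning "$(@($v1).Count) NTLMv1 logons in the last $Days days; fix these clients before enforcing level 5:"
    $v1 | Group-Object Workstation, Account | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
} else {
    Write-Output "No NTLMv1 logons found in the last $Days days."
}
```

Run it read-only first across domain controllers, since that is where the NTLMv1 logons of every legacy client are recorded; pass -Remediate only once the list is empty.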
