# Full Report
Written by: Nic Losby

## Introduction

Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Net-NTLMv1 has been deprecated and known to be insecure for over two decades, with cryptanalysis dating back to 1999, yet Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, and it remains prevalent due to inertia and a lack of demonstrated immediate risk.

By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys. The release of this dataset allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600 USD. This initiative highlights the amplified impact of combining Mandiant's frontline expertise with Google Cloud's resources to eliminate entire classes of attacks.

This post details the generation of the tables, provides access to the dataset for community use, and outlines critical remediation steps to disable Net-NTLMv1 and prevent authentication coercion attacks.

## Background

Net-NTLMv1 has been widely known to be insecure since at least 2012, following presentations at DEFCON 20, with cryptanalysis of the underlying protocol dating back to at least 1999. On Aug. 30, 2016, Hashcat added support for cracking Data Encryption Standard (DES) keys using known plaintext, further democratizing the ability to attack this protocol. Rainbow tables are almost as old: the initial paper on rainbow tables was published in 2003 by Philippe Oechslin, citing an earlier iteration of a time-memory trade-off from 1980 by Martin Hellman.

Essentially, if an attacker can obtain a Net-NTLMv1 hash without Extended Session Security (ESS) for the known plaintext of 1122334455667788, a cryptographic attack referred to as a known plaintext attack (KPA) can be applied. This guarantees recovery of the key material used. Since the key material is the password hash of the authenticating Active Directory (AD) object (user or computer), the attack results can quickly be used to compromise that object, often leading to privilege escalation. A common chain attackers use is authentication coercion from a highly privileged object, such as a domain controller (DC). Recovering the password hash of the DC machine account grants DCSync privileges, which can be used to compromise any other account in AD.

## Dataset Release

The unsorted dataset can be downloaded with `gsutil -m cp gs://net-ntlmv1-tables/tables .` or through the Google Cloud Research Dataset portal. The SHA512 hashes of the tables can be verified by first downloading the checksums with `gsutil -m cp gs://net-ntlmv1-tables/tables.sha512 .` and then running `sha512sum -c tables.sha512`. The password cracking community has already created derivative work and is also hosting ready-to-use tables.

## Use of the Tables

Once a Net-NTLMv1 hash has been obtained, the tables can be used with historical or modern reinventions of rainbow table searching software such as rainbowcrack (rcrack) or RainbowCrack-NG on central processing units (CPUs), or a fork of rainbowcrackalack on graphics processing units (GPUs). The Net-NTLMv1 hash needs to be preprocessed into its DES components using ntlmv1-multi, as shown in Obtaining a Net-NTLMv1 Hash.

## Obtaining a Net-NTLMv1 Hash

Most attackers will use Responder with the `--lm` and `--disable-ess` flags and set the authentication challenge to the static value 1122334455667788, so that connecting clients are only offered Net-NTLMv1 as an option.

Attackers can then wait for incoming connections or coerce authentication using a tool such as PetitPotam or DFSCoerce to generate incoming connections from DCs or lower-privilege hosts that are useful for objective completion. Responses can be cracked to retrieve password hashes of either users or computer machine accounts. A sample attacker workflow is shown in Figure 1, Figure 2, and Figure 3.

Figure 1: DFSCoerce against a DC

Figure 2: Net-NTLMv1 hash obtained for DC machine account

Figure 3: Parse Net-NTLMv1 hash to DES parts

Figure 4 illustrates the processing of the Net-NTLMv1 hash into the DES ciphertexts.

Figure 4: Net-NTLMv1 hash to DES ciphertexts

An attacker then takes the split-out ciphertexts and cracks the keys used, based on the known plaintext of 1122334455667788; loading the tables is shown in Figure 5 and the cracking results in Figure 6 and Figure 7.

Figure 5: Loading DES components for cracking

Figure 6: First hash cracked

Figure 7: Second hash cracked and run statistics

An attacker can then calculate the last remaining key part with ntlmv1-multi once again, or look it up with twobytes, to recreate the full NT hash for the DC account, as shown in Figure 8.

Figure 8: Calculate remaining key

The result can be checked with hashcat's NT hash shucking mode, `-m 27000`, as shown in Figure 9.

Figure 9: Keys checked with hash shucking

An attacker can then use the hash to perform a DCSync attack, targeting a DC and authenticating as the now-compromised machine account. This step uses secretsdump.py from the Impacket tool suite and is shown in Figure 10.

Figure 10: DCSync attack performed

## Remediation

Organizations should immediately disable the use of Net-NTLMv1.

- Local Computer Policy: "Local Security Settings" > "Local Policies" > "Security Options" > "Network security: LAN Manager authentication level" > "Send NTLMv2 response only"
- Group Policy: "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "Security Options" > "Network Security: LAN Manager authentication level" > "Send NTLMv2 response only"

Because these settings are local to each computer's configuration, attackers with local administrative access can and have set the configuration to a vulnerable state and then restored it after their attack completed. Monitoring and alerting on when and where Net-NTLMv1 is used is therefore needed in addition, to catch these edge cases.

Filter event logs for Event ID 4624, "An account was successfully logged on" > "Detailed Authentication Information" > "Authentication Package" > "Package Name (NTLM only)". If the value of this attribute is "LM" or "NTLMv1", LAN Manager or Net-NTLMv1 was used.

## Related Reading

This project was inspired by and referenced the following research published to blogs, social media, and code repositories.

- https://www.youtube.com/watch?v=gkPvZDcrLFk
- https://crack.sh/netntlm/
- https://hashcat.net/forum/thread-9009.html
- https://swisskyrepo.github.io/InternalAllTheThings/active-directory/hash-capture/#capturing-and-cracking-net-ntlmv1ntlmv1-hashestokens
- https://en.hackndo.com/ntlm-relay/#stop-using-ntlmv1
- https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/
- https://trustedsec.com/blog/practical-attacks-against-ntlmv1
- https://github.com/NotMedic/NetNTLMtoSilverTicket
- https://x.com/jeffmcjunkin/status/1575515827880665088
- https://shuck.sh/get-shucking.php

## Acknowledgements

Thank you to everyone who helped make this blog post possible, including but not limited to Chris King and Max Gruenberg.
# Analysis Summary
# Tool/Technique: Net-NTLMv1 Protocol Authentication Hash Theft and Cracking
## Overview
This entry summarizes the use of the insecure Net-NTLMv1 authentication protocol, the methods for capturing its hashes (often via authentication coercion), and the subsequent use of pre-computed rainbow tables to rapidly recover underlying credentials via a Known Plaintext Attack (KPA). The ultimate goal is typically privilege escalation, such as achieving Domain Controller (DC) compromise via DCSync.
## Technical Details
- Type: Technique
- Platform: Windows (Active Directory environments utilizing insecure NTLM authentication).
- Capabilities: Enables credential theft via hash recovery using pre-computed tables, allowing attackers to reconstruct the NT hash of the authenticating object (user or computer) when the protocol is used without Extended Session Security (ESS).
- First Seen: Cryptanalysis dates back to at least 1999; known insecurity widely discussed since at least 2012 (DEFCON 20).
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping
    - T1003.006 - Domain Accounts (Implied, as recovery of machine account hash leads to DCSync)
- **TA0011 - Persistence** (If used by an established threat actor)
- **TA0010 - Lateral Movement** (If compromised hash is used to move to other systems)
## Functionality
### Core Capabilities
- **Hash Capture:** Attacker uses tools like Responder in specific configurations (`--lm` and `--disable-ess` flags, static authentication value `1122334455667788`) to force targets (e.g., DCs via coercion) to negotiate using the vulnerable Net-NTLMv1 protocol.
- **Known Plaintext Attack (KPA):** Exploits the fundamental cryptographic weakness of Net-NTLMv1 when Extended Session Security (ESS) is absent, specifically when the known plaintext used is `1122334455667788`.
- **Rainbow Table Lookup:** Utilizes pre-computed rainbow tables (released by Mandiant) to drastically reduce cracking time (under 12 hours on consumer hardware) compared to brute-forcing original DES keys.
- **NT Hash Reconstruction:** After retrieving key material via cracking the DES components derived from the Net-NTLMv1 hash, the attacker reconstructs the full NT hash of the target object.
### Advanced Features
- **Authentication Coercion:** Tools like **PetitPotam** or **DFSCoerce** are used to force privileged hosts (like DCs) to initiate authentication against the attacker-controlled service, exposing the Net-NTLMv1 hash for capture.
- **Domain Compromise:** Recovery of a Domain Controller's machine account hash allows the attacker to perform **DCSync** attacks (using tools like `secretsdump.py` from Impacket) to dump credentials for any account in the Active Directory environment.
## Indicators of Compromise
- **File Hashes:** Not applicable for the protocol/technique itself, but the Mandiant dataset checksums are SHA512.
- **File Names:** Not applicable for the protocol/technique itself, but associated tools include **Responder**, **PetitPotam**, **DFSCoerce**, and **secretsdump.py**.
- **Network Indicators:** Authentication attempts utilizing the NTLMv1 package without ESS.
- **Behavioral Indicators:** Detection of Event ID 4624 (Logon Success) where the "Authentication Package" name attribute is **"LM"** or **"NTLMv1"**.
## Associated Threat Actors
Threat actors running internal network reconnaissance and post-exploitation phases often benefit from exploiting this weakness, though the source post provides no specific group attribution for the use of these rainbow tables.
## Detection Methods
- **Behavioral detection:** Monitoring logs for Event ID 4624 where authentication packages indicate "LM" or "NTLMv1".
- **Configuration Monitoring:** Checking system policies (Local/Group Policy) to ensure the **"Network security: LAN Manager authentication level"** is set to **"Send NTLMv2 response only"**.
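A small offline detector for the Event ID 4624 filter described under Remediation and in the list above, added here as an example (not Mandiant's code): it parses exported event XML, reads the "Package Name (NTLM only)" field (`LmPackageName`), and flags logons that used LM or NTLM V1 while leaving NTLMv2 and Kerberos logons alone. The field names are the standard 4624 ones; the sample events, accounts and addresses are constructed.

```python
import re
import xml.etree.ElementTree as ET

# "Package Name (NTLM only)" (LmPackageName in event XML) values meaning LM or
# Net-NTLMv1 was used. Windows writes "NTLM V1" and "LM"; matching is normalised
# for case and whitespace so "NTLMv1" also matches. "NTLM V2" is never flagged.
LEGACY_PACKAGES = {"NTLMV1", "LM"}

def _norm(value):
    return re.sub(r"\s+", "", value or "").upper()

def is_legacy_ntlm_logon(event_id, auth_package, lm_package):
    """True when a 4624 logon used LM or Net-NTLMv1 rather than NTLMv2/Kerberos."""
    return (event_id == 4624 and _norm(auth_package) == "NTLM"
            and _norm(lm_package) in LEGACY_PACKAGES)

def parse_event_xml(xml_text):
    """Pull the fields the post's 4624 filter needs out of one exported event."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                  # drop the xmlns so paths stay simple
        el.tag = el.tag.split("}", 1)[-1]
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return {"event_id": int(root.find("./System/EventID").text),
            "auth_package": data.get("AuthenticationPackageName"),
            "lm_package": data.get("LmPackageName"),
            "user": data.get("TargetUserName"),
            "source_ip": data.get("IpAddress")}

def find_legacy_logons(events_xml):
    """Return (user, source_ip, package) for every LM/NTLMv1 logon in a batch."""
    hits = []
    for ev in map(parse_event_xml, events_xml):
        if is_legacy_ntlm_logon(ev["event_id"], ev["auth_package"], ev["lm_package"]):
            hits.append((ev["user"], ev["source_ip"], ev["lm_package"]))
    return hits

def _sample(eid, auth, lm, user, ip):       # constructed event, illustrative only
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{eid}</EventID></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="IpAddress">{ip}</Data>'
            f'<Data Name="AuthenticationPackageName">{auth}</Data>'
            f'<Data Name="LmPackageName">{lm}</Data></EventData></Event>')

# Constructed batch (illustrative): DC machine account via NTLM V1, NTLMv2, Kerberos, LM.
SAMPLE_EVENTS = [
    _sample(4624, "NTLM", "NTLM V1", "DC01$", "10.0.0.50"),
    _sample(4624, "NTLM", "NTLM V2", "alice", "10.0.0.21"),
    _sample(4624, "Kerberos", "-", "bob", "10.0.0.22"),
    _sample(4624, "NTLM", "LM", "svc_backup", "10.0.0.23"),
]
```

Running `find_legacy_logons(SAMPLE_EVENTS)` returns only the NTLM V1 and LM logons; a machine account (`DC01$`) appearing there from an unexpected source address is the coercion pattern the post describes.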
## Mitigation Strategies
- **Immediate Protocol Disablement (Primary):** Configure Group Policy or Local Computer Policy to enforce **"Send NTLMv2 response only"** for the "Network security: LAN Manager authentication level."
- **Monitoring:** Implement alerting for any appearance of NTLMv1 or LM authentication package usage in Event ID 4624 logs.
## Related Tools/Techniques
- **Attack Tools Used in Workflow:**
  - Responder (for hash capture)
  - PetitPotam / DFSCoerce (for authentication coercion)
  - Impacket (specifically `secretsdump.py` for DCSync)
- **Cracking Tools Utilizing Tables:**
  - rainbowcrack (rcrack)
  - RainbowCrack-NG
  - rainbowcrackalack (and its forks)
  - Hashcat (used for final NT hash validation via mode `-m 27000`)
- **Preprocessing Tools:**
  - ntlmv1-multi
  - twobytes