Skip to content
A CALL TO ACTION

Mandiant releases rainbow table that cracks weak admin password in 12 hours

Windows laggards still using the vulnerable hashing function: Your days are numbered.

Dan Goodin | 24
Credit: Getty Images
Credit: Getty Images
Story text

Security firm Mandiant has released a database that allows any administrative password protected by Microsoft’s NTLM.v1 hash algorithm to be hacked in an attempt to nudge users who continue using the deprecated function despite known weaknesses.

The database comes in the form of a rainbow table, which is a precomputed table of hash values linked to their corresponding plaintext. These generic tables, which work against multiple hashing schemes, allow hackers to take over accounts by quickly mapping a stolen hash to its password counterpart. NTLMv1 rainbow tables are particularly easy to construct because of NTLMv1’s limited keyspace, meaning the relatively small number of possible passwords the hashing function allows for. NTLMv1 rainbow tables have existed for two decades but typically require large amounts of resources to make any use of them.

New ammo for security pros

On Thursday, Mandiant said it had released an NTLMv1 rainbow table that will allow defenders and researchers (and, of course, malicious hackers, too) to recover passwords in under 12 hours using consumer hardware costing less than $600 USD. The table is hosted in Google Cloud. The database works against Net-NTLMv1 passwords, which are used in network authentication for accessing resources such as SMB network sharing.

Despite its long- and well-known susceptibility to easy cracking, NTLMv1 remains in use in some of the world’s more sensitive networks. One reason for the lack of action is that utilities and organizations in industries, including health care and industrial control, often rely on legacy apps that are incompatible with more recently released hashing algorithms. Another reason is that organizations relying on mission-critical systems can’t afford the downtime required to migrate. Of course, inertia and penny-pinching are also causes.

“By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1,” Mandiant said. “While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys.”

Microsoft released NTLMv1 in the 1980s with the release of OS/2. In 1999, cryptanalyst Bruce Schneier and Mudge published research that exposed key weaknesses in the NTLMv1 underpinnings. At the 2012 Defcon 20 conference, researchers released a tool set that allowed attackers to move from untrusted network guest to admin in 60 seconds, by attacking the underlying weakness. With the 1998 release of Windows NT SP4 in 1998, Microsoft introduced NTLMv2, which fixed the weakness.

Organizations that rely on Windows networking aren’t the only laggards. Microsoft only announced plans to deprecate NTLMv1 last August.

Despite the public awareness that NTLMv1 is weak, “Mandiant consultants continue to identify its use in active environments,” the company said. “This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk.”

The tables first assist attackers in providing per-byte hash results with the known plaintext challenge 1122334455667788. Because Net-NTLM hashes are generated with the user’s password and the challenge, a known plaintext attack, it becomes trivial with these tables to compromise the account. Typically tools including Responder, PetitPotam, and DFSCoerce are involved.

In a thread on Mastodon, researchers and admins applauded the move, because they said it would give them added ammunition when trying to convince decision makers to make the investments to move off the insecure function.

“I’ve had more than one instance in my (admittedly short) infosec career where I’ve had to prove the weakness of a system and it usually involves me dropping a sheet of paper on their desk with their password on it the next morning,” one person said. “These rainbow tables aren’t going to mean much for attackers as they’ve likely already got them or have far better methods, but where it will help is in making the argument that NTLMv1 is unsafe.”

The Mandiant post provides basic steps required to move off of NTLMv1. It links to more detailed instructions.

“Organizations should immediately disable the use of Net-NTLMv1,” Mandiant said. Organizations that get hacked because they failed to heed will have only themselves to blame.

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
24 Comments
Staff Picks
A
Autapomorphy
It's important to understand that, by default, Windows cannot just generate NTLMv1 traffic. The use of NTLMv1 versus NTLMv2 isn't negotiated. Instead, the client decides which one to send based on the security policy "Network security: LAN Manager authentication level" which has defaulted to send NTLMv2 since Vista. Getting the computer to emit NTLMv1 requires you explicitly to shoot yourself in the foot by changing this to use the older broken protocol.

Also, creating rainbow tables as this article is about doesn't impact anything. The NTLMv1 response function uses single DES with 56 bits of the user's secret key at a time, and it's been feasible about two decades now to brute-force those 56-bit pieces of the key until you recover the entire user key. That secret user key is sufficient to authenticate as the user (see "pass-the-hash") and there's no need to reverse this secret into the actual text of the password.

P.S. NTLMv2 is still very weak and subject to brute force attacks for weaker passwords, but it's not subject to rainbow tables. The response function for NTLMv2 includes 64 bits of random entropy supplied by client meaning that, unlike NTLMv1, the client does not generate the same response every time if a malicious server sends the same challenge.
Prev story
Next story