Unleashing Rainbow Tables to Expedite Protocol Deprecation

Understanding Mandiant’s Release of Net-NTLMv1 Rainbow Tables

Introduction

Mandiant is taking a bold step in cybersecurity by publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables. This move aims to highlight the pressing need for organizations to abandon this outdated protocol. Despite its known vulnerabilities—which have been well-documented since 1999—Net-NTLMv1 continues to be discovered in active environments. Its persistent use exposes organizations to the risk of trivial credential theft, largely due to inertia and an absence of immediate, visible risks.

Mandiant’s initiative to provide these rainbow tables is designed to make it easier for security professionals to demonstrate the protocol’s weaknesses. Historically, the tools required to exploit this vulnerability were either costly or involved the risky practice of uploading sensitive data to third-party services. With this dataset, defenders and researchers can recover keys in less than 12 hours, using consumer-grade hardware that costs under $600. This collaboration between Mandiant’s industry expertise and Google Cloud’s vast resources serves to tackle and mitigate entire classes of cyber threats.

This article delves into the genesis of these tables, provides avenues for community access, and outlines essential steps for disabling Net-NTLMv1 to prevent authentication coercion attacks.

Background

The insecurity of Net-NTLMv1 became widely recognized around 2012, particularly following discussions at DEFCON 20. Cryptanalysis of the protocol has been around since at least 1999, with key insights about its weaknesses documented in various scholarly works. Notably, Hashcat began supporting the cracking of Data Encryption Standard (DES) keys with known plaintext in 2016, democratizing the ability to attack this protocol even further.

Rainbow tables themselves have a long history; their foundational concept first appeared in a paper by Philippe Oechslin in 2003, building on earlier work by Martin Hellman in 1980 about time-memory trade-offs.

The vulnerability in Net-NTLMv1 arises from the fact that if an attacker can capture a Net-NTLMv1 response that was produced without Extended Session Security (ESS) and against a server challenge fixed to the known value 1122334455667788, they can mount a known plaintext attack (KPA): the challenge is the plaintext, and the response is that plaintext encrypted under DES keys derived directly from the password hash. Recovery of the key material, which is essentially the NT password hash of the authenticating Active Directory (AD) object, is therefore guaranteed. The implications are severe, as this easily leads to privilege escalation.

Attackers often utilize coercive authentication methods from a highly privileged object, such as a domain controller (DC). By recovering the password hash of a DC machine account, they can gain DCSync privileges, leading to the potential compromise of any other accounts in Active Directory.

Dataset Release

The rainbow tables dataset is available for public download through the command:
```bash
gsutil -m cp gs://net-ntlmv1-tables/tables .
```

Alternatively, it can be accessed via the Google Cloud Research Dataset portal.

For those concerned about data integrity, the SHA512 hashes of these tables can be verified by downloading the checksum file:
```bash
gsutil -m cp gs://net-ntlmv1-tables/tables.sha512 .
```

Followed by:
```bash
sha512sum -c tables.sha512
```

The password cracking community has already begun creating derivative works and is hosting pre-made versions of these tables.

Use of the Tables

Once a Net-NTLMv1 hash is obtained, security professionals and researchers can leverage these tables using modern or historical rainbow table software. Notable tools include RainbowCrack (rcrack) and RainbowCrack-NG, which can be utilized on CPUs. For those employing GPUs, forked versions like rainbowcrackalack are also available.

However, before using these tables, it’s essential to preprocess the Net-NTLMv1 hash into DES components using ntlmv1-multi. Detailed instructions for this process can be found in the document titled "Obtaining a Net-NTLMv1 Hash."

Obtaining a Net-NTLMv1 Hash

In typical attack scenarios, adversaries will utilize tools like Responder with the flags --lm and --disable-ess, which fix the server challenge to the static value 1122334455667788 and restrict the exchange to clients that fall back to Net-NTLMv1 without ESS. Attackers can either wait for incoming connections or force authentication through other tools like PetitPotam or DFSCoerce. This approach generates connections from domain controllers or less privileged hosts, which are instrumental in achieving their objectives.

The responses obtained from these connections can then be analyzed to extract password hashes either from user accounts or computer machine accounts. The processes involved are complex, and understanding the mechanics gives a clearer view into the types of threats organizations might face.
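The mechanics behind the known plaintext attack in Background, and the "no ESS, static challenge" conditions that make a captured exchange table-attackable, are shown in the following added example, which is not code from the original article or from the tools it names. It derives a Net-NTLMv1 response from an NT hash using Go's standard-library DES, and checks a captured exchange against those conditions; the NT hash and 0123456789abcdef challenge are the public MS-NLMP test vector, and the function names are this example's own.

```go
package main
import (
	"bytes"
	"crypto/des"
	"encoding/hex"
)

// StaticChallenge is the fixed server challenge the article quotes for --lm mode.
const StaticChallenge = "1122334455667788"

// expandKey spreads 7 key bytes over 8 bytes, one 7-bit group per byte, with
// the low bit left as the DES parity bit (ignored by the key schedule).
func expandKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xfe
	for i := 1; i < 7; i++ {
		k8[i] = (k7[i-1]<<(8-uint(i)) | k7[i]>>uint(i)) & 0xfe
	}
	k8[7] = (k7[6] << 1) & 0xfe
	return k8
}

// NTLMv1Response computes the 24-byte Net-NTLMv1 (no ESS) response: the 16-byte
// NT hash is zero-padded to 21 bytes and split into three 7-byte DES keys, each
// of which encrypts the 8-byte challenge. Challenge = known plaintext, hash = key.
func NTLMv1Response(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(expandKey(padded[i*7 : i*7+7])) // key is always 8 bytes
		block := make([]byte, 8)
		c.Encrypt(block, challenge)
		resp = append(resp, block...)
	}
	return resp
}

// TableAttackable reports whether a captured exchange (LM response field and
// server challenge as hex, as in a Responder log line) has the form the tables
// cover: static challenge and no ESS. With ESS the LM field is an 8-byte client
// nonce followed by 16 zero bytes, and the DES plaintext is no longer the bare
// challenge, so the tables do not apply.
func TableAttackable(lmRespHex, challengeHex string) bool {
	lm, err := hex.DecodeString(lmRespHex)
	if err != nil || len(lm) != 24 {
		return false
	}
	essPresent := bytes.Equal(lm[8:], make([]byte, 16))
	return !essPresent && challengeHex == StaticChallenge
}
```

The third DES key in NTLMv1Response is only two hash bytes plus five zero bytes, which is why ntlmv1-multi can strip it before the first two keys are looked up in the tables.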

Through careful investigation and proactive measures, organizations can better protect themselves against the vulnerabilities associated with Net-NTLMv1, particularly with the assistance of this invaluable dataset released by Mandiant.
