
Microsoft shipped NTLMv1 with the release of OS/2 in the 1980s. In 1999, cryptanalysts Bruce Schneier and Mudge published research that exposed major vulnerabilities in the cryptography underpinning NTLMv1. At the 2012 Defcon 20 conference, researchers released a tool set that exploited an underlying weakness, allowing attackers to go from untrusted network guest to admin in 60 seconds. With the release of Windows NT SP4 in 1998, Microsoft had introduced NTLMv2, which fixed the weakness.
Organizations that rely on Windows networking aren’t the only ones left behind. Microsoft had already announced plans to discontinue NTLMv1 last August.
Despite public awareness that NTLMv1 is vulnerable, the company said, “Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it is prevalent due to inertia and lack of demonstrated immediate risk.”
The tables give attackers precomputed, per-byte hash results for the known plaintext challenge 1122334455667788. Because a Net-NTLM response is derived from the user’s password and the challenge, fixing the challenge turns the exchange into a known-plaintext attack, and with these tables it becomes trivial to compromise an account. Attacks against Net-NTLM typically involve tools including Responder, PetitPotam, and DFSCoerce.
In a thread on Mastodon, researchers and administrators applauded the move, as they said it would give them additional ammunition when trying to convince decision makers to invest in opting out of an unsafe function.
One person said, “I’ve had more than one instance in my (probably short) infosec career where I’ve had to prove a system’s weakness and it usually involves leaving a sheet of paper with their password on it the next morning. These rainbow tables won’t mean much to attackers because they’ve already got them or have better methods elsewhere, but it will help make the argument that NTLMv1 is insecure.”
The Mandiant post provides the basic steps needed to opt out of NTLMv1 and links to more detailed instructions.
“Organizations should immediately disable the use of Net-NTLMv1,” Mandiant said. Organizations that get hacked due to lack of care have only themselves to blame.
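Before disabling NTLMv1, administrators usually want to know which hosts and accounts still negotiate it, since those are the ones that will break. The script below is an added example, not code from the Mandiant post or from Microsoft: it audits constructed Windows Security logon records (modelled on the fields of event 4624, where “Package Name (NTLM only)” reads “NTLM V1”, “NTLM V2” or “LM”), groups the weak logons by source so the owning team can be found, and interprets the LmCompatibilityLevel registry value (the setting behind the “LAN Manager authentication level” policy, documented by Microsoft with levels 0 to 5) to show whether a given level still sends or accepts NTLMv1. Hostnames, usernames and addresses in the sample are invented placeholders.

```python
"""Audit constructed Security event 4624 records for NTLMv1/LM logons and
interpret the LmCompatibilityLevel setting that controls them."""
from collections import Counter

# Constructed sample records shaped like the fields of Windows Security
# event 4624 (Authentication Package, Package Name (NTLM only)). All names
# and addresses are invented; none come from the Mandiant post.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "WorkstationName": "FILESRV01", "IpAddress": "10.0.5.21",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice",
     "WorkstationName": "WS-0142", "IpAddress": "10.0.7.33",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob",
     "WorkstationName": "WS-0201", "IpAddress": "-",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "legacy-scanner$",
     "WorkstationName": "MFP-LOBBY", "IpAddress": "10.0.9.8",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    # A failed logon (4625) is deliberately excluded from the successful-logon audit.
    {"EventID": 4625, "LogonType": 3, "TargetUserName": "svc_backup",
     "WorkstationName": "FILESRV01", "IpAddress": "10.0.5.21",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
]

# Package names that indicate the legacy response types the tables target.
WEAK_PACKAGES = {"NTLM V1", "LM"}


def find_weak_ntlm_logons(events):
    """Return successful (4624) NTLM logons that used NTLMv1 or LM responses."""
    return [
        e for e in events
        if e.get("EventID") == 4624
        and e.get("AuthenticationPackageName") == "NTLM"
        and str(e.get("LmPackageName", "")).upper() in WEAK_PACKAGES
    ]


def summarize_by_source(events):
    """Count weak logons per (workstation, account) so each one can be remediated."""
    return Counter(
        (e["WorkstationName"], e["TargetUserName"])
        for e in find_weak_ntlm_logons(events)
    )


def ntlmv1_allowed(lm_compatibility_level):
    """Interpret LmCompatibilityLevel (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa).

    Returns (client_may_send_v1, server_accepts_v1):
      0-2: client still sends LM and/or NTLMv1 responses
      3-4: client sends NTLMv2 only, but a server at this level still accepts NTLMv1
      5:   NTLMv2 only, and LM/NTLMv1 responses are refused
    """
    level = int(lm_compatibility_level)
    if not 0 <= level <= 5:
        raise ValueError("LmCompatibilityLevel must be 0..5")
    client_sends_v1 = level < 3
    server_accepts_v1 = level < 5
    return client_sends_v1, server_accepts_v1


if __name__ == "__main__":
    for (host, user), count in summarize_by_source(SAMPLE_EVENTS).items():
        print(f"{host}\t{user}\t{count} NTLMv1/LM logon(s)")
    for level in range(6):
        print(f"LmCompatibilityLevel={level}: send_v1={ntlmv1_allowed(level)[0]}, "
              f"accept_v1={ntlmv1_allowed(level)[1]}")
```

Run it and the two NTLMv1 sources (a service account on a file server and a multifunction printer account) are listed; in a real environment the same filter would be applied to exported 4624 events from every domain controller and member server before the policy is raised to level 5.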