Security firm Mandiant, now part of Google Cloud, recently made a striking decision: it publicly released a massive dataset of Net-NTLMv1 rainbow tables. These pre-computed lookup tables allow someone to transform a captured NTLMv1 authentication hash back into a plaintext password extremely quickly — often in under half a day on inexpensive hardware.
At first glance, this might sound like publishing a hacking tool. But the goal isn’t to arm attackers: Mandiant says this release is intended to underscore just how insecure NTLMv1 is and to help defenders prove the risk, forcing organizations to finally remove this weak authentication protocol from their systems.

What Net-NTLMv1 Is — And Why It Still Matters
Net-NTLMv1 is an old Windows network authentication protocol first introduced in the late 1980s. It was widely used back when enterprises were first connecting hundreds or thousands of computers together. But even by the early 2000s, researchers began documenting deep weaknesses in the protocol’s cryptography.
NTLMv1 relies on DES (Data Encryption Standard) — an algorithm now considered outdated and insufficiently secure for protecting modern systems. More importantly, NTLMv1 does not include modern protections like salting or complex challenge-response randomness, which make brute-force or pre-computation attacks much harder.
Because these weaknesses have been known for decades — cryptanalysis research on NTLMv1 goes back to at least 1999 — Microsoft itself moved on to NTLMv2 and then to Kerberos as a more secure primary authentication protocol.
Yet despite its obsolescence and obvious insecurity, NTLMv1 remains enabled in many networks today. The reason isn’t ignorance — it’s inertia and compatibility. Old systems, poorly maintained appliances, and legacy services in industries like healthcare, industrial control systems, and manufacturing often only work with NTLMv1. Shutting it off could break critical business functions.
This is exactly the problem Mandiant is trying to solve: organizations acknowledge the insecurity of NTLMv1, but they delay removing it until someone can prove it’s actually risky in their environment.

Why Rainbow Tables Matter
The Classic Trade-Off: Time vs. Space
Rainbow tables aren’t a new cryptographic invention. They were first described in academic research in the early 2000s and represent a classic time-memory trade-off: instead of brute-forcing every password hash individually, attackers pre-compute a huge list linking hashes to their plaintext values and store that in a table.
In the past, generating and storing rainbow tables was expensive — requiring lots of computation and storage. And cracking tools often required specialized algorithms or uploading hashes to online services that do the work for you. All that slowed down attackers and limited usage to those with plenty of resources.
What Mandiant did was generate and release an enormous set of rainbow tables specifically for Net-NTLMv1. The dataset reportedly contains trillions of pre-computed password possibilities and spans around 8.6 TB of data.
By publishing this dataset freely, Mandiant effectively removes the computational and financial barrier to cracking NTLMv1 hashes. If an attacker or defender captures a Net-NTLMv1 hash, they can look it up in the rainbow table rather than brute-force it — and recover the corresponding password often within about 12 hours using consumer hardware costing a few hundred dollars.
This dramatically lowers the effort required to break weak NTLMv1 passwords, and that is the point.

The Threat: How Attackers Can Abuse This
Before these tables were released, attackers faced one of two slow and expensive paths to crack NTLMv1 hashes:
- Upload the hash to an external cracking service — which involves legal and operational hurdles.
- Use costly custom hardware to brute-force the hash.
Now, with the rainbow tables available and indexed, those hurdles largely disappear. This has several direct security implications:
- Credential theft becomes easier — If an attacker obtains a Net-NTLMv1 hash (for example, by coercing a machine to authenticate or intercepting network traffic), they can convert it to a password quickly.
- Privilege escalation becomes more realistic — With credentials in hand, attackers can impersonate accounts, including domain controllers or other privileged identities.
- Lateral movement and deeper compromise in Active Directory environments become simpler — Once you control a privileged account, you can move around and take further actions inside a network.
One common attack chain involves authentication coercion techniques (like PetitPotam or DFSCoerce), which force a Domain Controller or other high-value host to authenticate using NTLMv1. An attacker captures that hash, then cracks it using the rainbow tables and uses the recovered password to escalate their access.
This makes legacy NTLMv1 not just theoretically insecure, but practically exploitable in real-world attack scenarios.

Mandiant’s Intent: Shock to Action
In its blog post, Mandiant makes its position clear: it wants organizations to stop dragging their feet. The tables were published so defenders can prove to their leadership and stakeholders just how simple it is to crack NTLMv1.
Mandiant emphasizes that these rainbow tables are intended to be used by security teams and researchers to audit systems and demonstrate risk. But the reality is that the same techniques can also be used by attackers — which is exactly the point: the vulnerability is real, and continuing to leave NTLMv1 enabled is a business risk.

What Organizations Should Do Now
If you manage Windows systems — especially in an Active Directory environment — Mandiant strongly recommends several urgent steps:
1. Disable Net-NTLMv1 Everywhere You Can
Use Windows Group Policy or local security policy settings to disable NTLMv1 authentication. For example, setting “Network security: LAN Manager authentication level” to “Send NTLMv2 response only” helps ensure stronger protocols are used.
2. Monitor Usage of NTLMv1
Check authentication logs for NTLMv1 authentication attempts. On Windows, specific event IDs and flags can tell you when NTLMv1 or legacy LM authentication is occurring.
3. Migrate to Modern Protocols
Where possible, replace NTLMv1 with NTLMv2 or Kerberos, and work with application owners to update or replace legacy systems that insist on old protocols.
4. Educate Teams and Leadership
Make sure developers, sysadmins, and executives understand why legacy protocols matter and the real threats they create.
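
One way to carry out the monitoring in step 2, as an added example that is not from Mandiant or the original article: it scans exported Security-log XML for Event ID 4624 logons whose "Package Name (NTLM only)" field (`LmPackageName` in the event XML) is NTLM V1 or LM, then groups them by source so each legacy client can be followed up. The sample events, host names, accounts and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LEGACY_PACKAGES = {"NTLM V1", "LM"}  # values of "Package Name (NTLM only)"

def _ev(user, host, ip, auth, lm_pkg):
    """Build one constructed 4624 event, trimmed to the fields used below."""
    fields = {"TargetUserName": user, "WorkstationName": host, "IpAddress": ip,
              "AuthenticationPackageName": auth, "LmPackageName": lm_pkg}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>4624</EventID></System>"
            f"<EventData>{data}</EventData></Event>")

# Constructed sample export (hosts, accounts and addresses are made up).
SAMPLE = "<Events>" + "".join([
    _ev("svc-scan", "MFP-3F", "10.0.8.21", "NTLM", "NTLM V1"),
    _ev("svc-scan", "MFP-3F", "10.0.8.21", "NTLM", "NTLM V1"),
    _ev("jdoe", "WS-114", "10.0.4.17", "NTLM", "NTLM V2"),
    _ev("ANONYMOUS LOGON", "HMI-07", "10.0.9.5", "NTLM", "NTLM V1"),
    _ev("asmith", "WS-090", "10.0.4.33", "Kerberos", "-"),
]) + "</Events>"

def legacy_ntlm_logons(xml_text):
    """Return (account, workstation, ip, package) per 4624 logon using NTLMv1 or LM."""
    hits = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "4624":
            continue  # only successful logons carry the sub-package field
        d = {x.get("Name"): (x.text or "").strip() for x in ev.iter(NS + "Data")}
        if d.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos and other packages leave LmPackageName as "-"
        if d.get("LmPackageName", "").upper() in LEGACY_PACKAGES:
            hits.append((d.get("TargetUserName", ""), d.get("WorkstationName", ""),
                         d.get("IpAddress", ""), d["LmPackageName"]))
    return hits

def remediation_queue(hits):
    """Count hits per (workstation, ip, account); named accounts sort first."""
    counts = Counter((h[1], h[2], h[0]) for h in hits)
    return sorted(counts.items(),
                  key=lambda kv: (kv[0][2] == "ANONYMOUS LOGON", -kv[1]))

if __name__ == "__main__":
    for (host, ip, account), n in remediation_queue(legacy_ntlm_logons(SAMPLE)):
        print(f"{n:3d}  {host:10s} {ip:12s} {account}")
```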

The Broader Message
Mandiant’s release isn’t about introducing a new vulnerability — it’s about making a long-known weakness impossible to ignore. By publicizing just how easy it is to crack NTLMv1 with freely available rainbow tables, Mandiant aims to accelerate protocol deprecation once and for all.
This episode highlights a broader truth in cybersecurity: legacy systems and protocols often persist long after they should have been retired, not because they’re secure, but because operational inertia and cost make change difficult. Now, with this dataset in the wild, that inertia will be harder to justify.
