Mandiant publishes tables to aid attacks on legacy Net-NTLMv1 authentication


Mandiant has published tables intended to speed attacks against the legacy Net-NTLMv1 authentication protocol, the company said. The tables provide per-byte hash results for the known plaintext challenge 1122334455667788, which Mandiant says makes compromising accounts trivial in environments that still use Net-NTLMv1.

NTLMv1 dates back to Microsoft’s 1980s release of OS/2, and researchers have long documented its weaknesses: Bruce Schneier and Mudge published research in 1999, and a 2012 Defcon tool set demonstrated how attackers could escalate from an untrusted guest to admin by exploiting the underlying flaw.

Microsoft introduced NTLMv2 with Windows NT SP4 in 1998, but the company announced plans to deprecate NTLMv1 only last August. Mandiant said its consultants continue to find NTLMv1 in active environments and warned that the legacy protocol “leaves organizations vulnerable to trivial credential theft.” The company pointed to common attack tools such as Responder, PetitPotam, and DFSCoerce in relation to Net-NTLM attacks.

The Mandiant post includes basic steps and links to more detailed instructions for moving off NTLMv1, and the company urged organisations to “immediately disable the use of Net-NTLMv1.” Researchers and admins on Mastodon applauded the release as useful for persuading decision makers; one person said it helps when they need to prove a system’s weakness, sometimes by showing a password on a desk the next morning.
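Moving off NTLMv1 starts with finding which accounts and hosts still authenticate with it. The following is an added example, not code from Mandiant or from the article: it counts successful logons (Security event 4624) whose `LmPackageName` field reads `NTLM V1`, assuming the events were exported as Windows event XML under a single `<Events>` root element; every host, user and address in the sample is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, package, lm_package, host, ip):
    """Build one constructed 4624 event in Windows event XML (sample data only)."""
    fields = {"TargetUserName": user, "AuthenticationPackageName": package,
              "LmPackageName": lm_package, "WorkstationName": host, "IpAddress": ip}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample export: hosts, users and addresses are made up.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event("svc-scan", "NTLM", "NTLM V1", "LEGACY-PRN01", "10.0.0.23"),
    _event("svc-scan", "NTLM", "NTLM V1", "LEGACY-PRN01", "10.0.0.23"),
    _event("alice", "NTLM", "NTLM V2", "WS-0142", "10.0.0.57"),
    _event("bob", "Kerberos", "-", "-", "10.0.0.61"),
    _event("ANONYMOUS LOGON", "NTLM", "NTLM V1", "WS-0142", "10.0.0.57"),
]) + "</Events>"

def ntlmv1_sources(xml_text, include_anonymous=False):
    """Count successful logons (4624) that used NTLMv1, per (user, host, ip)."""
    hits = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = {x.get("Name"): (x.text or "").strip()
             for x in ev.iterfind("e:EventData/e:Data", NS)}
        # LmPackageName is only filled in for NTLM logons; Kerberos logs "-".
        if d.get("LmPackageName", "").upper() != "NTLM V1":
            continue
        # Anonymous (null) sessions are commonly logged as NTLM V1; skipping
        # them by default is a filtering choice made for this example.
        anon = d.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"
        if anon and not include_anonymous:
            continue
        hits[(d.get("TargetUserName"), d.get("WorkstationName"), d.get("IpAddress"))] += 1
    return hits

if __name__ == "__main__":
    for (user, host, ip), n in ntlmv1_sources(SAMPLE_EVENTS).most_common():
        print(f"{n:4d}  {user:<16} {host:<14} {ip}")
```

The resulting list of accounts and source hosts is the inventory to clear before Net-NTLMv1 is refused outright.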
