Google shows how easy it is to crack old Microsoft Windows logins

Google just dropped a dataset proving that a decades-old Windows login system can be cracked in hours, putting corporate networks at risk.
Google’s incident response arm, Mandiant, has decided that it’s done waiting for organizations to take Net-NTLMv1 vulnerabilities seriously.
This week, the tech giant publicly released a massive dataset of Net-NTLMv1 rainbow tables, effectively handing defenders and attackers a demonstration of just how broken this authentication protocol really is.
“By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1,” writes Nic Losby, a Principal Red Team Consultant at Mandiant.
With the released dataset, users can recover keys in under 12 hours using consumer hardware costing less than $600. The tables are hosted on Google Cloud and available to the community.
An old protocol that refuses to die
Microsoft’s Net-NTLMv1 is an authentication protocol used in older Windows systems, but its documented weaknesses date back to 1999. By the early 2010s, security researchers were already demonstrating real-world exploits.
Yet Google’s Mandiant says its consultants still routinely encounter Net-NTLMv1 running in live enterprise environments, posing significant risks.
“This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk,” writes Losby.
Tools to exploit Net-NTLMv1 have existed for years, but according to Mandiant, the friction was still too high for many defenders to convincingly demonstrate risk.
Cracking hashes often meant uploading sensitive data to third-party services or investing in expensive hardware. Mandiant believes the newly released rainbow table dataset removes those barriers.
How to crack Net-NTLMv1?
The issue with Net-NTLMv1 is simple. If an attacker manages to grab a Net-NTLMv1 login response and Extended Session Security is not enabled, the protocol gives them everything they need to break it.
If an attacker captures a Net-NTLMv1 hash and already knows the fixed plaintext value 1122334455667788, they can run what is known as a “known plaintext attack.”
This type of attack reliably recovers the underlying key. That key is effectively the password hash of the Active Directory account. Once that hash is exposed, attackers can quickly turn access into higher privileges.
From there, the attack escalates quickly. Attackers often pair this flaw with authentication coercion, tricks that force important systems to log in on demand. Tools like PetitPotam or DFSCoerce can force a highly privileged system, including a domain controller, to authenticate.
Once the password hash of a domain controller’s machine account is recovered, attackers can obtain DCSync privileges and effectively own the entire Active Directory environment.
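The practical first step for a defender is to find out where Net-NTLMv1 is still being accepted. The following is an added example, not code from Mandiant or from the article: it parses the "Key: value" body of Windows Security event 4624 (successful logon) and flags logons whose "Package Name (NTLM only)" field is NTLM V1 or LM. Machine accounts (names ending in "$") are rated critical, because the escalation path described above runs through a coerced domain controller machine account. The four event bodies are constructed sample data; the account names, hosts and addresses are made up, and the event does not record whether Extended Session Security was negotiated, so every NTLM V1 logon is treated as exposed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: bodies of Windows Security event 4624 (successful
# logon), reduced to the fields this check reads. Field names follow the real
# 4624 message text; the accounts, hosts and addresses are invented.
SAMPLE_EVENTS = [
    "Logon Type: 3\nAccount Name: alice\nAccount Domain: CORP\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V2\n"
    "Key Length: 128\nSource Network Address: 10.0.0.21",
    "Logon Type: 3\nAccount Name: DC01$\nAccount Domain: CORP\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V1\n"
    "Key Length: 0\nSource Network Address: 10.0.0.55",
    "Logon Type: 3\nAccount Name: bob\nAccount Domain: CORP\n"
    "Authentication Package: Kerberos\nPackage Name (NTLM only): -\n"
    "Key Length: 0\nSource Network Address: 10.0.0.30",
    "Logon Type: 3\nAccount Name: svc-backup\nAccount Domain: CORP\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): LM\n"
    "Key Length: 56\nSource Network Address: 10.0.0.77",
]

# Package names that mean a DES-based challenge/response was accepted.
LEGACY_PACKAGES = {"NTLM V1", "LM"}

FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


@dataclass
class Finding:
    account: str
    package: str
    source: str
    severity: str


def parse_event(body: str) -> dict:
    """Turn the 'Key: value' lines of a 4624 message body into a dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def assess(fields: dict) -> Optional[Finding]:
    """Flag a logon that completed with NTLMv1 or LM.

    A machine account (name ending in '$') is rated critical. The event does
    not say whether Extended Session Security was used, so every NTLM V1
    logon is treated as exposed (assumption, not a property of the event).
    """
    if fields.get("Authentication Package") != "NTLM":
        return None
    package = fields.get("Package Name (NTLM only)", "")
    if package not in LEGACY_PACKAGES:
        return None
    name = fields.get("Account Name", "")
    account = f"{fields.get('Account Domain', '')}\\{name}"
    severity = "critical" if name.endswith("$") else "high"
    return Finding(account, package, fields.get("Source Network Address", "-"), severity)


def scan(events) -> list:
    """Run assess() over raw event bodies and return findings in order."""
    findings = []
    for body in events:
        f = assess(parse_event(body))
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.account} via {f.package} from {f.source}")
```

Run against real 4624 exports, the findings give an inventory of the hosts and accounts still negotiating NTLMv1, which is what an organization needs before it can disable the protocol without breaking something.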
How does a rainbow table work?
A rainbow table, a technique that has been known for two decades, is a shortcut for cracking passwords: a precomputed database linking password hashes back to their original plaintext forms.
Instead of trying passwords one at a time, attackers precompute huge lists of possible passwords and their corresponding cryptographic outputs, then store the results for reuse.
When attackers steal hashed passwords, they can quickly crack them by simply matching the hashes against the table to find the corresponding password.
A rainbow table is particularly effective against outdated authentication protocols, such as Net-NTLMv1, that rely on predictable encryption and lack modern defense mechanisms, such as salting.
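To make the mechanism concrete, here is an added toy example (not Mandiant's tables and not the DES-based Net-NTLMv1 computation): a rainbow table over a constructed space of 4-digit PINs hashed with unsalted SHA-256. It shows the two things the paragraphs above describe, that the table stores only chain start and end points rather than every hash, and that a salt makes the precomputed chains useless because the hash of a salted password never appears in them. Chain length, chain count and the reduction function are illustrative choices.

```python
import hashlib

# Toy parameters (constructed): 4-digit PINs, unsalted SHA-256.
SPACE = 10_000
CHAIN_LEN = 50
NUM_CHAINS = 2_000


def h(pw: str, salt: str = "") -> str:
    """The hash being attacked. An empty salt models a salt-less scheme."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def reduce_to_pin(digest: str, i: int) -> str:
    """Reduction function R_i: maps a digest back into the PIN space.
    Mixing in the column index i is what makes it a *rainbow* table: two
    chains that collide in different columns do not merge."""
    return f"{(int(digest[:12], 16) + i) % SPACE:04d}"


def build_table(chain_len=CHAIN_LEN, num_chains=NUM_CHAINS) -> dict:
    """Precompute chains start -> H -> R_0 -> ... -> R_{n-1} -> endpoint.
    Only the endpoints are stored (mapping back to their start PINs)."""
    table = {}
    for n in range(num_chains):
        start = f"{n * 5 % SPACE:04d}"  # deterministic, spread-out starts
        pw = start
        for i in range(chain_len):
            pw = reduce_to_pin(h(pw), i)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: str, chain_len=CHAIN_LEN):
    """Recover the PIN behind an unsalted digest, or None if not covered."""
    for j in range(chain_len - 1, -1, -1):
        # Assume target sits in column j; walk the rest of the chain.
        pw = reduce_to_pin(target, j)
        for i in range(j + 1, chain_len):
            pw = reduce_to_pin(h(pw), i)
        for start in table.get(pw, []):
            # Endpoint matched: regenerate the chain and confirm.
            pw2 = start
            for i in range(chain_len):
                if h(pw2) == target:
                    return pw2
                pw2 = reduce_to_pin(h(pw2), i)
    return None


def demo():
    """Same PIN, with and without a salt: only the unsalted one is recovered."""
    table = build_table()
    unsalted = h("0000")
    salted = h("0000", salt="s3cr3t")
    return lookup(table, unsalted), lookup(table, salted)


if __name__ == "__main__":
    print(demo())
```

The stored table holds at most NUM_CHAINS entries while the chains between them pass through up to NUM_CHAINS times CHAIN_LEN candidate PINs, which is the time/memory trade-off that made precomputation practical. The salted lookup fails not because the table is too small but because the hashed value is a different function entirely; that is why the article singles out the absence of salting in Net-NTLMv1.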