
Microsoft released NTLMv1 in the 1980s with the release of OS/2. In 1999, cryptanalyst Bruce Schneier and Mudge published research that exposed key weaknesses in the NTLMv1 underpinnings. At the 2012 Defcon 20 conference, researchers released a tool set that allowed attackers to move from untrusted network guest to admin in 60 seconds by attacking the underlying weakness. With the 1998 release of Windows NT SP4, Microsoft introduced NTLMv2, which fixed the weakness.
Organizations that depend on Windows networking aren’t the only laggards. Microsoft only announced plans to deprecate NTLMv1 last August.
Despite public awareness that NTLMv1 is weak, “Mandiant consultants proceed to discover its use in lively environments,” the company said. “This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it stays prevalent because of inertia and a scarcity of demonstrated immediate risk.”
The tables assist attackers by providing per-byte hash results for the known plaintext challenge 1122334455667788. Because Net-NTLM hashes are generated from the user’s password and the challenge, a known-plaintext attack with these tables makes it trivial to compromise the account. Tools such as Responder, PetitPotam, and DFSCoerce are typically involved in attacks against Net-NTLM.
In a thread on Mastodon, researchers and admins applauded the move, saying it could give them added ammunition when trying to persuade decision makers to make the investments needed to move off the insecure function.
“I’ve had a couple of instances in my (admittedly short) infosec career where I’ve needed to prove the weakness of a system, and it normally involves me dropping a sheet of paper on their desk with their password on it the next morning,” one person said. “These rainbow tables aren’t going to mean much for attackers, as they’ve likely already got them or have much better methods, but where it can help is in making the argument that NTLMv1 is unsafe.”
The Mandiant post provides the basic steps required to move off of NTLMv1 and links to more detailed instructions.
“Organizations should immediately disable using Net-NTLMv1,” Mandiant said. Organizations that get hacked because they didn’t heed the advice could have only themselves to blame.
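The two practical questions behind the passages above (where is Net-NTLMv1 still being used, and is a given host configured to send or accept it) can be answered from artifacts Windows already produces. As an added example, not code from the article or from Mandiant's post, the Python below flags NTLMv1 and LM logons in the text of Windows Security event 4624 and interprets the LmCompatibilityLevel registry value that governs which NTLM responses a host sends and accepts. The field labels ("Authentication Package", "Package Name (NTLM only)") and the six level meanings are the ones Windows documents; the event bodies, account names, hostnames and addresses are constructed samples.

```python
"""Added example, not from the article or Mandiant's post: audit Windows
Security event 4624 text for NTLMv1 / LM logons and interpret the
LmCompatibilityLevel value that governs which NTLM responses a host sends
and accepts. All event records below are constructed samples."""
import re

# Constructed 4624 message bodies (only the fields this check needs are kept).
SAMPLE_EVENTS = [
    # A network logon that negotiated NTLMv1: the response the tables target.
    "An account was successfully logged on.\n"
    "Logon Type:\t3\n"
    "New Logon:\n\tAccount Name:\tsvc_backup\n\tAccount Domain:\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tBACKUP07\n"
    "\tSource Network Address:\t10.20.30.40\n"
    "Detailed Authentication Information:\n"
    "\tAuthentication Package:\tNTLM\n"
    "\tPackage Name (NTLM only):\tNTLM V1\n",
    # A Kerberos logon: Windows records no NTLM package name.
    "An account was successfully logged on.\n"
    "Logon Type:\t3\n"
    "New Logon:\n\tAccount Name:\tjdoe\n\tAccount Domain:\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tWS-1042\n"
    "\tSource Network Address:\t10.20.31.17\n"
    "Detailed Authentication Information:\n"
    "\tAuthentication Package:\tKerberos\n"
    "\tPackage Name (NTLM only):\t-\n",
    # An NTLMv2 logon: still NTLM, but not the version the tables break.
    "An account was successfully logged on.\n"
    "Logon Type:\t3\n"
    "New Logon:\n\tAccount Name:\tscanner\n\tAccount Domain:\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tSCAN02\n"
    "\tSource Network Address:\t10.20.32.9\n"
    "Detailed Authentication Information:\n"
    "\tAuthentication Package:\tNTLM\n"
    "\tPackage Name (NTLM only):\tNTLM V2\n",
]

# Package names Windows records for the pre-NTLMv2 response types.
WEAK_PACKAGES = {"NTLM V1", "LM"}


def _field(text, label):
    """Return the value following 'label:' in the event text, or None."""
    m = re.search(re.escape(label) + r":[ \t]*([^\n]*)", text)
    return m.group(1).strip() if m else None


def classify_logon(event_text):
    """Extract the fields that matter for an NTLM audit from one 4624 body."""
    auth = _field(event_text, "Authentication Package")
    if auth is None:
        return None  # not a 4624 body we can interpret
    # 4624 also carries a 'Subject' account block; read the 'New Logon' one.
    new_logon = event_text.split("New Logon:", 1)[-1]
    pkg = _field(event_text, "Package Name (NTLM only)") or "-"
    return {
        "account": _field(new_logon, "Account Name"),
        "domain": _field(new_logon, "Account Domain"),
        "workstation": _field(event_text, "Workstation Name"),
        "source": _field(event_text, "Source Network Address"),
        "auth_package": auth,
        "ntlm_version": pkg,
        "weak": auth == "NTLM" and pkg in WEAK_PACKAGES,
    }


def weak_ntlm_logons(events):
    """Return the classified logons that used NTLMv1 or LM."""
    return [c for c in map(classify_logon, events) if c and c["weak"]]


# Documented meanings of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.
LM_COMPAT_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM; use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only; refuse LM",
    5: "Send NTLMv2 response only; refuse LM & NTLM",
}


def lm_compat_assessment(level):
    """Rate an LmCompatibilityLevel value as ('weak'|'partial'|'hardened', reason)."""
    if level not in LM_COMPAT_LEVELS:
        raise ValueError(f"LmCompatibilityLevel must be 0-5, got {level!r}")
    meaning = LM_COMPAT_LEVELS[level]
    if level <= 2:
        return "weak", f"{meaning}: this host still answers with NTLMv1 or LM"
    if level <= 4:
        return "partial", f"{meaning}: sends NTLMv2, but as a server still accepts NTLMv1"
    return "hardened", f"{meaning}: NTLMv1 and LM refused in both directions"


if __name__ == "__main__":
    for hit in weak_ntlm_logons(SAMPLE_EVENTS):
        print(f"{hit['domain']}\\{hit['account']} from {hit['workstation']} "
              f"({hit['source']}) authenticated with {hit['ntlm_version']}")
    for lvl in (2, 3, 5):
        print(lvl, *lm_compat_assessment(lvl))
```

Run against a real export, the first function gives the inventory of accounts and hosts that still negotiate NTLMv1 (the list to fix before raising the level), and the second explains what a host's current setting actually does; note that levels 3 and 4 stop a host from sending NTLMv1 but do not stop it from accepting NTLMv1 from clients, so only level 5 closes the path the rainbow tables exploit.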
