Google’s security division, Mandiant, has taken an unusual step to make organizations reconsider their use of an outdated and insecure protocol. They’ve published a tool that makes cracking NTLMv1 credentials extremely easy for attackers. The goal is to highlight that, despite years of warnings, many still rely on this vulnerable protocol.

The Insecure History of NTLMv1

NTLMv1 is a legacy challenge-response protocol from the 1990s, used to authenticate Windows NT users to Active Directory. It’s based on an old encryption standard called DES, which has long been considered insecure. Microsoft introduced NTLMv2 in 1996 as a more secure alternative, and eventually replaced NTLM entirely with Kerberos. However, NTLMv1 still lingers as a fallback option for older applications that need compatibility.

This continued use has created a security risk. NTLMv1 has well-known vulnerabilities, and attackers have repeatedly targeted it over the years. Despite the availability of more secure options, many organizations haven’t fully phased it out, often due to inertia or concerns over legacy systems.

Mandiant’s New Tool and Its Impact

To demonstrate just how vulnerable NTLMv1 remains, Mandiant released a rainbow table—essentially a pre-computed database—that allows anyone to crack NTLMv1 hashes quickly. This lookup, available on the Google Cloud Research Dataset portal, lets security professionals and attackers alike turn server responses into actual password hashes in about 12 hours on a modest $600 computer. This is far faster and cheaper than traditional brute-force methods.

The rainbow table doesn’t weaken NTLMv1’s security per se; it simply makes exploiting its weaknesses easier and more accessible. Mandiant hopes that by publishing this tool, security teams will see the urgency of removing NTLMv1 from their networks. They want to make it clear that this protocol is a significant security hole that needs addressing.

Why NTLMv1 Is Still a Problem Today

Despite the known dangers, some organizations continue to use NTLMv1 because of legacy systems or compatibility issues. Mandiant’s own consultants have found it still active in many environments. Cybercriminals also target NTLMv1 hashes regularly. For instance, in 2024, the threat group TA577 used phishing emails to send challenge-response requests to legacy printers and other internal resources, exploiting NTLMv1 vulnerabilities.

Additionally, recent attacks involved a vulnerability (CVE-2025-54918) related to NTLM, which came just weeks after Microsoft announced it would remove NTLMv1 support from Windows Server 2025 and Windows 11. These incidents show that even with warnings and updates, many systems remain vulnerable because organizations have yet to fully upgrade or disable NTLMv1.

Experts emphasize that the main challenge is awareness. Many security teams are unaware that NTLMv1 is still in use or underestimate its risk. Removing it requires planning and effort, but the potential security benefits are significant.

In conclusion, Mandiant’s release of a cracking tool aims to serve as a wake-up call. It underscores the importance of retiring outdated protocols like NTLMv1. Moving forward, organizations should prioritize updating their systems to use more secure authentication methods and eliminate reliance on legacy protocols that put them at risk of credential theft and other attacks.

Inspired by

• https://www.computerworld.com/article/4118820/mandiant-pushes-organizations-to-dump-insecure-ntlmv1-by-releasing-a-way-to-crack-it-2.html

Sources

• csoonline.com
• google.com
• csoonline.com
• crowdstrike.com
• microsoft.com