The years go by… and NTLMv1 is still lingering.
Mandiant recently issued a reminder on the subject, and shipped rainbow tables with it: around 100 GB of data, licensed under CC BY 4.0, hosted in Google Cloud Storage buckets and downloadable through the Google Cloud Console or the gsutil tool.
The promise: with these tables, the keys can be recovered in under 12 hours on consumer-grade hardware costing less than $600, as an alternative to brute-force attacks with hashcat and similar tools. Both approaches lose effectiveness as secrets get longer, because the search space, and with it the cracking time or the table size, grows exponentially with length.
A few more rainbow tables
Mandiant’s rainbow tables appear to target seven-character passwords.
The RainbowCrack project, a reference in the field that ships with Kali Linux among other distributions, offers its own NTLM tables for passwords of up to 10 characters, with reported success rates between 96.8% and 99.9%:
| Character set | Max. password length | Success rate | Size |
|---|---|---|---|
| All 95 printable ASCII characters (codes 32 to 126) | 7 | 99.9% | 52 GB |
| All 95 printable ASCII characters (codes 32 to 126) | 8 | 96.8% | 460 GB |
| Uppercase, lowercase, digits | 8 | 99.9% | 127 GB |
| Uppercase, lowercase, digits | 9 | 96.8% | 690 GB |
| Lowercase, digits | 9 | 99.9% | 65 GB |
| Lowercase, digits | 10 | 96.8% | 316 GB |
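As an added illustration (not part of the article or of the RainbowCrack project), the following Go program builds a toy rainbow table and measures the kind of success rate the table above reports. It covers 3-character passwords over lowercase letters and digits, uses SHA-256 truncated to 8 bytes as a stand-in for the NT hash (Go's standard library has no MD4), and the chain count, chain length and start points are constructed for the example; all function names are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed parameters: 36 symbols, 3 characters (N = 46656 candidates),
// 2000 chains of 100 reductions each.
const (
	charset   = "abcdefghijklmnopqrstuvwxyz0123456789"
	pwLen     = 3
	chainLen  = 100
	numChains = 2000
)

var space = func() uint64 { // N = len(charset)^pwLen
	n := uint64(1)
	for i := 0; i < pwLen; i++ {
		n *= uint64(len(charset))
	}
	return n
}()

// hashPw stands in for the NT hash (MD4 of the UTF-16LE password): SHA-256
// truncated to 8 bytes, because the Go standard library has no MD4.
func hashPw(pw string) [8]byte {
	sum := sha256.Sum256([]byte(pw))
	var h [8]byte
	copy(h[:], sum[:8])
	return h
}

// indexToPw maps an integer in [0, space) to a candidate password.
func indexToPw(idx uint64) string {
	b := make([]byte, pwLen)
	for i := pwLen - 1; i >= 0; i-- {
		b[i] = charset[idx%uint64(len(charset))]
		idx /= uint64(len(charset))
	}
	return string(b)
}

// reduce is the column-dependent reduction R_i: it turns a hash back into some
// candidate password. Mixing in the column index is what makes this a rainbow
// table rather than a classic Hellman table.
func reduce(h [8]byte, col int) string {
	return indexToPw((binary.LittleEndian.Uint64(h[:]) + uint64(col)) % space)
}

// Table maps chain endpoints to the start points that reach them; several
// chains can merge into the same endpoint, hence the slice.
type Table struct{ ends map[string][]string }

func Build() *Table {
	tbl := &Table{ends: make(map[string][]string)}
	for c := 0; c < numChains; c++ {
		start := indexToPw((uint64(c) * 7919) % space) // spread-out start points
		p := start
		for col := 0; col < chainLen; col++ {
			p = reduce(hashPw(p), col)
		}
		tbl.ends[p] = append(tbl.ends[p], start)
	}
	return tbl
}

// Lookup returns the password for target, or "" when it lies in no stored
// chain: that miss is exactly the sub-100% success rate of real tables.
func (tbl *Table) Lookup(target [8]byte) string {
	for i := chainLen - 1; i >= 0; i-- {
		p := reduce(target, i) // assume target sits in column i, finish the chain
		for col := i + 1; col < chainLen; col++ {
			p = reduce(hashPw(p), col)
		}
		for _, start := range tbl.ends[p] {
			q := start // rebuild up to column i and verify, ruling out false alarms
			for col := 0; col < i; col++ {
				q = reduce(hashPw(q), col)
			}
			if hashPw(q) == target {
				return q
			}
		}
	}
	return ""
}

// Coverage is the fraction of the space that occurs in some stored chain,
// i.e. the table's best-case success rate; merges keep it below 1.
func Coverage(tbl *Table) float64 {
	seen := make(map[string]struct{})
	for _, starts := range tbl.ends {
		for _, start := range starts {
			p := start
			for col := 0; col < chainLen; col++ {
				seen[p] = struct{}{}
				p = reduce(hashPw(p), col)
			}
		}
	}
	return float64(len(seen)) / float64(space)
}

// SuccessRate measures Lookup over evenly spaced sample passwords.
func SuccessRate(tbl *Table, samples int) float64 {
	found := 0
	for i := 0; i < samples; i++ {
		pw := indexToPw(uint64(i) * space / uint64(samples))
		if tbl.Lookup(hashPw(pw)) == pw {
			found++
		}
	}
	return float64(found) / float64(samples)
}

func main() {
	tbl := Build()
	fmt.Printf("stored endpoints: %d, coverage: %.1f%%\n", len(tbl.ends), 100*Coverage(tbl))
	fmt.Printf("sampled success rate: %.1f%%\n", 100*SuccessRate(tbl, 200))
	fmt.Printf("lookup of H(\"q7z\") -> %q\n", tbl.Lookup(hashPw("q7z")))
}
```

The gap below 100% comes from chains merging after a reduction collision; adding chains or lengthening them raises coverage at the price of storage or lookup time, which is the same tradeoff behind the jump from 52 GB at 99.9% to 460 GB at 96.8% in the table above.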
NTLM, a major undertaking for Microsoft
NTLM's first version, NTLMv1, has long been regarded as insufficiently secure. The ANSSI guide on administering Active Directory environments sums up its weakness: a challenge/response exchange captured off the network is enough to recover the hash. In practice, attackers typically coerce authentication from a highly privileged AD object, such as a domain controller, and capture that exchange.
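To make that weakness concrete, here is an added example in Go (it is not from the article, ANSSI or Mandiant) that computes an NTLMv1 response the way MS-NLMP defines it and shows why a captured exchange is enough. The NT hash of "password" and the challenge 1122334455667788 are constructed inputs; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// expandKey spreads 56 key bits (7 bytes) over the 8 bytes DES expects; the
// low bit of each byte is the parity bit, which the DES key schedule ignores.
func expandKey(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k8[i] = byte(acc&0x7f) << 1
		acc >>= 7
	}
	return k8
}

// desEncrypt computes one DES block under a 7-byte key.
func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(expandKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntlmv1Response implements DESL from MS-NLMP: the 16-byte NT hash is padded
// with five zero bytes to 21 bytes, split into three 7-byte DES keys, and the
// 8-byte server challenge is encrypted under each of them (24-byte response).
func ntlmv1Response(ntHash, challenge []byte) []byte {
	if len(ntHash) != 16 || len(challenge) != 8 {
		panic("need a 16-byte NT hash and an 8-byte challenge")
	}
	key := make([]byte, 21)
	copy(key, ntHash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(key[i*7:i*7+7], challenge)...)
	}
	return resp
}

// crackThirdKey recovers NT-hash bytes 14 and 15 from the last response block:
// the third DES key is those two bytes plus five zeros, so only 65536
// candidates exist and a plain loop suffices.
func crackThirdKey(block3, challenge []byte) ([2]byte, bool) {
	k7 := make([]byte, 7)
	for v := 0; v < 1<<16; v++ {
		k7[0], k7[1] = byte(v>>8), byte(v)
		if bytes.Equal(desEncrypt(k7, challenge), block3) {
			return [2]byte{k7[0], k7[1]}, true
		}
	}
	return [2]byte{}, false
}

func main() {
	// Constructed input: NT hash of "password" and the fixed challenge that
	// NTLMv1-downgrade tooling sends so that precomputed tables apply.
	ntHash, _ := hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	challenge, _ := hex.DecodeString("1122334455667788")
	resp := ntlmv1Response(ntHash, challenge)
	fmt.Printf("NTLMv1 response: %x\n", resp)
	k3, _ := crackThirdKey(resp[16:], challenge)
	fmt.Printf("NT hash bytes 14-15 from 2^16 DES trials: %x\n", k3)
	// Blocks 1 and 2 are DES(challenge) under full 56-bit keys lifted straight
	// from the NT hash: a known-plaintext DES key search, nothing more.
	fmt.Printf("block 1: %x  block 2: %x\n", resp[:8], resp[8:16])
}
```

With a fixed challenge, the first two blocks are DES encryptions of a known plaintext under keys taken directly from the NT hash, so recovering them is a 56-bit DES key search that does not depend on the password's length or complexity; that is the search precomputed tables shortcut. Once all 16 bytes are known, the NT hash can be replayed in pass-the-hash attacks without the password ever being cracked.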
NTLMv1 has officially been removed from Microsoft operating systems as of Windows 11 24H2 and Windows Server 2025. Remnants survive in certain scenarios, however, including when MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) is used in a domain-joined environment. Microsoft's recommended mitigation: deploy Credential Guard, and use the NTLM audit features, which were enhanced for the occasion.
Microsoft's long-term goal is to disable the protocol entirely in favor of Kerberos. That required adapting Kerberos to cover certain NTLM-specific capabilities, the very ones that led some applications to hard-code NTLM. One example is authenticating without a direct network path to a domain controller. The IAKerb extension was introduced for this purpose: the target server relays the client's Kerberos exchange to a domain controller on its behalf, so the client only needs to reach the server.