Mandiant releases rainbow table that cracks weak admin password in 12 hours

Microsoft’s Legacy NTLMv1 Protocol: A Ticking Time Bomb for Organizations

Microsoft introduced NTLMv1 in the 1980s with the release of OS/2, and it has been a security concern ever since. In 1999, cryptanalyst Bruce Schneier and Mudge published research that exposed key weaknesses in the underpinnings of NTLMv1. The weaknesses were highlighted again at the 2012 Defcon 20 conference, where researchers released a tool set that allowed attackers to move from untrusted network guest to admin in 60 seconds. Although NTLMv2, introduced in 1998 with Windows NT SP4, fixed the weakness, many organizations still rely on the outdated protocol.

According to Mandiant, a cybersecurity firm, NTLMv1 is still widely used in active environments, leaving organizations vulnerable to trivial credential theft. The company notes that the legacy protocol remains prevalent due to inertia and a lack of demonstrated immediate risk. However, this lack of awareness can have severe consequences, as attackers can use known plaintext attacks to compromise accounts. The use of tools like Responder, PetitPotam, and DFSCoerce can make it trivial for attackers to obtain per-byte hash results, allowing them to crack weak admin passwords.

The Release of Rainbow Tables: A Wake-Up Call for Organizations

Mandiant has released a rainbow table that can crack weak admin passwords in 12 hours, highlighting the urgent need for organizations to move away from NTLMv1. The table provides per-byte hash results with the known plaintext challenge 1122334455667788, making it easy for attackers to compromise accounts. While the release of the rainbow table may not be a game-changer for attackers, who likely already have access to such tools, it serves as a wake-up call for organizations to take action. Researchers and admins have applauded the move, as it provides them with added ammunition to convince decision-makers to invest in moving away from the insecure function.

As one researcher noted, the release of the rainbow table can be used to demonstrate the weakness of NTLMv1 to decision-makers. By showing the ease with which passwords can be compromised, organizations can be convinced to take action to disable the use of Net-NTLMv1. Mandiant provides basic steps required to move off of NTLMv1, with links to more detailed instructions. The company emphasizes that organizations should immediately disable the use of Net-NTLMv1 to avoid being hacked.

A Call to Action: Disable NTLMv1 Now

Organizations that fail to heed the warning and disable NTLMv1 will have only themselves to blame if they are hacked. The release of the rainbow table is a stark reminder of the importance of keeping software up to date and disabling outdated protocols. Because Microsoft announced plans to deprecate NTLMv1 only last August, organizations need to take proactive steps to protect themselves. By disabling NTLMv1 and moving to more secure protocols, organizations can significantly reduce the risk of credential theft and protect their networks from attacks.
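One way to find out which accounts and hosts still authenticate with NTLMv1 before disabling it, as an added example that is not from Mandiant or the original article. It assumes Windows Security-log logon events (event ID 4624) exported as XML and wrapped in a single root element; the function names and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample data: accounts, hosts and addresses below are made up.
_EVENT = ('<Event xmlns="' + EVT_NS + '"><System><EventID>{eid}</EventID></System>'
          '<EventData><Data Name="TargetUserName">{user}</Data>'
          '<Data Name="TargetDomainName">CORP</Data>'
          '<Data Name="AuthenticationPackageName">{pkg}</Data>'
          '<Data Name="WorkstationName">{host}</Data>'
          '<Data Name="LmPackageName">{lm}</Data>'
          '<Data Name="IpAddress">{ip}</Data></EventData></Event>')
_ROWS = [
    ("4624", "svc_backup", "NTLM", "FS01", "NTLM V1", "10.0.5.21"),
    ("4624", "alice", "NTLM", "WS114", "NTLM V2", "10.0.7.40"),
    ("4624", "bob", "Kerberos", "-", "-", "10.0.7.41"),
    ("4624", "svc_backup", "NTLM", "FS01", "NTLM V1", "10.0.5.21"),
    ("4634", "svc_backup", "NTLM", "FS01", "NTLM V1", "10.0.5.21"),  # not a logon event
]
SAMPLE_XML = "<Events>" + "".join(
    _EVENT.format(eid=e, user=u, pkg=p, host=h, lm=lm, ip=ip)
    for e, u, p, h, lm, ip in _ROWS) + "</Events>"


def ntlmv1_logons(xml_text):
    """Yield (account, workstation, source_ip) for each 4624 logon made with NTLMv1."""
    for event in ET.fromstring(xml_text).iter("{" + EVT_NS + "}Event"):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in event.iterfind("e:EventData/e:Data", NS)}
        # LmPackageName is only meaningful for NTLM logons; Kerberos rows carry "-".
        if data.get("LmPackageName", "").upper() == "NTLM V1":
            yield (data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", ""),
                   data.get("WorkstationName", ""), data.get("IpAddress", ""))


def summarize(xml_text):
    """Count NTLMv1 logons per (account, workstation, source_ip), busiest first."""
    return Counter(ntlmv1_logons(xml_text)).most_common()


if __name__ == "__main__":
    for (account, host, ip), count in summarize(SAMPLE_XML):
        print(f"{count:4d}  {account}  from {host} ({ip})")
```

The resulting list is the set of clients and service accounts to reconfigure or retire before NTLMv1 is refused, so that disabling it does not break them unexpectedly.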

Image Credit: arstechnica.com
