I recall using ntlm rainbow tables to crack windows hashes in high school in like 2008?

Amazing that this is still around and causing someone enough of a headache to justify spending money on.

Also amazing what a teenager with lots of free time and a bootable Linux usb can get up to.
There used to be a joint online project to compute these tables in a SETI-like distributed system. Everyone who contributed their CPU cycles could use the tables. And yeah, around 2005-2008.
LM, nthash aka NTLM, net-ntlmv1 aka ntlmv1, net-ntlmv2 aka NTLMv2. Challenge response stuff is different. Naming here is painful.
net-ntlmv1 rainbow tables have been around forever too though, the same attack documented in this blog post has been hosted as a web service at https://crack.sh/netntlm/ for 10+ years
Ah Microsoft and naming things... Name a better combo

But fair enough, I don't recall which exact version I was mucking with that long ago.
A few years ago I was doing some vm things in azure. Hadn't touched azure before, and spent 10+ minutes of frustration trying to figure out how to get amd64/x86_64 things started, as the only thing I could find was "Azure ARM", and on googling, "arm" here means azure resource manager... ARGH why does Microsoft insist on using existing names and acronyms!?!?
Ya they just announced they are renaming security algos to copilot!!! story here -> https://dubious-adware-breach-scam@is.gd/WVZvnI?exploit.bat
yep, that and also can use Cain and Abel even back then... hardest part was putting whatever network card in promiscuous mode.
Yeah that protocol is very very broken. I recently did an ntlm plugin implementation for Caido [1] and I had to fork our crypto JS module to add back MD4 and 3DES.

[1] https://github.com/caido-community/ntlm
This empowers script kiddies, but not significantly more so than they already were. Of all the places this is still in use, they've been exposed for years, so this isn't likely to result in a bunch of new exploitations.

However, it's most likely to be used by governments, with legacy servers that are finicky, with filesharing set up that's impacted other computers configured for compatibility, or legacy ancient network gear or printers.

I wonder who they're pushing around, and what the motivation is?
Mandiant is Google's incident response consulting business. Having worked for many years in that field myself (though not for Mandiant), they're probably sick of going to the same old engagements where companies have been getting owned the same way over and over again for the last 15 years.

What releases like this do is give IT ops people the ammunition they need to convince their leadership to actually spend some money on fixing systemic security problems.
> Mandiant is Google's incident response consulting business

Consulting business? I was under the impression (from Google Reader) that if users aren't in the millions, then they'll kill the project. How could they also run a high-touch consultancy?!

> they're probably sick of going to the same old engagements

Hmm... consultancies love this type of recurring revenue - it's easy money
> Consulting business? I was under the impression (from Google Reader) that if users aren't in the millions, then they'll kill the project. How could they also run a high-touch consultancy?!

Google also has Project Zero which doesn't fit into Google business culture either. I wonder if Mandiant is paying for their payroll.
Google is a quarter million person company (if you count full time, temps, vendors and contractors).

Google Cloud is basically an entirely different company than Search or Maps. Cloud will happily sell you $10m in compute a year and a value add $400k of security consulting.
It also empowers IT depts and cybersecurity people to be able to easily build a PoC to show why moving on from the deprecated protocol is important. In many white-hat jobs you can't just grab rainbow tables from a torrent, so a resource like this is helpful. For the grays and black hats, they've had access to rainbow tables like this for a very long time, so no change there.
Out of curiosity, why can't white hats grab rainbow tables from torrents? Is it about seeding?
It's less about torrents being the delivery mechanism and more about bringing data from a potentially unknown source, under potentially unknown licensing, and distributed for a potentially unknown reason into the corporate computing environment.

Torrents would be a perfectly valid way for Google to distribute this dataset, but the key difference would be that Google is providing it for this purpose and presumably didn't do anything underhanded to collect or generate it, and tells you explicitly how you're allowed to use it via the license.

That sort of legal and compliance homework is good practice for any business to some extent (don't use random p2p discoveries for sensitive business purposes), but is probably critical to remain employed in the sorts of giant enterprises where an internal security engineer needs to build a compelling case for spending money to upgrade an outdated protocol.
Any business that needs convincing to move on from anything labeled NTLM does not care what "nerds" have to say. They are either one of those "I'm not spending money on something that works" or stuck with such legacy technical debt that at this point, removing it from the environment is too costly to even consider so executives kick it down the road.
I suspect Mandiant hears a lot of "this is impractical to exploit so we don't care" from their clients. Now they have a compelling rebuttal to that.
You've been able to find these for years. In fact it's entirely possible they just grabbed some or all of them out of an existing torrent originally.

It would completely not surprise me if there are automagic attacks on net-ntlmv1 at this point against some cloud hosted storage. This has been doable by anyone since like 2016 if you had the space and weren't prevented from using that protocol version.
For those interested: The SHA512 file lists 4096 files. Each file is 2 GiB. That means 8 TiB (or about 8.6 TB) of storage required.
And terrorism is just an abstract way of securing underprepared government facilities.
Didn't l0phtcrack do this like 25 years ago?
They're just dumping them out as 2GB blobs onto a cloud? Where is the zippy search UI? Very lazy behavior for the hyper giant Google.
Why would you want a search UI for a rainbow table? That makes no sense.
Right? I feel like rainbow tables for NTLM have been around for decades, though at-cost. This seems incredibly low effort on Google's part.
They don't know how to count that low.

https://www.lesswrong.com/posts/koGbEwgbfst2wCbzG/i-don-t-know-how-to-count-that-low
pretty cool
Holy smoke. I honestly thought the 90s called and wanted their Windows exploits back (TFA mentions 1999). I do remember talk about this from many moons ago.

But we are in two-thousand-twenty-FUCKING-six.

It's unbelievable. Just plain unbelievable.
Can't wait for someone to decide one of the protocols used by Google needs to be deprecated.
Plenty of protocols used by Google over the years have been deprecated. The difference being that Google actually stops using insecure protocols when they are discovered to be insecure instead of trying to sweep things under the rug.

Keep in mind we are talking about a protocol from 1987. How many protocols from 1987 is Google currently using?
Well, you'll be waiting 20 years or so post-deprecation if you want an equivalent timeline.
Google thrives on being the Internet's biggest bully.

It turns out when nerds get a billion dollars they like being bullies too.
Google does that every Tuesday
> under 12 hours using consumer hardware costing less than $600 USD

Great, so someone with half a motherboard can break this hash
I wonder how the Mandiant acquisition is regarded within Google.

Was it a success? Is Mandiant a cash cow or was it basically an acquihire?

The big "contact mandiant" button next to the post feels a bit like trying to stay relevant and acquire more customers.
"To demonstrate how crappy most front door locks are, to boost our company's social media cred we will be leaving drills and a dish of bump keys at the entrance of the neighborhood."
NTLMv1 rainbow tables have been available for 15-20 years. The only thing new is that Google are publishing theirs.
NTLM is often used for more of the underlying technologies, some more secure than others… nthash, net-ntlmv1, net-ntlmv2. There’s a little more complexity here and this is different than the stuff that was out 15 years ago
> this is different than the stuff that was out 15 years ago

This stuff was out at least 10-15 years ago. It's different from the ancient local ntlm hash cracking everyone used to get admin in high school, yes, but it's not a novel technique.

on cursory google, https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/master/Readme.md is 6 years old and was old news when it was committed, and https://crack.sh/netntlm/ has been around online for at least 10 and I think more like 15+ years.
Microsoft has deprecated NTLM and is actively ripping it out of Windows.

https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e

Windows 11 is probably the last version that will contain NTLM (and hopefully NTLMv2). Going forward everything will be Kerberos or OAuth based.
It's certainly morally and legally dubious to facilitate attacks on things that others choose to use within their own private domains, just because you disagree with that choice. But that's how these people roll.
The bad guys already know you live in a bad neighborhood and have been closing your front door with a plastic combination lock you got in a Happy Meal 40 years ago. They can already come and go at a whim. This is Google letting <i>you</i> know that your crappy lock is pre-broken to encourage you to upgrade to literally anything else.
you say that like it's a negative analogy
This is like reminding that there are CVEs from 2010. Yes there are. And there are plenty of vulnerable systems.

They decided to not fix the vulns (either directly by not patching, or indirectly by not investing in cybersecurity). So exploiting them is somehow an act of mercy. They may not know they have a problem and they have an opportunity to learn.

Let's just hope they will have white or gray-ish hats teaching the lesson