Security firm Mandiant has unveiled a rainbow table that enables cracking of administrative passwords protected by the outdated NTLMv1 hashing algorithm in under 12 hours using affordable hardware. The tool targets lingering use of this vulnerable protocol in sensitive networks. Mandiant hopes it will push organizations to abandon the deprecated function.
Security researchers at Mandiant have introduced a new resource to highlight the dangers of the long-deprecated NTLMv1 hashing algorithm. Released on January 16, 2026, the rainbow table is a precomputed database of hash values mapped to plaintext passwords. It allows recovery of Net-NTLMv1 protected credentials—used in network authentication for services like SMB file sharing—in less than 12 hours on consumer-grade hardware costing under $600. The table is hosted on Google Cloud and works against passwords generated with the known plaintext challenge 1122334455667788.
NTLMv1 dates back to the 1980s, introduced with Microsoft's OS/2 operating system. Its weaknesses were first exposed in 1999 by cryptanalyst Bruce Schneier and researcher Mudge. Microsoft addressed these flaws with NTLMv2 in 1998 via Windows NT SP4. Despite this, and a recent announcement in August 2025 to deprecate NTLMv1, the protocol persists in some critical sectors. Industries like healthcare and industrial control systems often stick with legacy applications incompatible with newer algorithms, compounded by migration costs and operational inertia.
"By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1," the firm stated. Existing exploitation tools, such as Responder, PetitPotam, and DFSCoerce, can coerce Net-NTLMv1 hashes, but cracking them previously demanded significant resources or third-party services. Mandiant consultants still encounter NTLMv1 in active environments, leaving organizations open to easy credential theft.
Feedback from the security community has been positive. One infosec professional shared on Mastodon: "I’ve had more than one instance in my (admittedly short) infosec career where I’ve had to prove the weakness of a system and it usually involves me dropping a sheet of paper on their desk with their password on it the next morning. These rainbow tables aren’t going to mean much for attackers as they’ve likely already got them or have far better methods, but where it will help is in making the argument that NTLMv1 is unsafe."
Mandiant urges immediate disablement of Net-NTLMv1 and provides guidance on migration steps. The release serves as a wake-up call for laggards, emphasizing that continued use invites avoidable risks.
