Mandiant Drops the Hammer on NTLMv1: Releases rainbow table capable of cracking Admin passwords in 12 hours.

By Ash K

Mandiant has released a precomputed rainbow table capable of cracking administrative passwords protected by Microsoft’s deprecated NTLMv1 hashing algorithm in under 12 hours using consumer-grade hardware. The move is not a zero-day disclosure or a newly discovered weakness. It is a deliberate escalation designed to force long-delayed action across enterprises that continue to rely on a fundamentally broken authentication protocol.

The message is blunt. If NTLMv1 is still present anywhere in your environment, password secrecy is no longer theoretical. It is a timing problem measured in hours.

What Mandiant actually released

The release consists of a rainbow table targeting NTLMv1 and Net-NTLMv1 hashes. Rainbow tables are precomputed mappings between hashes and their plaintext equivalents, allowing attackers or defenders to reverse weak hashes without performing expensive brute-force operations.

Mandiant’s table is hosted in cloud infrastructure and optimized to recover passwords in under 12 hours using hardware costing less than $600. What once required specialized rigs and time-intensive computation has effectively been commoditized.

Why NTLMv1 is uniquely fragile

NTLMv1 suffers from a severely limited keyspace and outdated cryptographic design. The algorithm splits passwords into chunks and applies DES-based operations that dramatically reduce entropy. This makes precomputation feasible at scale.

Unlike modern hashing schemes that incorporate salts and computational cost, NTLMv1 offers attackers a static, predictable structure. Once a rainbow table exists, the same table can be reused across countless organizations.

Net-NTLMv1 and network authentication risk

The danger extends beyond stored password hashes. Net-NTLMv1 is still encountered in network authentication scenarios such as SMB access, legacy device authentication, and certain proxy or relay contexts.

An attacker who captures a Net-NTLMv1 challenge-response over the network does not need to compromise a domain controller. With Mandiant’s table, they can recover the underlying password offline and reuse it elsewhere.

Why NTLMv1 still exists in 2026

Despite being deprecated for decades, NTLMv1 persists in real-world environments for familiar reasons. Legacy applications, industrial systems, healthcare platforms, and embedded devices often cannot negotiate modern authentication methods.

In other cases, NTLMv1 survives due to inertia. It is enabled “just in case,” left behind during upgrades, or quietly reintroduced by misconfigured systems and old group policy objects.

This is not new. The economics are.

NTLMv1 rainbow tables have existed for years. What has changed is accessibility. Mandiant’s release removes the cost and expertise barrier that previously limited practical exploitation.

This means defenders, penetration testers, and attackers now share the same capability. Demonstrating impact no longer requires sending sensitive hashes to third-party cracking services or investing in specialized hardware.

What attackers gain from cracked admin credentials

Recovered administrative passwords are rarely used in isolation. In Active Directory environments, they often unlock lateral movement, privilege escalation, backup systems, virtualization platforms, and security tooling.

For ransomware operators and access brokers, NTLMv1 is a gift. A single captured hash can collapse an entire trust boundary if password reuse or weak segmentation exists.

Why this matters for critical infrastructure

Mandiant explicitly highlighted utilities, healthcare, and industrial control environments as sectors where NTLMv1 stubbornly remains. These environments often balance security against uptime, and authentication changes are viewed as operational risk.

The uncomfortable reality is that NTLMv1 now represents a far greater operational risk than migration downtime. A compromised admin account in these sectors can translate into service outages, safety incidents, and regulatory consequences.

Immediate actions organizations should take

This release leaves little room for gradual remediation. Organizations should act decisively.

  • Audit domain controllers and systems for NTLMv1 usage.
  • Disable NTLMv1 wherever possible via Group Policy.
  • Monitor authentication logs for Net-NTLMv1 handshakes.
  • Rotate credentials for any accounts that may have used NTLMv1.
  • Accelerate migration to Kerberos and modern authentication protocols.
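One way to carry out the first three items on a Windows host, as an added example written for this article (it is not tooling from Mandiant or Microsoft); it assumes an elevated PowerShell session with rights to read the Security event log:

```powershell
# Added example: report the local LAN Manager authentication level and list
# successful logons that negotiated NTLMv1 in the last N days.

# LmCompatibilityLevel is the registry value behind the Group Policy setting
# "Network security: LAN Manager authentication level". Only level 5 refuses
# incoming LM and NTLMv1 responses outright.
$levelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) { $value = 3 }   # value absent: supported Windows versions default to 3
    [pscustomobject]@{ Level = $value; Meaning = $levelMeaning[[int]$value]; RefusesNtlmV1 = ($value -ge 5) }
}

# Event ID 4624 records the negotiated NTLM version in its LmPackageName field;
# "NTLM V1" means a v1 challenge-response was accepted for that logon.
function Find-NtlmV1Logons {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data  = ([xml]$_.ToXml()).Event.EventData.Data
        $field = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        if ((& $field 'LmPackageName') -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$(& $field 'TargetDomainName')\$(& $field 'TargetUserName')"
                Workstation = & $field 'WorkstationName'
                SourceIP    = & $field 'IpAddress'
                LogonType   = & $field 'LogonType'
            }
        }
    }
}

Get-LmCompatibilityLevel | Format-List
Find-NtlmV1Logons -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Run it on each domain controller, since the 4624 events for domain accounts are written where the logon was validated; every account that appears in the output is a candidate for the credential rotation in the fourth item.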

Why Mandiant released this publicly

Mandiant has framed the release as a forcing function. By making exploitation trivial, the company aims to eliminate plausible deniability around NTLMv1 risk.

Security teams can now demonstrate impact internally without sensationalism. A cracked admin password recovered in hours is often more persuasive than years of theoretical warnings.

A line in the sand for Windows security

This release marks a clear inflection point. NTLMv1 is no longer merely insecure. It is operationally indefensible.

In 2026, continuing to allow NTLMv1 is not a technical debt issue. It is a conscious acceptance of credential compromise. Mandiant’s rainbow table makes that reality impossible to ignore.

Source credit: Reporting and technical context based on coverage by Ars Technica and statements from Mandiant regarding the release of NTLMv1 rainbow tables.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.