Hacker News

"To demonstrate how crappy most front door locks are, to boost our company's social media cred we will be leaving drills and a dish of bump keys at the entrance of the neighborhood."


NTLMv1 rainbow tables have been available for 15-20 years. The only thing new is that Google are publishing theirs.


NTLM is often used for more of the underlying technologies, some more secure than others… nthash, net-ntlmv1, net-ntlmv2. There’s a little more complexity here and this is different than the stuff that was out 15 years ago.


> this is different than the stuff that was out 15 years ago

This stuff was out at least 10-15 years ago. It’s different from the ancient local NTLM hash cracking everyone used to get admin in high school, yes, but it’s not a novel technique.

On cursory Google, https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/maste... is 6 years old and was old news when it was committed, and https://crack.sh/netntlm/ has been around online for at least 10 and I think more like 15+ years.


Microsoft has deprecated NTLM and is actively ripping it out of Windows.

https://support.microsoft.com/en-us/topic/upcoming-changes-t...

Windows 11 is probably the last version that will contain NTLM (and hopefully NTLMv2). Going forward everything will be Kerberos or OAuth based.


Ironically enough, the things that tend to break first when you try to turn off NTLM are still Microsoft products like ADCS.


You're not wrong, I just want to point out this is net-ntlmv1, which is different and more complex. Not functionally meaningfully more complex to an adversary with a few hundred USD (almost typed LSD) in monies. But technically larger tables. That being said, I'm in agreement that this has been a known problem for 10+ years, and Google is just saying the horses are so long out of the barn their grandchildren are grazing.


The bad guys already know you live in a bad neighborhood and have been closing your front door with a plastic combination lock you got in a Happy Meal 40 years ago. They can already come and go at a whim. This is Google letting you know that your crappy lock is pre-broken to encourage you to upgrade to literally anything else.


It's certainly morally and legally dubious to facilitate attacks on things that others choose to use within their own private domains, just because you disagree with that choice. But that's how these people roll.


It's been 15 years since this was known broken. If you had children when it was not known broken, they'd be almost old enough to drive in most western nations.

At some point the line must be drawn.


Some are very entitled to drawing lines on someone else's property. Why don't you mind your own business?


I mean this kindly, but if you're still using net-ntlmv1 on anything that matters, you need to pay much more mind to your own business because even the original vendor of it has been telling you to get off that since 1999 because it is not safe.

If you're using it on something that doesn't matter, then it also doesn't matter that rainbow tables any attacker could have already had for a decade are slightly more available.


You say that like it's a negative analogy.



