This post is about who gets left behind when “helping defenders” means publishing attack tools without defensive resources.
On January 15th, Google's Mandiant published “Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation.”
The post contains 8TB of rainbow tables, 10 figures showing attack execution, a step-by-step guide to compromising a domain controller, and 4 sentences on remediation.
Who's Still on NTLMv1
Organizations that could migrate already did. The ones remaining are stuck:
- Healthcare systems with FDA-certified devices running locked firmware
- Utilities on SCADA systems from 2008 that can't be updated without recertification
- Schools with legacy student information systems and no budget for replacement
- Municipalities on IT capital cycles that haven't changed since the financial crisis
- RADIUS/MSCHAPv2 deployments that Microsoft explicitly exempts from deprecation timelines
These aren't organizations that ignored warnings for 25 years. They're organizations trapped by regulatory constraints, vendor lock-in, and capital limitations outside their control.
Shodan reports 256,804 hosts publicly negotiating SMBv1 with authentication enabled—and that's only external exposure. The attack Mandiant documented executes on internal networks, invisible to any public census.
Mandiant has that census. They assess these environments. They respond to incidents in them. They published 8TB of attack tools and didn't publish an impact assessment.
The Ratio
| Content | Figures | Words |
|---|---|---|
| Attack walkthrough | 10 | ~1,500 |
| Remediation | 0 | ~100 |
Their “Related Reading” section links to:
- crack.sh (cracking service)
- hashcat forum threads
- Attack documentation from swisskyrepo, hackndo, praetorian, trustedsec
- NetNTLMtoSilverTicket (attack tool)
- shuck.sh (another cracking service)
Not one detection script. Not one hardening guide. Not one link to Microsoft's migration documentation.
What Was Missing
If the goal were helping defenders, the post would have included:
- Coordination with CISA on release timing and sector notifications
- A remediation window before full public release
- Detection queries and monitoring guidance
- Links to Microsoft's existing migration documentation
- Acknowledgment of regulatory and operational constraints
- Resources for under-resourced sectors
The post offered none of this.
The Counterarguments
To be fair:
NTLMv1 has been deprecated since Windows Vista in 2006. Microsoft has published migration guidance for nearly 20 years. Cracking tools already existed—crack.sh has offered this as a service for over a decade. The rainbow tables reduce cost and barrier but don't create a new attack class.
Publishing attack tools to force deprecation has precedent. Firesheep demonstrated session hijacking on open WiFi and accelerated HTTPS adoption.
But there's a key difference: Eric Butler released Firesheep when HTTPS Everywhere was already available. The fix existed. Users could protect themselves immediately. Mandiant released 8TB of attack tables without a detection tool, without a scanner, without anything defenders could deploy that afternoon.
The question isn't whether forcing functions can work. It's whether you arm both sides or just one.
The Tool They Should Have Linked To
We built it.
pqprobe scan-smb detects:
- NTLMv1 without Extended Session Security (the specific Mandiant attack vector)
- NTLMv1 with ESS
- NTLMv2 configurations
- SMB version negotiation
- Signing requirements
pqprobe audit-windows checks:
- LmCompatibilityLevel registry settings
- Event 4624 authentication logs for actual NTLMv1 usage
- Group Policy configuration
- Silverfort and other bypass scenarios
Example output (illustrative):

```
$ pqprobe scan-smb 10.0.0.0/24 -o table
HOST        SMB  NTLM         SCORE  GRADE
───────────────────────────────────────────────
10.0.0.5    v1   NTLMv1       12     F
10.0.0.12   v2   NTLMv1-ESS   38     D
10.0.0.15   v3   NTLMv2       71     C
10.0.0.22   v3   NTLMv2+sign  89     B
```
The scanner is free for unlimited use. It runs in your browser or on your infrastructure. It generates the report you need to prioritize remediation—not the attack chain you don't.
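As an added illustration of the two audit-windows checks named above, the Event 4624 review and the LmCompatibilityLevel interpretation, here is example code written for this post, not pqprobe's own source. It assumes the Security log has been exported as text with the field names Event Viewer shows; the three records in it are constructed.

```python
import re
from collections import Counter
# Constructed sample (not a real log): three Security-log 4624 records in the
# text form shown by Event Viewer, trimmed to the fields this check reads.
SAMPLE_4624 = """\
Event ID: 4624
  Account Name: svc_backup
  Source Network Address: 10.0.0.5
  Authentication Package: NTLM
  Package Name (NTLM only): NTLM V1
Event ID: 4624
  Account Name: jdoe
  Source Network Address: 10.0.0.22
  Authentication Package: NTLM
  Package Name (NTLM only): NTLM V2
Event ID: 4624
  Account Name: admin
  Source Network Address: -
  Authentication Package: Kerberos
  Package Name (NTLM only): -
"""

FIELD = re.compile(r"^\s*(Event ID|Account Name|Source Network Address|"
                   r"Authentication Package|Package Name \(NTLM only\)):\s*(.*)$")

def parse_4624(text):
    """Split a text export into one dict per 'Event ID:' record."""
    events, cur = [], None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, val = m.group(1), m.group(2).strip()
        if key == "Event ID":
            cur = {key: val}
            events.append(cur)
        elif cur is not None:
            cur[key] = val
    return events

def ntlmv1_sources(events):
    """(source address, account) -> count of 4624 logons whose NTLM sub-package
    was NTLM V1, the protocol the rainbow tables target; fix these hosts first."""
    return Counter((e.get("Source Network Address"), e.get("Account Name"))
                   for e in events
                   if e.get("Event ID") == "4624"
                   and e.get("Authentication Package") == "NTLM"
                   and e.get("Package Name (NTLM only)", "").upper() == "NTLM V1")

def lm_level_accepts_ntlmv1(level):
    """LmCompatibilityLevel on the server/DC: 0-3 accept LM/NTLMv1/NTLMv2, 4 refuses
    LM only, 5 refuses LM and NTLMv1; an unset value behaves as 3 on Vista+."""
    return (3 if level is None else level) < 5
```

The registry value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; a DC below level 5 still accepts NTLMv1 even when no client in the log currently sends it.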
The Point
I've published attack techniques many times before. In 2012 I co-wrote Securing the Virtual Environment while consulting with VMware. Every attack chapter was paired with defensive measures. I gave lectures around the world in labs to groups learning how to do a hypervisor escape so they could defend against one. The book was published so long ago it shipped with a DVD of tools—for defenders.
Attack and defense together—that's the pairing necessary to claim you're writing about defense. Mandiant published an attack. We built a defense tool. Know the difference.