Mandiant Publishes Precomputed Tables That Slash NTLMv1 Crack Time to ~12 Hours

Mandiant has produced and circulated precomputed tables that materially shorten the time required to recover credentials protected by the obsolete NTLMv1 protocol, reducing practical crack time to on the order of half a day for weak administrator passwords. The toolset leverages a known-plaintext vector and per-byte hashing to convert Net-NTLM challenge-response data into recoverable secrets; this approach resurrects a long-understood weakness and packages it into a weaponized form. Despite NTLMv1’s documented frailties and the existence of NTLMv2 for decades, many enterprise environments still accept the older negotiation because legacy systems, administrative inertia, and insufficient risk pressure have delayed migration. The tables do not invent a new crypto break; they automate and accelerate attacks that previously required more time or effort, eliminating the principal friction that kept some accounts relatively safe. Operationally, this lowers the barrier for credential theft during common coercion techniques and relay chains that are already part of the attacker playbook. Tools that coerce or relay authentication requests can now feed captured responses into the tables and obtain usable credentials far more quickly than before. For defenders, the release is a double-edged sword: it makes exploitation easier for malicious actors but also supplies a practical demonstration that security teams can use to compel remediation and justify migration investments. Mandiant accompanies the tables with prescriptive guidance to remove NTLMv1 from authentication flows, and the firm frames the change as an urgent, addressable configuration problem rather than a theoretical threat. The business impact for organizations that continue to permit NTLMv1 ranges from straightforward administrative compromise to broader lateral movement risks that drive incident scope and recovery costs upward. Remediation requires careful inventory of authentication endpoints, policy updates to enforce higher protocols, and testing to prevent service disruption where legacy devices depend on older negotiations. The release is likely to accelerate enterprise deprecation timelines, increase pressure on vendors to provide transitional options, and raise the bar for risk acceptance committees that have tolerated NTLMv1. In short, the event translates a longstanding cryptographic liability into an immediate operational hazard that organizations can no longer credibly ignore.