RubyGems - librex - Versions diffs - 0.0.6 → 0.0.7 - Mend

librex 0.0.6 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

data/README.md +3 -5
data/Rakefile +26 -0
data/lib/rex/compat.rb +1 -1
data/lib/rex/exploitation/javascriptosdetect.rb +125 -62
data/lib/rex/file.rb +15 -0
data/lib/rex/io/stream.rb +1 -1
data/lib/rex/parser/nmap_xml.rb +6 -0
data/lib/rex/poly/block.rb +9 -0
data/lib/rex/post/meterpreter/client.rb +0 -8
data/lib/rex/post/meterpreter/extensions/priv/priv.rb +6 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +1 -1
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +49 -35
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +26 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +9 -2
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +630 -0
data/lib/rex/post/meterpreter/packet.rb +3 -1
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +143 -57
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +6 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +9 -3
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +6 -4
data/lib/rex/proto.rb +1 -0
data/lib/rex/proto/dhcp/server.rb +4 -2
data/lib/rex/proto/http/packet.rb +5 -6
data/lib/rex/proto/ntlm.rb +7 -0
data/lib/rex/proto/ntlm.rb.ut.rb +177 -0
data/lib/rex/proto/ntlm/base.rb +326 -0
data/lib/rex/proto/ntlm/constants.rb +74 -0
data/lib/rex/proto/ntlm/crypt.rb +340 -0
data/lib/rex/proto/ntlm/exceptions.rb +9 -0
data/lib/rex/proto/ntlm/message.rb +533 -0
data/lib/rex/proto/ntlm/utils.rb +358 -0
data/lib/rex/proto/smb/client.rb +548 -86
data/lib/rex/proto/smb/client.rb.ut.rb +4 -4
data/lib/rex/proto/smb/constants.rb +7 -24
data/lib/rex/proto/smb/crypt.rb +12 -71
data/lib/rex/proto/smb/exceptions.rb +12 -0
data/lib/rex/proto/smb/simpleclient.rb +17 -5
data/lib/rex/proto/smb/utils.rb +3 -460
data/lib/rex/proto/tftp/server.rb +2 -2
data/lib/rex/script/base.rb +2 -2
data/lib/rex/socket.rb +12 -0
data/lib/rex/socket.rb.ut.rb +31 -10
data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +15 -5
data/lib/rex/text.rb +55 -4
data/lib/rex/ui/output.rb +0 -2
data/lib/rex/ui/text/dispatcher_shell.rb +95 -10
data/lib/rex/ui/text/output/buffer.rb +0 -4
data/lib/rex/ui/text/shell.rb +8 -0
data/lib/rex/ui/text/table.rb +21 -1
metadata +15 -19
data/lib/rex/proto/smb/crypt.rb.ut.rb +0 -20

data/lib/rex/proto/ntlm/utils.rb ADDED

@@ -0,0 +1,358 @@
+module Rex
+module Proto
+module NTLM
+class Utils
+  	#duplicate from lib/rex/proto/smb/utils cause we only need this fonction from Rex::Proto::SMB::Utils
+	# Convert a unix timestamp to a 64-bit signed server time
+	def self.time_unix_to_smb(unix_time)
+		t64 = (unix_time + 11644473600) * 10000000
+		thi = (t64 & 0xffffffff00000000) >> 32
+		tlo = (t64 & 0x00000000ffffffff)
+		return [thi, tlo]
+	end
+	#
+	# Prepends an ASN1 formatted length field to a piece of data
+	#
+	def self.asn1encode(str = '')
+		res = ''
+		# If the high bit of the first byte is 1, it contains the number of
+		# length bytes that follow
+		case str.length
+			when 0 .. 0x7F
+				res = [str.length].pack('C') + str
+			when 0x80 .. 0xFF
+				res = [0x81, str.length].pack('CC') + str
+			when 0x100 .. 0xFFFF
+				res = [0x82, str.length].pack('Cn') + str
+			when  0x10000 .. 0xffffff
+				res = [0x83, str.length >> 16, str.length & 0xFFFF].pack('CCn') + str
+			when  0x1000000 .. 0xffffffff
+				res = [0x84, str.length].pack('CN') + str
+			else
+				raise "ASN1 str too long"
+		end
+		return res
+	end
+	# GSS functions
+	# GSS BLOB usefull for SMB_NEGOCIATE_RESPONSE message
+	# mechTypes: 2 items :
+	# 	-MechType: 1.3.6.1.4.1.311.2.2.30 (SNMPv2-SMI::enterprises.311.2.2.30)
+	# 	-MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
+	#
+	# this is the default on Win7
+	def self.make_simple_negotiate_secblob_resp
+		blob =
+		"\x60" + self.asn1encode(
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)
+						)
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB usefull for SMB_NEGOCIATE_RESPONSE message
+	# mechTypes: 4 items :
+	# 	MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
+	# 	MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
+	# 	MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - User to User)
+	# 	MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
+	# mechListMIC:
+	# 	principal: account@domain
+	def self.make_negotiate_secblob_resp(account, domain)
+		blob =
+		"\x60" + self.asn1encode(
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)
+						)
+					) +
+					"\xa3" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\xa0" + self.asn1encode(
+								"\x1b" + self.asn1encode(
+									account + '@' + domain
+								)
+							)
+						)
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB usefull for ntlmssp type 1 message
+	def self.make_ntlmssp_secblob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201)
+		blob =
+		"\x60" + self.asn1encode(
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)
+						)
+					) +
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							"NTLMSSP\x00" +
+							[1, flags].pack('VV') +
+							[
+								domain.length,  #length
+								domain.length,  #max length
+								32
+							].pack('vvV') +
+							[
+								name.length,	#length
+								name.length, 	#max length
+								domain.length + 32
+							].pack('vvV') +
+							domain + name
+						)
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB usefull for ntlmssp type 2 message
+	def self.make_ntlmssp_secblob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x0a" + self.asn1encode(
+							"\x01"
+						)
+					) +
+					"\xa1" + self.asn1encode(
+						"\x06" + self.asn1encode(
+							"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+						)
+					) +
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+						)
+					)
+				)
+			)
+		return blob
+	end
+	# BLOB without GSS usefull for ntlm type 2 message
+	def self.make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+		addr_list  = ''
+		addr_list  << [2, win_domain.length].pack('vv') + win_domain
+		addr_list  << [1, win_name.length].pack('vv') + win_name
+		addr_list  << [4, dns_domain.length].pack('vv') + dns_domain
+		addr_list  << [3, dns_name.length].pack('vv') + dns_name
+		addr_list  << [0, 0].pack('vv')
+		ptr  = 0
+		blob =	"NTLMSSP\x00" +
+				[2].pack('V') +
+				[
+					win_domain.length,  # length
+					win_domain.length,  # max length
+					(ptr += 48) # offset
+				].pack('vvV') +
+				[ flags ].pack('V') +
+				chall +
+				"\x00\x00\x00\x00\x00\x00\x00\x00" +
+				[
+					addr_list.length,  # length
+					addr_list.length,  # max length
+					(ptr += win_domain.length)
+				].pack('vvV') +
+				win_domain +
+				addr_list
+		return blob
+	end
+	# GSS BLOB Usefull for ntlmssp type 3 message
+	def self.make_ntlmssp_secblob_auth(domain, name, user, lm, ntlm, enc_session_key, flags = 0x080201)
+		lm ||= "\x00" * 24
+		ntlm ||= "\x00" * 24
+		domain_uni = Rex::Text.to_unicode(domain)
+		user_uni   = Rex::Text.to_unicode(user)
+		name_uni   = Rex::Text.to_unicode(name)
+		session    = enc_session_key
+		ptr  = 64
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							"NTLMSSP\x00" +
+							[ 3 ].pack('V') +
+							[	# Lan Manager Response
+								lm.length,
+								lm.length,
+								(ptr)
+							].pack('vvV') +
+							[	# NTLM Manager Response
+								ntlm.length,
+								ntlm.length,
+								(ptr += lm.length)
+							].pack('vvV') +
+							[	# Domain Name
+								domain_uni.length,
+								domain_uni.length,
+								(ptr += ntlm.length)
+							].pack('vvV') +
+							[	# Username
+								user_uni.length,
+								user_uni.length,
+								(ptr += domain_uni.length)
+							].pack('vvV') +
+							[	# Hostname
+								name_uni.length,
+								name_uni.length,
+								(ptr += user_uni.length)
+							].pack('vvV') +
+							[	# Session Key (none)
+								session.length,
+								session.length,
+								(ptr += name_uni.length)
+							].pack('vvV') +
+							[ flags ].pack('V') +
+							lm +
+							ntlm +
+							domain_uni +
+							user_uni +
+							name_uni +
+							session + "\x00"
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB Usefull for SMB Success
+	def self.make_ntlmv2_secblob_success
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x0a" + self.asn1encode(
+							"\x00"
+						)
+					)
+				)
+			)
+		return blob
+	end
+	# This function return an ntlmv2 client challenge
+	def self.make_ntlmv2_clientchallenge(win_domain, win_name, dns_domain, dns_name, client_challenge = nil, chall_MsvAvTimestamp = nil)
+		client_challenge ||= Rex::Text.rand_text(8)
+		# We have to set the timestamps here to the one in the challenge message from server if present
+		# If we don't do that, recent server like seven will send a STATUS_INVALID_PARAMETER error packet
+		timestamp = chall_MsvAvTimestamp != nil ? chall_MsvAvTimestamp : self.time_unix_to_smb(Time.now.to_i).reverse.pack("VV")
+		# Make those values unicode as requested
+		win_domain = Rex::Text.to_unicode(win_domain)
+		win_name = Rex::Text.to_unicode(win_name)
+		dns_domain = Rex::Text.to_unicode(dns_domain)
+		dns_name = Rex::Text.to_unicode(dns_name)
+		# Make the AV_PAIRs
+		addr_list  = ''
+		addr_list  << [2, win_domain.length].pack('vv') + win_domain
+		addr_list  << [1, win_name.length].pack('vv') + win_name
+		addr_list  << [4, dns_domain.length].pack('vv') + dns_domain
+		addr_list  << [3, dns_name.length].pack('vv') + dns_name
+		addr_list  << [7, 8].pack('vv') + timestamp
+		# MAY BE USEFUL FOR FUTURE
+		# Seven (client) add at least one more av that is of type MsAvRestrictions (8)
+		# maybe this will be usefull with future windows OSs but has no use at all for the moment afaik
+		# restriction_encoding = 	[48,0,0,0].pack("VVV") + # Size, Z4, IntegrityLevel, SubjectIntegrityLevel
+		# 			Rex::Text.rand_text(32)	 # MachineId generated on startup on win7 and above
+		# addr_list  << [8, restriction_encoding.length].pack('vv') + restriction_encoding
+		# Seven (client) and maybe others versions also add an av of type MsvChannelBindings (10) but the hash is "\x00" * 16
+		# addr_list  << [10, 16].pack('vv') + "\x00" * 16
+		# Seven and maybe other versions also add an av of type MsvAvTargetName(9) with value cifs/target(_ip)
+		# implementing it will necessary require knowing the target here, todo... :-/
+		# spn= Rex::Text.to_unicode("cifs/RHOST")
+		# addr_list  << [9, spn.length].pack('vv') + spn
+		addr_list  << [0, 0].pack('vv')
+		ntlm_clientchallenge = 	[1,1,0,0].pack("CCvV") + #RespType, HiRespType, Reserved1, Reserved2
+					timestamp + #Timestamp
+					client_challenge + 	#clientchallenge
+					[0].pack("V")  +	#Reserved3
+					addr_list + "\x00" * 4
+	end
+end
+end
+end
+end

data/lib/rex/proto/smb/client.rb CHANGED

@@ -8,8 +8,11 @@ require 'rex/struct2'
 require 'rex/proto/smb/constants'
 require 'rex/proto/smb/exceptions'
 require 'rex/proto/smb/evasions'
-require 'rex/proto/smb/crypt'
 require 'rex/proto/smb/utils'
+require 'rex/proto/smb/crypt'
+require 'rex/proto/ntlm/crypt'
+require 'rex/proto/ntlm/constants'
+require 'rex/proto/ntlm/utils'
 # Some short-hand class aliases
@@ -18,6 +21,9 @@ CRYPT = Rex::Proto::SMB::Crypt
 UTILS = Rex::Proto::SMB::Utils
 XCEPT = Rex::Proto::SMB::Exceptions
 EVADE = Rex::Proto::SMB::Evasions
+NTLM_CRYPT = Rex::Proto::NTLM::Crypt
+NTLM_CONST = Rex::Proto::NTLM::Constants
+NTLM_UTILS = Rex::Proto::NTLM::Utils
 	def initialize(socket)
 		self.socket = socket
@@ -30,15 +36,28 @@ EVADE = Rex::Proto::SMB::Evasions
 		self.read_timeout = 10
 		self.evasion_opts = {
-		# Padding is performed between packet headers and data
-		'pad_data' => EVADE::EVASION_NONE,
+			# Padding is performed between packet headers and data
+			'pad_data' => EVADE::EVASION_NONE,
-		# File path padding is performed on all open/create calls
-		'pad_file' => EVADE::EVASION_NONE,
+			# File path padding is performed on all open/create calls
+			'pad_file' => EVADE::EVASION_NONE,
-		# Modify the \PIPE\ string in trans_named_pipe calls
-		'obscure_trans_pipe' => EVADE::EVASION_NONE,
+			# Modify the \PIPE\ string in trans_named_pipe calls
+			'obscure_trans_pipe' => EVADE::EVASION_NONE,
 		}
+		self.verify_signature = false
+		self.use_ntlmv2 = false
+		self.usentlm2_session = true
+		self.send_lm = true
+		self.use_lanman_key = false
+		self.send_ntlm  = true
+		# Signing
+		self.sequence_counter = 0
+		self.signing_key      = ''
+		self.require_signing  = false
 	end
 	# Read a SMB packet from the socket
@@ -73,7 +92,17 @@ EVADE = Rex::Proto::SMB::Evasions
 			data << buff
 		end
+		#signing
+		if self.require_signing && self.signing_key != ''
+			if self.verify_signature
+				raise XCEPT::IncorrectSigningError if not CRYPT::is_signature_correct?(self.signing_key,self.sequence_counter,data)
+			end
+			self.sequence_counter += 1
+		end
 		return data
 	end
 	# Send a SMB packet down the socket
@@ -85,6 +114,12 @@ EVADE = Rex::Proto::SMB::Evasions
 		size = 0
 		wait = 0
+		#signing
+		if self.require_signing && self.signing_key != ''
+			data = CRYPT::sign_smb_packet(self.signing_key, self.sequence_counter, data)
+			self.sequence_counter += 1
+		end
 		begin
 			# Just send the packet and return
 			if (size == 0 or size >= data.length)
@@ -121,7 +156,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt = CONST::SMB_BASE_PKT.make_struct
 		pkt.from_s(data)
 		res  = pkt
 		begin
 			case pkt['Payload']['SMB'].v['Command']
@@ -219,14 +254,14 @@ EVADE = Rex::Proto::SMB::Evasions
 	# Process incoming SMB_COM_SESSION_SETUP_ANDX packets
 	def smb_parse_session_setup(pkt, data)
-		# Process NTLMv2 negotiate responses
+		# Process NTLMSSP negotiate responses
 		if (pkt['Payload']['SMB'].v['WordCount'] == 4)
 			res = CONST::SMB_SETUP_NTLMV2_RES_PKT.make_struct
 			res.from_s(data)
 			return res
 		end
-		# Process NTLMv1 and LANMAN responses
+		# Process LANMAN responses
 		if (pkt['Payload']['SMB'].v['WordCount'] == 3)
 			res = CONST::SMB_SETUP_RES_PKT.make_struct
 			res.from_s(data)
@@ -436,7 +471,7 @@ EVADE = Rex::Proto::SMB::Evasions
 	end
 	# Negotiate a SMB dialect
-	def negotiate(extended=true, do_recv = true)
+	def negotiate(smb_extended_security=true, do_recv = true)
 		dialects = ['LANMAN1.0', 'LM1.2X002' ]
@@ -452,7 +487,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		if(extended)
+		if(smb_extended_security)
 			pkt['Payload']['SMB'].v['Flags2'] = 0x2801
 		else
 			pkt['Payload']['SMB'].v['Flags2'] = 0xc001
@@ -460,7 +495,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload'].v['Payload'] = data
-		ret = self.smb_send(pkt.to_s)
+		ret = self.smb_send(pkt.to_s, EVADE::EVASION_NONE)
 		return ret if not do_recv
 		ack = self.smb_recv_parse(CONST::SMB_COM_NEGOTIATE)
@@ -483,6 +518,11 @@ EVADE = Rex::Proto::SMB::Evasions
 		# Set the security mode
 		self.security_mode = ack['Payload'].v['SecurityMode']
+		#set require_signing
+		if (ack['Payload'].v['SecurityMode'] & 0x08 != 0)
+			self.require_signing	= true
+		end
 		# Set the challenge key
 		if (ack['Payload'].v['EncryptionKey'] != nil)
 			self.challenge_key = ack['Payload'].v['EncryptionKey']
@@ -530,15 +570,6 @@ EVADE = Rex::Proto::SMB::Evasions
 		end
 		self.system_zone = system_zone * 60
-		# XXX: this is being commented out because ruby prior to 1.9.2 doesn't
-		# seem to support representing non-utc or local times (eg, a time in
-		# another timezone)  If you know a way to do it in pre-1.9.2 please
-		# tell us!
-=begin
-		# Adjust the system_time object to reflect the remote timezone
-		self.system_time = self.system_time.utc.localtime(system_zone)
-=end
 		return ack
 	end
@@ -547,15 +578,15 @@ EVADE = Rex::Proto::SMB::Evasions
 	def session_setup(*args)
 		if (self.dialect =~ /^(NT LANMAN 1.0|NT LM 0.12)$/)
 			if (self.challenge_key)
-				return self.session_setup_ntlmv1(*args)
+				return self.session_setup_no_ntlmssp(*args)
 			end
 			if ( self.extended_security )
-				return self.session_setup_ntlmv2(*args)
+				return self.session_setup_with_ntlmssp(*args)
 			end
 		end
 		return self.session_setup_clear(*args)
@@ -571,7 +602,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 10
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['MaxBuff'] = 0xffdf
@@ -601,17 +639,36 @@ EVADE = Rex::Proto::SMB::Evasions
 		return ack
 	end
-	# Authenticate using NTLMv1
-	def session_setup_ntlmv1(user = '', pass = '', domain = '', do_recv = true)
+	# Authenticate without NTLMSSP
+	def session_setup_no_ntlmssp(user = '', pass = '', domain = '', do_recv = true)
+		# Requires a challenge key to have been seen during negotiation
 		raise XCEPT::NTLM1MissingChallenge if not self.challenge_key
-		if (pass.length == 65)
-			hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key)
-			hash_nt = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key)
+		#
+		# We can not yet handle signing in this situation
+		# But instead of throwing an exception,we will disable signing, continue and hope for the best.
+		#
+		#raise XCEPT::SigningError if self.require_signing
+		self.require_signing = false if self.require_signing
+		if UTILS.is_pass_ntlm_hash?(pass)
+			arglm = {
+				:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+				:challenge =>  self.challenge_key
+			}
+			hash_lm = NTLM_CRYPT::lm_response(arglm)
+			argntlm = {
+				:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'),
+				:challenge =>  self.challenge_key
+			}
+			hash_nt = NTLM_CRYPT::ntlm_response(argntlm)
 		else
-			hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
-			hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key)   : ''
+			hash_lm = pass.length > 0 ? NTLM_CRYPT.lanman_des(pass, self.challenge_key) : ''
+			hash_nt = pass.length > 0 ? NTLM_CRYPT.ntlm_md4(pass, self.challenge_key)   : ''
 		end
 		data = ''
@@ -660,8 +717,10 @@ EVADE = Rex::Proto::SMB::Evasions
 	end
-	# Authenticate using NTLMv1 with a precomputed hash pair
-	def session_setup_ntlmv1_prehash(user, domain, hash_lm, hash_nt, do_recv = true)
+	# Authenticate without ntlmssp with a precomputed hash pair
+	def session_setup_no_ntlmssp_prehash(user, domain, hash_lm, hash_nt, do_recv = true)
+		raise XCEPT::NTLM2MissingChallenge if self.require_signing
 		data = ''
 		data << hash_lm
@@ -708,14 +767,40 @@ EVADE = Rex::Proto::SMB::Evasions
 		return ack
 	end
-	# Authenticate using extended security negotiation (NTLMv2)
-	def session_setup_ntlmv2(user = '', pass = '', domain = '', name = nil, do_recv = true)
+	# Authenticate using extended security negotiation
+	def session_setup_with_ntlmssp(user = '', pass = '', domain = '', name = nil, do_recv = true)
+		if require_signing
+			ntlmssp_flags = 0xe2088215
+		else
+			ntlmssp_flags = 0xa2080205
+		end
+		if self.usentlm2_session
+			if self.use_ntlmv2
+				#set Negotiate Target Info
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_TARGET_INFO
+			end
+		else
+			#remove the ntlm2_session flag
+			ntlmssp_flags &= 0xfff7ffff
+			#set lanmanflag only when lm and ntlm are sent
+			if self.send_lm
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_LMKEY if self.use_lanman_key
+			end
+		end
+		#we can also downgrade ntlm2_session when we send only lmv1
+		ntlmssp_flags &= 0xfff7ffff if self.usentlm2_session && (not self.use_ntlmv2) && (not self.send_ntlm)
 		if (name == nil)
 			name = Rex::Text.rand_text_alphanumeric(16)
 		end
-		blob = UTILS.make_ntlmv2_secblob_init(domain, name)
+		blob = NTLM_UTILS.make_ntlmssp_secblob_init(domain, name, ntlmssp_flags)
 		native_data = ''
 		native_data << self.native_os + "\x00"
@@ -726,26 +811,33 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2801
+		if require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 12
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['MaxBuff'] = 0xffdf
 		pkt['Payload'].v['MaxMPX'] = 2
 		pkt['Payload'].v['VCNum'] = 1
 		pkt['Payload'].v['SecurityBlobLen'] = blob.length
-		pkt['Payload'].v['Capabilities'] = 0x8000d05c
+		pkt['Payload'].v['Capabilities'] = 0x800000d4
 		pkt['Payload'].v['SessionKey'] = self.session_id
 		pkt['Payload'].v['Payload'] = blob + native_data
 		ret = self.smb_send(pkt.to_s)
 		return ret if not do_recv
 		ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true)
-		# The server doesn't know about NTLM_NEGOTIATE, try ntlmv1
+		# The server doesn't know about NTLM_NEGOTIATE
 		if (ack['Payload']['SMB'].v['ErrorClass'] == 0x00020002)
-			return session_setup_ntlmv1(user, pass, domain)
+			return session_setup_no_ntlmssp(user, pass, domain)
 		end
 		# Make sure the error code tells us to continue processing
@@ -782,62 +874,326 @@ EVADE = Rex::Proto::SMB::Evasions
 		# Extract the address list from the blob
 		alist_len,alist_mlen,alist_off = blob[cidx + 40, 8].unpack("vvV")
 		alist_buf = blob[cidx + alist_off, alist_len]
+		chall_MsvAvTimestamp = nil
 		while(alist_buf.length > 0)
 			atype, alen = alist_buf.slice!(0,4).unpack('vv')
 			break if atype == 0x00
 			addr = alist_buf.slice!(0, alen)
 			case atype
 			when 1
+				#netbios name
 				self.default_name =  addr.gsub("\x00", '')
 			when 2
+				#netbios domain
 				self.default_domain = addr.gsub("\x00", '')
 			when 3
+				#dns name
 				self.dns_host_name =  addr.gsub("\x00", '')
 			when 4
+				#dns domain
 				self.dns_domain_name =  addr.gsub("\x00", '')
 			when 5
-				# unknown
+				#The FQDN of the forest.
+			when 6
+				#A 32-bit value indicating server or client configuration
 			when 7
-				# client time
+				#Client time
+				chall_MsvAvTimestamp = addr
+			when 8
+				#A Restriction_Encoding structure
+			when 9
+				#The SPN of the target server.
+			when 10
+				#A channel bindings hash.
 			end
 		end
+		#calculate the lm/ntlm response
+		resp_lm = "\x00" * 24
+		resp_ntlm = "\x00" * 24
-		# Generate a random client-side challenge
 		client_challenge = Rex::Text.rand_text(8)
+		ntlm_cli_challenge = ''
+		if self.send_ntlm  #should be default
+			if self.usentlm2_session
+				if self.use_ntlmv2
+				# This is only a partial implementation, in some situation recent servers may send STATUS_INVALID_PARAMETER
+				# answer must then be somewhere in [MS-NLMP].pdf around 3.1.5.2.1 :-/
+					ntlm_cli_challenge = NTLM_UTILS::make_ntlmv2_clientchallenge(default_domain, default_name, dns_domain_name,
+												dns_host_name,client_challenge , chall_MsvAvTimestamp)
+					if UTILS.is_pass_ntlm_hash?(pass)
+						argntlm = {
+							:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(
+												user,
+												[ pass.upcase()[33,65] ].pack('H32'),
+												domain,{:pass_is_hash => true}
+											),
+							:challenge   => self.challenge_key
+						}
+					else
+						argntlm = {
+							:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(user, pass, domain),
+							:challenge   => self.challenge_key
+						}
+					end
+					optntlm = { :nt_client_challenge => ntlm_cli_challenge}
+					ntlmv2_response = NTLM_CRYPT::ntlmv2_response(argntlm,optntlm)
+					resp_ntlm = ntlmv2_response
+					if self.send_lm
+						if UTILS.is_pass_ntlm_hash?(pass)
+							arglm = {
+								:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(
+													user,
+													[ pass.upcase()[33,65] ].pack('H32'),
+													domain,{:pass_is_hash => true}
+												),
+								:challenge   => self.challenge_key
+							}
+						else
+							arglm = {
+								:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(user,pass, domain),
+								:challenge   => self.challenge_key
+							}
+						end
+						optlm = { :client_challenge => client_challenge }
+						resp_lm = NTLM_CRYPT::lmv2_response(arglm, optlm)
+					else
+						resp_lm = "\x00" * 24
+					end
+				else # ntlm2_session
+					if UTILS.is_pass_ntlm_hash?(pass)
+						argntlm = {
+							:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'),
+							:challenge => self.challenge_key
+						}
+					else
+						argntlm = {
+							:ntlm_hash =>  NTLM_CRYPT::ntlm_hash(pass),
+							:challenge => self.challenge_key
+						}
+					end
+					optntlm = {	:client_challenge => client_challenge}
+					resp_ntlm = NTLM_CRYPT::ntlm2_session(argntlm,optntlm).join[24,24]
+					# Generate the fake LANMAN hash
+					resp_lm = client_challenge + ("\x00" * 16)
+				end
-		# Generate the nonce
-		nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)
-		# Generate the NTLM hash
-		if (pass.length == 65)
-			resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8])
-		else
-			resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
-		end
+			else # we use lmv1/ntlmv1
+				if UTILS.is_pass_ntlm_hash?(pass)
+					argntlm = {
+						:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'),
+						:challenge =>  self.challenge_key
+					}
+				else
+					argntlm = {
+						:ntlm_hash =>  NTLM_CRYPT::ntlm_hash(pass),
+						:challenge =>  self.challenge_key
+					}
+				end
+				resp_ntlm = NTLM_CRYPT::ntlm_response(argntlm)
+				if self.send_lm
+					if UTILS.is_pass_ntlm_hash?(pass)
+						arglm = {
+							:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+							:challenge =>  self.challenge_key
+						}
+					else
+						arglm = {
+							:lm_hash => NTLM_CRYPT::lm_hash(pass),
+							:challenge =>  self.challenge_key
+						}
+					end
+					resp_lm = NTLM_CRYPT::lm_response(arglm)
+				else
+					#when windows does not send lm in ntlmv1 type response,
+					# it gives lm response the same value as ntlm response
+					resp_lm  = resp_ntlm
+				end
+			end
+		else #send_ntlm = false
+			#lmv2
+			if self.usentlm2_session && self.use_ntlmv2
+				if UTILS.is_pass_ntlm_hash?(pass)
+					arglm = {
+						:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(
+											user,
+											[ pass.upcase()[33,65] ].pack('H32'),
+											domain,{:pass_is_hash => true}
+										),
+						:challenge => self.challenge_key
+					}
+				else
+					arglm = {
+						:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(user,pass, domain),
+						:challenge => self.challenge_key
+					}
+				end
+				optlm = { :client_challenge => client_challenge }
+				resp_lm = NTLM_CRYPT::lmv2_response(arglm, optlm)
+			else
+				if UTILS.is_pass_ntlm_hash?(pass)
+					arglm = {
+						:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+						:challenge =>  self.challenge_key
+					}
+				else
+					arglm = {
+						:lm_hash => NTLM_CRYPT::lm_hash(pass),
+						:challenge =>  self.challenge_key
+					}
+				end
+				resp_lm = NTLM_CRYPT::lm_response(arglm)
+			end
+			resp_ntlm = ""
+		end
+		# Create the sessionkey (aka signing key, aka mackey) and encrypted session key
+		# Server will decide for key_size and key_exchange
+		enc_session_key = ''
+		if self.require_signing
+			server_ntlmssp_flags = blob[cidx + 20, 4].unpack("V")[0]
+			# Set default key size and key exchange values
+			key_size = 40
+			key_exchange = false
+			# Remove ntlmssp.negotiate56
+			ntlmssp_flags &= 0x7fffffff
+			# Remove ntlmssp.negotiatekeyexch
+			ntlmssp_flags &= 0xbfffffff
+			# Remove ntlmssp.negotiate128
+			ntlmssp_flags &= 0xdfffffff
+			# Check the keyexchange
+			if server_ntlmssp_flags & NTLM_CONST::NEGOTIATE_KEY_EXCH != 0 then
+				key_exchange = true
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_KEY_EXCH
+			end
+			# Check 128bits
+			if server_ntlmssp_flags & NTLM_CONST::NEGOTIATE_128 != 0 then
+				key_size = 128
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_128
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_56
+			# Check 56bits
+			else
+				if server_ntlmssp_flags & NTLM_CONST::NEGOTIATE_56 != 0 then
+					key_size = 56
+					ntlmssp_flags |= NTLM_CONST::NEGOTIATE_56
+				end
+			end
-		# Generate the fake LANMAN hash
-		resp_lmv2 = client_challenge + ("\x00" * 16)
+			# Generate the user session key
+			lanman_weak = false
+			if self.send_ntlm  # Should be default
+				if self.usentlm2_session
+					if self.use_ntlmv2
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::ntlmv2_user_session_key(user,
+													[ pass.upcase()[33,65] ].pack('H32'),
+											 		domain,
+													self.challenge_key, ntlm_cli_challenge,
+													{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::ntlmv2_user_session_key(user, pass, domain,
+												self.challenge_key, ntlm_cli_challenge)
+						end
+					else
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::ntlm2_session_user_session_key([ pass.upcase()[33,65] ].pack('H32'),
+															self.challenge_key,
+															client_challenge,
+															{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::ntlm2_session_user_session_key(pass, self.challenge_key,
+															client_challenge)
+						end
+					end
+				else # lmv1/ntlmv1
+					if self.send_lm
+						if self.use_lanman_key
+							if UTILS.is_pass_ntlm_hash?(pass)
+								user_session_key = NTLM_CRYPT::lanman_session_key([ pass.upcase()[0,32] ].pack('H32'),
+														self.challenge_key,
+														{:pass_is_hash => true})
+							else
+								user_session_key = NTLM_CRYPT::lanman_session_key(pass, self.challenge_key)
+							end
+							lanman_weak = true
+						else
+							if UTILS.is_pass_ntlm_hash?(pass)
+								user_session_key = NTLM_CRYPT::ntlmv1_user_session_key([ pass.upcase()[33,65] ].pack('H32'),
+															{:pass_is_hash => true})
+							else
+								user_session_key = NTLM_CRYPT::ntlmv1_user_session_key(pass)
+							end
+						end
+					end
+				end
+			else
+					if self.usentlm2_session && self.use_ntlmv2
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::lmv2_user_session_key(user, [ pass.upcase()[33,65] ].pack('H32'),
+													domain,
+													self.challenge_key, client_challenge,
+													{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::lmv2_user_session_key(user, pass, domain,
+													self.challenge_key, client_challenge)
+						end
+					else
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::lmv1_user_session_key([ pass.upcase()[0,32] ].pack('H32'),
+														{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::lmv1_user_session_key(pass)
+						end
+					end
+			end
-		# Create the ntlmv2 security blob data
-		blob = UTILS.make_ntlmv2_secblob_auth(domain, name, user, resp_lmv2, resp_ntlm)
+			user_session_key = NTLM_CRYPT::make_weak_sessionkey(user_session_key,key_size, lanman_weak)
+			self.sequence_counter = 0
+			# Sessionkey and encrypted session key
+			if key_exchange
+				self.signing_key = Rex::Text.rand_text(16)
+				enc_session_key = NTLM_CRYPT::encrypt_sessionkey(self.signing_key, user_session_key)
+			else
+				self.signing_key = user_session_key
+			end
+		end
+		# Create the security blob data
+		blob = NTLM_UTILS.make_ntlmssp_secblob_auth(domain, name, user, resp_lm, resp_ntlm, enc_session_key, ntlmssp_flags)
 		pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct
 		self.smb_defaults(pkt['Payload']['SMB'])
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2801
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 12
 		pkt['Payload']['SMB'].v['UserID'] = temp_user_id
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['MaxBuff'] = 0xffdf
 		pkt['Payload'].v['MaxMPX'] = 2
 		pkt['Payload'].v['VCNum'] = 1
-		pkt['Payload'].v['SecurityBlobLen'] = blob.length
 		pkt['Payload'].v['Capabilities'] = 0x8000d05c
 		pkt['Payload'].v['SessionKey'] = self.session_id
+		pkt['Payload'].v['SecurityBlobLen'] = blob.length
 		pkt['Payload'].v['Payload'] = blob + native_data
 		# NOTE: if do_recv is set to false, we cant reach here...
@@ -847,8 +1203,13 @@ EVADE = Rex::Proto::SMB::Evasions
 		# Make sure that authentication succeeded
 		if (ack['Payload']['SMB'].v['ErrorClass'] != 0)
 			if (user.length == 0)
-				return self.session_setup_ntlmv1(user, pass, domain)
+				# Ensure that signing is disabled when we hit this corner case
+				self.require_signing = false
+				# Fall back to the non-ntlmssp authentication method
+				return self.session_setup_no_ntlmssp(user, pass, domain)
 			end
 			failure = XCEPT::ErrorCode.new
@@ -869,7 +1230,7 @@ EVADE = Rex::Proto::SMB::Evasions
 	# An exploit helper function for sending arbitrary SPNEGO blobs
-	def session_setup_ntlmv2_blob(blob = '', do_recv = true)
+	def session_setup_with_ntlmssp_blob(blob = '', do_recv = true)
 		native_data = ''
 		native_data << self.native_os + "\x00"
 		native_data << self.native_lm + "\x00"
@@ -898,14 +1259,14 @@ EVADE = Rex::Proto::SMB::Evasions
 	end
-	# Authenticate using extended security negotiation (NTLMv2), but stop half-way, using the temporary ID
-	def session_setup_ntlmv2_temp(domain = '', name = nil, do_recv = true)
+	# Authenticate using extended security negotiation (NTLMSSP), but stop half-way, using the temporary ID
+	def session_setup_with_ntlmssp_temp(domain = '', name = nil, do_recv = true)
 		if (name == nil)
 			name = Rex::Text.rand_text_alphanumeric(16)
 		end
-		blob = UTILS.make_ntlmv2_secblob_init(domain, name)
+		blob = NTLM_UTILS.make_ntlmssp_secblob_init(domain, name)
 		native_data = ''
 		native_data << self.native_os + "\x00"
@@ -934,7 +1295,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		# The server doesn't know about NTLM_NEGOTIATE, try ntlmv1
 		if (ack['Payload']['SMB'].v['ErrorClass'] == 0x00020002)
-			return session_setup_ntlmv1(user, pass, domain)
+			return session_setup_no_ntlmssp(user, pass, domain)
 		end
 		# Make sure the error code tells us to continue processing
@@ -981,7 +1342,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TREE_CONNECT_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 4
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['PasswordLen'] = pass.length + 1
@@ -1008,7 +1376,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TREE_DISCONNECT
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 0
 		pkt['Payload']['SMB'].v['TreeID'] = tree_id
@@ -1037,7 +1412,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 24
 		pkt['Payload'].v['AndX'] = 255
@@ -1071,7 +1453,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_DELETE
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['TreeID'] = tree_id
 		pkt['Payload']['SMB'].v['WordCount'] = 1
@@ -1095,7 +1484,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_OPEN_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 15
 		pkt['Payload'].v['AndX'] = 255
@@ -1125,7 +1521,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_CLOSE
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['TreeID'] = tree_id
 		pkt['Payload']['SMB'].v['WordCount'] = 3
@@ -1140,10 +1543,8 @@ EVADE = Rex::Proto::SMB::Evasions
 		return ack
 	end
 	# Writes data to an open file handle
 	def write(file_id = self.last_file_id, offset = 0, data = '', do_recv = true)
 		pkt = CONST::SMB_WRITE_PKT.make_struct
 		self.smb_defaults(pkt['Payload']['SMB'])
@@ -1153,7 +1554,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2805
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14
 		pkt['Payload'].v['AndX'] = 255
@@ -1184,7 +1592,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_READ_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 10
 		pkt['Payload'].v['AndX'] = 255
@@ -1272,7 +1687,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1343,7 +1765,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1406,7 +1835,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1449,7 +1885,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1488,7 +1931,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1526,7 +1976,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 18
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1757,7 +2214,8 @@ EVADE = Rex::Proto::SMB::Evasions
 # public read/write methods
 	attr_accessor	:native_os, :native_lm, :encrypt_passwords, :extended_security, :read_timeout, :evasion_opts
-	attr_accessor  :system_time, :system_zone
+	attr_accessor	:verify_signature, :use_ntlmv2, :usentlm2_session, :send_lm, :use_lanman_key, :send_ntlm
+	attr_accessor  	:system_time, :system_zone
 # public read methods
 	attr_reader		:dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
@@ -1765,6 +2223,8 @@ EVADE = Rex::Proto::SMB::Evasions
 	attr_reader		:multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
 	attr_reader		:dns_host_name, :dns_domain_name
 	attr_reader		:security_mode, :server_guid
+	#signing related
+	attr_reader		:sequence_counter,:signing_key, :require_signing
 # private methods
 	attr_writer		:dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
@@ -1772,6 +2232,8 @@ EVADE = Rex::Proto::SMB::Evasions
 	attr_writer		:dns_host_name, :dns_domain_name
 	attr_writer		:multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
 	attr_writer		:security_mode, :server_guid
+	#signing related
+	attr_writer		:sequence_counter,:signing_key, :require_signing
 	attr_accessor	:socket