RubyGems - librex - Versions diffs - 0.0.6 → 0.0.7 - Mend

librex 0.0.6 → 0.0.7

Files changed (51) hide show

data/README.md +3 -5
data/Rakefile +26 -0
data/lib/rex/compat.rb +1 -1
data/lib/rex/exploitation/javascriptosdetect.rb +125 -62
data/lib/rex/file.rb +15 -0
data/lib/rex/io/stream.rb +1 -1
data/lib/rex/parser/nmap_xml.rb +6 -0
data/lib/rex/poly/block.rb +9 -0
data/lib/rex/post/meterpreter/client.rb +0 -8
data/lib/rex/post/meterpreter/extensions/priv/priv.rb +6 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +1 -1
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +49 -35
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +26 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +9 -2
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +630 -0
data/lib/rex/post/meterpreter/packet.rb +3 -1
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +143 -57
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +6 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +9 -3
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +6 -4
data/lib/rex/proto.rb +1 -0
data/lib/rex/proto/dhcp/server.rb +4 -2
data/lib/rex/proto/http/packet.rb +5 -6
data/lib/rex/proto/ntlm.rb +7 -0
data/lib/rex/proto/ntlm.rb.ut.rb +177 -0
data/lib/rex/proto/ntlm/base.rb +326 -0
data/lib/rex/proto/ntlm/constants.rb +74 -0
data/lib/rex/proto/ntlm/crypt.rb +340 -0
data/lib/rex/proto/ntlm/exceptions.rb +9 -0
data/lib/rex/proto/ntlm/message.rb +533 -0
data/lib/rex/proto/ntlm/utils.rb +358 -0
data/lib/rex/proto/smb/client.rb +548 -86
data/lib/rex/proto/smb/client.rb.ut.rb +4 -4
data/lib/rex/proto/smb/constants.rb +7 -24
data/lib/rex/proto/smb/crypt.rb +12 -71
data/lib/rex/proto/smb/exceptions.rb +12 -0
data/lib/rex/proto/smb/simpleclient.rb +17 -5
data/lib/rex/proto/smb/utils.rb +3 -460
data/lib/rex/proto/tftp/server.rb +2 -2
data/lib/rex/script/base.rb +2 -2
data/lib/rex/socket.rb +12 -0
data/lib/rex/socket.rb.ut.rb +31 -10
data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +15 -5
data/lib/rex/text.rb +55 -4
data/lib/rex/ui/output.rb +0 -2
data/lib/rex/ui/text/dispatcher_shell.rb +95 -10
data/lib/rex/ui/text/output/buffer.rb +0 -4
data/lib/rex/ui/text/shell.rb +8 -0
data/lib/rex/ui/text/table.rb +21 -1
metadata +15 -19
data/lib/rex/proto/smb/crypt.rb.ut.rb +0 -20

@@ -0,0 +1,358 @@
+module Rex
+module Proto
+module NTLM
+class Utils
+  	#duplicate from lib/rex/proto/smb/utils cause we only need this fonction from Rex::Proto::SMB::Utils
+	# Convert a unix timestamp to a 64-bit signed server time
+	def self.time_unix_to_smb(unix_time)
+		t64 = (unix_time + 11644473600) * 10000000
+		thi = (t64 & 0xffffffff00000000) >> 32
+		tlo = (t64 & 0x00000000ffffffff)
+		return [thi, tlo]
+	end
+	#
+	# Prepends an ASN1 formatted length field to a piece of data
+	#
+	def self.asn1encode(str = '')
+		res = ''
+		# If the high bit of the first byte is 1, it contains the number of
+		# length bytes that follow
+		case str.length
+			when 0 .. 0x7F
+				res = [str.length].pack('C') + str
+			when 0x80 .. 0xFF
+				res = [0x81, str.length].pack('CC') + str
+			when 0x100 .. 0xFFFF
+				res = [0x82, str.length].pack('Cn') + str
+			when  0x10000 .. 0xffffff
+				res = [0x83, str.length >> 16, str.length & 0xFFFF].pack('CCn') + str
+			when  0x1000000 .. 0xffffffff
+				res = [0x84, str.length].pack('CN') + str
+			else
+				raise "ASN1 str too long"
+		end
+		return res
+	end
+	# GSS functions
+	# GSS BLOB usefull for SMB_NEGOCIATE_RESPONSE message
+	# mechTypes: 2 items :
+	# 	-MechType: 1.3.6.1.4.1.311.2.2.30 (SNMPv2-SMI::enterprises.311.2.2.30)
+	# 	-MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
+	#
+	# this is the default on Win7
+	def self.make_simple_negotiate_secblob_resp
+		blob =
+		"\x60" + self.asn1encode(
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)
+						)
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB usefull for SMB_NEGOCIATE_RESPONSE message
+	# mechTypes: 4 items :
+	# 	MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
+	# 	MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
+	# 	MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - User to User)
+	# 	MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
+	# mechListMIC:
+	# 	principal: account@domain
+	def self.make_negotiate_secblob_resp(account, domain)
+		blob =
+		"\x60" + self.asn1encode(
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
+							) +
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)
+						)
+					) +
+					"\xa3" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\xa0" + self.asn1encode(
+								"\x1b" + self.asn1encode(
+									account + '@' + domain
+								)
+							)
+						)
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB usefull for ntlmssp type 1 message
+	def self.make_ntlmssp_secblob_init(domain = 'WORKGROUP', name = 'WORKSTATION', flags=0x80201)
+		blob =
+		"\x60" + self.asn1encode(
+			"\x06" + self.asn1encode(
+				"\x2b\x06\x01\x05\x05\x02"
+			) +
+			"\xa0" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x30" + self.asn1encode(
+							"\x06" + self.asn1encode(
+								"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+							)
+						)
+					) +
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							"NTLMSSP\x00" +
+							[1, flags].pack('VV') +
+							[
+								domain.length,  #length
+								domain.length,  #max length
+								32
+							].pack('vvV') +
+							[
+								name.length,	#length
+								name.length, 	#max length
+								domain.length + 32
+							].pack('vvV') +
+							domain + name
+						)
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB usefull for ntlmssp type 2 message
+	def self.make_ntlmssp_secblob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x0a" + self.asn1encode(
+							"\x01"
+						)
+					) +
+					"\xa1" + self.asn1encode(
+						"\x06" + self.asn1encode(
+							"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
+						)
+					) +
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+						)
+					)
+				)
+			)
+		return blob
+	end
+	# BLOB without GSS usefull for ntlm type 2 message
+	def self.make_ntlmssp_blob_chall(win_domain, win_name, dns_domain, dns_name, chall, flags)
+		addr_list  = ''
+		addr_list  << [2, win_domain.length].pack('vv') + win_domain
+		addr_list  << [1, win_name.length].pack('vv') + win_name
+		addr_list  << [4, dns_domain.length].pack('vv') + dns_domain
+		addr_list  << [3, dns_name.length].pack('vv') + dns_name
+		addr_list  << [0, 0].pack('vv')
+		ptr  = 0
+		blob =	"NTLMSSP\x00" +
+				[2].pack('V') +
+				[
+					win_domain.length,  # length
+					win_domain.length,  # max length
+					(ptr += 48) # offset
+				].pack('vvV') +
+				[ flags ].pack('V') +
+				chall +
+				"\x00\x00\x00\x00\x00\x00\x00\x00" +
+				[
+					addr_list.length,  # length
+					addr_list.length,  # max length
+					(ptr += win_domain.length)
+				].pack('vvV') +
+				win_domain +
+				addr_list
+		return blob
+	end
+	# GSS BLOB Usefull for ntlmssp type 3 message
+	def self.make_ntlmssp_secblob_auth(domain, name, user, lm, ntlm, enc_session_key, flags = 0x080201)
+		lm ||= "\x00" * 24
+		ntlm ||= "\x00" * 24
+		domain_uni = Rex::Text.to_unicode(domain)
+		user_uni   = Rex::Text.to_unicode(user)
+		name_uni   = Rex::Text.to_unicode(name)
+		session    = enc_session_key
+		ptr  = 64
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa2" + self.asn1encode(
+						"\x04" + self.asn1encode(
+							"NTLMSSP\x00" +
+							[ 3 ].pack('V') +
+							[	# Lan Manager Response
+								lm.length,
+								lm.length,
+								(ptr)
+							].pack('vvV') +
+							[	# NTLM Manager Response
+								ntlm.length,
+								ntlm.length,
+								(ptr += lm.length)
+							].pack('vvV') +
+							[	# Domain Name
+								domain_uni.length,
+								domain_uni.length,
+								(ptr += ntlm.length)
+							].pack('vvV') +
+							[	# Username
+								user_uni.length,
+								user_uni.length,
+								(ptr += domain_uni.length)
+							].pack('vvV') +
+							[	# Hostname
+								name_uni.length,
+								name_uni.length,
+								(ptr += user_uni.length)
+							].pack('vvV') +
+							[	# Session Key (none)
+								session.length,
+								session.length,
+								(ptr += name_uni.length)
+							].pack('vvV') +
+							[ flags ].pack('V') +
+							lm +
+							ntlm +
+							domain_uni +
+							user_uni +
+							name_uni +
+							session + "\x00"
+					)
+				)
+			)
+		)
+		return blob
+	end
+	# GSS BLOB Usefull for SMB Success
+	def self.make_ntlmv2_secblob_success
+		blob =
+			"\xa1" + self.asn1encode(
+				"\x30" + self.asn1encode(
+					"\xa0" + self.asn1encode(
+						"\x0a" + self.asn1encode(
+							"\x00"
+						)
+					)
+				)
+			)
+		return blob
+	end
+	# This function return an ntlmv2 client challenge
+	def self.make_ntlmv2_clientchallenge(win_domain, win_name, dns_domain, dns_name, client_challenge = nil, chall_MsvAvTimestamp = nil)
+		client_challenge ||= Rex::Text.rand_text(8)
+		# We have to set the timestamps here to the one in the challenge message from server if present
+		# If we don't do that, recent server like seven will send a STATUS_INVALID_PARAMETER error packet
+		timestamp = chall_MsvAvTimestamp != nil ? chall_MsvAvTimestamp : self.time_unix_to_smb(Time.now.to_i).reverse.pack("VV")
+		# Make those values unicode as requested
+		win_domain = Rex::Text.to_unicode(win_domain)
+		win_name = Rex::Text.to_unicode(win_name)
+		dns_domain = Rex::Text.to_unicode(dns_domain)
+		dns_name = Rex::Text.to_unicode(dns_name)
+		# Make the AV_PAIRs
+		addr_list  = ''
+		addr_list  << [2, win_domain.length].pack('vv') + win_domain
+		addr_list  << [1, win_name.length].pack('vv') + win_name
+		addr_list  << [4, dns_domain.length].pack('vv') + dns_domain
+		addr_list  << [3, dns_name.length].pack('vv') + dns_name
+		addr_list  << [7, 8].pack('vv') + timestamp
+		# MAY BE USEFUL FOR FUTURE
+		# Seven (client) add at least one more av that is of type MsAvRestrictions (8)
+		# maybe this will be usefull with future windows OSs but has no use at all for the moment afaik
+		# restriction_encoding = 	[48,0,0,0].pack("VVV") + # Size, Z4, IntegrityLevel, SubjectIntegrityLevel
+		# 			Rex::Text.rand_text(32)	 # MachineId generated on startup on win7 and above
+		# addr_list  << [8, restriction_encoding.length].pack('vv') + restriction_encoding
+		# Seven (client) and maybe others versions also add an av of type MsvChannelBindings (10) but the hash is "\x00" * 16
+		# addr_list  << [10, 16].pack('vv') + "\x00" * 16
+		# Seven and maybe other versions also add an av of type MsvAvTargetName(9) with value cifs/target(_ip)
+		# implementing it will necessary require knowing the target here, todo... :-/
+		# spn= Rex::Text.to_unicode("cifs/RHOST")
+		# addr_list  << [9, spn.length].pack('vv') + spn
+		addr_list  << [0, 0].pack('vv')
+		ntlm_clientchallenge = 	[1,1,0,0].pack("CCvV") + #RespType, HiRespType, Reserved1, Reserved2
+					timestamp + #Timestamp
+					client_challenge + 	#clientchallenge
+					[0].pack("V")  +	#Reserved3
+					addr_list + "\x00" * 4
+	end
+end
+end
+end
+end

data/lib/rex/proto/smb/client.rb CHANGED

@@ -8,8 +8,11 @@ require 'rex/struct2'
 require 'rex/proto/smb/constants'
 require 'rex/proto/smb/exceptions'
 require 'rex/proto/smb/evasions'
-require 'rex/proto/smb/crypt'
 require 'rex/proto/smb/utils'
+require 'rex/proto/smb/crypt'
+require 'rex/proto/ntlm/crypt'
+require 'rex/proto/ntlm/constants'
+require 'rex/proto/ntlm/utils'
 # Some short-hand class aliases
@@ -18,6 +21,9 @@ CRYPT = Rex::Proto::SMB::Crypt
 UTILS = Rex::Proto::SMB::Utils
 XCEPT = Rex::Proto::SMB::Exceptions
 EVADE = Rex::Proto::SMB::Evasions
+NTLM_CRYPT = Rex::Proto::NTLM::Crypt
+NTLM_CONST = Rex::Proto::NTLM::Constants
+NTLM_UTILS = Rex::Proto::NTLM::Utils
 	def initialize(socket)
 		self.socket = socket
@@ -30,15 +36,28 @@ EVADE = Rex::Proto::SMB::Evasions
 		self.read_timeout = 10
 		self.evasion_opts = {
-		# Padding is performed between packet headers and data
-		'pad_data' => EVADE::EVASION_NONE,
+			# Padding is performed between packet headers and data
+			'pad_data' => EVADE::EVASION_NONE,
-		# File path padding is performed on all open/create calls
-		'pad_file' => EVADE::EVASION_NONE,
+			# File path padding is performed on all open/create calls
+			'pad_file' => EVADE::EVASION_NONE,
-		# Modify the \PIPE\ string in trans_named_pipe calls
-		'obscure_trans_pipe' => EVADE::EVASION_NONE,
+			# Modify the \PIPE\ string in trans_named_pipe calls
+			'obscure_trans_pipe' => EVADE::EVASION_NONE,
 		}
+		self.verify_signature = false
+		self.use_ntlmv2 = false
+		self.usentlm2_session = true
+		self.send_lm = true
+		self.use_lanman_key = false
+		self.send_ntlm  = true
+		# Signing
+		self.sequence_counter = 0
+		self.signing_key      = ''
+		self.require_signing  = false
 	end
 	# Read a SMB packet from the socket
@@ -73,7 +92,17 @@ EVADE = Rex::Proto::SMB::Evasions
 			data << buff
 		end
+		#signing
+		if self.require_signing && self.signing_key != ''
+			if self.verify_signature
+				raise XCEPT::IncorrectSigningError if not CRYPT::is_signature_correct?(self.signing_key,self.sequence_counter,data)
+			end
+			self.sequence_counter += 1
+		end
 		return data
 	end
 	# Send a SMB packet down the socket
@@ -85,6 +114,12 @@ EVADE = Rex::Proto::SMB::Evasions
 		size = 0
 		wait = 0
+		#signing
+		if self.require_signing && self.signing_key != ''
+			data = CRYPT::sign_smb_packet(self.signing_key, self.sequence_counter, data)
+			self.sequence_counter += 1
+		end
 		begin
 			# Just send the packet and return
 			if (size == 0 or size >= data.length)
@@ -121,7 +156,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt = CONST::SMB_BASE_PKT.make_struct
 		pkt.from_s(data)
 		res  = pkt
 		begin
 			case pkt['Payload']['SMB'].v['Command']
@@ -219,14 +254,14 @@ EVADE = Rex::Proto::SMB::Evasions
 	# Process incoming SMB_COM_SESSION_SETUP_ANDX packets
 	def smb_parse_session_setup(pkt, data)
-		# Process NTLMv2 negotiate responses
+		# Process NTLMSSP negotiate responses
 		if (pkt['Payload']['SMB'].v['WordCount'] == 4)
 			res = CONST::SMB_SETUP_NTLMV2_RES_PKT.make_struct
 			res.from_s(data)
 			return res
 		end
-		# Process NTLMv1 and LANMAN responses
+		# Process LANMAN responses
 		if (pkt['Payload']['SMB'].v['WordCount'] == 3)
 			res = CONST::SMB_SETUP_RES_PKT.make_struct
 			res.from_s(data)
@@ -436,7 +471,7 @@ EVADE = Rex::Proto::SMB::Evasions
 	end
 	# Negotiate a SMB dialect
-	def negotiate(extended=true, do_recv = true)
+	def negotiate(smb_extended_security=true, do_recv = true)
 		dialects = ['LANMAN1.0', 'LM1.2X002' ]
@@ -452,7 +487,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		if(extended)
+		if(smb_extended_security)
 			pkt['Payload']['SMB'].v['Flags2'] = 0x2801
 		else
 			pkt['Payload']['SMB'].v['Flags2'] = 0xc001
@@ -460,7 +495,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload'].v['Payload'] = data
-		ret = self.smb_send(pkt.to_s)
+		ret = self.smb_send(pkt.to_s, EVADE::EVASION_NONE)
 		return ret if not do_recv
 		ack = self.smb_recv_parse(CONST::SMB_COM_NEGOTIATE)
@@ -483,6 +518,11 @@ EVADE = Rex::Proto::SMB::Evasions
 		# Set the security mode
 		self.security_mode = ack['Payload'].v['SecurityMode']
+		#set require_signing
+		if (ack['Payload'].v['SecurityMode'] & 0x08 != 0)
+			self.require_signing	= true
+		end
 		# Set the challenge key
 		if (ack['Payload'].v['EncryptionKey'] != nil)
 			self.challenge_key = ack['Payload'].v['EncryptionKey']
@@ -530,15 +570,6 @@ EVADE = Rex::Proto::SMB::Evasions
 		end
 		self.system_zone = system_zone * 60
-		# XXX: this is being commented out because ruby prior to 1.9.2 doesn't
-		# seem to support representing non-utc or local times (eg, a time in
-		# another timezone)  If you know a way to do it in pre-1.9.2 please
-		# tell us!
-=begin
-		# Adjust the system_time object to reflect the remote timezone
-		self.system_time = self.system_time.utc.localtime(system_zone)
-=end
 		return ack
 	end
@@ -547,15 +578,15 @@ EVADE = Rex::Proto::SMB::Evasions
 	def session_setup(*args)
 		if (self.dialect =~ /^(NT LANMAN 1.0|NT LM 0.12)$/)
 			if (self.challenge_key)
-				return self.session_setup_ntlmv1(*args)
+				return self.session_setup_no_ntlmssp(*args)
 			end
 			if ( self.extended_security )
-				return self.session_setup_ntlmv2(*args)
+				return self.session_setup_with_ntlmssp(*args)
 			end
 		end
 		return self.session_setup_clear(*args)
@@ -571,7 +602,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 10
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['MaxBuff'] = 0xffdf
@@ -601,17 +639,36 @@ EVADE = Rex::Proto::SMB::Evasions
 		return ack
 	end
-	# Authenticate using NTLMv1
-	def session_setup_ntlmv1(user = '', pass = '', domain = '', do_recv = true)
+	# Authenticate without NTLMSSP
+	def session_setup_no_ntlmssp(user = '', pass = '', domain = '', do_recv = true)
+		# Requires a challenge key to have been seen during negotiation
 		raise XCEPT::NTLM1MissingChallenge if not self.challenge_key
-		if (pass.length == 65)
-			hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key)
-			hash_nt = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key)
+		#
+		# We can not yet handle signing in this situation
+		# But instead of throwing an exception,we will disable signing, continue and hope for the best.
+		#
+		#raise XCEPT::SigningError if self.require_signing
+		self.require_signing = false if self.require_signing
+		if UTILS.is_pass_ntlm_hash?(pass)
+			arglm = {
+				:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+				:challenge =>  self.challenge_key
+			}
+			hash_lm = NTLM_CRYPT::lm_response(arglm)
+			argntlm = {
+				:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'),
+				:challenge =>  self.challenge_key
+			}
+			hash_nt = NTLM_CRYPT::ntlm_response(argntlm)
 		else
-			hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
-			hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key)   : ''
+			hash_lm = pass.length > 0 ? NTLM_CRYPT.lanman_des(pass, self.challenge_key) : ''
+			hash_nt = pass.length > 0 ? NTLM_CRYPT.ntlm_md4(pass, self.challenge_key)   : ''
 		end
 		data = ''
@@ -660,8 +717,10 @@ EVADE = Rex::Proto::SMB::Evasions
 	end
-	# Authenticate using NTLMv1 with a precomputed hash pair
-	def session_setup_ntlmv1_prehash(user, domain, hash_lm, hash_nt, do_recv = true)
+	# Authenticate without ntlmssp with a precomputed hash pair
+	def session_setup_no_ntlmssp_prehash(user, domain, hash_lm, hash_nt, do_recv = true)
+		raise XCEPT::NTLM2MissingChallenge if self.require_signing
 		data = ''
 		data << hash_lm
@@ -708,14 +767,40 @@ EVADE = Rex::Proto::SMB::Evasions
 		return ack
 	end
-	# Authenticate using extended security negotiation (NTLMv2)
-	def session_setup_ntlmv2(user = '', pass = '', domain = '', name = nil, do_recv = true)
+	# Authenticate using extended security negotiation
+	def session_setup_with_ntlmssp(user = '', pass = '', domain = '', name = nil, do_recv = true)
+		if require_signing
+			ntlmssp_flags = 0xe2088215
+		else
+			ntlmssp_flags = 0xa2080205
+		end
+		if self.usentlm2_session
+			if self.use_ntlmv2
+				#set Negotiate Target Info
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_TARGET_INFO
+			end
+		else
+			#remove the ntlm2_session flag
+			ntlmssp_flags &= 0xfff7ffff
+			#set lanmanflag only when lm and ntlm are sent
+			if self.send_lm
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_LMKEY if self.use_lanman_key
+			end
+		end
+		#we can also downgrade ntlm2_session when we send only lmv1
+		ntlmssp_flags &= 0xfff7ffff if self.usentlm2_session && (not self.use_ntlmv2) && (not self.send_ntlm)
 		if (name == nil)
 			name = Rex::Text.rand_text_alphanumeric(16)
 		end
-		blob = UTILS.make_ntlmv2_secblob_init(domain, name)
+		blob = NTLM_UTILS.make_ntlmssp_secblob_init(domain, name, ntlmssp_flags)
 		native_data = ''
 		native_data << self.native_os + "\x00"
@@ -726,26 +811,33 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2801
+		if require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 12
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['MaxBuff'] = 0xffdf
 		pkt['Payload'].v['MaxMPX'] = 2
 		pkt['Payload'].v['VCNum'] = 1
 		pkt['Payload'].v['SecurityBlobLen'] = blob.length
-		pkt['Payload'].v['Capabilities'] = 0x8000d05c
+		pkt['Payload'].v['Capabilities'] = 0x800000d4
 		pkt['Payload'].v['SessionKey'] = self.session_id
 		pkt['Payload'].v['Payload'] = blob + native_data
 		ret = self.smb_send(pkt.to_s)
 		return ret if not do_recv
 		ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true)
-		# The server doesn't know about NTLM_NEGOTIATE, try ntlmv1
+		# The server doesn't know about NTLM_NEGOTIATE
 		if (ack['Payload']['SMB'].v['ErrorClass'] == 0x00020002)
-			return session_setup_ntlmv1(user, pass, domain)
+			return session_setup_no_ntlmssp(user, pass, domain)
 		end
 		# Make sure the error code tells us to continue processing
@@ -782,62 +874,326 @@ EVADE = Rex::Proto::SMB::Evasions
 		# Extract the address list from the blob
 		alist_len,alist_mlen,alist_off = blob[cidx + 40, 8].unpack("vvV")
 		alist_buf = blob[cidx + alist_off, alist_len]
+		chall_MsvAvTimestamp = nil
 		while(alist_buf.length > 0)
 			atype, alen = alist_buf.slice!(0,4).unpack('vv')
 			break if atype == 0x00
 			addr = alist_buf.slice!(0, alen)
 			case atype
 			when 1
+				#netbios name
 				self.default_name =  addr.gsub("\x00", '')
 			when 2
+				#netbios domain
 				self.default_domain = addr.gsub("\x00", '')
 			when 3
+				#dns name
 				self.dns_host_name =  addr.gsub("\x00", '')
 			when 4
+				#dns domain
 				self.dns_domain_name =  addr.gsub("\x00", '')
 			when 5
-				# unknown
+				#The FQDN of the forest.
+			when 6
+				#A 32-bit value indicating server or client configuration
 			when 7
-				# client time
+				#Client time
+				chall_MsvAvTimestamp = addr
+			when 8
+				#A Restriction_Encoding structure
+			when 9
+				#The SPN of the target server.
+			when 10
+				#A channel bindings hash.
 			end
 		end
+		#calculate the lm/ntlm response
+		resp_lm = "\x00" * 24
+		resp_ntlm = "\x00" * 24
-		# Generate a random client-side challenge
 		client_challenge = Rex::Text.rand_text(8)
+		ntlm_cli_challenge = ''
+		if self.send_ntlm  #should be default
+			if self.usentlm2_session
+				if self.use_ntlmv2
+				# This is only a partial implementation, in some situation recent servers may send STATUS_INVALID_PARAMETER
+				# answer must then be somewhere in [MS-NLMP].pdf around 3.1.5.2.1 :-/
+					ntlm_cli_challenge = NTLM_UTILS::make_ntlmv2_clientchallenge(default_domain, default_name, dns_domain_name,
+												dns_host_name,client_challenge , chall_MsvAvTimestamp)
+					if UTILS.is_pass_ntlm_hash?(pass)
+						argntlm = {
+							:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(
+												user,
+												[ pass.upcase()[33,65] ].pack('H32'),
+												domain,{:pass_is_hash => true}
+											),
+							:challenge   => self.challenge_key
+						}
+					else
+						argntlm = {
+							:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(user, pass, domain),
+							:challenge   => self.challenge_key
+						}
+					end
+					optntlm = { :nt_client_challenge => ntlm_cli_challenge}
+					ntlmv2_response = NTLM_CRYPT::ntlmv2_response(argntlm,optntlm)
+					resp_ntlm = ntlmv2_response
+					if self.send_lm
+						if UTILS.is_pass_ntlm_hash?(pass)
+							arglm = {
+								:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(
+													user,
+													[ pass.upcase()[33,65] ].pack('H32'),
+													domain,{:pass_is_hash => true}
+												),
+								:challenge   => self.challenge_key
+							}
+						else
+							arglm = {
+								:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(user,pass, domain),
+								:challenge   => self.challenge_key
+							}
+						end
+						optlm = { :client_challenge => client_challenge }
+						resp_lm = NTLM_CRYPT::lmv2_response(arglm, optlm)
+					else
+						resp_lm = "\x00" * 24
+					end
+				else # ntlm2_session
+					if UTILS.is_pass_ntlm_hash?(pass)
+						argntlm = {
+							:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'),
+							:challenge => self.challenge_key
+						}
+					else
+						argntlm = {
+							:ntlm_hash =>  NTLM_CRYPT::ntlm_hash(pass),
+							:challenge => self.challenge_key
+						}
+					end
+					optntlm = {	:client_challenge => client_challenge}
+					resp_ntlm = NTLM_CRYPT::ntlm2_session(argntlm,optntlm).join[24,24]
+					# Generate the fake LANMAN hash
+					resp_lm = client_challenge + ("\x00" * 16)
+				end
-		# Generate the nonce
-		nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)
-		# Generate the NTLM hash
-		if (pass.length == 65)
-			resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8])
-		else
-			resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
-		end
+			else # we use lmv1/ntlmv1
+				if UTILS.is_pass_ntlm_hash?(pass)
+					argntlm = {
+						:ntlm_hash =>  [ pass.upcase()[33,65] ].pack('H32'),
+						:challenge =>  self.challenge_key
+					}
+				else
+					argntlm = {
+						:ntlm_hash =>  NTLM_CRYPT::ntlm_hash(pass),
+						:challenge =>  self.challenge_key
+					}
+				end
+				resp_ntlm = NTLM_CRYPT::ntlm_response(argntlm)
+				if self.send_lm
+					if UTILS.is_pass_ntlm_hash?(pass)
+						arglm = {
+							:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+							:challenge =>  self.challenge_key
+						}
+					else
+						arglm = {
+							:lm_hash => NTLM_CRYPT::lm_hash(pass),
+							:challenge =>  self.challenge_key
+						}
+					end
+					resp_lm = NTLM_CRYPT::lm_response(arglm)
+				else
+					#when windows does not send lm in ntlmv1 type response,
+					# it gives lm response the same value as ntlm response
+					resp_lm  = resp_ntlm
+				end
+			end
+		else #send_ntlm = false
+			#lmv2
+			if self.usentlm2_session && self.use_ntlmv2
+				if UTILS.is_pass_ntlm_hash?(pass)
+					arglm = {
+						:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(
+											user,
+											[ pass.upcase()[33,65] ].pack('H32'),
+											domain,{:pass_is_hash => true}
+										),
+						:challenge => self.challenge_key
+					}
+				else
+					arglm = {
+						:ntlmv2_hash =>  NTLM_CRYPT::ntlmv2_hash(user,pass, domain),
+						:challenge => self.challenge_key
+					}
+				end
+				optlm = { :client_challenge => client_challenge }
+				resp_lm = NTLM_CRYPT::lmv2_response(arglm, optlm)
+			else
+				if UTILS.is_pass_ntlm_hash?(pass)
+					arglm = {
+						:lm_hash => [ pass.upcase()[0,32] ].pack('H32'),
+						:challenge =>  self.challenge_key
+					}
+				else
+					arglm = {
+						:lm_hash => NTLM_CRYPT::lm_hash(pass),
+						:challenge =>  self.challenge_key
+					}
+				end
+				resp_lm = NTLM_CRYPT::lm_response(arglm)
+			end
+			resp_ntlm = ""
+		end
+		# Create the sessionkey (aka signing key, aka mackey) and encrypted session key
+		# Server will decide for key_size and key_exchange
+		enc_session_key = ''
+		if self.require_signing
+			server_ntlmssp_flags = blob[cidx + 20, 4].unpack("V")[0]
+			# Set default key size and key exchange values
+			key_size = 40
+			key_exchange = false
+			# Remove ntlmssp.negotiate56
+			ntlmssp_flags &= 0x7fffffff
+			# Remove ntlmssp.negotiatekeyexch
+			ntlmssp_flags &= 0xbfffffff
+			# Remove ntlmssp.negotiate128
+			ntlmssp_flags &= 0xdfffffff
+			# Check the keyexchange
+			if server_ntlmssp_flags & NTLM_CONST::NEGOTIATE_KEY_EXCH != 0 then
+				key_exchange = true
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_KEY_EXCH
+			end
+			# Check 128bits
+			if server_ntlmssp_flags & NTLM_CONST::NEGOTIATE_128 != 0 then
+				key_size = 128
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_128
+				ntlmssp_flags |= NTLM_CONST::NEGOTIATE_56
+			# Check 56bits
+			else
+				if server_ntlmssp_flags & NTLM_CONST::NEGOTIATE_56 != 0 then
+					key_size = 56
+					ntlmssp_flags |= NTLM_CONST::NEGOTIATE_56
+				end
+			end
-		# Generate the fake LANMAN hash
-		resp_lmv2 = client_challenge + ("\x00" * 16)
+			# Generate the user session key
+			lanman_weak = false
+			if self.send_ntlm  # Should be default
+				if self.usentlm2_session
+					if self.use_ntlmv2
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::ntlmv2_user_session_key(user,
+													[ pass.upcase()[33,65] ].pack('H32'),
+											 		domain,
+													self.challenge_key, ntlm_cli_challenge,
+													{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::ntlmv2_user_session_key(user, pass, domain,
+												self.challenge_key, ntlm_cli_challenge)
+						end
+					else
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::ntlm2_session_user_session_key([ pass.upcase()[33,65] ].pack('H32'),
+															self.challenge_key,
+															client_challenge,
+															{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::ntlm2_session_user_session_key(pass, self.challenge_key,
+															client_challenge)
+						end
+					end
+				else # lmv1/ntlmv1
+					if self.send_lm
+						if self.use_lanman_key
+							if UTILS.is_pass_ntlm_hash?(pass)
+								user_session_key = NTLM_CRYPT::lanman_session_key([ pass.upcase()[0,32] ].pack('H32'),
+														self.challenge_key,
+														{:pass_is_hash => true})
+							else
+								user_session_key = NTLM_CRYPT::lanman_session_key(pass, self.challenge_key)
+							end
+							lanman_weak = true
+						else
+							if UTILS.is_pass_ntlm_hash?(pass)
+								user_session_key = NTLM_CRYPT::ntlmv1_user_session_key([ pass.upcase()[33,65] ].pack('H32'),
+															{:pass_is_hash => true})
+							else
+								user_session_key = NTLM_CRYPT::ntlmv1_user_session_key(pass)
+							end
+						end
+					end
+				end
+			else
+					if self.usentlm2_session && self.use_ntlmv2
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::lmv2_user_session_key(user, [ pass.upcase()[33,65] ].pack('H32'),
+													domain,
+													self.challenge_key, client_challenge,
+													{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::lmv2_user_session_key(user, pass, domain,
+													self.challenge_key, client_challenge)
+						end
+					else
+						if UTILS.is_pass_ntlm_hash?(pass)
+							user_session_key = NTLM_CRYPT::lmv1_user_session_key([ pass.upcase()[0,32] ].pack('H32'),
+														{:pass_is_hash => true})
+						else
+							user_session_key = NTLM_CRYPT::lmv1_user_session_key(pass)
+						end
+					end
+			end
-		# Create the ntlmv2 security blob data
-		blob = UTILS.make_ntlmv2_secblob_auth(domain, name, user, resp_lmv2, resp_ntlm)
+			user_session_key = NTLM_CRYPT::make_weak_sessionkey(user_session_key,key_size, lanman_weak)
+			self.sequence_counter = 0
+			# Sessionkey and encrypted session key
+			if key_exchange
+				self.signing_key = Rex::Text.rand_text(16)
+				enc_session_key = NTLM_CRYPT::encrypt_sessionkey(self.signing_key, user_session_key)
+			else
+				self.signing_key = user_session_key
+			end
+		end
+		# Create the security blob data
+		blob = NTLM_UTILS.make_ntlmssp_secblob_auth(domain, name, user, resp_lm, resp_ntlm, enc_session_key, ntlmssp_flags)
 		pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct
 		self.smb_defaults(pkt['Payload']['SMB'])
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2801
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 12
 		pkt['Payload']['SMB'].v['UserID'] = temp_user_id
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['MaxBuff'] = 0xffdf
 		pkt['Payload'].v['MaxMPX'] = 2
 		pkt['Payload'].v['VCNum'] = 1
-		pkt['Payload'].v['SecurityBlobLen'] = blob.length
 		pkt['Payload'].v['Capabilities'] = 0x8000d05c
 		pkt['Payload'].v['SessionKey'] = self.session_id
+		pkt['Payload'].v['SecurityBlobLen'] = blob.length
 		pkt['Payload'].v['Payload'] = blob + native_data
 		# NOTE: if do_recv is set to false, we cant reach here...
@@ -847,8 +1203,13 @@ EVADE = Rex::Proto::SMB::Evasions
 		# Make sure that authentication succeeded
 		if (ack['Payload']['SMB'].v['ErrorClass'] != 0)
 			if (user.length == 0)
-				return self.session_setup_ntlmv1(user, pass, domain)
+				# Ensure that signing is disabled when we hit this corner case
+				self.require_signing = false
+				# Fall back to the non-ntlmssp authentication method
+				return self.session_setup_no_ntlmssp(user, pass, domain)
 			end
 			failure = XCEPT::ErrorCode.new
@@ -869,7 +1230,7 @@ EVADE = Rex::Proto::SMB::Evasions
 	# An exploit helper function for sending arbitrary SPNEGO blobs
-	def session_setup_ntlmv2_blob(blob = '', do_recv = true)
+	def session_setup_with_ntlmssp_blob(blob = '', do_recv = true)
 		native_data = ''
 		native_data << self.native_os + "\x00"
 		native_data << self.native_lm + "\x00"
@@ -898,14 +1259,14 @@ EVADE = Rex::Proto::SMB::Evasions
 	end
-	# Authenticate using extended security negotiation (NTLMv2), but stop half-way, using the temporary ID
-	def session_setup_ntlmv2_temp(domain = '', name = nil, do_recv = true)
+	# Authenticate using extended security negotiation (NTLMSSP), but stop half-way, using the temporary ID
+	def session_setup_with_ntlmssp_temp(domain = '', name = nil, do_recv = true)
 		if (name == nil)
 			name = Rex::Text.rand_text_alphanumeric(16)
 		end
-		blob = UTILS.make_ntlmv2_secblob_init(domain, name)
+		blob = NTLM_UTILS.make_ntlmssp_secblob_init(domain, name)
 		native_data = ''
 		native_data << self.native_os + "\x00"
@@ -934,7 +1295,7 @@ EVADE = Rex::Proto::SMB::Evasions
 		# The server doesn't know about NTLM_NEGOTIATE, try ntlmv1
 		if (ack['Payload']['SMB'].v['ErrorClass'] == 0x00020002)
-			return session_setup_ntlmv1(user, pass, domain)
+			return session_setup_no_ntlmssp(user, pass, domain)
 		end
 		# Make sure the error code tells us to continue processing
@@ -981,7 +1342,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TREE_CONNECT_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 4
 		pkt['Payload'].v['AndX'] = 255
 		pkt['Payload'].v['PasswordLen'] = pass.length + 1
@@ -1008,7 +1376,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TREE_DISCONNECT
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 0
 		pkt['Payload']['SMB'].v['TreeID'] = tree_id
@@ -1037,7 +1412,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 24
 		pkt['Payload'].v['AndX'] = 255
@@ -1071,7 +1453,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_DELETE
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['TreeID'] = tree_id
 		pkt['Payload']['SMB'].v['WordCount'] = 1
@@ -1095,7 +1484,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_OPEN_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 15
 		pkt['Payload'].v['AndX'] = 255
@@ -1125,7 +1521,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_CLOSE
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['TreeID'] = tree_id
 		pkt['Payload']['SMB'].v['WordCount'] = 3
@@ -1140,10 +1543,8 @@ EVADE = Rex::Proto::SMB::Evasions
 		return ack
 	end
 	# Writes data to an open file handle
 	def write(file_id = self.last_file_id, offset = 0, data = '', do_recv = true)
 		pkt = CONST::SMB_WRITE_PKT.make_struct
 		self.smb_defaults(pkt['Payload']['SMB'])
@@ -1153,7 +1554,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2805
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14
 		pkt['Payload'].v['AndX'] = 255
@@ -1184,7 +1592,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_READ_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 10
 		pkt['Payload'].v['AndX'] = 255
@@ -1272,7 +1687,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1343,7 +1765,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1406,7 +1835,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1449,7 +1885,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1488,7 +1931,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1526,7 +1976,14 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
-		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
+		if self.require_signing
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] = 0x2807
+		else
+			#ascii
+			pkt['Payload']['SMB'].v['Flags2'] =  0x2801
+		end
 		pkt['Payload']['SMB'].v['WordCount'] = 18
 		pkt['Payload'].v['ParamCountTotal'] = param.length
@@ -1757,7 +2214,8 @@ EVADE = Rex::Proto::SMB::Evasions
 # public read/write methods
 	attr_accessor	:native_os, :native_lm, :encrypt_passwords, :extended_security, :read_timeout, :evasion_opts
-	attr_accessor  :system_time, :system_zone
+	attr_accessor	:verify_signature, :use_ntlmv2, :usentlm2_session, :send_lm, :use_lanman_key, :send_ntlm
+	attr_accessor  	:system_time, :system_zone
 # public read methods
 	attr_reader		:dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
@@ -1765,6 +2223,8 @@ EVADE = Rex::Proto::SMB::Evasions
 	attr_reader		:multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
 	attr_reader		:dns_host_name, :dns_domain_name
 	attr_reader		:security_mode, :server_guid
+	#signing related
+	attr_reader		:sequence_counter,:signing_key, :require_signing
 # private methods
 	attr_writer		:dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
@@ -1772,6 +2232,8 @@ EVADE = Rex::Proto::SMB::Evasions
 	attr_writer		:dns_host_name, :dns_domain_name
 	attr_writer		:multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
 	attr_writer		:security_mode, :server_guid
+	#signing related
+	attr_writer		:sequence_counter,:signing_key, :require_signing
 	attr_accessor	:socket