packetgen-plugin-smb 0.5.0 → 0.6.3

data/lib/packetgen/plugin/netbios/session.rb

@@ -1,10 +1,10 @@
+# frozen_string_literal: true
+
 # This file is part of PacketGen
 # See https://github.com/sdaubert/packetgen-plugin-smb for more informations
 # Copyright (C) 2016 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
-
 module PacketGen::Plugin
   # Module to group all NetBIOS headers
   # @author Sylvain Daubert
@@ -25,12 +25,12 @@ module PacketGen::Plugin
 
       # Session packet types
       TYPES = {
-        'message'           => 0,
-        'request'           => 0x81,
+        'message' => 0,
+        'request' => 0x81,
         'positive_response' => 0x82,
         'negative_response' => 0x83,
         'retarget_response' => 0x84,
-        'keep_alive'        => 0x85,
+        'keep_alive' => 0x85,
       }.freeze
 
       # @!attribute type

data/lib/packetgen/plugin/netbios.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # This file is part of PacketGen
 # See https://github.com/sdaubert/packetgen-plugin-smb for more informations
 # Copyright (C) 2016 Sylvain Daubert <sylvain.daubert@laposte.net>

data/lib/packetgen/plugin/ntlm/authenticate.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  class NTLM
+    # NTLM Challenge message
+    # @author Sylvain Daubert
+    class Authenticate < NTLM
+      # void MIC
+      VOID_MIC = ([0] * 16).pack('C').freeze
+
+      update_field :type, default: NTLM::TYPES['authenticate']
+
+      # @!attribute lm_response
+      #   A LM_RESPONSE or LMV2_RESPONSE structure that contains the computed
+      #   LM response to the challenge.
+      #   @return [PacketGen::Types::String]
+      # @!attribute lm_response_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#lm_response} in {#payload}.
+      #   @return [Integer]
+      # @!attribute lm_response_maxlen
+      #   16-bit unsigned integer that should be equal to {#lm_response_len}.
+      #   @return [Integer]
+      # @!attribute lm_response_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the AUTHENTICATE MESSAGE to {#lm_response} in {#payload}.
+      #   @return [Integer]
+      define_in_payload :lm_response, PacketGen::Types::String
+
+      # @!attribute nt_response
+      #   A NTLM_RESPONSE or NTLMV2_RESPONSE structure that contains the computed
+      #   NT response to the challenge.
+      #   @return [Ntlmv2Response]
+      # @!attribute nt_response_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#nt_response} in {#payload}.
+      #   @return [Integer]
+      # @!attribute nt_response_maxlen
+      #   16-bit unsigned integer that should be equal to {#nt_response_len}.
+      #   @return [Integer]
+      # @!attribute nt_response_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the AUTHENTICATE MESSAGE to {#nt_response} in {#payload}.
+      #   @return [Integer]
+      define_in_payload :nt_response, Ntlmv2Response
+
+      # @!attribute domain_name
+      #  Name of the client authentication domain.
+      #  @return [SMB::String]
+      # @!attribute domain_name_len
+      #  2-byte {#domain_name} length
+      #  @return [Integer]
+      # @!attribute domain_name_maxlen
+      #  2-byte {#domain_name} max length. Should be equal to {#domain_name_len}.
+      #  @return [Integer]
+      # @!attribute domain_name_offset
+      #  4-byte {#domain_name} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}
+      #  @return [Integer]
+      define_in_payload :domain_name, SMB::String, null_terminated: false
+
+      # @!attribute user_name
+      #  Name of the user to be authenticated.
+      #  @return [SMB::String]
+      # @!attribute user_name_len
+      #  2-byte {#user_name} length
+      #  @return [Integer]
+      # @!attribute user_name_maxlen
+      #  2-byte {#user_name} max length. Should be equal to {#user_name_len}.
+      #  @return [Integer]
+      # @!attribute user_name_offset
+      #  4-byte {#user_name} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}
+      #  @return [Integer]
+      define_in_payload :user_name, SMB::String, null_terminated: false
+
+      # @!attribute workstation
+      #  Name of the client machine.
+      #  @return [SMB::String]
+      # @!attribute workstation_len
+      #  2-byte {#workstation} length
+      #  @return [Integer]
+      # @!attribute workstation_maxlen
+      #  2-byte {#workstation} max length. Should be equal to {#workstation_len}.
+      #  @return [Integer]
+      # @!attribute workstation_offset
+      #  4-byte {#workstation} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}
+      #  @return [Integer]
+      define_in_payload :workstation, SMB::String, null_terminated: false
+
+      # @!attribute session_key
+      #  The client's encrypted random session key. On
+      #  @return [PacketGen::Types::String]
+      # @!attribute session_key_len
+      #  2-byte {#session_key} length
+      #  @return [Integer]
+      # @!attribute session_key_maxlen
+      #  2-byte {#session_key} max length. Should be equal to {#session_key_len}.
+      #  @return [Integer]
+      # @!attribute session_key_offset
+      #  4-byte {#session_key} offset from  the beginning of the AUTHENTICATE
+      #  MESSAGE in {#payload}.
+      #  @return [Integer]
+      define_in_payload :session_key, PacketGen::Types::String
+
+      # @!attribute flags
+      #   Negotiate flags
+      #   @return [Integer]
+
+      # @!group Negotiate flags
+      # @!attribute nego56?
+      #   Also known as +flags_w?+.
+      #   @return [Boolean]
+      # @!attribute key_exch?
+      #   Also known as +flags_v?+
+      #   @return [Boolean]
+      # @!attribute nego128?
+      #   Also known as +flags_u?+
+      #   @return [Boolean]
+      # @!attribute version?
+      #   Also known as +flags_t+
+      #   @return [Integer]
+      # @!attribute target_info?
+      #   Also known as +flags_s?+
+      #   @return [Boolean]
+      # @!attribute non_nt_session_key?
+      #   Also known as +flags_r?+
+      #   @return [Boolean]
+      # @!attribute identify?
+      #   Also known as +flags_q+
+      #   @return [Boolean]
+      # @!attribute ext_session_security?
+      #   Also known as +flags_p?+
+      #   @return [Boolean]
+      # @!attribute target_type_server?
+      #   Also known as +flags_o?+
+      #   @return [Boolean]
+      # @!attribute target_type_domain?
+      #   Also known as +flags_n?+
+      #   @return [Boolean]
+      # @!attribute always_sign?
+      #   Also known as +flags_m?+
+      #   @return [Boolean]
+      # @!attribute oem_target_info_supplied?
+      #   Also known as +flags_l?+
+      #   @return [Boolean]
+      # @!attribute oem_domain_supplied?
+      #   Also known as +flags_k?+
+      #   @return [Boolean]
+      # @!attribute anonymous?
+      #   Also known as +flags_j?+
+      #   @return [Boolean]
+      # @!attribute ntlm?
+      #   Also known as +flags_h?+
+      #   @return [Boolean]
+      # @!attribute lm_key?
+      #   Also known as +flags_g?+
+      #   @return [Boolean]
+      # @!attribute datagram?
+      #   Also known as +flags_f?+
+      #   @return [Boolean]
+      # @!attribute seal?
+      #   Also known as +flags_e?+
+      #   @return [Boolean]
+      # @!attribute sign?
+      #   Also known as +flags_d?+
+      #   @return [Boolean]
+      # @!attribute request_target?
+      #   Also known as +flags_c?+
+      #   @return [Boolean]
+      # @!attribute oem?
+      #   Also known as +flags_b?+
+      #   @return [Boolean]
+      # @!attribute unicode?
+      #   Also known as +flags_a?+
+      #   @return [Boolean]
+      define_negotiate_flags
+      # @!endgroup Negotiate flags
+
+      # @!attribute version
+      #  8-byte version information
+      #  @return [String]
+      define_field_before :payload, :version, PacketGen::Types::String, static_length: 8, default: VOID_VERSION
+
+      # @!attribute mic
+      #  16-byte message integrity code
+      #  @return [String]
+      define_field_before :payload, :mic, PacketGen::Types::String, static_length: 16, default: VOID_MIC
+    end
+  end
+end

data/lib/packetgen/plugin/ntlm/av_pair.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  class NTLM
+    # Known AvPair IDs
+    AVPAIR_TYPES = {
+      'EOL' => 0,
+      'ComputerName' => 1,
+      'DomainName' => 2,
+      'DnsComputerName' => 3,
+      'DnsDomainName' => 4,
+      'DnsTreeName' => 5,
+      'Flags' => 6,
+      'Timestamp' => 7,
+      'SingleHost' => 8,
+      'TargetName' => 9,
+      'ChannelBindings' => 10
+    }.freeze
+
+    # AVPAIR structure, with value of type {SMB::String}.
+    AvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                  length_class: PacketGen::Types::Int16le,
+                                                  value_class: SMB::String)
+    AvPair.define_type_enum AVPAIR_TYPES
+
+    class AvPair
+      def initialize(options={})
+        super
+        self[:value] = self[:value].class.new(null_terminated: false).read(self.value)
+      end
+    end
+
+    # EOL AVPAIR structure, with no value
+    EOLAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                     length_class: PacketGen::Types::Int16le)
+    EOLAvPair.define_type_enum AVPAIR_TYPES
+
+    # Timestamp AVPAIR structure, with value of type {SMB::Filetime}.
+    TimestampAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                           length_class: PacketGen::Types::Int16le,
+                                                           value_class: SMB::Filetime)
+    TimestampAvPair.define_type_enum AVPAIR_TYPES
+
+    # Int32le AVPAIR structure, with value a {PacketGen::Types::Int32le}.
+    Int32leAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                         length_class: PacketGen::Types::Int16le,
+                                                         value_class: PacketGen::Types::Int32le)
+    Int32leAvPair.define_type_enum AVPAIR_TYPES
+
+    # String AVPAIR structure, with value a {PacketGen::Types::String}.
+    StringAvPair = PacketGen::Types::AbstractTLV.create(type_class: PacketGen::Types::Int16leEnum,
+                                                        length_class: PacketGen::Types::Int16le,
+                                                        value_class: PacketGen::Types::String)
+    StringAvPair.define_type_enum AVPAIR_TYPES
+
+    # Specialized array containing {AvPair AvPairs}.
+    class ArrayOfAvPair < PacketGen::Types::Array
+      set_of AvPair
+
+      # Get unicode property
+      # @return [Boolean]
+      attr_reader :unicode
+      alias unicode? unicode
+
+      # Set unicode property
+      # @param [Boolean] unicode
+      # @return [Boolean]
+      def unicode=(unicode)
+        @unicode = unicode
+        each { |avpair| avpair.value.unicode = unicode if avpair.value.respond_to? :unicode= }
+        unicode
+      end
+
+      # @return [String]
+      def to_s
+        self.unicode = unicode
+        super
+      end
+
+      private
+
+      def record_from_hash(hsh)
+        obj = AvPair.new(type: hsh[:type])
+        klass = real_type(obj)
+
+        avpair = klass.new
+        avpair.type = hsh[:type]
+        avpair[:value].unicode = unicode? if avpair[:value].respond_to?(:unicode=)
+        avpair[:value].read(hsh[:value])
+        avpair.length = hsh[:length] || avpair[:value].sz
+        avpair
+      end
+
+      def real_type(obj)
+        case obj.type
+        when AVPAIR_TYPES['EOL']
+          EOLAvPair
+        when AVPAIR_TYPES['Timestamp']
+          TimestampAvPair
+        when AVPAIR_TYPES['Flags']
+          Int32leAvPair
+        when AVPAIR_TYPES['SingleHost'], AVPAIR_TYPES['ChannelBindings']
+          StringAvPair
+        else
+          AvPair
+        end
+      end
+    end
+  end
+end

data/lib/packetgen/plugin/ntlm/challenge.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  class NTLM
+    # NTLM Challenge message
+    # @author Sylvain Daubert
+    class Challenge < NTLM
+      update_field :type, default: NTLM::TYPES['challenge']
+
+      # @!attribute target_name
+      #   Name of the server authentication realm. Must be expressed in the
+      #   negotiated character set.
+      #   @return [SMB::String]
+      # @!attribute target_name_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#target_name} in {#payload}. This field is set only if {#request_target?}
+      #   is set.
+      #   @return [Integer]
+      # @!attribute target_name_maxlen
+      #   16-bit unsigned integer that should be equal to {#target_name_len}.
+      #   @return [Integer]
+      # @!attribute target_name_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the CHALLENGE MESSAGE to {#target_name} in {#payload}.
+      #   This field is set only if {#request_target?} is set.
+      #   @return [Integer]
+      define_in_payload :target_name, SMB::String, null_terminated: false
+
+      # @!attribute flags
+      #   Negotiate flags
+      #   @return [Integer]
+
+      # @!group Negotiate flags
+      # @!attribute nego56?
+      #   Also known as +flags_w?+.
+      #   @return [Boolean]
+      # @!attribute key_exch?
+      #   Also known as +flags_v?+
+      #   @return [Boolean]
+      # @!attribute nego128?
+      #   Also known as +flags_u?+
+      #   @return [Boolean]
+      # @!attribute version?
+      #   Also known as +flags_t+
+      #   @return [Integer]
+      # @!attribute target_info?
+      #   Also known as +flags_s?+
+      #   @return [Boolean]
+      # @!attribute non_nt_session_key?
+      #   Also known as +flags_r?+
+      #   @return [Boolean]
+      # @!attribute identify?
+      #   Also known as +flags_q+
+      #   @return [Boolean]
+      # @!attribute ext_session_security?
+      #   Also known as +flags_p?+
+      #   @return [Boolean]
+      # @!attribute target_type_server?
+      #   Also known as +flags_o?+
+      #   @return [Boolean]
+      # @!attribute target_type_domain?
+      #   Also known as +flags_n?+
+      #   @return [Boolean]
+      # @!attribute always_sign?
+      #   Also known as +flags_m?+
+      #   @return [Boolean]
+      # @!attribute oem_target_info_supplied?
+      #   Also known as +flags_l?+
+      #   @return [Boolean]
+      # @!attribute oem_domain_supplied?
+      #   Also known as +flags_k?+
+      #   @return [Boolean]
+      # @!attribute anonymous?
+      #   Also known as +flags_j?+
+      #   @return [Boolean]
+      # @!attribute ntlm?
+      #   Also known as +flags_h?+
+      #   @return [Boolean]
+      # @!attribute lm_key?
+      #   Also known as +flags_g?+
+      #   @return [Boolean]
+      # @!attribute datagram?
+      #   Also known as +flags_f?+
+      #   @return [Boolean]
+      # @!attribute seal?
+      #   Also known as +flags_e?+
+      #   @return [Boolean]
+      # @!attribute sign?
+      #   Also known as +flags_d?+
+      #   @return [Boolean]
+      # @!attribute request_target?
+      #   Also known as +flags_c?+
+      #   @return [Boolean]
+      # @!attribute oem?
+      #   Also known as +flags_b?+
+      #   @return [Boolean]
+      # @!attribute unicode?
+      #   Also known as +flags_a?+
+      #   @return [Boolean]
+      define_negotiate_flags
+      # @!endgroup Negotiate flags
+
+      # @!attribute challenge
+      #   64-bit value containing the NTLM challenge.
+      #   @return [String]
+      define_field_before :payload, :challenge, PacketGen::Types::String, static_length: 8, default: VOID_CHALLENGE
+      # @!attribute reserved
+      #   64-bit reserved field
+      #   @return [Integer]
+      define_field_before :payload, :reserved, PacketGen::Types::Int64le
+
+      # @!attribute target_info
+      #   @return [ArrayOfAvPair]
+      # @!attribute target_info_len
+      #   16-bit unsigned integer that defines the size in bytes of
+      #   {#target_info} in {#payload}. This field is set only if {#target_info?}
+      #   is set.
+      #   @return [Integer]
+      # @!attribute target_info_maxlen
+      #   16-bit unsigned integer that should be equal to {#target_info_len}.
+      #   @return [Integer]
+      # @!attribute target_info_offset
+      #   A 32-bit unsigned integer that defines the offset, in bytes, from
+      #   the beginning of the CHALLENGE MESSAGE to {#target_info} in {#payload}.
+      #   This field is set only if {#target_info?} is set.
+      #   @return [Integer]
+      define_in_payload :target_info, ArrayOfAvPair
+
+      # @!attribute version
+      #  8-byte version information
+      #  @return [String]
+      define_field_before :payload, :version, PacketGen::Types::String, static_length: 8, default: VOID_VERSION
+    end
+  end
+end

data/lib/packetgen/plugin/ntlm/negotiate.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  class NTLM
+    # NTLM Negotiate message
+    # @author Sylvain Daubert
+    class Negotiate < NTLM
+      # @return [String]
+      attr_accessor :domain_name
+      # @return [String]
+      attr_accessor :workstation
+
+      update_field :type, default: NTLM::TYPES['negotiate']
+      # @!attribute flags
+      #   Negotiate flags
+      #   @return [Integer]
+
+      # @!group Negotiate flags
+      # @!attribute nego56?
+      #   Also known as +flags_w?+.
+      #   @return [Boolean]
+      # @!attribute key_exch?
+      #   Also known as +flags_v?+
+      #   @return [Boolean]
+      # @!attribute nego128?
+      #   Also known as +flags_u?+
+      #   @return [Boolean]
+      # @!attribute version?
+      #   Also known as +flags_t+
+      #   @return [Integer]
+      # @!attribute target_info?
+      #   Also known as +flags_s?+
+      #   @return [Boolean]
+      # @!attribute non_nt_session_key?
+      #   Also known as +flags_r?+
+      #   @return [Boolean]
+      # @!attribute identify?
+      #   Also known as +flags_q+
+      #   @return [Boolean]
+      # @!attribute ext_session_security?
+      #   Also known as +flags_p?+
+      #   @return [Boolean]
+      # @!attribute target_type_server?
+      #   Also known as +flags_o?+
+      #   @return [Boolean]
+      # @!attribute target_type_domain?
+      #   Also known as +flags_n?+
+      #   @return [Boolean]
+      # @!attribute always_sign?
+      #   Also known as +flags_m?+
+      #   @return [Boolean]
+      # @!attribute oem_workstation_supplied?
+      #   Also known as +flags_l?+
+      #   @return [Boolean]
+      # @!attribute oem_domain_supplied?
+      #   Also known as +flags_k?+
+      #   @return [Boolean]
+      # @!attribute anonymous?
+      #   Also known as +flags_j?+
+      #   @return [Boolean]
+      # @!attribute ntlm?
+      #   Also known as +flags_h?+
+      #   @return [Boolean]
+      # @!attribute lm_key?
+      #   Also known as +flags_g?+
+      #   @return [Boolean]
+      # @!attribute datagram?
+      #   Also known as +flags_f?+
+      #   @return [Boolean]
+      # @!attribute seal?
+      #   Also known as +flags_e?+
+      #   @return [Boolean]
+      # @!attribute sign?
+      #   Also known as +flags_d?+
+      #   @return [Boolean]
+      # @!attribute request_target?
+      #   Also known as +flags_c?+
+      #   @return [Boolean]
+      # @!attribute oem?
+      #   Also known as +flags_b?+
+      #   @return [Boolean]
+      # @!attribute unicode?
+      #   Also known as +flags_a?+
+      #   @return [Boolean]
+      define_negotiate_flags
+      # @!endgroup Negotiate flags
+
+      # @!attribute domain_name
+      #  Name of the client authentication domain. Must be OEM encoded.
+      #  @return [PacketGen::Types::String]
+      # @!attribute domain_name_len
+      #  2-byte domain name length
+      #  @return [Integer]
+      # @!attribute domain_name_maxlen
+      #  2-byte domain name max length
+      #  @return [Integer]
+      # @!attribute domain_name_offset
+      #  4-byte domain name offset
+      #  @return [Integer]
+      define_in_payload :domain_name, PacketGen::Types::String
+
+      # @!attribute workstation
+      #  Name of the client machine. Must be OEM encoded.
+      #  @return [PacketGen::Types::String]
+      # @!attribute workstation_len
+      #  2-byte workstation length
+      #  @return [Integer]
+      # @!attribute workstation_maxlen
+      #  2-byte workstation max length
+      #  @return [Integer]
+      # @!attribute workstation_offset
+      #  4-byte workstation offset
+      #  @return [Integer]
+      define_in_payload :workstation, PacketGen::Types::String
+
+      # @!attribute version
+      #  8-byte version information
+      #  @return [String]
+      define_field_before :payload, :version, PacketGen::Types::String, static_length: 8, default: VOID_VERSION
+    end
+  end
+end

data/lib/packetgen/plugin/ntlm/ntlmv2_response.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+# This file is part of packetgen-plugin-smb.
+# See https://github.com/sdaubert/packetgen-plugin-smb for more informations
+# Copyright (C) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+module PacketGen::Plugin
+  class NTLM
+    class Ntlmv2Response < PacketGen::Types::Fields
+      # @!attribute response
+      #   16-byte array of unsigned char containing the client's NT challenge
+      #   response.
+      #   @return [String]
+      define_field :response, PacketGen::Types::String, static_length: 16
+      alias ntproof_str response
+      alias ntproof_str= response=
+
+      # @!attribute type
+      #   8-bit current version of the challenge. Should be 1.
+      #   @return [Integer]
+      define_field :type, PacketGen::Types::Int8, default: 1
+      # @!attribute hi_type
+      #   8-bit maximum supported version of the challenge. Should be 1.
+      #   @return [Integer]
+      define_field :hi_type, PacketGen::Types::Int8, default: 1
+      # @!attribute reserved1
+      #   16-bit reserved word.
+      #   @return [Integer]
+      define_field :reserved1, PacketGen::Types::Int16le
+      # @!attribute reserved2
+      #   32-bit reserved word.
+      #   @return [Integer]
+      define_field :reserved2, PacketGen::Types::Int32le
+      # @!attribute timestamp
+      #   64-bit current system time.
+      #   @return [SMB::Filetime]
+      define_field :timestamp, SMB::Filetime
+      # @!attribute client_challenge
+      #   8-byte challenge from client
+      #   @return [String]
+      define_field :client_challenge, PacketGen::Types::String, static_length: 8
+      # @!attribute reserved3
+      #   32-bit reserved word.
+      #   @return [Integer]
+      define_field :reserved3, PacketGen::Types::Int32le
+      # @!attribute avpairs
+      #   @return [ArrayOfAvPair]
+      define_field :avpairs, ArrayOfAvPair
+
+      # @return [false]
+      def empty?
+        false
+      end
+
+      alias size sz
+    end
+  end
+end