ruby_smb 1.0.3 → 2.0.1

data/lib/ruby_smb/smb2/packet/write_request.rb

@@ -4,6 +4,8 @@ module RubySMB
       # An SMB2 Write Request Packet as defined in
       # [2.2.21 SMB2 WRITE Request](https://msdn.microsoft.com/en-us/library/cc246532.aspx)
       class WriteRequest < RubySMB::GenericPacket
+        COMMAND = RubySMB::SMB2::Commands::WRITE
+
         endian :little
 
         smb2_header           :smb2_header
@@ -19,10 +21,6 @@ module RubySMB
         uint32                :flags,                 label: 'Flags'
         string                :buffer,                label: 'Write Data Buffer'
 
-        def initialize_instance
-          super
-          smb2_header.command = RubySMB::SMB2::Commands::WRITE
-        end
       end
     end
   end

data/lib/ruby_smb/smb2/packet/write_response.rb

@@ -4,6 +4,8 @@ module RubySMB
       # An SMB2 Write Response Packet as defined in
       # [2.2.22 SMB2 WRITE Response](https://msdn.microsoft.com/en-us/library/cc246533.aspx)
       class WriteResponse < RubySMB::GenericPacket
+        COMMAND = RubySMB::SMB2::Commands::WRITE
+
         endian :little
 
         smb2_header           :smb2_header
@@ -17,7 +19,6 @@ module RubySMB
 
         def initialize_instance
           super
-          smb2_header.command = RubySMB::SMB2::Commands::WRITE
           smb2_header.flags.reply = 1
         end
       end

data/lib/ruby_smb/smb2/pipe.rb

@@ -3,18 +3,29 @@ module RubySMB
     # Represents a pipe on the Remote server that we can perform
     # various I/O operations on.
     class Pipe < File
-      require 'ruby_smb/smb2/dcerpc'
+      require 'ruby_smb/dcerpc'
 
-      include RubySMB::SMB2::Dcerpc
+      include RubySMB::Dcerpc
 
       STATUS_CONNECTED = 0x00000003
       STATUS_CLOSING   = 0x00000004
 
+      def initialize(tree:, response:, name:)
+        raise ArgumentError, 'No Name Provided' if name.nil?
+        case name
+        when 'srvsvc'
+          extend RubySMB::Dcerpc::Srvsvc
+        when 'winreg'
+          extend RubySMB::Dcerpc::Winreg
+        end
+        super(tree: tree, response: response, name: name)
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
       # @return [RubySMB::SMB2::Packet::IoctlResponse]
-      # @raise [RubySMB::Error::InvalidPacket] if not a valid FSCTL_PIPE_PEEK response
+      # @raise [RubySMB::Error::InvalidPacket] if not a valid FIoctlResponse response
       # @raise [RubySMB::Error::UnexpectedStatusCode] If status is not STATUS_BUFFER_OVERFLOW or STATUS_SUCCESS
       def peek(peek_size: 0)
         packet = RubySMB::SMB2::Packet::IoctlRequest.new
@@ -24,18 +35,18 @@ module RubySMB
         packet.max_output_response = 16 + peek_size
         packet = set_header_fields(packet)
         raw_response = @tree.client.send_recv(packet)
-        begin
-          response = RubySMB::SMB2::Packet::IoctlResponse.read(raw_response)
-        rescue IOError
-          response = RubySMB::SMB2::Packet::ErrorPacket.read(raw_response)
+        response = RubySMB::SMB2::Packet::IoctlResponse.read(raw_response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::IoctlResponse::COMMAND,
+            received_proto: response.smb2_header.protocol,
+            received_cmd:   response.smb2_header.command
+          )
         end
 
         unless response.status_code == WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW or response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
-        end
-
-        unless response.smb2_header.command == RubySMB::SMB2::Commands::IOCTL
-          raise RubySMB::Error::InvalidPacket, 'Not an IoctlResponse packet'
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
         response
       end
@@ -67,6 +78,69 @@ module RubySMB
         state == STATUS_CONNECTED
       end
 
+      def dcerpc_request(stub_packet, options={})
+        options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
+        dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
+        dcerpc_request.stub.read(stub_packet.to_binary_s)
+        ioctl_send_recv(dcerpc_request, options)
+      end
+
+      def ioctl_send_recv(action, options={})
+        request = set_header_fields(RubySMB::SMB2::Packet::IoctlRequest.new(options))
+        request.ctl_code = 0x0011C017
+        request.flags.is_fsctl = 0x00000001
+        request.buffer = action.to_binary_s
+
+        ioctl_raw_response = @tree.client.send_recv(request)
+        ioctl_response = RubySMB::SMB2::Packet::IoctlResponse.read(ioctl_raw_response)
+        unless ioctl_response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::IoctlRequest::COMMAND,
+            received_proto: ioctl_response.smb2_header.protocol,
+            received_cmd:   ioctl_response.smb2_header.command
+          )
+        end
+        unless [WindowsError::NTStatus::STATUS_SUCCESS,
+                WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW].include?(ioctl_response.status_code)
+          raise RubySMB::Error::UnexpectedStatusCode, ioctl_response.status_code
+        end
+
+        raw_data = ioctl_response.output_data
+        if ioctl_response.status_code == WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW
+          raw_data << read(bytes: @tree.client.max_buffer_size - ioctl_response.output_count)
+          dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
+            raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
+          end
+          stub_data = dcerpc_response.stub.to_s
+
+          loop do
+            break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
+            raw_data = read(bytes: @tree.client.max_buffer_size)
+            dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+            stub_data << dcerpc_response.stub.to_s
+          end
+          stub_data
+        else
+          dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          dcerpc_response.stub.to_s
+        end
+      end
+
+
+      private
+
+      def dcerpc_response_from_raw_response(raw_data)
+        dcerpc_response = RubySMB::Dcerpc::Response.read(raw_data)
+        unless dcerpc_response.pdu_header.ptype == RubySMB::Dcerpc::PTypes::RESPONSE
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Not a Response packet"
+        end
+        dcerpc_response
+      rescue IOError
+        raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the DCERPC response"
+      end
+
     end
   end
 end

data/lib/ruby_smb/smb2/smb2_header.rb

@@ -6,7 +6,7 @@ module RubySMB
       endian              :little
       bit32               :protocol,          label: 'Protocol ID Field',      initial_value: RubySMB::SMB2::SMB2_PROTOCOL_ID
       uint16              :structure_size,    label: 'Header Structure Size',  initial_value: 64
-      uint16              :credit_charge,     label: 'Credit Charge',          initial_value: 0
+      uint16              :credit_charge,     label: 'Credit Charge',          initial_value: 1
       nt_status           :nt_status,         label: 'NT Status',              initial_value: 0
       uint16              :command,           label: 'Command'
       uint16              :credits,           label: 'Credit Request/Response'

data/lib/ruby_smb/smb2/tree.rb

@@ -23,22 +23,37 @@ module RubySMB
       #   @return [Integer]
       attr_accessor :id
 
-      def initialize(client:, share:, response:)
-        @client             = client
-        @share              = share
-        @id                 = response.smb2_header.tree_id
-        @permissions        = response.maximal_access
-        @share_type         = response.share_type
+      # Whether or not the share associated with this tree connect needs to be encrypted (SMB 3.x)
+      # @!attribute [rw] tree_connect_encrypt_data
+      #   @return [Boolean]
+      attr_accessor :tree_connect_encrypt_data
+
+      def initialize(client:, share:, response:, encrypt: false)
+        @client              = client
+        @share               = share
+        @id                  = response.smb2_header.tree_id
+        @permissions         = response.maximal_access
+        @share_type          = response.share_type
+        @tree_connect_encrypt_data = encrypt
       end
 
       # Disconnects this Tree from the current session
       #
       # @return [WindowsError::ErrorCode] the NTStatus sent back by the server.
+      # @raise [RubySMB::Error::InvalidPacket] if the response is not a TreeDisconnectResponse packet
       def disconnect!
         request = RubySMB::SMB2::Packet::TreeDisconnectRequest.new
         request = set_header_fields(request)
-        raw_response = client.send_recv(request)
+        raw_response = client.send_recv(request, encrypt: @tree_connect_encrypt_data)
         response = RubySMB::SMB2::Packet::TreeDisconnectResponse.read(raw_response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::TreeDisconnectResponse::COMMAND,
+            received_proto: response.smb2_header.protocol,
+            received_cmd:   response.smb2_header.command
+          )
+        end
         response.status_code
       end
 
@@ -87,22 +102,29 @@ module RubySMB
         create_request.create_disposition   = disposition
         create_request.name                 = filename
 
-        raw_response  = client.send_recv(create_request)
+        raw_response  = client.send_recv(create_request, encrypt: @tree_connect_encrypt_data)
         response      = RubySMB::SMB2::Packet::CreateResponse.read(raw_response)
-
-        if response.is_a?(RubySMB::SMB2::Packet::ErrorPacket)
-          raise RubySMB::Error::RubySMBError
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::CreateResponse::COMMAND,
+            received_proto: response.smb2_header.protocol,
+            received_cmd:   response.smb2_header.command
+          )
+        end
+        unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
 
         case @share_type
-        when 0x01
-          RubySMB::SMB2::File.new(name: filename, tree: self, response: response)
-        when 0x02
+        when RubySMB::SMB2::Packet::TreeConnectResponse::SMB2_SHARE_TYPE_DISK
+          RubySMB::SMB2::File.new(name: filename, tree: self, response: response, encrypt: @tree_connect_encrypt_data)
+        when RubySMB::SMB2::Packet::TreeConnectResponse::SMB2_SHARE_TYPE_PIPE
           RubySMB::SMB2::Pipe.new(name: filename, tree: self, response: response)
-        # when 0x03
+        # when RubySMB::SMB2::TreeConnectResponse::SMB2_SHARE_TYPE_PRINT
         #   it's a printer!
         else
-          raise RubySMB::Error::RubySMBError
+          raise RubySMB::Error::RubySMBError, 'Unsupported share type'
         end
       end
 
@@ -116,6 +138,7 @@ module RubySMB
       # @param pattern [String] search pattern
       # @param type [Class] file information class
       # @return [Array] array of directory structures
+      # @raise [RubySMB::Error::InvalidPacket] if the response is not a QueryDirectoryResponse packet
       def list(directory: nil, pattern: '*', type: RubySMB::Fscc::FileInformation::FileIdFullDirectoryInformation)
         create_response = open_directory(directory: directory)
         file_id         = create_response.file_id
@@ -131,16 +154,23 @@ module RubySMB
         files = []
 
         loop do
-          response            = client.send_recv(directory_request)
+          response            = client.send_recv(directory_request, encrypt: @tree_connect_encrypt_data)
           directory_response  = RubySMB::SMB2::Packet::QueryDirectoryResponse.read(response)
+          unless directory_response.valid?
+            raise RubySMB::Error::InvalidPacket.new(
+              expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+              expected_cmd:   RubySMB::SMB2::Packet::QueryDirectoryResponse::COMMAND,
+              received_proto: directory_response.smb2_header.protocol,
+              received_cmd:   directory_response.smb2_header.command
+            )
+          end
 
           status_code         = directory_response.smb2_header.nt_status.to_nt_status
 
           break if status_code == WindowsError::NTStatus::STATUS_NO_MORE_FILES
 
           unless status_code == WindowsError::NTStatus::STATUS_SUCCESS
-
-            raise RubySMB::Error::UnexpectedStatusCode, status_code.to_s
+            raise RubySMB::Error::UnexpectedStatusCode, status_code
           end
 
           files += directory_response.results(type)
@@ -162,14 +192,28 @@ module RubySMB
       # @param write [Boolean] whether to request write access
       # @param delete [Boolean] whether to request delete access
       # @return [RubySMB::SMB2::Packet::CreateResponse] the response packet returned from the server
+      # @raise [RubySMB::Error::InvalidPacket] if the response is not a CreateResponse packet
       def open_directory(directory: nil, disposition: RubySMB::Dispositions::FILE_OPEN,
                          impersonation: RubySMB::ImpersonationLevels::SEC_IMPERSONATE,
                          read: true, write: false, delete: false)
 
         create_request  = open_directory_packet(directory: directory, disposition: disposition,
                                                 impersonation: impersonation, read: read, write: write, delete: delete)
-        raw_response    = client.send_recv(create_request)
-        RubySMB::SMB2::Packet::CreateResponse.read(raw_response)
+        raw_response    = client.send_recv(create_request, encrypt: @tree_connect_encrypt_data)
+        response = RubySMB::SMB2::Packet::CreateResponse.read(raw_response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::CreateResponse::COMMAND,
+            received_proto: response.smb2_header.protocol,
+            received_cmd:   response.smb2_header.command
+          )
+        end
+        unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
+        end
+
+        response
       end
 
       # Creates the Packet for the #open_directory method.

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '1.0.3'.freeze
+  VERSION = '2.0.1'.freeze
 end

data/ruby_smb.gemspec

@@ -6,8 +6,8 @@ require 'ruby_smb/version'
 Gem::Specification.new do |spec|
   spec.name          = 'ruby_smb'
   spec.version       = RubySMB::VERSION
-  spec.authors       = ['David Maloney', 'James Lee', 'Dev Mohanty', 'Christophe De La Fuente']
-  spec.email         = ['DMaloney@rapid7.com', 'egypt@metasploit.com', 'dev_mohanty@rapid7.com', 'paristvinternet-github@yahoo.com']
+  spec.authors       = ['Metasploit Hackers', 'David Maloney', 'James Lee', 'Dev Mohanty', 'Christophe De La Fuente']
+  spec.email         = ['msfdev@metasploit.com']
   spec.summary       = 'A pure Ruby implementation of the SMB Protocol Family'
   spec.description   = ''
   spec.homepage      = 'https://github.com/rapid7/ruby_smb'
@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
     spec.platform = Gem::Platform::RUBY
   end
 
-  spec.required_ruby_version = '>= 2.2.0'
+  spec.required_ruby_version = '>= 2.5'
 
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'fivemat'
@@ -36,4 +36,6 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'rubyntlm'
   spec.add_runtime_dependency 'windows_error'
   spec.add_runtime_dependency 'bindata'
+  spec.add_runtime_dependency 'openssl-ccm'
+  spec.add_runtime_dependency 'openssl-cmac'
 end

data/spec/lib/ruby_smb/client_spec.rb

@@ -6,9 +6,65 @@ RSpec.describe RubySMB::Client do
   let(:username) { 'msfadmin' }
   let(:password) { 'msfpasswd' }
   subject(:client) { described_class.new(dispatcher, username: username, password: password) }
-  let(:smb1_client) { described_class.new(dispatcher, smb2: false, username: username, password: password) }
-  let(:smb2_client) { described_class.new(dispatcher, smb1: false, username: username, password: password) }
+  let(:smb1_client) { described_class.new(dispatcher, smb2: false, smb3: false, username: username, password: password) }
+  let(:smb2_client) { described_class.new(dispatcher, smb1: false, smb3: false, username: username, password: password) }
+  let(:smb3_client) { described_class.new(dispatcher, smb1: false, smb2: false, username: username, password: password) }
   let(:empty_packet) { RubySMB::SMB1::Packet::EmptyPacket.new }
+  let(:error_packet) { RubySMB::SMB2::Packet::ErrorPacket.new }
+
+  it { is_expected.to respond_to :dispatcher }
+  it { is_expected.to respond_to :domain }
+  it { is_expected.to respond_to :local_workstation }
+  it { is_expected.to respond_to :ntlm_client }
+  it { is_expected.to respond_to :password }
+  it { is_expected.to respond_to :peer_native_os }
+  it { is_expected.to respond_to :peer_native_lm }
+  it { is_expected.to respond_to :primary_domain }
+  it { is_expected.to respond_to :default_name }
+  it { is_expected.to respond_to :default_domain }
+  it { is_expected.to respond_to :dns_host_name }
+  it { is_expected.to respond_to :dns_domain_name }
+  it { is_expected.to respond_to :dns_tree_name }
+  it { is_expected.to respond_to :os_version }
+  it { is_expected.to respond_to :dialect }
+  it { is_expected.to respond_to :sequence_counter }
+  it { is_expected.to respond_to :session_id }
+  it { is_expected.to respond_to :signing_required }
+  it { is_expected.to respond_to :smb1 }
+  it { is_expected.to respond_to :smb2 }
+  it { is_expected.to respond_to :smb3 }
+  it { is_expected.to respond_to :smb2_message_id }
+  it { is_expected.to respond_to :username }
+  it { is_expected.to respond_to :user_id }
+  it { is_expected.to respond_to :max_buffer_size }
+  it { is_expected.to respond_to :server_max_buffer_size }
+  it { is_expected.to respond_to :server_max_write_size }
+  it { is_expected.to respond_to :server_max_read_size }
+  it { is_expected.to respond_to :server_max_transact_size }
+  it { is_expected.to respond_to :preauth_integrity_hash_algorithm }
+  it { is_expected.to respond_to :preauth_integrity_hash_value }
+  it { is_expected.to respond_to :encryption_algorithm }
+  it { is_expected.to respond_to :client_encryption_key }
+  it { is_expected.to respond_to :server_encryption_key }
+  it { is_expected.to respond_to :session_encrypt_data }
+  it { is_expected.to respond_to :server_encryption_algorithms }
+  it { is_expected.to respond_to :server_compression_algorithms }
+  it { is_expected.to respond_to :negotiated_smb_version }
+  it { is_expected.to respond_to :session_key }
+  it { is_expected.to respond_to :tree_connects }
+  it { is_expected.to respond_to :open_files }
+  it { is_expected.to respond_to :use_ntlmv2 }
+  it { is_expected.to respond_to :usentlm2_session }
+  it { is_expected.to respond_to :send_lm }
+  it { is_expected.to respond_to :use_lanman_key }
+  it { is_expected.to respond_to :send_ntlm }
+  it { is_expected.to respond_to :spnopt }
+  it { is_expected.to respond_to :evasion_opts }
+  it { is_expected.to respond_to :native_os }
+  it { is_expected.to respond_to :native_lm }
+  it { is_expected.to respond_to :verify_signature }
+  it { is_expected.to respond_to :auth_user }
+  it { is_expected.to respond_to :last_file_id }
 
   describe '#initialize' do
     it 'should raise an ArgumentError without a valid dispatcher' do
@@ -25,14 +81,21 @@ RSpec.describe RubySMB::Client do
 
     it 'accepts an argument to disable smb1 support' do
       expect(smb2_client.smb1).to be false
+      expect(smb3_client.smb1).to be false
     end
 
     it 'accepts an argument to disable smb2 support' do
       expect(smb1_client.smb2).to be false
+      expect(smb3_client.smb2).to be false
     end
 
-    it 'raises an exception if both SMB1 and SMB2 are disabled' do
-      expect { described_class.new(dispatcher, smb1: false, smb2: false, username: username, password: password) }.to raise_error(ArgumentError, 'You must enable at least one Protocol')
+    it 'accepts an argument to disable smb3 support' do
+      expect(smb1_client.smb3).to be false
+      expect(smb2_client.smb3).to be false
+    end
+
+    it 'raises an exception if SMB1, SMB2 and SMB3 are disabled' do
+      expect { described_class.new(dispatcher, smb1: false, smb2: false, smb3: false, username: username, password: password) }.to raise_error(ArgumentError, 'You must enable at least one Protocol')
     end
 
     it 'sets the username attribute' do
@@ -43,6 +106,11 @@ RSpec.describe RubySMB::Client do
       expect(client.password).to eq password
     end
 
+    it 'sets the session_encrypt_data attribute' do
+      client =  described_class.new(dispatcher, username: username, password: password, always_encrypt: true)
+      expect(client.session_encrypt_data).to eq true
+    end
+
     it 'creates an NTLM client' do
       expect(client.ntlm_client).to be_a Net::NTLM::Client
     end
@@ -57,7 +125,7 @@ RSpec.describe RubySMB::Client do
         expect(opt[:workstation]).to eq(local_workstation)
         expect(opt[:domain]).to eq(domain)
         flags = Net::NTLM::Client::DEFAULT_FLAGS |
-          Net::NTLM::FLAGS[:TARGET_INFO] | 0x02000000
+          Net::NTLM::FLAGS[:TARGET_INFO] | 0x02000000 ^ Net::NTLM::FLAGS[:OEM]
         expect(opt[:flags]).to eq(flags)
       end
 
@@ -75,28 +143,280 @@ RSpec.describe RubySMB::Client do
     end
   end
 
+  describe '#echo' do
+    let(:response) { double('Echo Response') }
+    before :example do
+      allow(response).to receive(:status_code).and_return(WindowsError::NTStatus::STATUS_SUCCESS)
+    end
+
+    context 'with SMB1' do
+      it 'calls #smb1_echo with the expected arguments' do
+        allow(smb1_client).to receive(:smb1_echo).and_return(response)
+        count = 3
+        data  = 'testing...'
+        smb1_client.echo(count: count, data: data)
+        expect(smb1_client).to have_received(:smb1_echo).with(count: count, data: data)
+      end
+    end
+
+    context 'with SMB2' do
+      it 'calls #smb2_echo without arguments' do
+        allow(smb2_client).to receive(:smb2_echo).and_return(response)
+        smb2_client.echo
+        expect(smb2_client).to have_received(:smb2_echo)
+      end
+    end
+
+    context 'with SMB3' do
+      it 'calls #smb2_echo without arguments' do
+        allow(smb3_client).to receive(:smb2_echo).and_return(response)
+        smb3_client.echo
+        expect(smb3_client).to have_received(:smb2_echo)
+      end
+    end
+
+    it 'returns the expected status code' do
+      allow(smb2_client).to receive(:smb2_echo).and_return(response)
+      expect(smb2_client.echo).to eq(WindowsError::NTStatus::STATUS_SUCCESS)
+    end
+  end
+
   describe '#send_recv' do
     let(:smb1_request) { RubySMB::SMB1::Packet::TreeConnectRequest.new }
     let(:smb2_request) { RubySMB::SMB2::Packet::TreeConnectRequest.new }
 
     before(:each) do
-      expect(dispatcher).to receive(:send_packet).and_return(nil)
-      expect(dispatcher).to receive(:recv_packet).and_return('A')
+      allow(client).to receive(:is_status_pending?).and_return(false)
+      allow(dispatcher).to receive(:send_packet).and_return(nil)
+      allow(dispatcher).to receive(:recv_packet).and_return('A')
     end
 
-    it 'checks the packet version' do
-      expect(smb1_request).to receive(:packet_smb_version).and_call_original
-      client.send_recv(smb1_request)
+    context 'when signing' do
+      it 'calls #smb1_sign if it is an SMB1 packet' do
+        expect(client).to receive(:smb1_sign).with(smb1_request).and_call_original
+        client.send_recv(smb1_request)
+      end
+
+      context 'with an SMB2 packet' do
+        it 'does not sign a SessionSetupRequest packet' do
+          expect(smb2_client).to_not receive(:smb2_sign)
+          expect(smb2_client).to_not receive(:smb3_sign)
+          client.send_recv(RubySMB::SMB2::Packet::SessionSetupRequest.new)
+        end
+
+        it 'calls #smb2_sign if it is an SMB2 client' do
+          allow(smb2_client).to receive(:is_status_pending?).and_return(false)
+          expect(smb2_client).to receive(:smb2_sign).with(smb2_request).and_call_original
+          smb2_client.send_recv(smb2_request)
+        end
+
+        it 'calls #smb3_sign if it is an SMB3 client' do
+          allow(smb3_client).to receive(:is_status_pending?).and_return(false)
+          expect(smb3_client).to receive(:smb3_sign).with(smb2_request).and_call_original
+          smb3_client.send_recv(smb2_request)
+        end
+      end
     end
 
-    it 'calls #smb1_sign if it is an SMB1 packet' do
-      expect(client).to receive(:smb1_sign).with(smb1_request).and_call_original
+    it 'sends the expected packet and gets the response' do
+      expect(dispatcher).to receive(:send_packet).with(smb1_request)
+      expect(dispatcher).to receive(:recv_packet)
       client.send_recv(smb1_request)
     end
 
-    it 'calls #smb2_sign if it is an SMB2 packet' do
-      expect(client).to receive(:smb2_sign).with(smb2_request).and_call_original
-      client.send_recv(smb2_request)
+    context 'with SMB1' do
+      it 'does not check if it is a STATUS_PENDING response' do
+        expect(smb1_client).to_not receive(:is_status_pending?)
+        smb1_client.send_recv(smb1_request)
+      end
+    end
+
+    context 'with SMB2' do
+      context 'when receiving a STATUS_PENDING response' do
+        it 'waits 1 second and reads/decrypts again' do
+          allow(smb2_client).to receive(:is_status_pending?).and_return(true, false)
+          expect(smb2_client).to receive(:sleep).with(1)
+          expect(dispatcher).to receive(:recv_packet).twice
+          smb2_client.send_recv(smb2_request)
+        end
+      end
+    end
+
+    context 'with SMB3 and encryption' do
+      before :example do
+        smb3_client.dialect = '0x0300'
+        allow(smb3_client).to receive(:is_status_pending?).and_return(false)
+      end
+
+      context 'with a SessionSetupRequest' do
+        it 'does not encrypt/decrypt' do
+          request = RubySMB::SMB2::Packet::SessionSetupRequest.new
+          expect(smb3_client).to_not receive(:send_encrypt).with(request)
+          expect(smb3_client).to_not receive(:recv_encrypt)
+          expect(dispatcher).to receive(:send_packet).with(request)
+          expect(dispatcher).to receive(:recv_packet)
+          smb3_client.send_recv(request)
+        end
+      end
+
+      context 'with a NegotiateRequest' do
+        it 'does not encrypt/decrypt' do
+          request = RubySMB::SMB2::Packet::NegotiateRequest.new
+          expect(smb3_client).to_not receive(:send_encrypt).with(request)
+          expect(smb3_client).to_not receive(:recv_encrypt)
+          expect(dispatcher).to receive(:send_packet).with(request)
+          expect(dispatcher).to receive(:recv_packet)
+          smb3_client.send_recv(request)
+        end
+      end
+
+      it 'encrypts and decrypts' do
+        expect(smb3_client).to receive(:send_encrypt).with(smb2_request)
+        expect(smb3_client).to receive(:recv_encrypt)
+        smb3_client.send_recv(smb2_request)
+      end
+
+      context 'when receiving a STATUS_PENDING response' do
+        it 'waits 1 second and reads/decrypts again' do
+          allow(smb3_client).to receive(:is_status_pending?).and_return(true, false)
+          expect(smb3_client).to receive(:sleep).with(1)
+          expect(smb3_client).to receive(:send_encrypt).with(smb2_request)
+          expect(smb3_client).to receive(:recv_encrypt).twice
+          smb3_client.send_recv(smb2_request)
+        end
+      end
+    end
+  end
+
+  describe '#is_status_pending?' do
+    let(:response) {
+      res = RubySMB::SMB2::Packet::SessionSetupRequest.new
+      res.smb2_header.nt_status= WindowsError::NTStatus::STATUS_PENDING.value
+      res.smb2_header.flags.async_command = 1
+      res
+    }
+
+    it 'returns true when the response has a STATUS_PENDING status code and the async_command flag set' do
+      expect(client.is_status_pending?(response.to_binary_s)).to be true
+    end
+
+    it 'returns false when the response has a STATUS_PENDING status code and the async_command flag not set' do
+      response.smb2_header.flags.async_command = 0
+      expect(client.is_status_pending?(response.to_binary_s)).to be false
+    end
+
+    it 'returns false when the response has no STATUS_PENDING status code but the async_command flag set' do
+      response.smb2_header.nt_status= WindowsError::NTStatus::STATUS_SUCCESS.value
+      expect(client.is_status_pending?(response.to_binary_s)).to be false
+    end
+  end
+
+  describe '#can_be_encrypted?' do
+    it 'returns true if the packet can be encrypted' do
+      packet = RubySMB::SMB2::Packet::TreeConnectRequest.new
+      expect(client.can_be_encrypted?(packet)).to be true
+    end
+
+    it 'returns false if it is an SMB1 packet' do
+      packet = RubySMB::SMB1::Packet::LogoffRequest.new
+      expect(client.can_be_encrypted?(packet)).to be false
+    end
+
+    [RubySMB::SMB2::Packet::SessionSetupRequest, RubySMB::SMB2::Packet::NegotiateRequest].each do |klass|
+      it "returns false if the packet is a #{klass}" do
+        packet = klass.new
+        expect(client.can_be_encrypted?(packet)).to be false
+      end
+    end
+  end
+
+  describe '#encryption_supported?' do
+    ['0x0300', '0x0302', '0x0311'].each do |dialect|
+      it "returns true if the dialect is #{dialect}" do
+        client.dialect = dialect
+        expect(client.encryption_supported?).to be true
+      end
+    end
+
+    it "returns false if the dialect does not support encryption" do
+      client.dialect = '0x0202'
+      expect(client.encryption_supported?).to be false
+    end
+  end
+
+  describe '#send_encrypt' do
+    let(:packet) { RubySMB::SMB2::Packet::SessionSetupRequest.new }
+    before :example do
+      allow(dispatcher).to receive(:send_packet)
+      client.dialect = '0x0300'
+    end
+
+    it 'creates a Transform request' do
+      expect(client).to receive(:smb3_encrypt).with(packet.to_binary_s)
+      client.send_encrypt(packet)
+    end
+
+    it 'raises an EncryptionError exception if an error occurs while encrypting' do
+      allow(client).to receive(:smb3_encrypt).and_raise(RubySMB::Error::RubySMBError.new('Error'))
+      expect { client.send_encrypt(packet) }.to raise_error(
+        RubySMB::Error::EncryptionError,
+        "Error while encrypting #{packet.class.name} packet (SMB 0x0300): Error"
+      )
+    end
+
+    it 'sends the encrypted packet' do
+      encrypted_packet = double('Encrypted packet')
+      allow(client).to receive(:smb3_encrypt).and_return(encrypted_packet)
+      client.send_encrypt(packet)
+      expect(dispatcher).to have_received(:send_packet).with(encrypted_packet)
+    end
+  end
+
+  describe '#recv_encrypt' do
+    let(:packet) { RubySMB::SMB2::Packet::SessionSetupRequest.new }
+    before :example do
+      allow(dispatcher).to receive(:recv_packet).and_return(packet.to_binary_s)
+      client.dialect = '0x0300'
+      allow(client).to receive(:smb3_decrypt)
+    end
+
+    it 'reads the response packet' do
+      client.recv_encrypt
+      expect(dispatcher).to have_received(:recv_packet)
+    end
+
+    it 'raises an EncryptionError exception if an error occurs while receiving the response' do
+      allow(dispatcher).to receive(:recv_packet).and_raise(RubySMB::Error::CommunicationError)
+      expect { client.recv_encrypt }.to raise_error(
+        RubySMB::Error::EncryptionError,
+        'Communication error with the remote host: RubySMB::Error::CommunicationError. '\
+        'The server supports encryption but was not able to handle the encrypted request.'
+      )
+    end
+
+    it 'parses the response as a Transform response packet' do
+      expect(RubySMB::SMB2::Packet::TransformHeader).to receive(:read).with(packet.to_binary_s)
+      client.recv_encrypt
+    end
+
+    it 'raises an InvalidPacket exception if an error occurs while parsing the response' do
+      allow(RubySMB::SMB2::Packet::TransformHeader).to receive(:read).and_raise(IOError)
+      expect { client.recv_encrypt }.to raise_error(RubySMB::Error::InvalidPacket, 'Not a SMB2 TransformHeader packet')
+    end
+
+    it 'decrypts the Transform response packet' do
+      transform = double('Transform header packet')
+      allow(RubySMB::SMB2::Packet::TransformHeader).to receive(:read).and_return(transform)
+      client.recv_encrypt
+      expect(client).to have_received(:smb3_decrypt).with(transform)
+    end
+
+    it 'raises an EncryptionError exception if an error occurs while decrypting' do
+      allow(client).to receive(:smb3_decrypt).and_raise(RubySMB::Error::RubySMBError)
+      expect { client.recv_encrypt }.to raise_error(
+        RubySMB::Error::EncryptionError,
+        'Error while decrypting RubySMB::SMB2::Packet::TransformHeader packet (SMB 0x0300}): RubySMB::Error::RubySMBError'
+      )
     end
   end
 
@@ -153,6 +473,132 @@ RSpec.describe RubySMB::Client do
     end
   end
 
+  describe '#logoff!' do
+    context 'with SMB1' do
+      let(:raw_response) { double('Raw response') }
+      let(:logoff_response) {
+        RubySMB::SMB1::Packet::LogoffResponse.new(smb_header: {:command => RubySMB::SMB1::Commands::SMB_COM_LOGOFF} )
+      }
+      before :example do
+        allow(smb1_client).to receive(:send_recv).and_return(raw_response)
+        allow(RubySMB::SMB1::Packet::LogoffResponse).to receive(:read).and_return(logoff_response)
+        allow(smb1_client).to receive(:wipe_state!)
+      end
+
+      it 'creates a LogoffRequest packet' do
+        expect(RubySMB::SMB1::Packet::LogoffRequest).to receive(:new).and_call_original
+        smb1_client.logoff!
+      end
+
+      it 'calls #send_recv' do
+        expect(smb1_client).to receive(:send_recv)
+        smb1_client.logoff!
+      end
+
+      it 'reads the raw response as a LogoffResponse packet' do
+        expect(RubySMB::SMB1::Packet::LogoffResponse).to receive(:read).with(raw_response)
+        smb1_client.logoff!
+      end
+
+      it 'raise an InvalidPacket exception when the response is an empty packet' do
+        allow(RubySMB::SMB1::Packet::LogoffResponse).to receive(:read).and_return(RubySMB::SMB1::Packet::EmptyPacket.new)
+        expect {smb1_client.logoff!}.to raise_error(RubySMB::Error::InvalidPacket)
+      end
+
+      it 'raise an InvalidPacket exception when the response is not valid' do
+        allow(logoff_response).to receive(:valid?).and_return(false)
+        expect {smb1_client.logoff!}.to raise_error(RubySMB::Error::InvalidPacket)
+      end
+
+      it 'calls #wipe_state!' do
+        expect(smb1_client).to receive(:wipe_state!)
+        smb1_client.logoff!
+      end
+
+      it 'returns the expected status code' do
+        logoff_response.smb_header.nt_status = WindowsError::NTStatus::STATUS_PENDING.value
+        allow(RubySMB::SMB1::Packet::LogoffResponse).to receive(:read).and_return(logoff_response)
+        expect(smb1_client.logoff!).to eq(WindowsError::NTStatus::STATUS_PENDING)
+      end
+    end
+
+    context 'with SMB2' do
+      let(:raw_response) { double('Raw response') }
+      let(:logoff_response) {
+        RubySMB::SMB2::Packet::LogoffResponse.new(smb_header: {:command => RubySMB::SMB2::Commands::LOGOFF} )
+      }
+      before :example do
+        allow(smb2_client).to receive(:send_recv).and_return(raw_response)
+        allow(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).and_return(logoff_response)
+        allow(smb2_client).to receive(:wipe_state!)
+      end
+
+      it 'creates a LogoffRequest packet' do
+        expect(RubySMB::SMB2::Packet::LogoffRequest).to receive(:new).and_call_original
+        smb2_client.logoff!
+      end
+
+      it 'calls #send_recv' do
+        expect(smb2_client).to receive(:send_recv)
+        smb2_client.logoff!
+      end
+
+      it 'reads the raw response as a LogoffResponse packet' do
+        expect(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).with(raw_response)
+        smb2_client.logoff!
+      end
+
+      it 'raise an InvalidPacket exception when the response is an error packet' do
+        allow(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).and_return(RubySMB::SMB2::Packet::ErrorPacket.new)
+        expect {smb2_client.logoff!}.to raise_error(RubySMB::Error::InvalidPacket)
+      end
+
+      it 'raise an InvalidPacket exception when the response is not a LOGOFF command' do
+        logoff_response.smb2_header.command = RubySMB::SMB2::Commands::ECHO
+        allow(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).and_return(logoff_response)
+        expect {smb2_client.logoff!}.to raise_error(RubySMB::Error::InvalidPacket)
+      end
+    end
+
+    context 'with SMB3' do
+      let(:raw_response) { double('Raw response') }
+      let(:logoff_response) {
+        RubySMB::SMB2::Packet::LogoffResponse.new(smb_header: {:command => RubySMB::SMB2::Commands::LOGOFF} )
+      }
+      before :example do
+        allow(smb3_client).to receive(:send_recv).and_return(raw_response)
+        allow(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).and_return(logoff_response)
+        allow(smb3_client).to receive(:wipe_state!)
+      end
+
+      it 'creates a LogoffRequest packet' do
+        expect(RubySMB::SMB2::Packet::LogoffRequest).to receive(:new).and_call_original
+        smb3_client.logoff!
+      end
+
+      it 'calls #send_recv' do
+        expect(smb3_client).to receive(:send_recv)
+        smb3_client.logoff!
+      end
+
+      it 'reads the raw response as a LogoffResponse packet' do
+        expect(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).with(raw_response)
+        smb3_client.logoff!
+      end
+
+      it 'raise an InvalidPacket exception when the response is an error packet' do
+        allow(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).and_return(RubySMB::SMB2::Packet::ErrorPacket.new)
+        expect {smb3_client.logoff!}.to raise_error(RubySMB::Error::InvalidPacket)
+      end
+
+      it 'raise an InvalidPacket exception when the response is not a LOGOFF command' do
+        logoff_response.smb2_header.command = RubySMB::SMB2::Commands::ECHO
+        allow(RubySMB::SMB2::Packet::LogoffResponse).to receive(:read).and_return(logoff_response)
+        expect {smb3_client.logoff!}.to raise_error(RubySMB::Error::InvalidPacket)
+      end
+    end
+  end
+
   context 'NetBIOS Session Service' do
     describe '#session_request' do
       let(:session_header)  { RubySMB::Nbss::SessionHeader.new }
@@ -197,6 +643,11 @@ RSpec.describe RubySMB::Client do
         allow(dispatcher).to receive(:recv_packet).and_return(negative_session_response.to_binary_s)
         expect { client.session_request }.to raise_error(RubySMB::Error::NetBiosSessionService)
       end
+
+      it 'raises an InvalidPacket exception when an error occurs while reading' do
+        allow(RubySMB::Nbss::SessionHeader).to receive(:read).and_raise(IOError)
+        expect { client.session_request }.to raise_error(RubySMB::Error::InvalidPacket)
+      end
     end
 
     describe '#session_request_packet' do
@@ -271,7 +722,8 @@ RSpec.describe RubySMB::Client do
       smb1_extended_response.to_binary_s
     }
 
-    let(:smb2_response) { RubySMB::SMB2::Packet::NegotiateResponse.new }
+    let(:smb2_response) { RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x200) }
+    let(:smb3_response) { RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x300) }
 
     describe '#smb1_negotiate_request' do
       it 'returns an SMB1 Negotiate Request packet' do
@@ -279,33 +731,158 @@ RSpec.describe RubySMB::Client do
       end
 
       it 'sets the default SMB1 Dialect' do
-        expect(client.smb1_negotiate_request.dialects).to include(buffer_format: 2, dialect_string: RubySMB::Client::SMB1_DIALECT_SMB1_DEFAULT)
+        expect(client.smb1_negotiate_request.dialects).to include(
+          buffer_format: 2,
+          dialect_string: RubySMB::Client::SMB1_DIALECT_SMB1_DEFAULT
+        )
       end
 
       it 'sets the SMB2.02 dialect if SMB2 support is enabled' do
-        expect(client.smb1_negotiate_request.dialects).to include(buffer_format: 2, dialect_string: RubySMB::Client::SMB1_DIALECT_SMB2_DEFAULT)
+        expect(client.smb1_negotiate_request.dialects).to include(
+          buffer_format: 2,
+          dialect_string: RubySMB::Client::SMB1_DIALECT_SMB2_DEFAULT
+        )
       end
 
       it 'excludes the SMB2.02 Dialect if SMB2 support is disabled' do
-        expect(smb1_client.smb1_negotiate_request.dialects).to_not include(buffer_format: 2, dialect_string: RubySMB::Client::SMB1_DIALECT_SMB2_DEFAULT)
+        expect(smb1_client.smb1_negotiate_request.dialects).to_not include(
+          buffer_format: 2,
+          dialect_string: RubySMB::Client::SMB1_DIALECT_SMB2_DEFAULT
+        )
       end
 
       it 'excludes the default SMB1 Dialect if SMB1 support is disabled' do
-        expect(smb2_client.smb1_negotiate_request.dialects).to_not include(buffer_format: 2, dialect_string: RubySMB::Client::SMB1_DIALECT_SMB1_DEFAULT)
+        expect(smb2_client.smb1_negotiate_request.dialects).to_not include(
+          buffer_format: 2,
+          dialect_string: RubySMB::Client::SMB1_DIALECT_SMB1_DEFAULT
+        )
+      end
+
+      it 'sets the SMB wildcard dialect if SMB2 support is enabled' do
+        expect(client.smb1_negotiate_request.dialects).to include(
+          buffer_format: 2,
+          dialect_string: RubySMB::Client::SMB1_DIALECT_SMB2_WILDCARD
+        )
+      end
+
+      it 'sets the SMB wildcard dialect if SMB3 support is enabled' do
+        expect(smb3_client.smb1_negotiate_request.dialects).to include(
+          buffer_format: 2,
+          dialect_string: RubySMB::Client::SMB1_DIALECT_SMB2_WILDCARD
+        )
+      end
+
+      it 'excludes the SMB wildcard dialect if both SMB2 and SMB3 supports are disabled' do
+        expect(smb1_client.smb1_negotiate_request.dialects).to_not include(
+          buffer_format: 2,
+          dialect_string: RubySMB::Client::SMB1_DIALECT_SMB2_WILDCARD
+        )
       end
     end
 
-    describe '#smb2_negotiate_request' do
+    describe '#smb2_3_negotiate_request' do
       it 'return an SMB2 Negotiate Request packet' do
-        expect(client.smb2_negotiate_request).to be_a(RubySMB::SMB2::Packet::NegotiateRequest)
+        expect(client.smb2_3_negotiate_request).to be_a(RubySMB::SMB2::Packet::NegotiateRequest)
+      end
+
+      it 'sets the default SMB2 Dialect if SMB2 support is enabled' do
+        expect(client.smb2_3_negotiate_request.dialects).to include(
+          *(RubySMB::Client::SMB2_DIALECT_DEFAULT.map {|d| d.to_i(16)})
+        )
       end
 
-      it 'sets the default SMB2 Dialect' do
-        expect(client.smb2_negotiate_request.dialects).to include(RubySMB::Client::SMB2_DIALECT_DEFAULT)
+      it 'does not set the default SMB2 Dialect if SMB2 support is disabled' do
+        expect(smb3_client.smb2_3_negotiate_request.dialects).to_not include(
+          *(RubySMB::Client::SMB2_DIALECT_DEFAULT.map {|d| d.to_i(16)})
+        )
       end
 
       it 'sets the Message ID to 0' do
-        expect(client.smb2_negotiate_request.smb2_header.message_id).to eq 0
+        expect(client.smb2_3_negotiate_request.smb2_header.message_id).to eq 0
+      end
+
+      it 'adds SMB3 dialects if if SMB3 support is enabled' do
+        expect(client.smb2_3_negotiate_request.dialects).to include(
+          *(RubySMB::Client::SMB3_DIALECT_DEFAULT.map {|d| d.to_i(16)})
+        )
+      end
+
+      it 'does not set the default SMB3 Dialect if SMB3 support is disabled' do
+        expect(smb2_client.smb2_3_negotiate_request.dialects).to_not include(
+          *(RubySMB::Client::SMB3_DIALECT_DEFAULT.map {|d| d.to_i(16)})
+        )
+      end
+    end
+
+    describe '#add_smb3_to_negotiate_request' do
+      let(:negotiate_request) { RubySMB::SMB2::Packet::NegotiateRequest.new }
+
+      it 'adds the default SMB3 dialects' do
+        expect(client.add_smb3_to_negotiate_request(negotiate_request).dialects).to include(
+          *(RubySMB::Client::SMB3_DIALECT_DEFAULT.map {|d| d.to_i(16)})
+        )
+      end
+
+      it 'raises the expected exception when the dialects is not an array of strings' do
+        dialects = ['0x0300', 0x0302, '0x0311']
+        expect { client.add_smb3_to_negotiate_request(negotiate_request, dialects) }.to raise_error(ArgumentError)
+      end
+
+      it 'sets encryption capability flag' do
+        expect(client.add_smb3_to_negotiate_request(negotiate_request).capabilities.encryption).to eq(1)
+      end
+
+      context 'when the negotiate packet includes the 0x0311 dialect' do
+        before :example do
+          client.add_smb3_to_negotiate_request(negotiate_request, ['0x0311'])
+        end
+
+        it 'adds 3 Negotiate Contexts' do
+          expect(negotiate_request.negotiate_context_info.negotiate_context_count).to eq(3)
+        end
+
+        it 'adds a Preauth Integrity Negotiate Context with the expected hash algorithms' do
+          nc = negotiate_request.negotiate_context_list.select do |n|
+              n.context_type == RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+          end
+          expect(nc.length).to eq(1)
+          expect(nc.first.data.hash_algorithms).to eq([RubySMB::SMB2::PreauthIntegrityCapabilities::SHA_512])
+        end
+
+        it 'adds Encryption Negotiate Contexts with the expected encryption algorithms' do
+          nc = negotiate_request.negotiate_context_list.select do |n|
+              n.context_type == RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+          end
+          expect(nc.length).to eq(1)
+          expect(nc.first.data.ciphers).to eq(
+            [
+              RubySMB::SMB2::EncryptionCapabilities::AES_128_CCM,
+              RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM
+            ]
+          )
+        end
+
+        it 'adds Compression Negotiate Contexts with the expected compression algorithms' do
+          nc = negotiate_request.negotiate_context_list.select do |n|
+              n.context_type == RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES
+          end
+          expect(nc.length).to eq(1)
+          expect(nc.first.data.compression_algorithms).to eq(
+            [
+              RubySMB::SMB2::CompressionCapabilities::LZNT1,
+              RubySMB::SMB2::CompressionCapabilities::LZ77,
+              RubySMB::SMB2::CompressionCapabilities::LZ77_Huffman,
+              RubySMB::SMB2::CompressionCapabilities::Pattern_V1
+            ]
+          )
+        end
+      end
+
+      context 'when the negotiate packet does not include the 0x0311 dialect' do
+        it 'does not add any Negotiate Context' do
+          client.add_smb3_to_negotiate_request(negotiate_request, ['0x0300', '0x0302'])
+          expect(negotiate_request.negotiate_context_list?). to be false
+        end
       end
     end
 
@@ -320,10 +897,15 @@ RSpec.describe RubySMB::Client do
         client.negotiate_request
       end
 
-      it 'calls #smb2_negotiate_request if SMB2 is enabled' do
-        expect(smb2_client).to receive(:smb2_negotiate_request)
+      it 'calls #smb2_3_negotiate_request if SMB2 is enabled' do
+        expect(smb2_client).to receive(:smb2_3_negotiate_request)
         smb2_client.negotiate_request
       end
+
+      it 'calls #smb2_3_negotiate_request if SMB3 is enabled' do
+        expect(smb3_client).to receive(:smb2_3_negotiate_request)
+        smb3_client.negotiate_request
+      end
     end
 
     describe '#negotiate_response' do
@@ -332,10 +914,15 @@ RSpec.describe RubySMB::Client do
           expect(smb1_client.negotiate_response(smb1_extended_response_raw)).to eq smb1_extended_response
         end
 
-        it 'raises an exception if the Response is invalid' do
+        it 'raises an exception if the response is not a SMB packet' do
           expect { smb1_client.negotiate_response(random_junk) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
 
+        it 'raises an InvalidPacket error if the response is not a valid response' do
+          empty_packet.smb_header.command = RubySMB::SMB2::Commands::NEGOTIATE
+          expect { smb1_client.negotiate_response(empty_packet.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
+        end
+
         it 'considers the response invalid if it is not an actual Negotiate Response' do
           bogus_response = smb1_extended_response
           bogus_response.smb_header.command = 0xff
@@ -357,14 +944,36 @@ RSpec.describe RubySMB::Client do
         it 'raises an exception if the Response is invalid' do
           expect { smb2_client.negotiate_response(random_junk) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
+
+        it 'considers the response invalid if it is not an actual Negotiate Response' do
+          bogus_response = smb2_response
+          bogus_response.smb2_header.command = RubySMB::SMB2::Commands::ECHO
+          expect { smb2_client.negotiate_response(bogus_response.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
+        end
+      end
+
+      context 'with only SMB3' do
+        it 'returns a properly formed packet' do
+          expect(smb3_client.negotiate_response(smb2_response.to_binary_s)).to eq smb2_response
+        end
+
+        it 'raises an exception if the Response is invalid' do
+          expect { smb3_client.negotiate_response(random_junk) }.to raise_error(RubySMB::Error::InvalidPacket)
+        end
+
+        it 'considers the response invalid if it is not an actual Negotiate Response' do
+          bogus_response = smb2_response
+          bogus_response.smb2_header.command = RubySMB::SMB2::Commands::ECHO
+          expect { smb3_client.negotiate_response(bogus_response.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
+        end
       end
 
-      context 'with SMB1 and SMB2 enabled' do
+      context 'with SMB1, SMB2 and SMB3 enabled' do
         it 'returns an SMB1 NegotiateResponse if it looks like SMB1' do
           expect(client.negotiate_response(smb1_extended_response_raw)).to eq smb1_extended_response
         end
 
-        it 'returns an SMB2 NegotiateResponse if it looks like SMB2' do
+        it 'returns an SMB2 NegotiateResponse if it looks like SMB2 or SMB3' do
           expect(client.negotiate_response(smb2_response.to_binary_s)).to eq smb2_response
         end
       end
@@ -372,9 +981,10 @@ RSpec.describe RubySMB::Client do
 
     describe '#parse_negotiate_response' do
       context 'when SMB1 was Negotiated' do
-        it 'turns off SMB2 support' do
+        it 'turns off SMB2 and SMB3 support' do
           client.parse_negotiate_response(smb1_extended_response)
           expect(client.smb2).to be false
+          expect(client.smb3).to be false
         end
 
         it 'sets whether or not signing is required' do
@@ -383,67 +993,427 @@ RSpec.describe RubySMB::Client do
           expect(client.signing_required).to be true
         end
 
-        it 'sets #dialect to the negotiated dialect' do
-          smb1_extended_response.dialects = [
-            RubySMB::SMB1::Dialect.new(dialect_string: 'A'),
-            RubySMB::SMB1::Dialect.new(dialect_string: 'B'),
-            RubySMB::SMB1::Dialect.new(dialect_string: 'C'),
-          ]
-          smb1_extended_response.parameter_block.dialect_index = 1
-          client.parse_negotiate_response(smb1_extended_response)
-          expect(client.dialect).to eq 'B'
-        end
+        it 'sets #dialect to the negotiated dialect' do
+          smb1_extended_response.dialects = [
+            RubySMB::SMB1::Dialect.new(dialect_string: 'A'),
+            RubySMB::SMB1::Dialect.new(dialect_string: 'B'),
+            RubySMB::SMB1::Dialect.new(dialect_string: 'C'),
+          ]
+          smb1_extended_response.parameter_block.dialect_index = 1
+          client.parse_negotiate_response(smb1_extended_response)
+          expect(client.dialect).to eq 'B'
+        end
+
+        it 'returns the string \'SMB1\'' do
+          expect(client.parse_negotiate_response(smb1_extended_response)).to eq ('SMB1')
+        end
+
+        it 'sets #negotiated_smb_version to 1' do
+          client.parse_negotiate_response(smb1_extended_response)
+          expect(client.negotiated_smb_version).to eq(1)
+        end
+      end
+
+      context 'when SMB2 was negotiated' do
+        it 'turns off SMB1 and SMB3 support' do
+          client.parse_negotiate_response(smb2_response)
+          expect(client.smb1).to be false
+          expect(client.smb3).to be false
+        end
+
+        it 'sets whether or not signing is required' do
+          smb2_response.security_mode.signing_required = 1
+          client.parse_negotiate_response(smb2_response)
+          expect(client.signing_required).to be true
+        end
+
+        it 'sets #dialect to the negotiated dialect' do
+          smb2_response.dialect_revision = 2
+          client.parse_negotiate_response(smb2_response)
+          expect(client.dialect).to eq '0x0002'
+        end
+
+        it 'returns the string \'SMB2\'' do
+          expect(client.parse_negotiate_response(smb2_response)).to eq ('SMB2')
+        end
+      end
+
+      context 'when SMB3 was negotiated' do
+        it 'turns off SMB1 and SMB2 support' do
+          client.parse_negotiate_response(smb3_response)
+          expect(client.smb1).to be false
+          expect(client.smb2).to be false
+        end
+
+        it 'sets whether or not signing is required' do
+          smb3_response.security_mode.signing_required = 1
+          client.parse_negotiate_response(smb3_response)
+          expect(client.signing_required).to be true
+        end
+
+        it 'sets #dialect to the negotiated dialect' do
+          client.parse_negotiate_response(smb3_response)
+          expect(client.dialect).to eq '0x0300'
+        end
+
+        it 'returns the string \'SMB2\'' do
+          expect(client.parse_negotiate_response(smb3_response)).to eq ('SMB3')
+        end
+
+        context 'when the server supports encryption' do
+          before :example do
+            smb3_response.capabilities.encryption = 1
+          end
+
+          it 'keeps session encryption enabled if it was already' do
+            client.session_encrypt_data = true
+            client.parse_negotiate_response(smb3_response)
+            expect(client.session_encrypt_data).to be true
+          end
+
+          it 'keeps session encryption disabled if it was already' do
+            client.session_encrypt_data = false
+            client.parse_negotiate_response(smb3_response)
+            expect(client.session_encrypt_data).to be false
+          end
+        end
+
+        context 'when the server does not support encryption' do
+          before :example do
+            smb3_response.capabilities.encryption = 0
+          end
+
+          it 'disables session encryption if it was already enabled' do
+            client.session_encrypt_data = true
+            client.parse_negotiate_response(smb3_response)
+            expect(client.session_encrypt_data).to be false
+          end
+
+          it 'keeps session encryption disabled if it was already' do
+            client.session_encrypt_data = false
+            client.parse_negotiate_response(smb3_response)
+            expect(client.session_encrypt_data).to be false
+          end
+        end
+      end
+
+      context 'when the response contains the SMB2 wildcard revision number dialect' do
+        it 'only turns off SMB1 support' do
+          smb2_response = RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x02ff)
+          client.parse_negotiate_response(smb2_response)
+          expect(client.smb1).to be false
+          expect(client.smb2).to be true
+          expect(client.smb3).to be true
+        end
+      end
+
+      context 'when the negotiation failed' do
+        context 'with a STATUS_NOT_SUPPORTED status code' do
+          before :example do
+            error_packet.smb2_header.nt_status = WindowsError::NTStatus::STATUS_NOT_SUPPORTED.value
+          end
+
+          it 'raises the expected exception with SMB2' do
+            expect { smb2_client.parse_negotiate_response(error_packet) }.to raise_error(
+            RubySMB::Error::NegotiationFailure,
+            'Unable to negotiate with remote host, SMB2 not supported'
+            )
+          end
+
+          it 'raises the expected exception with SMB3' do
+            expect { smb3_client.parse_negotiate_response(error_packet) }.to raise_error(
+            RubySMB::Error::NegotiationFailure,
+            'Unable to negotiate with remote host, SMB3 not supported'
+            )
+          end
+        end
+
+        context 'with an unknown status code' do
+          it 'raises the expected exception' do
+            expect { client.parse_negotiate_response(empty_packet) }.to raise_error(
+            RubySMB::Error::NegotiationFailure,
+            'Unable to negotiate with remote host'
+            )
+          end
+        end
+      end
+    end
+
+    describe '#negotiate' do
+      let(:request_packet) { client.smb1_negotiate_request }
+      before :example do
+        allow(client).to receive(:negotiate_request)
+        allow(client).to receive(:send_recv)
+        allow(client).to receive(:negotiate_response)
+        allow(client).to receive(:parse_negotiate_response)
+      end
+
+      it 'calls the backing methods' do
+        expect(client).to receive(:negotiate_request)
+        expect(client).to receive(:send_recv)
+        expect(client).to receive(:negotiate_response)
+        expect(client).to receive(:parse_negotiate_response)
+        client.negotiate
+      end
+
+      context 'with SMB1' do
+        it 'sets the response-packet #dialects array with the dialects sent in the request' do
+          request_packet = client.smb1_negotiate_request
+          allow(client).to receive(:negotiate_request).and_return(request_packet)
+          allow(client).to receive(:negotiate_response).and_return(smb1_extended_response)
+          expect(smb1_extended_response).to receive(:dialects=).with(request_packet.dialects)
+          client.negotiate
+        end
+      end
+
+      ['0x0300', '0x0302'].each do |dialect|
+        context "with #{dialect} dialect" do
+          before :example do
+            client.dialect = dialect
+          end
+
+          it 'sets the expected encryption algorithm' do
+            client.negotiate
+            expect(client.encryption_algorithm).to eq(RubySMB::SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP[RubySMB::SMB2::EncryptionCapabilities::AES_128_CCM])
+          end
+        end
+      end
+
+      context "with 0x0311 dialect" do
+        it 'calls #parse_smb3_encryption_data' do
+          client.dialect = '0x0311'
+          request_packet = client.smb2_3_negotiate_request
+          allow(client).to receive(:negotiate_request).and_return(request_packet)
+          allow(client).to receive(:negotiate_response).and_return(smb3_response)
+          expect(client).to receive(:parse_smb3_encryption_data).with(request_packet, smb3_response)
+          client.negotiate
+        end
+      end
+
+      context 'with a wildcard revision number response' do
+        before :example do
+          client.dialect = '0x02ff'
+          allow(client).to receive(:smb2_message_id=) do
+            client.dialect = '0x0202'
+          end
+        end
+
+        it 'increments the message ID' do
+          expect(client).to receive(:smb2_message_id=).with(1)
+          client.negotiate
+        end
+
+        it 're-negotiates' do
+          expect(client).to receive(:negotiate_request).twice
+          expect(client).to receive(:send_recv).twice
+          expect(client).to receive(:negotiate_response).twice
+          expect(client).to receive(:parse_negotiate_response).twice
+          client.negotiate
+        end
+      end
+
+      context 'when an error occurs' do
+        before :example do
+          allow(client).to receive(:negotiate_request).and_return(request_packet)
+          allow(client).to receive(:send_recv).and_raise(RubySMB::Error::InvalidPacket)
+          client.smb1 = false
+          client.smb2 = false
+          client.smb3 = false
+        end
+
+        context 'with SMB1' do
+          let(:request_packet) { client.smb1_negotiate_request }
+
+          it 'raise the expected exception' do
+            client.smb1 = true
+            expect { client.negotiate }.to raise_error(
+              RubySMB::Error::NegotiationFailure,
+              "Unable to negotiate SMB1 with the remote host: RubySMB::Error::InvalidPacket"
+            )
+          end
+        end
+
+        context 'with SMB2' do
+          let(:request_packet) { client.smb2_3_negotiate_request }
+
+          it 'raise the expected exception' do
+            client.smb2 = true
+            expect { client.negotiate }.to raise_error(
+              RubySMB::Error::NegotiationFailure,
+              "Unable to negotiate SMB2 with the remote host: RubySMB::Error::InvalidPacket"
+            )
+          end
+        end
+
+        context 'with SMB3' do
+          let(:request_packet) { client.smb2_3_negotiate_request }
 
-        it 'returns the string \'SMB1\'' do
-          expect(client.parse_negotiate_response(smb1_extended_response)).to eq ('SMB1')
+          it 'raise the expected exception' do
+            client.smb3 = true
+            expect { client.negotiate }.to raise_error(
+              RubySMB::Error::NegotiationFailure,
+              "Unable to negotiate SMB3 with the remote host: RubySMB::Error::InvalidPacket"
+            )
+          end
         end
       end
 
-      context 'when SMB2 was negotiated' do
-        it 'turns off SMB1 support' do
-          client.parse_negotiate_response(smb2_response)
-          expect(client.smb1).to be false
+      describe '#parse_smb3_encryption_data' do
+        let(:request_packet) { client.smb2_3_negotiate_request }
+        let(:smb3_response) { RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x311) }
+        let(:nc_encryption) do
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+          )
+          nc.data.ciphers << RubySMB::SMB2::EncryptionCapabilities::AES_128_CCM
+          nc
         end
-
-        it 'sets whether or not signing is required' do
-          smb2_response.security_mode.signing_required = 1
-          client.parse_negotiate_response(smb2_response)
-          expect(client.signing_required).to be true
+        let(:nc_integrity) do
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+          )
+          nc.data.hash_algorithms << RubySMB::SMB2::PreauthIntegrityCapabilities::SHA_512
+          nc
         end
 
-        it 'sets #dialect to the negotiated dialect' do
-          smb2_response.dialect_revision = 2
-          client.parse_negotiate_response(smb2_response)
-          expect(client.dialect).to eq '0x0002'
+        before :example do
+          allow(smb3_client).to receive(:update_preauth_hash)
+          smb3_response.add_negotiate_context(nc_encryption)
+          smb3_response.add_negotiate_context(nc_integrity)
         end
 
-        it 'returns the string \'SMB2\'' do
-          expect(client.parse_negotiate_response(smb2_response)).to eq ('SMB2')
+        context 'when selecting the integrity hash algorithm' do
+          context 'with one algorithm' do
+            it 'selects the expected algorithm' do
+              smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+              expect(smb3_client.preauth_integrity_hash_algorithm).to eq('SHA512')
+            end
+          end
+
+          context 'with multiple algorithms' do
+            it 'selects the first algorithm' do
+              nc = smb3_response.find_negotiate_context(
+                RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+              )
+              nc.data.hash_algorithms << 3
+              smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+              expect(smb3_client.preauth_integrity_hash_algorithm).to eq('SHA512')
+            end
+          end
+
+          context 'without integrity negotiate context' do
+            it 'raises the expected exception' do
+              smb3_response = RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x311)
+              smb3_response.add_negotiate_context(nc_encryption)
+              expect { smb3_client.parse_smb3_encryption_data(request_packet, smb3_response) }.to raise_error(
+                RubySMB::Error::EncryptionError,
+                'Unable to retrieve the Preauth Integrity Hash Algorithm from the Negotiate response'
+              )
+            end
+          end
+
+          context 'with an unknown integrity hash algorithm' do
+            it 'raises the expected exception' do
+              smb3_response = RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x311)
+              smb3_response.add_negotiate_context(nc_encryption)
+              nc = RubySMB::SMB2::NegotiateContext.new(
+                context_type: RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+              )
+              nc.data.hash_algorithms << 5
+              smb3_response.add_negotiate_context(nc)
+              expect { smb3_client.parse_smb3_encryption_data(request_packet, smb3_response) }.to raise_error(
+                RubySMB::Error::EncryptionError,
+                'Unable to retrieve the Preauth Integrity Hash Algorithm from the Negotiate response'
+              )
+            end
+          end
         end
-      end
-    end
 
-    describe '#negotiate' do
-      it 'calls the backing methods' do
-        expect(client).to receive(:negotiate_request)
-        expect(client).to receive(:send_recv)
-        expect(client).to receive(:negotiate_response)
-        expect(client).to receive(:parse_negotiate_response)
-        client.negotiate
-      end
+        context 'when selecting the encryption algorithm' do
+          context 'with one algorithm' do
+            it 'selects the expected algorithm' do
+              smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+              expect(smb3_client.encryption_algorithm).to eq('AES-128-CCM')
+            end
+          end
 
-      it 'sets the response-packet #dialects array with the dialects sent in the request' do
-        request_packet = client.smb1_negotiate_request
-        allow(client).to receive(:negotiate_request).and_return(request_packet)
-        allow(client).to receive(:send_recv)
-        allow(client).to receive(:negotiate_response).and_return(smb1_extended_response)
-        expect(smb1_extended_response).to receive(:dialects=).with(request_packet.dialects)
-        client.negotiate
-      end
+          context 'with multiple algorithms' do
+            it 'selects the AES-128-GCM algorithm if included' do
+              nc = smb3_response.find_negotiate_context(
+                RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+              )
+              nc.data.ciphers << RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM
+              smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+              expect(smb3_client.encryption_algorithm).to eq('AES-128-GCM')
+            end
+
+            it 'selects the first algorithm if AES-128-GCM is not included' do
+              nc = smb3_response.find_negotiate_context(
+                RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+              )
+              nc.data.ciphers << 3
+              smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+              expect(smb3_client.encryption_algorithm).to eq('AES-128-CCM')
+            end
+
+            it 'keep tracks of the server supported algorithms' do
+              nc = smb3_response.find_negotiate_context(
+                RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+              )
+              nc.data.ciphers << RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM
+              smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+              expect(smb3_client.server_encryption_algorithms).to eq([1, 2])
+            end
+          end
+
+          context 'without encryption context' do
+            it 'raises the expected exception' do
+              smb3_response = RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x311)
+              smb3_response.add_negotiate_context(nc_integrity)
+              expect { smb3_client.parse_smb3_encryption_data(request_packet, smb3_response) }.to raise_error(
+                RubySMB::Error::EncryptionError,
+                'Unable to retrieve the encryption cipher list supported by the server from the Negotiate response'
+              )
+            end
+          end
+
+          context 'with an unknown encryption algorithm' do
+            it 'raises the expected exception' do
+              smb3_response = RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x311)
+              smb3_response.add_negotiate_context(nc_integrity)
+              nc = RubySMB::SMB2::NegotiateContext.new(
+                context_type: RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+              )
+              nc.data.ciphers << 14
+              smb3_response.add_negotiate_context(nc)
+              expect { smb3_client.parse_smb3_encryption_data(request_packet, smb3_response) }.to raise_error(
+                RubySMB::Error::EncryptionError,
+                'Unable to retrieve the encryption cipher list supported by the server from the Negotiate response'
+              )
+            end
+          end
+        end
+
+        context 'when selecting the compression algorithm' do
+          it 'keep tracks of the server supported algorithms' do
+            nc = RubySMB::SMB2::NegotiateContext.new(
+              context_type: RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES
+            )
+            nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZNT1
+            nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77
+            nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77_Huffman
+            nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::Pattern_V1
+            smb3_response.add_negotiate_context(nc)
+            smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+            expect(smb3_client.server_compression_algorithms).to eq([1, 2, 3, 4])
+          end
+        end
 
-      it 'raise the expected exception if an error occurs' do
-        allow(client).to receive(:send_recv).and_raise(RubySMB::Error::InvalidPacket)
-        expect { client.negotiate }.to raise_error(RubySMB::Error::NegotiationFailure)
+        it 'updates the preauth hash' do
+          expect(smb3_client).to receive(:update_preauth_hash).with(request_packet)
+          expect(smb3_client).to receive(:update_preauth_hash).with(smb3_response)
+          smb3_client.parse_smb3_encryption_data(request_packet, smb3_response)
+        end
       end
     end
   end
@@ -624,7 +1594,7 @@ RSpec.describe RubySMB::Client do
           expect { smb1_client.smb1_ntlmssp_challenge_packet(response.to_binary_s) }.to raise_error(RubySMB::Error::UnexpectedStatusCode)
         end
 
-        it 'raises an InvalidPacket if the Command field is wrong' do
+        it 'raise an InvalidPacket exception when the response is not valid' do
           expect { smb1_client.smb1_ntlmssp_challenge_packet(wrong_command.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
       end
@@ -645,7 +1615,7 @@ RSpec.describe RubySMB::Client do
           expect(smb1_client.smb1_ntlmssp_final_packet(response.to_binary_s)).to eq response
         end
 
-        it 'raises an InvalidPacket if the Command field is wrong' do
+        it 'raise an InvalidPacket exception when the response is not valid' do
           expect { smb1_client.smb1_ntlmssp_final_packet(wrong_command.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
       end
@@ -717,12 +1687,7 @@ RSpec.describe RubySMB::Client do
             expect(smb1_client.smb1_anonymous_auth_response(anonymous_response.to_binary_s)).to eq anonymous_response
           end
 
-          it 'returns an empty packet if the raw data is not a valid response' do
-            empty_packet.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_SESSION_SETUP
-            expect(smb1_client.smb1_anonymous_auth_response(empty_packet.to_binary_s)).to eq empty_packet
-          end
-
-          it 'raises an InvalidPacket error if the command is wrong' do
+          it 'raise an InvalidPacket exception when the response is not valid' do
             anonymous_response.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_NEGOTIATE
             expect { smb1_client.smb1_anonymous_auth_response(anonymous_response.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
           end
@@ -775,6 +1740,39 @@ RSpec.describe RubySMB::Client do
           smb2_client.smb2_authenticate
           expect(smb2_client.os_version).to eq '6.1.7601'
         end
+
+        ['0x0202', '0x0210', '0x0300', '0x0302'].each do |dialect|
+          it "does not update the preauth hash with dialect #{dialect}" do
+            smb2_client.dialect = dialect
+            expect(smb2_client).to_not receive(:update_preauth_hash)
+            smb2_client.smb2_authenticate
+          end
+        end
+
+        it "updates the preauth hash with dialect 0x0311" do
+          smb2_client.dialect = '0x0311'
+          expect(smb2_client).to receive(:update_preauth_hash).with(response_packet)
+          smb2_client.smb2_authenticate
+        end
+
+        context 'when setting the session_encrypt_data parameter' do
+          before :example do
+            smb2_client.smb3 = true
+            smb2_client.session_encrypt_data = false
+          end
+
+          it 'sets the session_encrypt_data parameter to true if the server requires encryption' do
+            final_response_packet.session_flags.encrypt_data = 1
+            smb2_client.smb2_authenticate
+            expect(smb2_client.session_encrypt_data).to be true
+          end
+
+          it 'does not set the session_encrypt_data parameter if the server does not require encryption' do
+            final_response_packet.session_flags.encrypt_data = 0
+            smb2_client.smb2_authenticate
+            expect(smb2_client.session_encrypt_data).to be false
+          end
+        end
       end
 
       describe '#smb2_ntlmssp_negotiate_packet' do
@@ -790,20 +1788,34 @@ RSpec.describe RubySMB::Client do
           smb2_client.smb2_ntlmssp_negotiate_packet
         end
 
-        it 'sets the message ID in the packet header to 1' do
-          expect(smb2_client.smb2_ntlmssp_negotiate_packet.smb2_header.message_id).to eq 1
-        end
-
-        it 'increments client#smb2_message_id' do
-          expect { smb2_client.smb2_ntlmssp_negotiate_packet }.to change(smb2_client, :smb2_message_id).to(2)
+        it 'enables signing' do
+          expect(smb2_client.smb2_ntlmssp_negotiate_packet.security_mode.signing_enabled).to eq 1
         end
       end
 
       describe '#smb2_ntlmssp_negotiate' do
+        before :example do
+          allow(smb2_client).to receive(:smb2_ntlmssp_negotiate_packet).and_return(negotiate_packet)
+          allow(smb2_client).to receive(:send_recv)
+        end
+
         it 'sends the request packet and receives a response' do
-          expect(smb2_client).to receive(:smb2_ntlmssp_negotiate_packet).and_return(negotiate_packet)
-          expect(dispatcher).to receive(:send_packet).with(negotiate_packet)
-          expect(dispatcher).to receive(:recv_packet)
+          expect(smb2_client).to receive(:smb2_ntlmssp_negotiate_packet)
+          expect(smb2_client).to receive(:send_recv).with(negotiate_packet)
+          smb2_client.smb2_ntlmssp_negotiate
+        end
+
+        ['0x0202', '0x0210', '0x0300', '0x0302'].each do |dialect|
+          it "does not update the preauth hash with dialect #{dialect}" do
+            smb2_client.dialect = dialect
+            expect(smb2_client).to_not receive(:update_preauth_hash)
+            smb2_client.smb2_ntlmssp_negotiate
+          end
+        end
+
+        it "updates the preauth hash with dialect 0x0311" do
+          smb2_client.dialect = '0x0311'
+          expect(smb2_client).to receive(:update_preauth_hash).with(negotiate_packet)
           smb2_client.smb2_ntlmssp_negotiate
         end
       end
@@ -829,7 +1841,7 @@ RSpec.describe RubySMB::Client do
           expect { smb2_client.smb2_ntlmssp_challenge_packet(response.to_binary_s) }.to raise_error(RubySMB::Error::UnexpectedStatusCode)
         end
 
-        it 'raises an InvalidPacket if the Command field is wrong' do
+        it 'raise an InvalidPacket exception when the response is not valid' do
           expect { smb2_client.smb2_ntlmssp_challenge_packet(wrong_command.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
       end
@@ -861,13 +1873,35 @@ RSpec.describe RubySMB::Client do
         it 'sets the session ID on the request packet' do
           expect(smb2_client.smb2_ntlmssp_auth_packet(type3_message, session_id).smb2_header.session_id).to eq session_id
         end
+
+        it 'enables signing' do
+          expect(smb2_client.smb2_ntlmssp_auth_packet(type3_message, session_id).security_mode.signing_enabled).to eq 1
+        end
       end
 
       describe '#smb2_ntlmssp_authenticate' do
+        before :example do
+          allow(smb2_client).to receive(:smb2_ntlmssp_auth_packet).and_return(negotiate_packet)
+          allow(smb2_client).to receive(:send_recv)
+        end
+
         it 'sends the request packet and receives a response' do
-          expect(smb2_client).to receive(:smb2_ntlmssp_auth_packet).and_return(negotiate_packet)
-          expect(dispatcher).to receive(:send_packet).with(negotiate_packet)
-          expect(dispatcher).to receive(:recv_packet)
+          expect(smb2_client).to receive(:smb2_ntlmssp_auth_packet)
+          expect(smb2_client).to receive(:send_recv).with(negotiate_packet)
+          smb2_client.smb2_ntlmssp_authenticate(type3_message, session_id)
+        end
+
+        ['0x0202', '0x0210', '0x0300', '0x0302'].each do |dialect|
+          it "does not update the preauth hash with dialect #{dialect}" do
+            smb2_client.dialect = dialect
+            expect(smb2_client).to_not receive(:update_preauth_hash)
+            smb2_client.smb2_ntlmssp_authenticate(type3_message, session_id)
+          end
+        end
+
+        it "updates the preauth hash with dialect 0x0311" do
+          smb2_client.dialect = '0x0311'
+          expect(smb2_client).to receive(:update_preauth_hash).with(negotiate_packet)
           smb2_client.smb2_ntlmssp_authenticate(type3_message, session_id)
         end
       end
@@ -888,7 +1922,7 @@ RSpec.describe RubySMB::Client do
           expect(smb2_client.smb2_ntlmssp_final_packet(response.to_binary_s)).to eq response
         end
 
-        it 'raises an InvalidPacket if the Command field is wrong' do
+        it 'raise an InvalidPacket exception when the response is not valid' do
           expect { smb2_client.smb2_ntlmssp_final_packet(wrong_command.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
       end
@@ -1003,6 +2037,108 @@ RSpec.describe RubySMB::Client do
         end
       end
     end
+
+    describe '#smb3_sign' do
+      context 'if signing is required and we have a session key' do
+        let(:request) {
+          packet = RubySMB::SMB2::Packet::SessionSetupRequest.new
+          packet.smb2_header.flags.signed = 1
+          packet.smb2_header.signature = "\x00" * 16
+          packet
+        }
+        let(:session_key) { 'Session Key' }
+        before :example do
+          smb3_client.session_key = session_key
+          smb3_client.signing_required = true
+        end
+
+        ['0x0300', '0x0302'].each do |dialect|
+          context "with #{dialect} dialect" do
+            it 'generates the signing key based on the session key and specific strings, and sign the packet with CMAC' do
+              smb3_client.dialect = dialect
+              fake_hash = "\x34\xc0\x40\xfe\x87\xcf\x49\x3d\x37\x87\x52\xd0\xd5\xf5\xfb\x86".b
+              signing_key = RubySMB::Crypto::KDF.counter_mode(session_key, "SMB2AESCMAC\x00", "SmbSign\x00")
+              expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(session_key, "SMB2AESCMAC\x00", "SmbSign\x00").and_call_original
+              expect(OpenSSL::CMAC).to receive(:digest).with('AES', signing_key, request.to_binary_s).and_call_original
+              expect(smb3_client.smb3_sign(request).smb2_header.signature).to eq fake_hash
+            end
+          end
+        end
+
+        context "with 0x0311 dialect" do
+          it 'generates the signing key based on the session key, the preauth integrity hash and specific strings, and sign the packet with CMAC' do
+            smb3_client.dialect = '0x0311'
+            preauth_integrity_hash_value = 'Preauth Integrity Hash'
+            fake_hash = "\x0e\x49\x6f\x8e\x74\x7c\xf2\xa0\x88\x5e\x9d\x54\xff\x0d\x0d\xfa".b
+            smb3_client.preauth_integrity_hash_value = preauth_integrity_hash_value
+            signing_key = RubySMB::Crypto::KDF.counter_mode(session_key, "SMBSigningKey\x00", preauth_integrity_hash_value)
+            expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(session_key, "SMBSigningKey\x00", preauth_integrity_hash_value).and_call_original
+            expect(OpenSSL::CMAC).to receive(:digest).with('AES', signing_key, request.to_binary_s).and_call_original
+            expect(smb3_client.smb3_sign(request).smb2_header.signature).to eq fake_hash
+          end
+        end
+
+        context 'with an incompatible dialect' do
+          it 'raises the expected exception' do
+            smb3_client.dialect = '0x0202'
+            expect { smb3_client.smb3_sign(request) }.to raise_error(
+              RubySMB::Error::SigningError,
+              'Dialect is incompatible with SMBv3 signing'
+            )
+          end
+        end
+      end
+
+      context 'if signing is not required but it is a TreeConnectRequest and we have a session key' do
+        let(:request) {
+          packet = RubySMB::SMB2::Packet::TreeConnectRequest.new
+          packet.smb2_header.flags.signed = 1
+          packet.smb2_header.signature = "\x00" * 16
+          packet
+        }
+        let(:session_key) { 'Session Key' }
+        before :example do
+          smb3_client.session_key = session_key
+          smb3_client.signing_required = false
+        end
+
+        ['0x0300', '0x0302'].each do |dialect|
+          context "with #{dialect} dialect" do
+            it 'generates the signing key based on the session key and specific strings, and sign the packet with CMAC' do
+              smb3_client.dialect = dialect
+              fake_hash = "\x34\x9e\x28\xb9\x50\x08\x34\x31\xc0\x83\x9d\xba\x56\xa5\x70\xa4".b
+              signing_key = RubySMB::Crypto::KDF.counter_mode(session_key, "SMB2AESCMAC\x00", "SmbSign\x00")
+              expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(session_key, "SMB2AESCMAC\x00", "SmbSign\x00").and_call_original
+              expect(OpenSSL::CMAC).to receive(:digest).with('AES', signing_key, request.to_binary_s).and_call_original
+              expect(smb3_client.smb3_sign(request).smb2_header.signature).to eq fake_hash
+            end
+          end
+        end
+
+        context "with 0x0311 dialect" do
+          it 'generates the signing key based on the session key, the preauth integrity hash and specific strings, and sign the packet with CMAC' do
+            smb3_client.dialect = '0x0311'
+            preauth_integrity_hash_value = 'Preauth Integrity Hash'
+            fake_hash = "\x83\xd9\x31\x39\x60\x46\xbe\x1e\x29\x34\xc8\xcf\x8c\x8e\xb4\x73".b
+            smb3_client.preauth_integrity_hash_value = preauth_integrity_hash_value
+            signing_key = RubySMB::Crypto::KDF.counter_mode(session_key, "SMBSigningKey\x00", preauth_integrity_hash_value)
+            expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(session_key, "SMBSigningKey\x00", preauth_integrity_hash_value).and_call_original
+            expect(OpenSSL::CMAC).to receive(:digest).with('AES', signing_key, request.to_binary_s).and_call_original
+            expect(smb3_client.smb3_sign(request).smb2_header.signature).to eq fake_hash
+          end
+        end
+
+        context 'with an incompatible dialect' do
+          it 'raises the expected exception' do
+            smb3_client.dialect = '0x0202'
+            expect { smb3_client.smb3_sign(request) }.to raise_error(
+              RubySMB::Error::SigningError,
+              'Dialect is incompatible with SMBv3 signing'
+            )
+          end
+        end
+      end
+    end
   end
 
   context '#increment_smb_message_id' do
@@ -1056,7 +2192,10 @@ RSpec.describe RubySMB::Client do
 
         it 'raises an UnexpectedStatusCode exception if we do not get STATUS_SUCCESS' do
           response.smb_header.nt_status = 0xc0000015
-          expect { smb1_client.smb1_tree_from_response(path, response) }.to raise_error(RubySMB::Error::UnexpectedStatusCode, 'STATUS_NONEXISTENT_SECTOR')
+          expect { smb1_client.smb1_tree_from_response(path, response) }.to raise_error(
+            RubySMB::Error::UnexpectedStatusCode,
+            'The server responded with an unexpected status code: STATUS_NONEXISTENT_SECTOR'
+          )
         end
 
         it 'creates a new Tree from itself, the share path, and the response packet' do
@@ -1077,11 +2216,14 @@ RSpec.describe RubySMB::Client do
       }
 
       describe '#smb2_tree_connect' do
-        it 'builds and sends a TreeconnectRequest for the supplied share' do
+        it 'builds and sends the expected TreeconnectRequest for the supplied share' do
           allow(RubySMB::SMB2::Packet::TreeConnectRequest).to receive(:new).and_return(request)
-          modified_request = request
-          modified_request.encode_path(path)
-          expect(smb2_client).to receive(:send_recv).with(modified_request).and_return(response.to_binary_s)
+          expect(smb2_client).to receive(:send_recv) do |req|
+            expect(req).to eq(request)
+            expect(req.smb2_header.tree_id).to eq(65_535)
+            expect(req.path).to eq(path.encode('UTF-16LE'))
+            response.to_binary_s
+          end
           smb2_client.smb2_tree_connect(path)
         end
 
@@ -1100,11 +2242,20 @@ RSpec.describe RubySMB::Client do
 
         it 'raises an UnexpectedStatusCode exception if we do not get STATUS_SUCCESS' do
           response.smb2_header.nt_status = 0xc0000015
-          expect { smb2_client.smb2_tree_from_response(path, response) }.to raise_error(RubySMB::Error::UnexpectedStatusCode, 'STATUS_NONEXISTENT_SECTOR')
+          expect { smb2_client.smb2_tree_from_response(path, response) }.to raise_error(
+            RubySMB::Error::UnexpectedStatusCode,
+            'The server responded with an unexpected status code: STATUS_NONEXISTENT_SECTOR'
+          )
         end
 
         it 'creates a new Tree from itself, the share path, and the response packet' do
-          expect(RubySMB::SMB2::Tree).to receive(:new).with(client: smb2_client, share: path, response: response)
+          expect(RubySMB::SMB2::Tree).to receive(:new).with(client: smb2_client, share: path, response: response, encrypt: false)
+          smb2_client.smb2_tree_from_response(path, response)
+        end
+
+        it 'creates a new with encryption set if the response requires it' do
+          response.share_flags.encrypt = 1
+          expect(RubySMB::SMB2::Tree).to receive(:new).with(client: smb2_client, share: path, response: response, encrypt: true)
           smb2_client.smb2_tree_from_response(path, response)
         end
       end
@@ -1199,6 +2350,12 @@ RSpec.describe RubySMB::Client do
         expect(smb1_client).to receive(:send_recv).and_return(echo_response.to_binary_s)
         expect(smb1_client.echo).to eq WindowsError::NTStatus::STATUS_ABANDONED
       end
+
+      it 'raise an InvalidPacket exception when the response is not valid' do
+        echo_response.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_SESSION_SETUP_ANDX
+        allow(smb1_client).to receive(:send_recv).and_return(echo_response.to_binary_s)
+        expect { smb1_client.echo }.to raise_error(RubySMB::Error::InvalidPacket)
+      end
     end
 
     context 'with SMB2' do
@@ -1210,8 +2367,355 @@ RSpec.describe RubySMB::Client do
         expect(smb2_client).to receive(:send_recv).with(echo_request).and_return(echo_response.to_binary_s)
         expect(smb2_client.smb2_echo).to eq echo_response
       end
+
+      it 'raise an InvalidPacket exception when the response is not valid' do
+        echo_response.smb2_header.command = RubySMB::SMB2::Commands::SESSION_SETUP
+        allow(smb2_client).to receive(:send_recv).and_return(echo_response.to_binary_s)
+        expect { smb2_client.smb2_echo }.to raise_error(RubySMB::Error::InvalidPacket)
+      end
+    end
+  end
+
+  context 'Winreg' do
+    describe '#connect_to_winreg' do
+      let(:host)       { '1.2.3.4' }
+      let(:share)      { "\\\\#{host}\\IPC$" }
+      let(:ipc_tree)   { double('IPC$ tree') }
+      let(:named_pipe) { double('Named pipe') }
+      before :example do
+        allow(ipc_tree).to receive_messages(
+          :share     => share,
+          :open_file => named_pipe
+        )
+        allow(client).to receive(:tree_connect).and_return(ipc_tree)
+      end
+
+      context 'when the client is already connected to the IPC$ share' do
+        before :example do
+          client.tree_connects << ipc_tree
+          allow(ipc_tree).to receive(:share).and_return(share)
+        end
+
+        it 'does not connect to the already connected tree' do
+          client.connect_to_winreg(host)
+          expect(client).to_not have_received(:tree_connect)
+        end
+      end
+
+      it 'calls #tree_connect' do
+        client.connect_to_winreg(host)
+        expect(client).to have_received(:tree_connect).with(share)
+      end
+
+      it 'open \'winreg\' file on the IPC$ Tree' do
+        client.connect_to_winreg(host)
+        expect(ipc_tree).to have_received(:open_file).with(filename: "winreg", write: true, read: true)
+      end
+
+      it 'returns the expected opened named pipe' do
+        expect(client.connect_to_winreg(host)).to eq(named_pipe)
+      end
+
+      context 'when a block is given' do
+        before :example do
+          allow(named_pipe).to receive(:close)
+        end
+
+        it 'yields the expected named_pipe' do
+          client.connect_to_winreg(host) do |np|
+            expect(np).to eq(named_pipe)
+          end
+        end
+
+        it 'closes the named pipe' do
+          client.connect_to_winreg(host) { |np| }
+          expect(named_pipe).to have_received(:close)
+        end
+
+        it 'returns the block return value' do
+          result = double('Result')
+          expect(client.connect_to_winreg(host) { |np| result }).to eq(result)
+        end
+      end
+    end
+
+    describe '#has_registry_key?' do
+      let(:host)       { '1.2.3.4' }
+      let(:key)        { 'HKLM\\Registry\\Key' }
+      let(:named_pipe) { double('Named pipe') }
+      let(:result)     { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:has_registry_key?).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.has_registry_key?(host, key)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #has_registry_key?' do
+        client.has_registry_key?(host, key)
+        expect(named_pipe).to have_received(:has_registry_key?).with(key)
+      end
+    end
+
+    describe '#read_registry_key_value' do
+      let(:host)        { '1.2.3.4' }
+      let(:key)         { 'HKLM\\Registry\\Key' }
+      let(:value_name)  { 'Value' }
+      let(:named_pipe)  { double('Named pipe') }
+      let(:result)      { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:read_registry_key_value).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.read_registry_key_value(host, key, value_name)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #read_registry_key_value' do
+        client.read_registry_key_value(host, key, value_name)
+        expect(named_pipe).to have_received(:read_registry_key_value).with(key, value_name)
+      end
+    end
+
+    describe '#enum_registry_key' do
+      let(:host)       { '1.2.3.4' }
+      let(:key)        { 'HKLM\\Registry\\Key' }
+      let(:named_pipe) { double('Named pipe') }
+      let(:result)     { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:enum_registry_key).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.enum_registry_key(host, key)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #enum_registry_key' do
+        client.enum_registry_key(host, key)
+        expect(named_pipe).to have_received(:enum_registry_key).with(key)
+      end
+    end
+
+    describe '#enum_registry_values' do
+      let(:host)       { '1.2.3.4' }
+      let(:key)        { 'HKLM\\Registry\\Key' }
+      let(:named_pipe) { double('Named pipe') }
+      let(:result)     { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:enum_registry_values).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.enum_registry_values(host, key)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #enum_registry_values' do
+        client.enum_registry_values(host, key)
+        expect(named_pipe).to have_received(:enum_registry_values).with(key)
+      end
     end
   end
 
+  describe '#update_preauth_hash' do
+    it 'raises an EncryptionError exception if the preauth integrity hash algorithm is not known' do
+      expect { client.update_preauth_hash('Test') }.to raise_error(
+        RubySMB::Error::EncryptionError,
+        'Cannot compute the Preauth Integrity Hash value: Preauth Integrity Hash Algorithm is nil'
+      )
+    end
+
+    it 'computes the hash value' do
+      packet = RubySMB::SMB2::Packet::EchoRequest.new
+      data = 'Previous hash'
+      algo = RubySMB::SMB2::PreauthIntegrityCapabilities::HASH_ALGORITM_MAP[
+        RubySMB::SMB2::PreauthIntegrityCapabilities::SHA_512
+      ]
+      client.preauth_integrity_hash_algorithm = algo
+      client.preauth_integrity_hash_value = data
+      hash = OpenSSL::Digest.digest(algo, data + packet.to_binary_s)
+      client.update_preauth_hash(packet)
+      expect(client.preauth_integrity_hash_value).to eq(hash)
+    end
+  end
+
+  context 'Encryption' do
+    describe '#smb3_encrypt' do
+      let(:transform_packet) { double('TransformHeader packet') }
+      let(:session_key) { "\x5c\x00\x4a\x3b\xf0\xa2\x4f\x75\x4c\xb2\x74\x0a\xcf\xc4\x8e\x1a".b }
+      let(:data) { RubySMB::SMB2::Packet::TreeConnectRequest.new.to_binary_s }
+
+      before :example do
+        allow(RubySMB::SMB2::Packet::TransformHeader).to receive(:new).and_return(transform_packet)
+        allow(transform_packet).to receive(:encrypt)
+        client.session_key = session_key
+      end
+
+      it 'does not generate a new client encryption key if it already exists' do
+        client.client_encryption_key = 'key'
+        expect(RubySMB::Crypto::KDF).to_not receive(:counter_mode)
+        expect(client.client_encryption_key).to eq('key')
+        client.smb3_encrypt(data)
+      end
+
+      ['0x0300', '0x0302'].each do |dialect|
+        context "with #{dialect} dialect" do
+          before :example do
+            client.dialect = dialect
+          end
+
+          it 'generates the client encryption key with the expected parameters' do
+            expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(
+              session_key,
+              "SMB2AESCCM\x00",
+              "ServerIn \x00"
+            ).and_call_original
+            client.smb3_encrypt(data)
+          end
+        end
+      end
+
+      context 'with 0x0311 dialect' do
+        it 'generates the client encryption key with the expected parameters' do
+          client.preauth_integrity_hash_value = ''
+          client.dialect = '0x0311'
+          expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(
+            session_key,
+            "SMBC2SCipherKey\x00",
+            ''
+          ).and_call_original
+          client.smb3_encrypt(data)
+        end
+      end
+
+      it 'raises the expected exception if the dialect is incompatible' do
+        client.dialect = '0x0202'
+        expect { client.smb3_encrypt(data) }.to raise_error(RubySMB::Error::EncryptionError)
+      end
+
+      it 'creates a TransformHeader packet and encrypt the data' do
+        client.dialect = '0x0300'
+        client.encryption_algorithm = 'AES-128-CCM'
+        client.session_id = 123
+        client.smb3_encrypt(data)
+        expect(RubySMB::SMB2::Packet::TransformHeader).to have_received(:new).with(flags: 1, session_id: 123)
+        expect(transform_packet).to have_received(:encrypt).with(data, client.client_encryption_key, algorithm: 'AES-128-CCM')
+      end
+
+      it 'generates the expected client encryption key with 0x0302 dialect' do
+        client.dialect = '0x0302'
+        expected_enc_key =
+          "\xa4\xfa\x23\xc1\xb0\x65\x84\xce\x47\x08\x5b\xe0\x64\x98\xd7\x87".b
+        client.smb3_encrypt(data)
+        expect(client.client_encryption_key).to eq expected_enc_key
+      end
+
+      it 'generates the expected client encryption key with 0x0311 dialect' do
+        client.dialect = '0x0311'
+        client.session_key =
+          "\x5c\x00\x4a\x3b\xf0\xa2\x4f\x75\x4c\xb2\x74\x0a\xcf\xc4\x8e\x1a".b
+        client.preauth_integrity_hash_value =
+          "\x57\x77\x7d\x47\xc2\xa9\xc8\x23\x6e\x8a\xfa\x39\xe8\x77\x2f\xb0\xb6"\
+          "\x01\xba\x85\x58\x77\xf5\x01\xa0\xf0\x31\x69\x6a\x64\x49\x1c\x61\xdb"\
+          "\x57\x34\x19\x1b\x80\x33\x9a\xfa\x1d\x6c\x3f\xca\x44\x68\x78\x5b\xb9"\
+          "\xda\x41\xfa\x83\xe5\xa9\x6f\xcf\x44\xbc\xe5\x26\x6e".b
+        expected_enc_key =
+          "\xc7\x4e\xfe\x4d\x15\x48\x5b\x0b\x71\x45\x49\x26\x8a\xd9\x6c\xaa".b
+        client.smb3_encrypt(data)
+        expect(client.client_encryption_key).to eq expected_enc_key
+      end
+    end
+
+    describe '#smb3_decrypt' do
+      let(:transform_packet) { double('TransformHeader packet') }
+      let(:session_key) { "\x5c\x00\x4a\x3b\xf0\xa2\x4f\x75\x4c\xb2\x74\x0a\xcf\xc4\x8e\x1a".b }
+
+      before :example do
+        allow(transform_packet).to receive(:decrypt)
+        client.session_key = session_key
+      end
+
+      it 'does not generate a new server encryption key if it already exists' do
+        client.server_encryption_key = 'key'
+        expect(RubySMB::Crypto::KDF).to_not receive(:counter_mode)
+        expect(client.server_encryption_key).to eq('key')
+        client.smb3_decrypt(transform_packet)
+      end
+
+      ['0x0300', '0x0302'].each do |dialect|
+        context "with #{dialect} dialect" do
+          before :example do
+            client.dialect = dialect
+          end
+
+          it 'generates the client encryption key with the expected parameters' do
+            expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(
+              session_key,
+              "SMB2AESCCM\x00",
+              "ServerOut\x00"
+            ).and_call_original
+            client.smb3_decrypt(transform_packet)
+          end
+        end
+      end
+
+      context 'with 0x0311 dialect' do
+        it 'generates the client encryption key with the expected parameters' do
+          client.preauth_integrity_hash_value = ''
+          client.dialect = '0x0311'
+          expect(RubySMB::Crypto::KDF).to receive(:counter_mode).with(
+            session_key,
+            "SMBS2CCipherKey\x00",
+            ''
+          ).and_call_original
+          client.smb3_decrypt(transform_packet)
+        end
+      end
+
+      it 'raises the expected exception if the dialect is incompatible' do
+        client.dialect = '0x0202'
+        expect { client.smb3_decrypt(transform_packet) }.to raise_error(RubySMB::Error::EncryptionError)
+      end
+
+      it 'creates a TransformHeader packet and encrypt the data' do
+        client.dialect = '0x0300'
+        client.encryption_algorithm = 'AES-128-CCM'
+        client.session_id = 123
+        client.smb3_decrypt(transform_packet)
+        expect(transform_packet).to have_received(:decrypt).with(client.server_encryption_key, algorithm: 'AES-128-CCM')
+      end
+
+      it 'generates the expected server encryption key with 0x0302 dialect' do
+        client.dialect = '0x0302'
+        expected_enc_key =
+          "\x65\x21\xd3\x6d\xe9\xe3\x5a\x66\x09\x61\xae\x3e\xc6\x49\x6b\xdf".b
+        client.smb3_decrypt(transform_packet)
+        expect(client.server_encryption_key).to eq expected_enc_key
+      end
+
+      it 'generates the expected server encryption key with 0x0311 dialect' do
+        client.dialect = '0x0311'
+        client.session_key =
+          "\x5c\x00\x4a\x3b\xf0\xa2\x4f\x75\x4c\xb2\x74\x0a\xcf\xc4\x8e\x1a".b
+        client.preauth_integrity_hash_value =
+          "\x57\x77\x7d\x47\xc2\xa9\xc8\x23\x6e\x8a\xfa\x39\xe8\x77\x2f\xb0\xb6"\
+          "\x01\xba\x85\x58\x77\xf5\x01\xa0\xf0\x31\x69\x6a\x64\x49\x1c\x61\xdb"\
+          "\x57\x34\x19\x1b\x80\x33\x9a\xfa\x1d\x6c\x3f\xca\x44\x68\x78\x5b\xb9"\
+          "\xda\x41\xfa\x83\xe5\xa9\x6f\xcf\x44\xbc\xe5\x26\x6e".b
+        expected_enc_key =
+          "\x8c\x2c\x31\x15\x66\xba\xa9\xab\xcf\xb2\x47\x8d\x72\xd5\xd7\x4a".b
+        client.smb3_decrypt(transform_packet)
+        expect(client.server_encryption_key).to eq expected_enc_key
+      end
+    end
+  end
 end