ruby_smb 3.3.17 → 3.3.19

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a184f6972edec8968cd3c69c2c4adb46f62f1ebd652c5b0013ba87d074f3cc8
-  data.tar.gz: e48dc3bf1a1a1771672ac7fbce126da175a596ce3fe4951f8b83e4aec2dcca50
+  metadata.gz: e21d9dbff1980df2ec7b1917034f5989ad2ce369f380d2e9035baec86c7e8f30
+  data.tar.gz: 261147a5cd1f625e1b71efde4cc795e0ca01482e9e84f5d14e9657839e0f609e
 SHA512:
-  metadata.gz: bb45e333f0167db6b3a8d9cacb398d10cc2f5f611d4696c98b76f4daa8b2b1ed9ab03c3e1de83d78114d92f25c6803774fd0204a91e509ad755d4ea891986620
-  data.tar.gz: 81e33299c43682283cd663128ac1a765fdc460e04d57468004965662439d4193f2c422de6f20754b4e77f99461ef317b0b373ffd6c4851b014d4504927d3e05f
+  metadata.gz: bf16b49158f0117f7485c94a0a61094c93c05dfdc563fcc7d4852d243dc2c07be83eef8d31f4500b0c904417cf14b6219b4fe78a1188c2d5952e4256c7990952
+  data.tar.gz: 448ab8fdd1237825646c3328d6e8268ff38b039126cee2a6987748fdcdb6203121f3df3fc53fe906c9cd6df1f4ca64e47a717ae1b6687816694251780758a351

data/lib/ruby_smb/client/authentication.rb

@@ -15,6 +15,10 @@ module RubySMB
         if smb1
           if username.empty? && password.empty?
             smb1_anonymous_auth
+          elsif @smb1_negotiate_challenge
+            # Non-extended security negotiated (e.g. Windows 95/98). Use legacy
+            # LM/NTLM challenge-response rather than NTLMSSP.
+            smb1_legacy_authenticate
           else
             smb1_authenticate
           end
@@ -200,6 +204,55 @@ module RubySMB
         [type2_blob].pack('m')
       end
 
+      # Handles SMB1 authentication against servers that negotiated non-extended
+      # (legacy) security — Windows 95/98/ME and old Samba builds. These hosts
+      # provide a raw 8-byte challenge in the Negotiate response and expect
+      # LM + NTLM hash responses in SessionSetupLegacyRequest.
+      def smb1_legacy_authenticate
+        challenge  = @smb1_negotiate_challenge
+        lm_hash    = Net::NTLM.lm_hash(@password)
+        ntlm_hash  = Net::NTLM.ntlm_hash(@password)
+        lm_resp    = Net::NTLM.lm_response(lm_hash: lm_hash, challenge: challenge)
+        ntlm_resp  = Net::NTLM.ntlm_response(ntlm_hash: ntlm_hash, challenge: challenge)
+
+        packet       = smb1_legacy_auth_request(lm_resp, ntlm_resp)
+        raw_response = send_recv(packet)
+        response     = smb1_legacy_auth_response(raw_response)
+        response_code = response.status_code
+
+        if response_code == WindowsError::NTStatus::STATUS_SUCCESS
+          self.user_id        = response.smb_header.uid
+          self.peer_native_os = response.data_block.native_os.to_s
+          self.peer_native_lm = response.data_block.native_lan_man.to_s
+          self.primary_domain = response.data_block.primary_domain.to_s
+        end
+
+        response_code
+      end
+
+      def smb1_legacy_auth_request(lm_response, ntlm_response)
+        packet = RubySMB::SMB1::Packet::SessionSetupLegacyRequest.new
+        packet.parameter_block.max_buffer_size = self.max_buffer_size
+        packet.parameter_block.max_mpx_count   = 50
+        packet.data_block.oem_password         = lm_response
+        packet.data_block.unicode_password     = ntlm_response
+        packet.data_block.account_name         = @username.encode('ASCII', invalid: :replace, undef: :replace)
+        packet.data_block.primary_domain       = @domain.encode('ASCII', invalid: :replace, undef: :replace)
+        packet
+      end
+
+      def smb1_legacy_auth_response(raw_response)
+        packet = RubySMB::SMB1::Packet::SessionSetupLegacyResponse.read(raw_response)
+        unless packet.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB1::Packet::SessionSetupLegacyResponse::COMMAND,
+            packet:         packet
+          )
+        end
+        packet
+      end
+
       #
       # SMB 2 Methods
       #

data/lib/ruby_smb/client/negotiation.rb

@@ -106,7 +106,8 @@ module RubySMB
       # @return [String] The SMB version as a string ('SMB1', 'SMB2')
       def parse_negotiate_response(packet)
         case packet
-        when RubySMB::SMB1::Packet::NegotiateResponseExtended
+        when RubySMB::SMB1::Packet::NegotiateResponse,
+             RubySMB::SMB1::Packet::NegotiateResponseExtended
           self.smb1 = true
           self.smb2 = false
           self.smb3 = false
@@ -118,7 +119,14 @@ module RubySMB
           self.server_max_buffer_size = packet.parameter_block.max_buffer_size - 260
           self.negotiated_smb_version = 1
           self.session_encrypt_data = false
-          self.negotiation_security_buffer = packet.data_block.security_blob
+          self.server_supports_nt_smbs = packet.parameter_block.capabilities.nt_smbs != 0
+          if packet.is_a?(RubySMB::SMB1::Packet::NegotiateResponseExtended)
+            self.negotiation_security_buffer = packet.data_block.security_blob
+          else
+            # Non-extended security (e.g. Windows 95/98/ME, old Samba). Server provides a raw
+            # 8-byte challenge instead of a SPNEGO blob; store it so auth can compute LM/NTLM responses.
+            @smb1_negotiate_challenge = packet.data_block.challenge.to_s
+          end
           'SMB1'
         when RubySMB::SMB2::Packet::NegotiateResponse
           self.smb1 = false

data/lib/ruby_smb/client/tree_connect.rb

@@ -11,10 +11,17 @@ module RubySMB
       # {RubySMB::SMB1::Tree}
       #
       # @param share [String] the share path to connect to
+      # @param password [String, nil] share-level password for servers using
+      #   share-level authentication (e.g. Windows 95/98/ME)
       # @return [RubySMB::SMB1::Tree] the connected Tree
-      def smb1_tree_connect(share)
+      def smb1_tree_connect(share, password: nil)
         request = RubySMB::SMB1::Packet::TreeConnectRequest.new
         request.smb_header.tid = 65_535
+        if password
+          pass_bytes = password + "\x00".b
+          request.parameter_block.password_length = pass_bytes.length
+          request.data_block.password = pass_bytes
+        end
         request.data_block.path = share
         raw_response = send_recv(request)
         response = RubySMB::SMB1::Packet::TreeConnectResponse.read(raw_response)

data/lib/ruby_smb/client.rb

@@ -309,6 +309,14 @@ module RubySMB
     #   @return [String] The raw security buffer bytes
     attr_accessor :negotiation_security_buffer
 
+    # Whether the negotiated SMB1 server supports the "NT SMBs" capability
+    # (i.e. SMB_COM_NT_CREATE_ANDX). Set false for Windows 95/98/ME and other
+    # LAN Manager-era servers, which must use SMB_COM_OPEN_ANDX instead.
+    # Always true for SMB2/3.
+    # @!attribute [rw] supports_nt_smbs
+    #   @return [Boolean]
+    attr_accessor :server_supports_nt_smbs
+
     # @param dispatcher [RubySMB::Dispatcher::Socket] the packet dispatcher to use
     # @param smb1 [Boolean] whether or not to enable SMB1 support
     # @param smb2 [Boolean] whether or not to enable SMB2 support
@@ -338,10 +346,11 @@ module RubySMB
       @max_buffer_size   = MAX_BUFFER_SIZE
       # These sizes will be modified during negotiation
       @server_max_buffer_size = SERVER_MAX_BUFFER_SIZE
-      @server_max_read_size   = RubySMB::SMB2::File::MAX_PACKET_SIZE
-      @server_max_write_size  = RubySMB::SMB2::File::MAX_PACKET_SIZE
+      @server_max_read_size = RubySMB::SMB2::File::MAX_PACKET_SIZE
+      @server_max_write_size = RubySMB::SMB2::File::MAX_PACKET_SIZE
       @server_max_transact_size = RubySMB::SMB2::File::MAX_PACKET_SIZE
       @server_supports_multi_credit = false
+      @server_supports_nt_smbs = true
 
       # SMB 3.x options
       # this merely initializes the default value for session encryption, it may be changed as necessary when a
@@ -615,13 +624,15 @@ module RubySMB
     # Connects to the supplied share
     #
     # @param share [String] the path to the share in `\\server\share_name` format
+    # @param password [String, nil] share-level password (SMB1 only, for
+    #   servers using share-level auth such as Windows 95/98/ME)
     # @return [RubySMB::SMB1::Tree] if talking over SMB1
     # @return [RubySMB::SMB2::Tree] if talking over SMB2
-    def tree_connect(share)
+    def tree_connect(share, password: nil)
       connected_tree = if smb2 || smb3
         smb2_tree_connect(share)
       else
-        smb1_tree_connect(share)
+        smb1_tree_connect(share, password: password)
       end
       @tree_connects << connected_tree
       connected_tree
@@ -684,7 +695,7 @@ module RubySMB
     # @return [RubySMB::Nbss::SessionRequest] the SessionRequest packet
     def session_request_packet(name = '*SMBSERVER')
       called_name = "#{name.upcase.ljust(15)}\x20"
-      calling_name = "#{''.ljust(15)}\x00"
+      calling_name = "#{@local_workstation.upcase.ljust(15)}\x00"
 
       session_request = RubySMB::Nbss::SessionRequest.new
       session_request.session_header.session_packet_type = RubySMB::Nbss::SESSION_REQUEST

data/lib/ruby_smb/rap/net_share_enum.rb

@@ -0,0 +1,166 @@
+module RubySMB
+  module Rap
+    # NetShareEnum (RAP opcode 0), as defined in [MS-RAP 3.3.4.1](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rap/48dd86d2-4092-49a4-9024-308f0ed77520).
+    # Carried over `\PIPE\LANMAN` using SMB_COM_TRANSACTION. Request parameters
+    # describe the shape of the data the server returns; response parameters
+    # carry the RAP status, entry count, and buffer sizing hint, and the
+    # response data block is an array of `share_info_1` records.
+    module NetShareEnum
+      OPCODE = 0
+
+      # Parameter descriptor for the RAP call itself: (W)ord info level,
+      # (r)eturn buffer pointer, (L)ength hint, (e)ntry count, (h)andle.
+      PARAM_DESCRIPTOR = 'WrLeh'.freeze
+
+      # Data descriptor for `share_info_1`: (B)13 name, (B)yte pad, (W)ord type,
+      # (z) pointer to remark. See MS-RAP 3.2.4 for descriptor syntax.
+      DATA_DESCRIPTOR_LEVEL_1 = 'B13BWz'.freeze
+
+      # Default server receive-buffer size.
+      DEFAULT_RECEIVE_BUFFER_SIZE = 0x1000
+
+      # Share type codes carried in the low bits of `share_info_1.shi1_type`
+      # per MS-RAP 2.5.14. The RAP field is 16 bits wide, unlike the 32-bit
+      # SRVSVC variant in {RubySMB::Dcerpc::Srvsvc::SHARE_TYPES}.
+      SHARE_TYPES = {
+        0x0000 => 'DISK',
+        0x0001 => 'PRINTER',
+        0x0002 => 'DEVICE',
+        0x0003 => 'IPC'
+      }.freeze
+      STYPE_SPECIAL   = 0x8000
+      STYPE_TEMPORARY = 0x4000
+
+      # Single share entry (`share_info_1`) as it appears on the wire.
+      # MS-RAP 2.5.21. Fixed 20-byte layout.
+      class ShareInfo1 < BinData::Record
+        endian :little
+
+        string :netname,        length: 13, trim_padding: true
+        uint8  :pad1
+        uint16 :share_type
+        uint32 :remark_offset
+      end
+
+      # Parameters block of the RAP request (sent in SMB trans_parameters).
+      # Variable-length because of the null-terminated descriptor strings.
+      class Request < BinData::Record
+        endian :little
+
+        uint16   :opcode,              asserted_value: OPCODE
+        stringz  :param_descriptor,    initial_value: PARAM_DESCRIPTOR
+        stringz  :data_descriptor,     initial_value: DATA_DESCRIPTOR_LEVEL_1
+        uint16   :info_level,          initial_value: 1
+        uint16   :receive_buffer_size, initial_value: DEFAULT_RECEIVE_BUFFER_SIZE
+      end
+
+      # Parameters block of the RAP response.
+      # MS-RAP 3.3.5.1 NetShareEnum Response.
+      class Response < BinData::Record
+        endian :little
+
+        uint16 :status
+        uint16 :converter
+        uint16 :entry_count
+        uint16 :available
+      end
+
+      # Sends a RAP NetShareEnum over `\PIPE\LANMAN` using the tree's
+      # existing SMB1 connection. Does not rely on having an opened pipe FID
+      # because Win9x does not permit OPEN_ANDX on `\PIPE\LANMAN`; RAP trans
+      # is accepted directly against the IPC$ tree.
+      #
+      # @return [Array<Hash>] each entry has :name (String) and :type (Integer).
+      # @raise [RubySMB::Error::InvalidPacket] on a malformed SMB response.
+      # @raise [RubySMB::Error::UnexpectedStatusCode] on a non-success SMB status.
+      # @raise [RubySMB::Error::RubySMBError] on a non-zero RAP status.
+      def net_share_enum
+        request = build_net_share_enum_request
+        raw_response = rap_client.send_recv(request)
+        response = RubySMB::SMB1::Packet::Trans::Response.read(raw_response)
+        validate_trans_response!(response)
+        parse_net_share_enum_response(response, raw_response)
+      end
+
+      private
+
+      # The SMB1 tree used to carry RAP traffic. `self` when this module is
+      # mixed into {RubySMB::SMB1::Tree}; the pipe's `tree` when mixed into
+      # {RubySMB::SMB1::Pipe}.
+      def rap_tree
+        is_a?(RubySMB::SMB1::Tree) ? self : tree
+      end
+
+      def rap_client
+        rap_tree.client
+      end
+
+      def build_net_share_enum_request
+        request = RubySMB::SMB1::Packet::Trans::Request.new
+        request.smb_header.tid           = rap_tree.id
+        request.smb_header.flags2.unicode = 0
+        request.data_block.name          = "\\PIPE\\LANMAN\x00".b
+        request.data_block.trans_parameters = Request.new.to_binary_s
+        request.parameter_block.max_parameter_count = 8
+        request.parameter_block.max_data_count      = DEFAULT_RECEIVE_BUFFER_SIZE
+        request
+      end
+
+      def validate_trans_response!(response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB1::Packet::Trans::Response::COMMAND,
+            packet:         response
+          )
+        end
+        unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
+        end
+      end
+
+      def parse_net_share_enum_response(response, raw_response)
+        # Slice the parameter and data sections using the offsets the server
+        # reported, not the ones BinData computed. Win9x packs trans_parameters
+        # right after byte_count with no 4-byte-alignment padding, which
+        # confuses Trans::Response::DataBlock#pad1_length and shifts the
+        # trans_parameters window by 1 byte.
+        params_bytes = raw_response[response.parameter_block.parameter_offset,
+                                    response.parameter_block.parameter_count].to_s
+        data_bytes   = raw_response[response.parameter_block.data_offset,
+                                    response.parameter_block.data_count].to_s
+
+        if params_bytes.bytesize < Response.new.num_bytes
+          raise RubySMB::Error::InvalidPacket,
+                "Truncated RAP NetShareEnum response parameters: #{params_bytes.unpack1('H*')}"
+        end
+        params = Response.read(params_bytes)
+        unless params.status.zero?
+          raise RubySMB::Error::RubySMBError,
+                "RAP NetShareEnum failed with status 0x#{params.status.to_i.to_s(16)}"
+        end
+
+        params.entry_count.times.map do |i|
+          offset = i * ShareInfo1.new.num_bytes
+          break [] if offset + ShareInfo1.new.num_bytes > data_bytes.bytesize
+          entry = ShareInfo1.read(data_bytes[offset, ShareInfo1.new.num_bytes])
+          {
+            name: entry.netname.to_s.delete("\x00"),
+            type: format_share_type(entry.share_type.to_i)
+          }
+        end.compact
+      end
+
+      # Format a RAP `share_info_1.shi1_type` value as a pipe-joined string in
+      # the same style as {RubySMB::Dcerpc::Srvsvc#net_share_enum_all}, so
+      # callers can consume both APIs uniformly.
+      def format_share_type(share_type)
+        base_bits = share_type & ~(STYPE_SPECIAL | STYPE_TEMPORARY)
+        parts     = [SHARE_TYPES[base_bits] || format('UNKNOWN(0x%04x)', base_bits)]
+        parts << 'SPECIAL'   unless (share_type & STYPE_SPECIAL).zero?
+        parts << 'TEMPORARY' unless (share_type & STYPE_TEMPORARY).zero?
+        parts.join('|')
+      end
+    end
+  end
+end

data/lib/ruby_smb/rap.rb

@@ -0,0 +1,10 @@
+module RubySMB
+  # Remote Administration Protocol (RAP), as defined in [MS-RAP]
+  # (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rap/).
+  # RAP is the LAN Manager remote-administration API, carried over the
+  # `\PIPE\LANMAN` named pipe using SMB1 SMB_COM_TRANSACTION. It is the only
+  # share-enumeration path supported by pre-NT servers (e.g. Windows 95/98/ME).
+  module Rap
+    require 'ruby_smb/rap/net_share_enum'
+  end
+end

data/lib/ruby_smb/smb1/commands.rb

@@ -4,6 +4,7 @@ module RubySMB
       SMB_COM_CLOSE                   = 0x04
       SMB_COM_TRANSACTION             = 0x25
       SMB_COM_ECHO                    = 0x2B
+      SMB_COM_OPEN_ANDX               = 0x2D
       SMB_COM_READ_ANDX               = 0x2E
       SMB_COM_WRITE_ANDX              = 0x2F
       SMB_COM_TRANSACTION2            = 0x32

data/lib/ruby_smb/smb1/packet/negotiate_response.rb

@@ -22,10 +22,21 @@ module RubySMB
         end
 
         # An SMB_Data Block as defined by the {NegotiateResponse}
+        # Windows 95/98/ME may only return the challenge with no domain/server names.
         class DataBlock < RubySMB::SMB1::DataBlock
           string        :challenge,     label: 'Auth Challenge', length: 8
           stringz16     :domain_name,   label: 'Primary Domain'
           stringz16     :server_name,   label: 'Server Name'
+
+          # Override to handle Win95 responses that only contain the challenge
+          # (byte_count=8) without domain_name or server_name fields.
+          def do_read(io)
+            byte_count.do_read(io)
+            challenge.do_read(io)
+            return unless byte_count > 8
+            domain_name.do_read(io)
+            server_name.do_read(io)
+          end
         end
 
         smb_header        :smb_header

data/lib/ruby_smb/smb1/packet/nt_create_andx_response.rb

@@ -2,8 +2,8 @@ module RubySMB
   module SMB1
     module Packet
       # A SMB1 SMB_COM_NT_CREATE_ANDX Response Packet as defined in
-      # [2.2.4.64.2 Response](https://msdn.microsoft.com/en-us/library/ee441612.aspx) and
-      # [2.2.4.9.2 Server Response Extensions](https://msdn.microsoft.com/en-us/library/cc246334.aspx)
+      # [MS-CIFS: 2.2.4.64.2 Response](https://msdn.microsoft.com/en-us/library/ee441612.aspx) and
+      # [MS-SMB : 2.2.4.9.2 Server Response Extensions](https://msdn.microsoft.com/en-us/library/cc246334.aspx)
       class NtCreateAndxResponse < RubySMB::GenericPacket
         COMMAND = RubySMB::SMB1::Commands::SMB_COM_NT_CREATE_ANDX
 
@@ -35,15 +35,28 @@ module RubySMB
           end
 
           uint8                   :directory,           label: 'Directory'
-          string                  :volume_guid,         label: 'Volume GUID', length: 16
-          uint64                  :file_id,             label: 'File ID'
+          # MS-CIFS: 2.2.4.64.2 (WC=34)
+          # MS-SMB:  2.2.4.9.2  (WC=42) - VolumeGUID only, per the spec (so we get the right WordCount, WC)
+          # MS-SMB:  2.2.4.9.2  (WC=50) - all four fields as per spec (but then the spec is then wrong for the WC)
+          #                               VolumeGUID, FileId, MaximalAccessRights & GuestMaximalAccessRights
+          # MS-SMB 2.2.4.9.2 (WC=42): VolumeGUID
+          string                  :volume_guid,         label: 'Volume GUID', length: 16,
+                                   onlyif: -> { word_count >= 42 }
 
-          choice :maximal_access_rights, selection: -> { ext_file_attributes.directory } do
+          # MS-SMB 2.2.4.9.2 (WC=50): FileId
+          uint64                  :file_id,             label: 'File ID',
+                                   onlyif: -> { word_count >= 50 }
+
+          # MS-SMB 2.2.4.9.2 (WC=50): MaximalAccessRights
+          choice :maximal_access_rights, selection: -> { ext_file_attributes.directory },
+                                   onlyif: -> { word_count >= 50 } do
             file_access_mask      0, label: 'Maximal Access Rights'
             directory_access_mask 1, label: 'Maximal Access Rights'
           end
 
-          choice :guest_maximal_access_rights, selection: -> { ext_file_attributes.directory } do
+          # MS-SMB 2.2.4.9.2 (WC=50): GuestMaximalAccessRights
+          choice :guest_maximal_access_rights, selection: -> { ext_file_attributes.directory },
+                                   onlyif: -> { word_count >= 50 } do
             file_access_mask      0, label: 'Guest Maximal Access Rights'
             directory_access_mask 1, label: 'Guest Maximal Access Rights'
           end

data/lib/ruby_smb/smb1/packet/open_andx_request.rb

@@ -0,0 +1,39 @@
+module RubySMB
+  module SMB1
+    module Packet
+      # A SMB1 SMB_COM_OPEN_ANDX Request Packet as defined in
+      # [MS-CIFS 2.2.4.41.1 Request](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/3a760987-f60d-4012-930b-fe90328775cc)
+      #
+      # This is the LANMAN 1.0 file-open command, supported by all SMB1 servers
+      # including Windows 95/98/ME which lack NT_CREATE_ANDX (0xA2).
+      class OpenAndxRequest < RubySMB::GenericPacket
+        COMMAND = RubySMB::SMB1::Commands::SMB_COM_OPEN_ANDX
+
+        # A SMB1 Parameter Block as defined by the {OpenAndxRequest}
+        class ParameterBlock < RubySMB::SMB1::ParameterBlock
+          endian :little
+
+          and_x_block :andx_block
+          uint16      :flags,             label: 'Flags'
+          uint16      :access_mode,       label: 'Access Mode'
+          smb_file_attributes  :search_attributes, label: 'Search Attributes'
+          smb_file_attributes  :file_attributes,   label: 'File Attributes'
+          uint32      :creation_time,     label: 'Creation Time'
+          uint16      :open_mode,         label: 'Open Mode'
+          uint32      :allocation_size,   label: 'Allocation Size'
+          uint32      :timeout,           label: 'Timeout'
+          uint32      :reserved,          label: 'Reserved'
+        end
+
+        # Represents the specific layout of the DataBlock for an {OpenAndxRequest} Packet.
+        class DataBlock < RubySMB::SMB1::DataBlock
+          stringz :file_name, label: 'File Name'
+        end
+
+        smb_header      :smb_header
+        parameter_block :parameter_block
+        data_block      :data_block
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/open_andx_response.rb

@@ -0,0 +1,40 @@
+module RubySMB
+  module SMB1
+    module Packet
+      # A SMB1 SMB_COM_OPEN_ANDX Response Packet as defined in
+      # [MS-CIFS 2.2.4.41.2 Response](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/dbce00e7-68a1-41c6-982d-9483c902ad9b)
+      class OpenAndxResponse < RubySMB::GenericPacket
+        COMMAND = RubySMB::SMB1::Commands::SMB_COM_OPEN_ANDX
+
+        # A SMB1 Parameter Block as defined by the {OpenAndxResponse}.
+        # Field names and layout follow MS-CIFS 2.2.4.41.2.
+        class ParameterBlock < RubySMB::SMB1::ParameterBlock
+          endian :little
+
+          and_x_block         :andx_block
+          uint16              :fid,             label: 'FID'
+          smb_file_attributes :file_attributes, label: 'File Attributes'
+          utime               :last_write_time, label: 'Last Write Time'
+          uint32              :file_data_size,  label: 'File Data Size'
+          uint16              :access_rights,   label: 'Access Rights'
+          uint16              :resource_type,   label: 'Resource Type'
+          smb_nmpipe_status   :nmpipe_status,   label: 'Named Pipe Status'
+          uint16              :open_results,    label: 'Open Results'
+          array               :reserved,        type: :uint16, initial_length: 3
+        end
+
+        class DataBlock < RubySMB::SMB1::DataBlock
+        end
+
+        smb_header      :smb_header
+        parameter_block :parameter_block
+        data_block      :data_block
+
+        def initialize_instance
+          super
+          smb_header.flags.reply = 1
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/session_setup_legacy_request.rb

@@ -27,8 +27,8 @@ module RubySMB
           string      :oem_password,      label: 'OEM Password'
           string      :unicode_password,  label: 'Unicode password'
           string      :padding,           label: 'Padding'
-          string      :account_name,      label: 'Account Name(username)',  length: 2
-          string      :primary_domain,    label: 'Primary Domain',          length: 2
+          stringz     :account_name,      label: 'Account Name(username)'
+          stringz     :primary_domain,    label: 'Primary Domain'
           stringz     :native_os,         label: 'Native OS',               initial_value: 'Windows 7 Ultimate N 7601 Service Pack 1'
           stringz     :native_lan_man,    label: 'Native LAN Manager',      initial_value: 'Windows 7 Ultimate N 6.1'
         end

data/lib/ruby_smb/smb1/packet/session_setup_legacy_response.rb

@@ -13,11 +13,22 @@ module RubySMB
         end
 
         # Represents the specific layout of the DataBlock for a {SessionSetupResponse} Packet.
+        # Windows 95/98/ME may return byte_count=0 with no string fields.
         class DataBlock < RubySMB::SMB1::DataBlock
           string      :pad,            label: 'Padding', length: 0
           stringz     :native_os,      label: 'Native OS'
           stringz     :native_lan_man, label: 'Native LAN Manager'
           stringz     :primary_domain, label: 'Primary Domain'
+
+          # Override to handle Win95 responses with byte_count=0.
+          def do_read(io)
+            byte_count.do_read(io)
+            return unless byte_count > 0
+            pad.do_read(io)
+            native_os.do_read(io)
+            native_lan_man.do_read(io)
+            primary_domain.do_read(io)
+          end
         end
 
         smb_header        :smb_header

data/lib/ruby_smb/smb1/packet/trans2/find_first2_response.rb

@@ -41,6 +41,8 @@ module RubySMB
         # This class represents an SMB1 Trans2 FIND_FIRST2 Response Packet as defined in
         # [2.2.6.2.2 Response](https://msdn.microsoft.com/en-us/library/ee441704.aspx)
         class FindFirst2Response < RubySMB::GenericPacket
+          include RubySMB::SMB1::Packet::Trans2::Win9xFraming
+
           COMMAND = RubySMB::SMB1::Commands::SMB_COM_TRANSACTION2
 
           class ParameterBlock < RubySMB::SMB1::Packet::Trans2::Response::ParameterBlock
@@ -60,30 +62,68 @@ module RubySMB
           # structs for the given FileInformationClass. Pulled out of
           # the string buffer.
           #
+          # Info levels that carry a leading NextEntryOffset (e.g.
+          # FindFileFullDirectoryInfo) are framed by that field. Info levels
+          # without one (e.g. SMB_INFO_STANDARD, used by Win95/98/ME) are
+          # packed sequentially; each entry's length is derived from the
+          # record itself, and servers may insert an optional single NULL
+          # pad byte between entries (see MS-CIFS Appendix A, note <153>).
+          #
           # @param klass [Class] the FileInformationClass class to read the data as
+          # @param buffer [String, nil] raw trans2_data bytes to parse instead of
+          #   the BinData-parsed buffer. Used by callers that detect a padding
+          #   mismatch between BinData's expected layout and what a Win9x-era
+          #   server actually sent (no 4-byte alignment pad before the data),
+          #   and want to re-feed the bytes from the server-reported data_offset.
           # @return [array<BinData::Record>] An array of structs holding the requested information
           # @raise [RubySMB::Error::InvalidPacket] if the string buffer is not a valid File Information packet
-          def results(klass, unicode:)
-            information_classes = []
-            blob = data_block.trans2_data.buffer.to_binary_s.dup
-            until blob.empty?
-              length = blob[0, 4].unpack('V').first
+          def results(klass, unicode:, buffer: nil)
+            blob = (buffer || data_block.trans2_data.buffer.to_binary_s).dup
+            if klass.new.respond_to?(:next_offset)
+              read_next_offset_entries(klass, blob, unicode: unicode)
+            else
+              read_sequential_entries(klass, blob, unicode: unicode)
+            end
+          end
 
-              data = if length.zero?
-                       blob.slice!(0, blob.length)
-                     else
-                       blob.slice!(0, length)
-                     end
+          private
 
+          def read_next_offset_entries(klass, blob, unicode:)
+            entries = []
+            until blob.empty?
+              length = blob[0, 4].unpack1('V')
+              data = length.zero? ? blob.slice!(0, blob.length) : blob.slice!(0, length)
+              file_info = klass.new
+              file_info.unicode = unicode if file_info.respond_to?(:unicode=)
+              begin
+                entries << file_info.read(data)
+              rescue IOError
+                raise RubySMB::Error::InvalidPacket, "Invalid #{klass} File Information packet in the string buffer"
+              end
+            end
+            entries
+          end
+
+          def read_sequential_entries(klass, blob, unicode:)
+            entries = []
+            until blob.empty?
               file_info = klass.new
-              file_info.unicode = unicode
+              file_info.unicode = unicode if file_info.respond_to?(:unicode=)
               begin
-                information_classes << file_info.read(data)
+                file_info.read(blob)
               rescue IOError
                 raise RubySMB::Error::InvalidPacket, "Invalid #{klass} File Information packet in the string buffer"
               end
+              consumed = file_info.num_bytes
+              break if consumed.zero?
+              blob.slice!(0, consumed)
+              # An entry with an empty file_name is a buffer-padding artifact, not a real entry; stop here.
+              break if file_info.respond_to?(:file_name_length) && file_info.file_name_length.zero?
+              entries << file_info
+              # Skip optional single NULL pad byte inserted by some servers between entries.
+              blob.slice!(0, 1) if blob.bytesize > 0 && blob.getbyte(0) == 0
             end
-            information_classes
+            entries
           end
         end
       end