ruby_smb 3.3.18 → 3.3.20

data/lib/ruby_smb/rap/net_share_enum.rb

@@ -0,0 +1,166 @@
+module RubySMB
+  module Rap
+    # NetShareEnum (RAP opcode 0), as defined in [MS-RAP 3.3.4.1](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rap/48dd86d2-4092-49a4-9024-308f0ed77520).
+    # Carried over `\PIPE\LANMAN` using SMB_COM_TRANSACTION. Request parameters
+    # describe the shape of the data the server returns; response parameters
+    # carry the RAP status, entry count, and buffer sizing hint, and the
+    # response data block is an array of `share_info_1` records.
+    module NetShareEnum
+      OPCODE = 0
+
+      # Parameter descriptor for the RAP call itself: (W)ord info level,
+      # (r)eturn buffer pointer, (L)ength hint, (e)ntry count, (h)andle.
+      PARAM_DESCRIPTOR = 'WrLeh'.freeze
+
+      # Data descriptor for `share_info_1`: (B)13 name, (B)yte pad, (W)ord type,
+      # (z) pointer to remark. See MS-RAP 3.2.4 for descriptor syntax.
+      DATA_DESCRIPTOR_LEVEL_1 = 'B13BWz'.freeze
+
+      # Default server receive-buffer size.
+      DEFAULT_RECEIVE_BUFFER_SIZE = 0x1000
+
+      # Share type codes carried in the low bits of `share_info_1.shi1_type`
+      # per MS-RAP 2.5.14. The RAP field is 16 bits wide, unlike the 32-bit
+      # SRVSVC variant in {RubySMB::Dcerpc::Srvsvc::SHARE_TYPES}.
+      SHARE_TYPES = {
+        0x0000 => 'DISK',
+        0x0001 => 'PRINTER',
+        0x0002 => 'DEVICE',
+        0x0003 => 'IPC'
+      }.freeze
+      STYPE_SPECIAL   = 0x8000
+      STYPE_TEMPORARY = 0x4000
+
+      # Single share entry (`share_info_1`) as it appears on the wire.
+      # MS-RAP 2.5.21. Fixed 20-byte layout.
+      class ShareInfo1 < BinData::Record
+        endian :little
+
+        string :netname,        length: 13, trim_padding: true
+        uint8  :pad1
+        uint16 :share_type
+        uint32 :remark_offset
+      end
+
+      # Parameters block of the RAP request (sent in SMB trans_parameters).
+      # Variable-length because of the null-terminated descriptor strings.
+      class Request < BinData::Record
+        endian :little
+
+        uint16   :opcode,              asserted_value: OPCODE
+        stringz  :param_descriptor,    initial_value: PARAM_DESCRIPTOR
+        stringz  :data_descriptor,     initial_value: DATA_DESCRIPTOR_LEVEL_1
+        uint16   :info_level,          initial_value: 1
+        uint16   :receive_buffer_size, initial_value: DEFAULT_RECEIVE_BUFFER_SIZE
+      end
+
+      # Parameters block of the RAP response.
+      # MS-RAP 3.3.5.1 NetShareEnum Response.
+      class Response < BinData::Record
+        endian :little
+
+        uint16 :status
+        uint16 :converter
+        uint16 :entry_count
+        uint16 :available
+      end
+
+      # Sends a RAP NetShareEnum over `\PIPE\LANMAN` using the tree's
+      # existing SMB1 connection. Does not rely on having an opened pipe FID
+      # because Win9x does not permit OPEN_ANDX on `\PIPE\LANMAN`; RAP trans
+      # is accepted directly against the IPC$ tree.
+      #
+      # @return [Array<Hash>] each entry has :name (String) and :type (Integer).
+      # @raise [RubySMB::Error::InvalidPacket] on a malformed SMB response.
+      # @raise [RubySMB::Error::UnexpectedStatusCode] on a non-success SMB status.
+      # @raise [RubySMB::Error::RubySMBError] on a non-zero RAP status.
+      def net_share_enum
+        request = build_net_share_enum_request
+        raw_response = rap_client.send_recv(request)
+        response = RubySMB::SMB1::Packet::Trans::Response.read(raw_response)
+        validate_trans_response!(response)
+        parse_net_share_enum_response(response, raw_response)
+      end
+
+      private
+
+      # The SMB1 tree used to carry RAP traffic. `self` when this module is
+      # mixed into {RubySMB::SMB1::Tree}; the pipe's `tree` when mixed into
+      # {RubySMB::SMB1::Pipe}.
+      def rap_tree
+        is_a?(RubySMB::SMB1::Tree) ? self : tree
+      end
+
+      def rap_client
+        rap_tree.client
+      end
+
+      def build_net_share_enum_request
+        request = RubySMB::SMB1::Packet::Trans::Request.new
+        request.smb_header.tid           = rap_tree.id
+        request.smb_header.flags2.unicode = 0
+        request.data_block.name          = "\\PIPE\\LANMAN\x00".b
+        request.data_block.trans_parameters = Request.new.to_binary_s
+        request.parameter_block.max_parameter_count = 8
+        request.parameter_block.max_data_count      = DEFAULT_RECEIVE_BUFFER_SIZE
+        request
+      end
+
+      def validate_trans_response!(response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB1::Packet::Trans::Response::COMMAND,
+            packet:         response
+          )
+        end
+        unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
+        end
+      end
+
+      def parse_net_share_enum_response(response, raw_response)
+        # Slice the parameter and data sections using the offsets the server
+        # reported, not the ones BinData computed. Win9x packs trans_parameters
+        # right after byte_count with no 4-byte-alignment padding, which
+        # confuses Trans::Response::DataBlock#pad1_length and shifts the
+        # trans_parameters window by 1 byte.
+        params_bytes = raw_response[response.parameter_block.parameter_offset,
+                                    response.parameter_block.parameter_count].to_s
+        data_bytes   = raw_response[response.parameter_block.data_offset,
+                                    response.parameter_block.data_count].to_s
+
+        if params_bytes.bytesize < Response.new.num_bytes
+          raise RubySMB::Error::InvalidPacket,
+                "Truncated RAP NetShareEnum response parameters: #{params_bytes.unpack1('H*')}"
+        end
+        params = Response.read(params_bytes)
+        unless params.status.zero?
+          raise RubySMB::Error::RubySMBError,
+                "RAP NetShareEnum failed with status 0x#{params.status.to_i.to_s(16)}"
+        end
+
+        params.entry_count.times.map do |i|
+          offset = i * ShareInfo1.new.num_bytes
+          break [] if offset + ShareInfo1.new.num_bytes > data_bytes.bytesize
+          entry = ShareInfo1.read(data_bytes[offset, ShareInfo1.new.num_bytes])
+          {
+            name: entry.netname.to_s.delete("\x00"),
+            type: format_share_type(entry.share_type.to_i)
+          }
+        end.compact
+      end
+
+      # Format a RAP `share_info_1.shi1_type` value as a pipe-joined string in
+      # the same style as {RubySMB::Dcerpc::Srvsvc#net_share_enum_all}, so
+      # callers can consume both APIs uniformly.
+      def format_share_type(share_type)
+        base_bits = share_type & ~(STYPE_SPECIAL | STYPE_TEMPORARY)
+        parts     = [SHARE_TYPES[base_bits] || format('UNKNOWN(0x%04x)', base_bits)]
+        parts << 'SPECIAL'   unless (share_type & STYPE_SPECIAL).zero?
+        parts << 'TEMPORARY' unless (share_type & STYPE_TEMPORARY).zero?
+        parts.join('|')
+      end
+    end
+  end
+end

data/lib/ruby_smb/rap.rb

@@ -0,0 +1,10 @@
+module RubySMB
+  # Remote Administration Protocol (RAP), as defined in [MS-RAP]
+  # (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rap/).
+  # RAP is the LAN Manager remote-administration API, carried over the
+  # `\PIPE\LANMAN` named pipe using SMB1 SMB_COM_TRANSACTION. It is the only
+  # share-enumeration path supported by pre-NT servers (e.g. Windows 95/98/ME).
+  module Rap
+    require 'ruby_smb/rap/net_share_enum'
+  end
+end

data/lib/ruby_smb/smb1/commands.rb

@@ -4,6 +4,7 @@ module RubySMB
       SMB_COM_CLOSE                   = 0x04
       SMB_COM_TRANSACTION             = 0x25
       SMB_COM_ECHO                    = 0x2B
+      SMB_COM_OPEN_ANDX               = 0x2D
       SMB_COM_READ_ANDX               = 0x2E
       SMB_COM_WRITE_ANDX              = 0x2F
       SMB_COM_TRANSACTION2            = 0x32

data/lib/ruby_smb/smb1/packet/negotiate_response.rb

@@ -22,10 +22,21 @@ module RubySMB
         end
 
         # An SMB_Data Block as defined by the {NegotiateResponse}
+        # Windows 95/98/ME may only return the challenge with no domain/server names.
         class DataBlock < RubySMB::SMB1::DataBlock
           string        :challenge,     label: 'Auth Challenge', length: 8
           stringz16     :domain_name,   label: 'Primary Domain'
           stringz16     :server_name,   label: 'Server Name'
+
+          # Override to handle Win95 responses that only contain the challenge
+          # (byte_count=8) without domain_name or server_name fields.
+          def do_read(io)
+            byte_count.do_read(io)
+            challenge.do_read(io)
+            return unless byte_count > 8
+            domain_name.do_read(io)
+            server_name.do_read(io)
+          end
         end
 
         smb_header        :smb_header

data/lib/ruby_smb/smb1/packet/open_andx_request.rb

@@ -0,0 +1,39 @@
+module RubySMB
+  module SMB1
+    module Packet
+      # A SMB1 SMB_COM_OPEN_ANDX Request Packet as defined in
+      # [MS-CIFS 2.2.4.41.1 Request](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/3a760987-f60d-4012-930b-fe90328775cc)
+      #
+      # This is the LANMAN 1.0 file-open command, supported by all SMB1 servers
+      # including Windows 95/98/ME which lack NT_CREATE_ANDX (0xA2).
+      class OpenAndxRequest < RubySMB::GenericPacket
+        COMMAND = RubySMB::SMB1::Commands::SMB_COM_OPEN_ANDX
+
+        # A SMB1 Parameter Block as defined by the {OpenAndxRequest}
+        class ParameterBlock < RubySMB::SMB1::ParameterBlock
+          endian :little
+
+          and_x_block :andx_block
+          uint16      :flags,             label: 'Flags'
+          uint16      :access_mode,       label: 'Access Mode'
+          smb_file_attributes  :search_attributes, label: 'Search Attributes'
+          smb_file_attributes  :file_attributes,   label: 'File Attributes'
+          uint32      :creation_time,     label: 'Creation Time'
+          uint16      :open_mode,         label: 'Open Mode'
+          uint32      :allocation_size,   label: 'Allocation Size'
+          uint32      :timeout,           label: 'Timeout'
+          uint32      :reserved,          label: 'Reserved'
+        end
+
+        # Represents the specific layout of the DataBlock for an {OpenAndxRequest} Packet.
+        class DataBlock < RubySMB::SMB1::DataBlock
+          stringz :file_name, label: 'File Name'
+        end
+
+        smb_header      :smb_header
+        parameter_block :parameter_block
+        data_block      :data_block
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/open_andx_response.rb

@@ -0,0 +1,40 @@
+module RubySMB
+  module SMB1
+    module Packet
+      # A SMB1 SMB_COM_OPEN_ANDX Response Packet as defined in
+      # [MS-CIFS 2.2.4.41.2 Response](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/dbce00e7-68a1-41c6-982d-9483c902ad9b)
+      class OpenAndxResponse < RubySMB::GenericPacket
+        COMMAND = RubySMB::SMB1::Commands::SMB_COM_OPEN_ANDX
+
+        # A SMB1 Parameter Block as defined by the {OpenAndxResponse}.
+        # Field names and layout follow MS-CIFS 2.2.4.41.2.
+        class ParameterBlock < RubySMB::SMB1::ParameterBlock
+          endian :little
+
+          and_x_block         :andx_block
+          uint16              :fid,             label: 'FID'
+          smb_file_attributes :file_attributes, label: 'File Attributes'
+          utime               :last_write_time, label: 'Last Write Time'
+          uint32              :file_data_size,  label: 'File Data Size'
+          uint16              :access_rights,   label: 'Access Rights'
+          uint16              :resource_type,   label: 'Resource Type'
+          smb_nmpipe_status   :nmpipe_status,   label: 'Named Pipe Status'
+          uint16              :open_results,    label: 'Open Results'
+          array               :reserved,        type: :uint16, initial_length: 3
+        end
+
+        class DataBlock < RubySMB::SMB1::DataBlock
+        end
+
+        smb_header      :smb_header
+        parameter_block :parameter_block
+        data_block      :data_block
+
+        def initialize_instance
+          super
+          smb_header.flags.reply = 1
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/session_setup_legacy_request.rb

@@ -27,8 +27,8 @@ module RubySMB
           string      :oem_password,      label: 'OEM Password'
           string      :unicode_password,  label: 'Unicode password'
           string      :padding,           label: 'Padding'
-          string      :account_name,      label: 'Account Name(username)',  length: 2
-          string      :primary_domain,    label: 'Primary Domain',          length: 2
+          stringz     :account_name,      label: 'Account Name(username)'
+          stringz     :primary_domain,    label: 'Primary Domain'
           stringz     :native_os,         label: 'Native OS',               initial_value: 'Windows 7 Ultimate N 7601 Service Pack 1'
           stringz     :native_lan_man,    label: 'Native LAN Manager',      initial_value: 'Windows 7 Ultimate N 6.1'
         end

data/lib/ruby_smb/smb1/packet/session_setup_legacy_response.rb

@@ -13,11 +13,22 @@ module RubySMB
         end
 
         # Represents the specific layout of the DataBlock for a {SessionSetupResponse} Packet.
+        # Windows 95/98/ME may return byte_count=0 with no string fields.
         class DataBlock < RubySMB::SMB1::DataBlock
           string      :pad,            label: 'Padding', length: 0
           stringz     :native_os,      label: 'Native OS'
           stringz     :native_lan_man, label: 'Native LAN Manager'
           stringz     :primary_domain, label: 'Primary Domain'
+
+          # Override to handle Win95 responses with byte_count=0.
+          def do_read(io)
+            byte_count.do_read(io)
+            return unless byte_count > 0
+            pad.do_read(io)
+            native_os.do_read(io)
+            native_lan_man.do_read(io)
+            primary_domain.do_read(io)
+          end
         end
 
         smb_header        :smb_header

data/lib/ruby_smb/smb1/packet/trans2/find_first2_response.rb

@@ -41,6 +41,8 @@ module RubySMB
         # This class represents an SMB1 Trans2 FIND_FIRST2 Response Packet as defined in
         # [2.2.6.2.2 Response](https://msdn.microsoft.com/en-us/library/ee441704.aspx)
         class FindFirst2Response < RubySMB::GenericPacket
+          include RubySMB::SMB1::Packet::Trans2::Win9xFraming
+
           COMMAND = RubySMB::SMB1::Commands::SMB_COM_TRANSACTION2
 
           class ParameterBlock < RubySMB::SMB1::Packet::Trans2::Response::ParameterBlock
@@ -60,30 +62,68 @@ module RubySMB
           # structs for the given FileInformationClass. Pulled out of
           # the string buffer.
           #
+          # Info levels that carry a leading NextEntryOffset (e.g.
+          # FindFileFullDirectoryInfo) are framed by that field. Info levels
+          # without one (e.g. SMB_INFO_STANDARD, used by Win95/98/ME) are
+          # packed sequentially; each entry's length is derived from the
+          # record itself, and servers may insert an optional single NULL
+          # pad byte between entries (see MS-CIFS Appendix A, note <153>).
+          #
           # @param klass [Class] the FileInformationClass class to read the data as
+          # @param buffer [String, nil] raw trans2_data bytes to parse instead of
+          #   the BinData-parsed buffer. Used by callers that detect a padding
+          #   mismatch between BinData's expected layout and what a Win9x-era
+          #   server actually sent (no 4-byte alignment pad before the data),
+          #   and want to re-feed the bytes from the server-reported data_offset.
           # @return [array<BinData::Record>] An array of structs holding the requested information
           # @raise [RubySMB::Error::InvalidPacket] if the string buffer is not a valid File Information packet
-          def results(klass, unicode:)
-            information_classes = []
-            blob = data_block.trans2_data.buffer.to_binary_s.dup
-            until blob.empty?
-              length = blob[0, 4].unpack('V').first
+          def results(klass, unicode:, buffer: nil)
+            blob = (buffer || data_block.trans2_data.buffer.to_binary_s).dup
+            if klass.new.respond_to?(:next_offset)
+              read_next_offset_entries(klass, blob, unicode: unicode)
+            else
+              read_sequential_entries(klass, blob, unicode: unicode)
+            end
+          end
 
-              data = if length.zero?
-                       blob.slice!(0, blob.length)
-                     else
-                       blob.slice!(0, length)
-                     end
+          private
 
+          def read_next_offset_entries(klass, blob, unicode:)
+            entries = []
+            until blob.empty?
+              length = blob[0, 4].unpack1('V')
+              data = length.zero? ? blob.slice!(0, blob.length) : blob.slice!(0, length)
+              file_info = klass.new
+              file_info.unicode = unicode if file_info.respond_to?(:unicode=)
+              begin
+                entries << file_info.read(data)
+              rescue IOError
+                raise RubySMB::Error::InvalidPacket, "Invalid #{klass} File Information packet in the string buffer"
+              end
+            end
+            entries
+          end
+
+          def read_sequential_entries(klass, blob, unicode:)
+            entries = []
+            until blob.empty?
               file_info = klass.new
-              file_info.unicode = unicode
+              file_info.unicode = unicode if file_info.respond_to?(:unicode=)
               begin
-                information_classes << file_info.read(data)
+                file_info.read(blob)
               rescue IOError
                 raise RubySMB::Error::InvalidPacket, "Invalid #{klass} File Information packet in the string buffer"
               end
+              consumed = file_info.num_bytes
+              break if consumed.zero?
+              blob.slice!(0, consumed)
+              # An entry with an empty file_name is a buffer-padding artifact, not a real entry; stop here.
+              break if file_info.respond_to?(:file_name_length) && file_info.file_name_length.zero?
+              entries << file_info
+              # Skip optional single NULL pad byte inserted by some servers between entries.
+              blob.slice!(0, 1) if blob.bytesize > 0 && blob.getbyte(0) == 0
             end
-            information_classes
+            entries
           end
         end
       end

data/lib/ruby_smb/smb1/packet/trans2/find_information_level/find_info_standard.rb

@@ -0,0 +1,39 @@
+module RubySMB
+  module SMB1
+    module Packet
+      module Trans2
+        module FindInformationLevel
+          # SMB_INFO_STANDARD find result entry, as defined in
+          # [MS-CIFS 2.2.8.1.1 SMB_INFO_STANDARD](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/b7cc0966-f87d-41a6-aa1a-48526a9cc729).
+          # Used by TRANS2_FIND_FIRST2/FIND_NEXT2 on legacy servers
+          # (e.g. Windows 95/98/ME) that don't support NT LANMAN info levels.
+          #
+          # Unlike NT info levels, these entries have no next_offset field;
+          # they are packed sequentially with a variable-length filename.
+          # The optional leading ResumeKey (4 bytes) is only present when the
+          # SMB_FIND_RETURN_RESUME_KEYS flag is set in the request; this
+          # implementation does not set that flag and so omits the field.
+          class FindInfoStandard < BinData::Record
+            CLASS_LEVEL = FindInformationLevel::SMB_INFO_STANDARD
+
+            endian :little
+
+            uint16  :creation_date,    label: 'Creation Date (SMB_DATE)'
+            uint16  :creation_time,    label: 'Creation Time (SMB_TIME)'
+            uint16  :last_access_date, label: 'Last Access Date (SMB_DATE)'
+            uint16  :last_access_time, label: 'Last Access Time (SMB_TIME)'
+            uint16  :last_write_date,  label: 'Last Write Date (SMB_DATE)'
+            uint16  :last_write_time,  label: 'Last Write Time (SMB_TIME)'
+            uint32  :data_size,        label: 'File Data Size'
+            uint32  :allocation_size,  label: 'Allocation Size'
+            uint16  :file_attributes,  label: 'File Attributes'
+            uint8   :file_name_length, label: 'File Name Length',
+                    initial_value: -> { file_name.to_s.bytesize }
+            string  :file_name,        label: 'File Name',
+                    read_length: -> { file_name_length }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/trans2/find_information_level.rb

@@ -38,6 +38,7 @@ module RubySMB
 
           require 'ruby_smb/smb1/packet/trans2/find_information_level/find_file_both_directory_info'
           require 'ruby_smb/smb1/packet/trans2/find_information_level/find_file_full_directory_info'
+          require 'ruby_smb/smb1/packet/trans2/find_information_level/find_info_standard'
         end
       end
     end

data/lib/ruby_smb/smb1/packet/trans2/win9x_framing.rb

@@ -0,0 +1,68 @@
+module RubySMB
+  module SMB1
+    module Packet
+      module Trans2
+        # Shared workaround for pre-NT / LAN Manager-era servers (observed on
+        # Windows 9x / ME) that pack `trans2_parameters` directly after
+        # `byte_count` with no 4-byte-alignment pad, and `trans2_data` with
+        # whatever padding they feel like — always smaller than the NT-style
+        # alignment BinData unconditionally assumes via {DataBlock#pad1_length}
+        # and {DataBlock#pad2_length}. When that happens both sections land in
+        # the wrong place and `eos`, `sid`, `last_name_offset`, and every
+        # entry in the data buffer come back garbled.
+        #
+        # Fixing this in BinData itself (by having pad1/pad2 consult
+        # `parameter_block.parameter_offset` / `data_offset`) is the natural
+        # design, but cross-field lookups during field-read callbacks corrupt
+        # BinData's registered-class resolution cache, causing unrelated
+        # Trans2 responses to round-trip their `parameter_block` / `data_block`
+        # through the base classes instead of the concrete subclasses. So
+        # instead we surface the raw response bytes at the call site and let
+        # the response slice both sections from the offsets the server
+        # reported in its `parameter_block`.
+        #
+        # Mix into any {RubySMB::SMB1::Packet::Trans2} response whose caller
+        # holds on to the raw response bytes. The response itself must have
+        # the standard {Trans2::Response::ParameterBlock} shape
+        # (`parameter_offset` / `parameter_count` / `data_offset` /
+        # `data_count`) and a `data_block` with `trans2_parameters` and
+        # `trans2_data.buffer` fields — every concrete Trans2 response does.
+        #
+        # Same slicing pattern as {RubySMB::Rap::NetShareEnum#parse_net_share_enum_response}
+        # uses for the sibling Trans (not Trans2) response type.
+        module Win9xFraming
+          # Returns `[effective_trans2_parameters, effective_trans2_data_bytes]`
+          # when the server's layout differs from BinData's, or `[nil, nil]`
+          # when BinData already read the full buffer (standard NT-era servers).
+          #
+          # When a non-nil pair is returned, callers should prefer the override
+          # values over the BinData-parsed ones:
+          #
+          #   params_ovr, data_ovr = response.win9x_trans2_overrides(raw)
+          #   params = params_ovr || response.data_block.trans2_parameters
+          #   data   = data_ovr   || response.data_block.trans2_data.buffer.to_binary_s
+          #
+          # @param raw_response [String] the raw bytes the response was read from.
+          # @return [Array(BinData::Record, String), Array(nil, nil)]
+          def win9x_trans2_overrides(raw_response)
+            declared_data = parameter_block.data_count.to_i
+            parsed_data   = data_block.trans2_data.buffer.to_binary_s.bytesize
+            return [nil, nil] if declared_data.zero? || parsed_data == declared_data
+
+            param_offset = parameter_block.parameter_offset.to_i
+            param_count  = parameter_block.parameter_count.to_i
+            data_offset  = parameter_block.data_offset.to_i
+            return [nil, nil] if raw_response.bytesize < data_offset + declared_data
+            return [nil, nil] if raw_response.bytesize < param_offset + param_count
+
+            params_bytes = raw_response.byteslice(param_offset, param_count)
+            params_class = data_block.trans2_parameters.class
+            params       = params_class.read(params_bytes)
+            data_bytes   = raw_response.byteslice(data_offset, declared_data)
+            [params, data_bytes]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/trans2.rb

@@ -8,6 +8,7 @@ module RubySMB
         require 'ruby_smb/smb1/packet/trans2/query_information_level'
         require 'ruby_smb/smb1/packet/trans2/query_fs_information_level'
         require 'ruby_smb/smb1/packet/trans2/data_block'
+        require 'ruby_smb/smb1/packet/trans2/win9x_framing'
         require 'ruby_smb/smb1/packet/trans2/subcommands'
         require 'ruby_smb/smb1/packet/trans2/request'
         require 'ruby_smb/smb1/packet/trans2/request_secondary'

data/lib/ruby_smb/smb1/packet/tree_connect_request.rb

@@ -15,7 +15,7 @@ module RubySMB
 
         # The {RubySMB::SMB1::DataBlock} specific to this packet type.
         class DataBlock < RubySMB::SMB1::DataBlock
-          stringz :password, label: 'Password Field', initial_value: '', length: -> { parent.parameter_block.password_length }
+          string :password, label: 'Password Field', initial_value: "\x00", length: -> { parent.parameter_block.password_length }
           choice  :path, selection: -> { parent.smb_header.flags2.unicode } do
             stringz   0
             stringz16 1

data/lib/ruby_smb/smb1/packet/tree_connect_response.rb

@@ -9,15 +9,24 @@ module RubySMB
         # A SMB1 Parameter Block as defined by the {SessionSetupResponse}
         class ParameterBlock < RubySMB::SMB1::ParameterBlock
           and_x_block                :andx_block
-          optional_support           :optional_support
+          optional_support           :optional_support,    onlyif: -> { word_count >= 3 }
           directory_access_mask      :access_rights,       label: 'Maximal Share Access Rights', onlyif: -> { word_count >= 5 }
           directory_access_mask      :guest_access_rights, label: 'Guest Share Access Rights',   onlyif: -> { word_count == 7 }
         end
 
         # Represents the specific layout of the DataBlock for a {SessionSetupResponse} Packet.
+        # Windows 95/98/ME may return a minimal DataBlock without the native file system.
         class DataBlock < RubySMB::SMB1::DataBlock
           stringz   :service,             label: 'Service Type'
           stringz   :native_file_system,  label: 'Native File System'
+
+          # Override to handle Win95 responses that may omit native_file_system.
+          def do_read(io)
+            byte_count.do_read(io)
+            return unless byte_count > 0
+            service.do_read(io)
+            native_file_system.do_read(io) if byte_count > service.num_bytes
+          end
         end
 
         smb_header        :smb_header

data/lib/ruby_smb/smb1/packet.rb

@@ -22,6 +22,8 @@ module RubySMB
       require 'ruby_smb/smb1/packet/trans'
       require 'ruby_smb/smb1/packet/trans2'
       require 'ruby_smb/smb1/packet/nt_trans'
+      require 'ruby_smb/smb1/packet/open_andx_request'
+      require 'ruby_smb/smb1/packet/open_andx_response'
       require 'ruby_smb/smb1/packet/nt_create_andx_request'
       require 'ruby_smb/smb1/packet/nt_create_andx_response'
       require 'ruby_smb/smb1/packet/read_andx_request'

data/lib/ruby_smb/smb1/pipe.rb

@@ -36,6 +36,8 @@ module RubySMB
           extend RubySMB::Dcerpc::Icpr
         when 'efsrpc', '\\efsrpc'
           extend RubySMB::Dcerpc::Efsrpc
+        when 'lanman', 'LANMAN', '\\PIPE\\LANMAN', '\\lanman'
+          extend RubySMB::Rap::NetShareEnum
         end
         super(tree: tree, response: response, name: name)
       end