diff --git a/CHANGELOG b/CHANGELOG
index a0b6393e3..60465b434 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,12 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Applied patch from Chris Woodbury that adds the following additional
+  information to the output of smb-os-discovery:
+  + Forest name
+  + FQDN
+  + NetBIOS computer name
+  + NetBIOS domain name
+
 o [Ncat] Ncat now supports IPV6 addresses by default without the -6 flag.
   Additionally ncat listens on both :: and localhost when passed
   -l, or any other listening mode unless a specific listening address is
diff --git a/nselib/smb.lua b/nselib/smb.lua
index 38e71e013..b533ada5a 100644
--- a/nselib/smb.lua
+++ b/nselib/smb.lua
@@ -1,13 +1,16 @@
 ---
--- Implements functionality related to Server Message Block (SMB, also known 
--- as CIFS) traffic, which is a Windows protocol.
+-- Implements functionality related to Server Message Block (SMB, an extension 
+-- of CIFS) traffic, which is a Windows protocol.
 --
 -- SMB traffic is normally sent to/from ports 139 or 445 of Windows systems. Other systems
 -- implement SMB as well, including Samba and a lot of embedded devices. Some of them implement
 -- it properly and many of them not. Although the protocol has been documented decently 
 -- well by Samba and others, many 3rd party implementations are broken or make assumptions. 
 -- Even Samba's and Windows' implementations aren't completely compatiable. As a result, 
--- creating an implementation that accepts everything is a bit of a minefield. 
+-- creating an implementation that accepts everything is a bit of a minefield. Microsoft's
+-- extensive documentation is available at the following URLs:
+-- * SMB: http://msdn.microsoft.com/en-us/library/cc246231(v=prot.13).aspx
+-- * CIFS: http://msdn.microsoft.com/en-us/library/ee442092(v=prot.13).aspx
 --
 -- Where possible, this implementation, since it's intended for scanning, will attempt to 
 -- accept any invalid implementations it can, and fail gracefully if it can't. This has
@@ -554,7 +557,7 @@ function start_netbios(host, port, name)
 			return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [1]"
 		end
 	
-		-- Check for a position session response (0x82)
+		-- Check for a positive session response (0x82)
 		if result == 0x82 then
 			stdnse.print_debug(3, "SMB: Successfully established NetBIOS session with server name %s", name)
 			return true, socket
@@ -932,7 +935,7 @@ end
 --      * 'timezone'         The server's timezone, in hours from UTC
 --      * 'timezone_str'     The server's timezone, as a string
 --      * 'server_challenge' A random string used for challenge/response
---      * 'domain'           The server's primary domain
+--      * 'domain'           The server's primary domain or workgroup
 --      * 'server'           The server's name
 function negotiate_protocol(smb, overrides)
 	local header, parameters, data
@@ -1328,7 +1331,7 @@ local function start_session_extended(smb, log_errors, overrides)
 			status_name = get_status_name(status)
 	
 			-- Only parse the parameters if it's ok or if we're going to keep going
-			if(status_name == "NT_STATUS_OK" or status_name == "NT_STATUS_MORE_PROCESSING_REQUIRED") then
+			if(status_name == "NT_STATUS_SUCCESS" or status_name == "NT_STATUS_MORE_PROCESSING_REQUIRED") then
 				-- Parse the parameters
 				pos, andx_command, andx_reserved, andx_offset, action, security_blob_length = bin.unpack("<CCSSS", parameters)
 				if(andx_command == nil or security_blob_length == nil) then
@@ -1343,9 +1346,19 @@ local function start_session_extended(smb, log_errors, overrides)
 				end
 				smb['os']         = os
 				smb['lanmanager'] = lanmanager
+				
+				local host_info = smbauth.get_host_info_from_security_blob(security_blob)
+				if ( host_info ) then
+					smb['fqdn'] = host_info['fqdn']
+					smb['domain_dns'] = host_info['dns_domain_name']
+					smb['forest_dns'] = host_info['dns_forest_name']
+					smb['server'] = host_info['netbios_computer_name']
+					smb['domain'] = host_info['netbios_domain_name']
+				end
+				
 	
 				-- If it's ok, do a cleanup and return true
-				if(status_name == "NT_STATUS_OK") then
+				if(status_name == "NT_STATUS_SUCCESS") then
 					-- Check if they're using an un-supported system
 					if(os == nil or lanmanager == nil) then
 						stdnse.print_debug(1, "SMB: WARNING: the server is using a non-standard SMB implementation; your mileage may vary (%s)", smb['ip'])
@@ -2920,16 +2933,41 @@ function get_os(host)
 		return false, "Server didn't return OS details"
 	end
 
-	-- Convert blank values to something useful
-	response['os']           = stdnse.string_or_blank(smbstate['os'],           "Unknown")
-	response['lanmanager']   = stdnse.string_or_blank(smbstate['lanmanager'],   "Unknown")
-	response['domain']       = stdnse.string_or_blank(smbstate['domain'],       "Unknown")
-	response['server']       = stdnse.string_or_blank(smbstate['server'],       "Unknown")
-	response['date']         = stdnse.string_or_blank(smbstate['date'],         "Unknown")
-	response['timezone_str'] = stdnse.string_or_blank(smbstate['timezone_str'], "Unknown")
-
+	response['os']           = smbstate['os']
+	response['lanmanager']   = smbstate['lanmanager']
+	response['domain']       = smbstate['domain']
+	response['server']       = smbstate['server']
+	response['date']         = smbstate['date']
+	response['timezone_str'] = smbstate['timezone_str']
+	
     -- Kill SMB
     smb.stop(smbstate)
+    
+    
+    -- Start another session with extended security. This will allow us to get
+    -- additional information about the target.
+    status, smbstate = smb.start_ex(host, true, true, nil, nil, false)
+    if(status == true) then
+		-- See if we actually got something
+		if (smbstate['fqdn'] or smbstate['domain_dns'] or smbstate['forest_dns']) then
+			response['fqdn']         = smbstate['fqdn']
+			response['domain_dns']   = smbstate['domain_dns']
+			response['forest_dns']   = smbstate['forest_dns']
+			-- After a non-extended security negotiation, smbstate['domain'] will
+			-- contain the NetBIOS domain name, or the workgroup name. However,
+			-- after an extended-security session setup, smbstate['domain'] will
+			-- contain the NetBIOS domain name. For hosts in a workgroup, Windows
+			-- uses the NetBIOS hostname as the NetBIOS domain name. Comparing the
+			-- two will reveal whether the target is in a domain or a workgroup.
+			if ( smbstate['domain'] ~= nil and response['domain'] ~= smbstate['domain'] ) then
+				response['workgroup']    = response['domain']
+				response['domain']       = nil
+			end
+		end
+		
+	    -- Kill SMB again
+	    smb.stop(smbstate)
+	end
 
 	return true, response
 end
@@ -3162,13 +3200,13 @@ for i, v in pairs(command_codes) do
 end
 
 
-
+-- see http://msdn.microsoft.com/en-us/library/cc231196(v=prot.10).aspx
 status_codes = 
 {
-	NT_STATUS_OK = 0x0000,
+	NT_STATUS_SUCCESS 							= 0x00000000,
 	NT_STATUS_WERR_BADFILE                      = 0x00000002,
 	NT_STATUS_WERR_ACCESS_DENIED                = 0x00000005,
-	NT_STATUS_WERR_UNKNOWN_57                   = 0x00000057,
+	NT_STATUS_WERR_INVALID_PARAMETER            = 0x00000057,
 	NT_STATUS_WERR_INVALID_NAME                 = 0x0000007b,
 	NT_STATUS_WERR_UNKNOWN_LEVEL                = 0x0000007c,
 	NT_STATUS_WERR_MORE_DATA                    = 0x000000ea,
diff --git a/nselib/smbauth.lua b/nselib/smbauth.lua
index f3aded939..3d8fdf2c4 100644
--- a/nselib/smbauth.lua
+++ b/nselib/smbauth.lua
@@ -322,6 +322,17 @@ local function to_unicode(str)
 	return unicode
 end
 
+local function from_unicode(unicode)
+	local str = ""
+	if ( unicode == nil ) then
+		return nil
+	end
+	for char_itr = 1, unicode:len(), 2 do
+		str = str .. unicode:sub(char_itr, char_itr)
+	end
+	return str
+end
+
 ---Generate the Lanman v1 hash (LMv1). The generated hash is incredibly easy to reverse, because the input
 -- is padded or truncated to 14 characters, then split into two 7-character strings. Each of these strings
 -- are used as a key to encrypt the string, "KGS!@#$%" in DES. Because the keys are no longer than 
@@ -714,6 +725,86 @@ function get_security_blob(security_blob, ip, username, domain, password, passwo
 
 end
 
+function get_host_info_from_security_blob(security_blob)
+	local ntlm_challenge = {}
+	--local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved, target_info_length, target_info_max, target_info_offset = bin.unpack("<A8ISSIILLSSI", security_blob)
+	local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved, target_info_length, target_info_max, target_info_offset = bin.unpack("<A8ISSIILLSSI", security_blob)
+	
+	-- Do some validation on the NTLMSSP message
+	if ( identifier ~= "NTLMSSP\0" ) then
+		stdnse.print_debug( 1, "SMB: Invalid NTLM challenge message: unexpected signature." )
+		return false, "Invalid NTLM challenge message"
+	-- Per MS-NLMP, this field must be 2 for an NTLM challenge message
+	elseif ( message_type ~= 0x2 ) then
+		stdnse.print_debug( 1, "SMB: Invalid NTLM challenge message: unexpected message type: %d.", message_type )
+		return false, "Invalid message type in NTLM challenge message"
+	end
+	
+	-- Parse the TargetName data (i.e. the server authentication realm)
+	if ( domain_length > 0 ) then
+		local length = domain_length
+		local pos = domain_offset + 1 -- +1 to convert to Lua's 1-based indexes
+		local target_realm
+		pos, target_realm = bin.unpack( string.format( "A%d", length ), security_blob, pos )
+		ntlm_challenge[ "target_realm" ] = from_unicode( target_realm )
+	end
+	
+	-- Parse the TargetInfo data (Wireshark calls this the "Address List")
+	if ( target_info_length > 0 ) then
+		
+		-- Definition of AvId values (IDs for AV_PAIR (attribute-value pair) structures),
+		-- as definied by the NTLM Authentication Protocol specification [MS-NLMP].
+		local NTLM_AV_ID_VALUES = {
+			MsvAvEOL				= 0x0,
+			MsvAvNbComputerName		= 0x1,
+			MsvAvNbDomainName		= 0x2,
+			MsvAvDnsComputerName	= 0x3,
+			MsvAvDnsDomainName		= 0x4,
+			MsvAvDnsTreeName		= 0x5,
+			MsvAvFlags				= 0x6,
+			MsvAvTimestamp			= 0x7,
+			MsvAvRestrictions		= 0x8,
+			MsvAvTargetName			= 0x9,
+			MsvAvChannelBindings	= 0xA,
+		}
+		-- Friendlier names for AvId values, to be used as keys in the results table
+		-- e.g. ntlm_challenge[ "dns_computer_name" ] -> "host.test.local"
+		local NTLM_AV_ID_NAMES = {
+			[NTLM_AV_ID_VALUES.MsvAvNbComputerName]		= "netbios_computer_name",
+			[NTLM_AV_ID_VALUES.MsvAvNbDomainName]		= "netbios_domain_name",
+			[NTLM_AV_ID_VALUES.MsvAvDnsComputerName]	= "fqdn",
+			[NTLM_AV_ID_VALUES.MsvAvDnsDomainName]		= "dns_domain_name",
+			[NTLM_AV_ID_VALUES.MsvAvDnsTreeName]		= "dns_forest_name",
+			[NTLM_AV_ID_VALUES.MsvAvTimestamp]			= "timestamp",
+		}
+		
+		
+		local length = target_info_length
+		local pos = target_info_offset + 1 -- +1 to convert to Lua's 1-based indexes
+		local target_info
+		pos, target_info = bin.unpack( string.format( "A%d", length ), security_blob, pos )
+		
+		pos = 1 -- reset pos to 1, since we'll be working out of just the target_info
+		repeat
+			local value, av_id, av_len
+			pos, av_id, av_len = bin.unpack( "<SS", target_info, pos )
+			pos, value = bin.unpack( string.format( "A%d", av_len ), target_info, pos )
+			local friendly_name = NTLM_AV_ID_NAMES[ av_id ]
+			
+			if ( av_id == NTLM_AV_ID_VALUES.MsvAvEOL ) then
+				break
+			elseif ( av_id == NTLM_AV_ID_VALUES.MsvAvTimestamp ) then
+				-- this is a FILETIME value (see [MS-DTYP]), representing the time in 100-ns increments since 1/1/1601
+				ntlm_challenge[ friendly_name ] = bin.unpack( "<L", value )
+			elseif ( friendly_name ) then
+				ntlm_challenge[ friendly_name ] = from_unicode( value )
+			end
+		until ( pos >= #target_info )
+	end
+	
+	return ntlm_challenge
+end
+
 ---Create an 8-byte message signature that's sent with all SMB packets. 
 --
 --@param mac_key The key used for authentication. It's the concatination of the session key and the
diff --git a/scripts/smb-brute.nse b/scripts/smb-brute.nse
index 761565491..f1a12ba0a 100644
--- a/scripts/smb-brute.nse
+++ b/scripts/smb-brute.nse
@@ -542,7 +542,7 @@ local function initialize(host)
 
 	-- Get the OS (identifying windows versions tells us which hash to use)
 	result, os = smb.get_os(host)
-	if(result == false) then
+	if(result == false or os['os'] == nil) then
 		hostinfo['os'] = "<Unknown>"
 	else
 		hostinfo['os'] = os['os']
diff --git a/scripts/smb-os-discovery.nse b/scripts/smb-os-discovery.nse
index 578f999a0..05320c1d5 100644
--- a/scripts/smb-os-discovery.nse
+++ b/scripts/smb-os-discovery.nse
@@ -1,10 +1,23 @@
 description = [[
-Attempts to determine the operating system, computer name, domain, and current
+Attempts to determine the operating system, computer name, domain, workgroup, and current
 time over the SMB protocol (ports 445 or 139).
 This is done by starting a session with the anonymous 
 account (or with a proper user account, if one is given; it likely doesn't make
 a difference); in response to a session starting, the server will send back all this
-information. 
+information.
+
+The following fields may be included in the output, depending on the 
+cirumstances (e.g. the workgroup name is mutually exclusive with domain and forest
+names) and the information available:
+* OS
+* Computer name
+* Domain name
+* Forest name
+* FQDN
+* NetBIOS computer name
+* NetBIOS domain name
+* Workgroup
+* System time
 
 Some systems, like Samba, will blank out their name (and only send their domain). 
 Other systems (like embedded printers) will simply leave out the information. Other
@@ -18,7 +31,8 @@ servers that are being poorly maintained (for more information/random thoughts o
 using the time, see http://www.skullsecurity.org/blog/?p=76. 
 
 Although the standard <code>smb*</code> script arguments can be used, 
-they likely won't change the outcome in any meaningful way. 
+they likely won't change the outcome in any meaningful way. However, <code>smbnoguest</code>
+will speed up the script on targets that do not allow guest access.
 ]]
 
 ---
@@ -28,10 +42,15 @@ they likely won't change the outcome in any meaningful way.
 --
 --@output
 -- Host script results:
--- |  smb-os-discovery:
--- |  |  OS: Windows 2000 (Windows 2000 LAN Manager)
--- |  |  Name: WORKGROUP\RON-WIN2K-TEST
--- |_ |_ System time: 2009-11-09 14:33:39 UTC-6
+-- | smb-os-discovery:
+-- |   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
+-- |   Computer name: Sql2008
+-- |   Domain name: lab.test.local
+-- |   Forest name: test.local
+-- |   FQDN: Sql2008.lab.test.local
+-- |   NetBIOS computer name: SQL2008
+-- |   NetBIOS domain name: LAB
+-- |_  System time: 2011-04-20 13:34:06 UTC-5
 -----------------------------------------------------------------------
 
 author = "Ron Bowes"
@@ -62,6 +81,16 @@ function get_windows_version(os)
 
 end
 
+function add_to_output(output_table, label, value, value_if_nil)
+	if (value == nil and value_if_nil ~= nil) then
+		value = value_if_nil
+	end
+	
+	if (value ~= nil) then
+		table.insert(output_table, string.format("%s: %s", label, value) )
+	end
+end
+
 action = function(host)
 	local response = {}
 	local status, result = smb.get_os(host)
@@ -69,10 +98,44 @@ action = function(host)
 	if(status == false) then
 		return stdnse.format_output(false, result)
 	end
-
-	table.insert(response, string.format("OS: %s (%s)", get_windows_version(result['os']), result['lanmanager']))
-	table.insert(response, string.format("Name: %s\\%s", result['domain'], result['server']))
-	table.insert(response, string.format("System time: %s %s", result['date'], result['timezone_str']))
+	
+	local hostname_dns, is_domain_member, os_string, time_string
+	if (result[ "fqdn" ]) then
+		-- Pull the first part of the FQDN as the computer name
+		hostname_dns = string.match( result[ "fqdn" ], "^([^.]+)%.?" )
+		
+		if (result[ "domain_dns" ]) then
+			-- If the computer name doesn't match the domain name, the target is a domain member
+			is_domain_member = ( result[ "fqdn" ] ~= result[ "domain_dns" ] )
+		end
+	end
+	
+	if (result['os'] and result['lanmanager']) then
+		os_string = string.format( "%s (%s)", get_windows_version( result['os'] ), result['lanmanager'] )
+	end
+	if (result['date'] and result['timezone_str']) then
+		time_string = string.format("%s %s", result['date'], result['timezone_str'])
+	end
+	
+	
+	add_to_output( response, "OS", os_string, "Unknown" )
+	add_to_output( response, "Computer name", hostname_dns )
+	
+	if ( is_domain_member ) then
+		add_to_output( response, "Domain name", result[ "domain_dns" ] )
+		add_to_output( response, "Forest name", result[ "forest_dns" ] )
+		add_to_output( response, "FQDN", result[ "fqdn" ] )
+	end
+	
+	add_to_output( response, "NetBIOS computer name", result[ "server" ] )
+	
+	if ( is_domain_member ) then
+		add_to_output( response, "NetBIOS domain name", result[ "domain" ] )
+	else
+		add_to_output( response, "Workgroup", result[ "workgroup" ], result[ "domain" ] )
+	end
+	
+	add_to_output( response, "System time", time_string, "Unknown" )
 
 	return stdnse.format_output(true, response)
 end