From 68599ce14097cfdcfa74b8389b457075b5a9813c Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Thu, 7 Jan 2016 20:33:10 +0000
Subject: [PATCH] Solve "unexpected signature" message in SMB extended session
 setup (NTLM type 2 message only sent once)

---
 nselib/smb.lua | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/nselib/smb.lua b/nselib/smb.lua
index c664202f8..1942553e6 100644
--- a/nselib/smb.lua
+++ b/nselib/smb.lua
@@ -1319,6 +1319,7 @@ local function start_session_extended(smb, log_errors, overrides)
     sp_nego = ( oid == "\x2b\x06\x01\x05\x05\x02" ) -- check for SPNEGO OID 1.3.6.1.5.5.2
   end
 
+  local ntlm_challenge_accepted = false
   while result ~= false do
     -- These are loop variables
     local security_blob = nil
@@ -1427,24 +1428,27 @@ local function start_session_extended(smb, log_errors, overrides)
         -- Parse the data
         pos, security_blob, os, lanmanager = bin.unpack(string.format("<A%dzz", security_blob_length), data)
 
-        if ( status_name == "NT_STATUS_MORE_PROCESSING_REQUIRED" and sp_nego ) then
-          local start = security_blob:find("NTLMSSP")
-          security_blob = security_blob:sub(start)
-        end
+        if not ntlm_challenge_accepted then
+          if ( status_name == "NT_STATUS_MORE_PROCESSING_REQUIRED" and sp_nego ) then
+            local start = security_blob:find("NTLMSSP")
+            security_blob = security_blob:sub(start)
+          end
 
-        if(security_blob == nil or lanmanager == nil) then
-          return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [19]"
-        end
-        smb['os']         = os
-        smb['lanmanager'] = lanmanager
+          if(security_blob == nil or lanmanager == nil) then
+            return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [19]"
+          end
+          smb['os']         = os
+          smb['lanmanager'] = lanmanager
 
-        local host_info = smbauth.get_host_info_from_security_blob(security_blob)
-        if ( host_info ) then
-          smb['fqdn'] = host_info['fqdn']
-          smb['domain_dns'] = host_info['dns_domain_name']
-          smb['forest_dns'] = host_info['dns_forest_name']
-          smb['server'] = host_info['netbios_computer_name']
-          smb['domain'] = host_info['netbios_domain_name']
+          local host_info = smbauth.get_host_info_from_security_blob(security_blob)
+          if ( host_info ) then
+            smb['fqdn'] = host_info['fqdn']
+            smb['domain_dns'] = host_info['dns_domain_name']
+            smb['forest_dns'] = host_info['dns_forest_name']
+            smb['server'] = host_info['netbios_computer_name']
+            smb['domain'] = host_info['netbios_domain_name']
+          end
+          ntlm_challenge_accepted = true
         end