SMB Honeypot
Detect unauthorized access attempts targeting Windows file sharing.
About SMB
SMB (Server Message Block) is the standard Windows file sharing protocol used across virtually all Windows enterprise networks. SMB credentials grant access to file shares and printers, and can facilitate lateral movement through techniques like pass-the-hash attacks.
What Gets Captured
When an attacker attempts to connect using your SMB honeypot credentials, Tripwires captures:
- Username - The NTLMSSP username from the authentication exchange
- Source IP - The attacker's IP address
- Timestamp - Exact time of the connection
- Domain - The Windows domain provided in the NTLMSSP negotiation
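To show where the username and domain in that list come from, the following added example (not Tripwires' own code) parses an NTLMSSP AUTHENTICATE message using the field layout from MS-NLMP and joins the result with the connection's source IP and timestamp. The function names, the record layout, the cp437 fallback for non-Unicode clients and all sample values are assumptions made for illustration.

```python
import struct
from datetime import datetime, timezone

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3                  # MessageType of the final NTLM message
NEGOTIATE_UNICODE = 0x00000001    # strings are UTF-16LE when this flag is set

def _field(msg, pos):
    """Follow a (Len, MaxLen, BufferOffset) descriptor into the payload."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(msg):
    """Return (domain, username) from an NTLMSSP AUTHENTICATE_MESSAGE."""
    if len(msg) < 64 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Assumption: cp437 stands in for the client's OEM code page.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    domain = _field(msg, 28).decode(codec, "replace")    # DomainNameFields
    username = _field(msg, 36).decode(codec, "replace")  # UserNameFields
    return domain, username

def build_event(msg, source_ip, seen_at):
    """Combine the parsed identity with connection metadata (hypothetical layout)."""
    domain, username = parse_authenticate(msg)
    return {"username": username, "domain": domain,
            "source_ip": source_ip, "timestamp": seen_at.isoformat()}

def sample_authenticate(domain, user):
    """Constructed test message: empty responses, Unicode strings, 64-byte header."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    desc = lambda length, offset: struct.pack("<HHI", length, length, offset)
    end = 64 + len(d) + len(u)
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE)
            + desc(0, 64) + desc(0, 64)                  # LM and NT responses
            + desc(len(d), 64) + desc(len(u), 64 + len(d))
            + desc(0, end) + desc(0, end)                # workstation, session key
            + struct.pack("<I", NEGOTIATE_UNICODE) + d + u)

if __name__ == "__main__":
    msg = sample_authenticate("CORP", "svc_migration")   # constructed values
    print(build_event(msg, "203.0.113.10", datetime(2024, 1, 1, tzinfo=timezone.utc)))
```

The bounds check in `_field` matters on a listener exposed to untrusted clients: the offsets are attacker-controlled, so a descriptor that points past the end of the buffer is rejected rather than silently truncated.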
Connection Formats
SMB credentials can be planted in various formats depending on your environment:
Windows NET USE
net use \\smb-xxx.gettripwires.com\share /user:DOMAIN\user password
smbclient (Linux)
smbclient //smb-xxx.gettripwires.com/share -U user%password
PowerShell
$cred = Get-Credential
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\smb-xxx.gettripwires.com\share" -Credential $cred
Python (smbprotocol)
from smbclient import register_session
register_session("smb-xxx.gettripwires.com", username="user", password="password")
Strategic Placement Ideas
Group Policy Scripts
Leave as 'file server migration' credentials in GPO logon scripts.
Backup Configuration
Add as 'network backup destination' in backup software settings.
Department Shares Documentation
Include as 'finance department archive' share in IT documentation.