SMB Honeypot Enterprise

The SMB service emulates a Windows file share (Server Message Block). SMB is one of the most targeted protocols in internal networks: attackers use it for lateral movement, credential capture via pass-the-hash, and ransomware propagation.

Any connection attempt to the honeypot share is logged immediately.

Configuration

SMB services are configured from the Enterprise dashboard. Open Trapsters, select a device, go to the Services tab, and enable the SMB service.

VM deployments only

The SMB service is only available on VM deployments (Proxmox, VMware, Hyper-V, KVM). It is not supported on Docker or Kubernetes. See Trapsters: deployment constraints.

Options

| Option | Description |
| --- | --- |
| Share name | The name of the fake share (e.g. ADMIN$, backup, data) |
| Hostname | The NetBIOS name the share advertises |
| Domain | The Windows domain name |

Make it convincing

Use share names that match your environment: backup, IT-share, finance, or even passwords. Attackers who enumerate shares will prioritize anything that looks valuable.

Pairing with breadcrumbs

Deploy a network share breadcrumb on endpoints to create a saved connection pointing to the honeypot share. When an attacker explores a compromised machine, they find a pre-configured share connection that leads straight to your trap.

What gets captured

| Event | Fields |
| --- | --- |
| Connection made | Source IP and hostname |
| Login attempt | Username and password (NTLM hash if applicable) |
| Data sent | Share path accessed |
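
One way to triage the three event types above per source, added here as an example and not taken from the product or its documentation. The JSON field names, the sample events and the KNOWN_ACCOUNTS list are assumptions constructed for illustration, not the product's export schema.

```python
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line. The field names are
# assumptions made for this example, not the product's export schema.
SAMPLE_EVENTS = r"""
{"type": "connection", "src_ip": "10.0.4.23", "src_host": "WS-ACCT-07"}
{"type": "login", "src_ip": "10.0.4.23", "username": "CORP\\svc_backup", "secret": "<captured>"}
{"type": "data", "src_ip": "10.0.4.23", "path": "\\\\FILESRV02\\backup\\db"}
{"type": "connection", "src_ip": "10.0.9.51", "src_host": "PRN-LOBBY"}
{"type": "connection", "src_ip": "10.0.7.12", "src_host": "WS-DEV-02"}
{"type": "login", "src_ip": "10.0.7.12", "username": "admin", "secret": "<captured>"}
"""

# Assumption: account names that really exist in your directory, lowercased.
KNOWN_ACCOUNTS = {"svc_backup", "administrator"}

def normalize_user(name):
    """Drop a DOMAIN\\ prefix or @domain suffix; Windows names are case-insensitive."""
    return name.split("\\")[-1].split("@")[0].lower()

def triage(event_lines, known_accounts):
    """Group events per source IP and rate each source by how far it got."""
    sources = defaultdict(lambda: {"host": None, "users": set(), "paths": []})
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src = sources[ev["src_ip"]]
        if ev["type"] == "connection":
            src["host"] = ev.get("src_host")
        elif ev["type"] == "login":
            # Keep the username only; the captured secret is not copied around.
            src["users"].add(normalize_user(ev["username"]))
        elif ev["type"] == "data":
            src["paths"].append(ev["path"])
    for src in sources.values():
        src["real_accounts"] = sorted(src["users"] & known_accounts)
        if src["real_accounts"]:
            src["severity"] = "critical"   # a real account name was tried
        elif src["users"] or src["paths"]:
            src["severity"] = "high"       # attempted a login or accessed a path
        else:
            src["severity"] = "medium"     # touched the decoy, nothing more
    return dict(sources)

if __name__ == "__main__":
    for ip, src in triage(SAMPLE_EVENTS, KNOWN_ACCOUNTS).items():
        print(ip, src["host"], src["severity"], src["real_accounts"], src["paths"])
```

A source rated critical used the name of an account that exists in the directory, so that account's credentials are candidates for rotation alongside investigation of the source host.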