SMB Honeypot Enterprise
The SMB (Server Message Block) service emulates a Windows file share. SMB is one of the most targeted protocols in internal networks: attackers use it for lateral movement, credential capture via pass-the-hash, and ransomware propagation.
Any connection attempt to the honeypot share is logged immediately.
Configuration
SMB services are configured from the Enterprise dashboard. Open Trapsters, select a device, go to the Services tab, and enable the SMB service.
VM deployments only
The SMB service is only available on VM deployments (Proxmox, VMware, Hyper-V, KVM). It is not supported on Docker or Kubernetes. See Trapsters: deployment constraints.
Options
| Option | Description |
|---|---|
| Share name | The name of the fake share (e.g. ADMIN$, backup, data) |
| Hostname | The NetBIOS name the share advertises |
| Domain | The Windows domain name |
Make it convincing
Use share names that match your environment: backup, IT-share, finance, or even passwords. Attackers who enumerate shares will prioritize anything that looks valuable.
Pairing with breadcrumbs
Deploy a network share breadcrumb on endpoints to create a saved connection pointing to the honeypot share. When an attacker explores a compromised machine, they find a pre-configured share connection that leads straight to your trap.
What gets captured
| Event | Fields |
|---|---|
| Connection made | Source IP and hostname |
| Login attempt | Username and password (NTLM hash if applicable) |
| Data sent | Share path accessed |
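
The three event types above can be correlated per source to show how far each one got. The following is an added triage example, not part of the Trapster product or its documentation. The JSON-lines export, the field names (`ts`, `event`, `src_ip`, `src_host`, `username`, `share_path`, `password`) and the stage ordering are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample export, one JSON object per line. Field names are
# hypothetical; map them to whatever your alert export actually uses.
SAMPLE_LINES = [
    '{"ts": "2024-05-01T10:00:01Z", "event": "connection", "src_ip": "10.0.4.23", "src_host": "WS-0142"}',
    '{"ts": "2024-05-01T10:00:03Z", "event": "login", "src_ip": "10.0.4.23", "username": "svc_backup", "password": "constructed-value"}',
    '{"ts": "2024-05-01T10:00:09Z", "event": "data", "src_ip": "10.0.4.23", "share_path": "backup"}',
    '{"ts": "2024-05-01T10:07:44Z", "event": "connection", "src_ip": "10.0.9.7", "src_host": "PRN-03"}',
    'truncated line that is not JSON',
]

# How far a source got, following the three event types in the table above.
STAGE = {"connection": 1, "login": 2, "data": 3}
STAGE_NAME = {1: "connected", 2: "tried credentials", 3: "accessed share"}


def summarize(lines):
    """Group honeypot events by source IP; deepest-reaching sources come first."""
    sources = defaultdict(lambda: {"hosts": set(), "usernames": set(), "paths": set(),
                                   "stage": 0, "first_seen": None, "last_seen": None})
    skipped = 0
    for line in lines:
        try:
            ev = json.loads(line)
            src, ts = ev["src_ip"], str(ev["ts"])
            stage = STAGE[ev["event"]]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count malformed or unknown events instead of hiding them
            continue
        s = sources[src]
        s["stage"] = max(s["stage"], stage)
        # ISO-8601 UTC timestamps in one format sort correctly as strings.
        s["first_seen"] = min(filter(None, (s["first_seen"], ts)))
        s["last_seen"] = max(filter(None, (s["last_seen"], ts)))
        # Captured passwords and hashes are deliberately not copied into the report.
        for key, field in (("hosts", "src_host"), ("usernames", "username"), ("paths", "share_path")):
            if ev.get(field):
                s[key].add(ev[field])
    ranked = sorted(sources.items(), key=lambda kv: (-kv[1]["stage"], kv[1]["first_seen"]))
    report = [{"src_ip": ip, "stage": STAGE_NAME[s["stage"]], "hosts": sorted(s["hosts"]),
               "usernames": sorted(s["usernames"]), "paths": sorted(s["paths"]),
               "first_seen": s["first_seen"], "last_seen": s["last_seen"]}
              for ip, s in ranked]
    return report, skipped


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Usernames seen here are worth checking against real accounts, since a username that exists in your directory suggests the source already holds harvested credentials.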
