Configure SMB sensor

Get started with your SMB sensor.


SMB has a considerable history of remotely exploitable bugs and is a very popular target for worms. SMB runs directly over TCP (port 445) or over NetBIOS (usually port 139, rarely port 137 or 138). To begin an SMB session, the two participants agree on a dialect, authentication is performed, and the initiator connects to a ‘tree’. For most intents and purposes, the tree can be thought of as a network share. The SMB sensor listens on TCP 445 by default; note that SecurityHive neither recommends nor supports changing this port. The SMB sensor currently only supports Windows shares of the types IPC, disktree, disktree special and printq.

Configure the SMB sensor

By default the SMB sensor is enabled and running on port 445. To fully disable the sensor, click on the dropdown and select No. After clicking the save button it will take a maximum of 5 minutes before the sensor is disabled on your honeypot.

Enable SMB
Enable/disable your SMB sensor

Port
Default value is 445 (note: do not change this port, unless absolutely required for your implementation).

Operating System
The following OS types are supported:

  1. Windows XP Service Pack 0/1

  2. Windows XP Service Pack 2

  3. Windows XP Service Pack 3

  4. Windows 7 Service Pack 1

Primary Domain
This is the primary domain that the fake server is part of. It is recommended that the domain name blends in well enough to trick potential hackers into thinking that it is the real primary domain. E.g. ACME Company with the primary domain acmecompany.local

OEM Domain Name
Specifies the NetBIOS name of your local domain. The NetBIOS domain name is used to identify the domain by Windows NT 4.0 and earlier and Windows 98 and earlier. E.g. ACME Company with the OEM domain ACMECOMPANY

Server Name
Your server name is usually created when you install the operating system. The computer name (i.e. the server name) is also used when users search for server services such as printers, login scripts and file sharing. E.g. A domain controller with the server name DC01 or MISSIONCONTROL01

Native Operating System
The native operating system can be anything, but it is recommended to keep the default value of: Windows 7 Professional 7600

Native LAN Manager
The native LAN manager can be anything, but it is recommended to keep the default value of: Windows 7 Professional 6.1

Adding a network Share

Network shares can be added using the sensor config page in Dashboard under the section “Create new Shares”. We require the following information to successfully add a new SMB share:

Share name
This is the display name of the share as it would be visible in Explorer. Use a $ sign at the end of the share name to make the share hidden from browse listings (e.g. ADMIN$). Please note that the share is never actually visible in Windows Explorer.

Share description
This field is used for a brief description of the share and is limited to 255 characters. E.g. The share ‘Marketing’ could have a description of “Collaboration space for the marketing team”.

Share path (local)
The share path field is used to point to the fake, local, location of the SMB share. E.g. C:\WindowsShares or C:\Shares.

Share Type
The following SMB share types are supported:

  1. disktree (behaves like a regular network share)

  2. disktree special (behaves like a special network share)

  3. IPC (used for Inter-Process Communication by using RPC)

  4. printq (behaves like a printer share)
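As an added example (not SecurityHive's code), the following Python checks a share definition against the fields and limits described above and maps the four supported share types onto the MS-SRVS share-type codes a share enumeration would carry. The STYPE_* values and the local-path pattern are assumptions taken from the protocol specification, not from this page; the sample shares are constructed.

```python
from dataclasses import dataclass
import re

# MS-SRVS share-type codes (protocol values, assumed from the spec, not from this page).
STYPE_DISKTREE = 0x00000000
STYPE_PRINTQ = 0x00000001
STYPE_IPC = 0x00000003
STYPE_SPECIAL = 0x80000000  # flag marking administrative shares such as ADMIN$

# The four types the sensor supports, mapped onto the wire values.
SHARE_TYPES = {
    "disktree": STYPE_DISKTREE,
    "disktree special": STYPE_DISKTREE | STYPE_SPECIAL,
    "IPC": STYPE_IPC | STYPE_SPECIAL,  # the IPC$ pipe share is always "special"
    "printq": STYPE_PRINTQ,
}
MAX_DESCRIPTION = 255  # limit stated on the configuration page
LOCAL_PATH = re.compile(r'^[A-Za-z]:\\[^<>:"/|?*]*$')  # e.g. C:\WindowsShares


@dataclass(frozen=True)
class Share:
    name: str
    description: str
    path: str
    share_type: str

    @property
    def hidden(self) -> bool:
        # A trailing $ keeps the share out of browse listings (e.g. ADMIN$).
        return self.name.endswith("$")


def validate(share: Share) -> list:
    """Return the problems found; an empty list means the definition is acceptable."""
    problems = []
    if not share.name or "\\" in share.name or "/" in share.name:
        problems.append("share name must be non-empty and contain no slashes")
    if len(share.description) > MAX_DESCRIPTION:
        problems.append(f"description exceeds {MAX_DESCRIPTION} characters")
    if not LOCAL_PATH.match(share.path):
        problems.append("share path must be a local Windows path such as C:\\Shares")
    if share.share_type not in SHARE_TYPES:
        problems.append(f"unsupported share type {share.share_type!r}")
    elif share.share_type == "IPC" and share.name.upper() != "IPC$":
        problems.append("IPC shares are conventionally named IPC$")
    return problems


def browse_listing(shares, show_hidden=False):
    """What a share enumeration would present: (name, MS-SRVS type code) pairs."""
    return [(s.name, SHARE_TYPES[s.share_type])
            for s in shares if show_hidden or not s.hidden]


# Constructed sample shares, following the examples on this page.
SAMPLE_SHARES = [
    Share("Marketing", "Collaboration space for the marketing team", r"C:\Shares\Marketing", "disktree"),
    Share("ADMIN$", "Remote Admin", r"C:\Windows", "disktree special"),
    Share("IPC$", "Remote IPC", r"C:\Windows", "IPC"),
]
```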
