How to set up a Samba Honeypot (SMB) and lure attackers


Creating traps, luring in cyber attackers, and revealing the evidence they leave behind: in a nutshell, that is a honeypot. Think of capturing live malware in order to analyse it and improve your own security posture. With this in mind, it quickly becomes clear how valuable a honeypot can be, whether deployed within an organisation's network infrastructure or purely for research.

What is a honeypot?

A honeypot is a simulated decoy environment used to monitor attacker behaviour patterns. It is a popular security mechanism adopted by cyber security experts to create a virtual trap that lures in cyber attackers. By deploying one, you can understand how cyber attackers work, the steps they take, and how to block those intermediary steps in your own network by hardening your security posture.

The types of honeypots available

Honeypots range from decoys that assess how a network protocol is probed to ones that let you watch an attacker take over a live system. They are classified by the sophistication of the decoy and, further, by their level of interaction.

The sophistication of the decoy determines what you can learn, for instance which protocol attackers target most readily. With that in mind, also consider the level of interaction you want your honeypot to offer: low, medium or high. Each is useful and provides a different outcome.

An entry-level, low-interaction honeypot emulates a small number of internet protocols and network services, just enough to deceive an attacker and evaluate the footprint left behind. In contrast, a high-interaction honeypot gives a threat actor a real system to attack, making it less obvious that they are being diverted and monitored.

To demonstrate the adverse effects of a low interaction honeypot, I set up an SMB honeypot.

Setting up a Samba Honeypot

The Server Message Block (SMB) networking protocol, implemented on Linux by Samba, is a communication protocol that provides shared access to files, printers and serial ports between nodes on a network.

A typical example of SMB is connecting to a network drive through file explorer on Windows.

It is now well known that threat actors exploit this protocol, using it to propagate devastating ransomware and trojan malware variants through an organisation's network.

In our best interests as cyber security experts, deploying a honeypot that mimics this protocol lets us analyse the associated threats and become more aware of how to configure the protocol securely and safeguard our network.

To start, an Azure Virtual Machine (VM) was created running Ubuntu 18.04.

To centralise management and data collection for low-interaction honeypots, the Modern Honey Network (MHN) was installed and configured on the Azure VM. Once installed, its web interface can be accessed at the VM's IP address over HTTP/S.

[Image: Samba Honeypot Attacks Report]

The low-interaction honeypot used to monitor SMB was Dionaea. Dionaea also emulates other protocols, including HTTP, RDP, FTP and MongoDB.

Once deployed, attacks against port 445 should appear in the logs and the payloads delivered should be captured. These payloads contain traces of malware, which can be verified with VirusTotal.
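The report above is what MHN renders, but the same questions can be answered directly from Dionaea's own log. The following is an added example written for this post, not code from Dionaea or MHN: it assumes Dionaea's logsql handler writes a SQLite database with `connections` and `downloads` tables roughly like the ones created below (an approximation of that schema), builds a constructed in-memory copy, and then reports which remote hosts hit port 445 and which payload hashes were captured over SMB. The rows, IP addresses and download URLs are constructed sample data; the MD5 is the one discussed later in the post.

```python
"""Added example: triaging a Dionaea SQLite log for SMB (port 445) activity.

Illustrative code, not part of the original post or of Dionaea/MHN.
Assumption: Dionaea's logsql handler produces `connections` and `downloads`
tables similar to the ones below; the sample rows are constructed.
"""
import sqlite3

# Approximation of Dionaea's logsql schema (assumption), trimmed to the
# columns this example uses.
SAMPLE_SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT,
    connection_transport TEXT,
    connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_host TEXT,
    local_port INTEGER,
    remote_host TEXT,
    remote_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER,
    download_url TEXT,
    download_md5_hash TEXT
);
"""

# Constructed sample data: two remote hosts probing port 445 (one twice) and
# one unrelated HTTP probe. Addresses are documentation ranges, not real hosts.
SAMPLE_CONNECTIONS = [
    (1, "accept", "tcp", "smbd", 1700000000, "10.0.0.4", 445, "198.51.100.10", 51000),
    (2, "accept", "tcp", "smbd", 1700000030, "10.0.0.4", 445, "198.51.100.10", 51002),
    (3, "accept", "tcp", "smbd", 1700000100, "10.0.0.4", 445, "203.0.113.7", 40111),
    (4, "accept", "tcp", "httpd", 1700000200, "10.0.0.4", 80, "192.0.2.55", 33000),
]
SAMPLE_DOWNLOADS = [
    (1, 2, "http://198.51.100.10/payload.bin", "7e68310ee0953263920001de94841567"),
    (2, 3, "http://203.0.113.7/payload.bin", "7e68310ee0953263920001de94841567"),
]


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE_SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db


def smb_connections_by_source(db, port=445):
    """Inbound connections to the SMB port, counted per remote host, busiest first."""
    return db.execute(
        "SELECT remote_host, COUNT(*) AS n FROM connections "
        "WHERE connection_type = 'accept' AND local_port = ? "
        "GROUP BY remote_host ORDER BY n DESC, remote_host",
        (port,),
    ).fetchall()


def captured_payload_hashes(db, port=445):
    """Distinct MD5 hashes of payloads captured over SMB, mapped to the hosts that delivered them.

    The hash is the key to hand to VirusTotal; the host set shows whether one
    sample is being spread by many sources."""
    rows = db.execute(
        "SELECT d.download_md5_hash, c.remote_host FROM downloads d "
        "JOIN connections c ON c.connection = d.connection "
        "WHERE c.local_port = ?",
        (port,),
    ).fetchall()
    by_hash = {}
    for md5, host in rows:
        by_hash.setdefault(md5, set()).add(host)
    return by_hash


if __name__ == "__main__":
    db = build_sample_db()
    for host, n in smb_connections_by_source(db):
        print(f"{host:16} {n} connection(s) to 445")
    for md5, hosts in captured_payload_hashes(db).items():
        print(f"{md5} delivered by {sorted(hosts)}")
```

Pointing `sqlite3.connect` at the real `dionaea.sqlite` instead of `build_sample_db()` gives the same two views over a live honeypot, provided the deployed schema matches the assumed columns.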

[Image: Samba Honeypot Payloads Report]

Let's take a look at the payload with the MD5 hash 7e68310ee0953263920001de94841567. Pasting this hash into VirusTotal shows the following page:

It became evident that 66 engines detected the payload as WannaCry ransomware.
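Pasting hashes into the website does not scale once a honeypot captures dozens of samples a day. The following is an added example, not code from the post or from VirusTotal: it assumes the VirusTotal v3 REST API (`GET https://www.virustotal.com/api/v3/files/<hash>` with an `x-apikey` header) and that a file report carries engine counts under `data.attributes.last_analysis_stats` and per-engine verdicts under `data.attributes.last_analysis_results`. The sample report is constructed (abbreviated to four engines, with made-up engine names and labels) around the hash and the 66-engine figure from the post, so the summary and triage functions run offline; `fetch_report` is the only part that needs network access and a key.

```python
"""Added example: turning a captured payload hash into a VirusTotal verdict.

Illustrative code, not part of the original post. Assumes the VirusTotal v3
API layout described in the lead-in; SAMPLE_REPORT is constructed.
"""
import json
import urllib.request
from collections import Counter

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"


def fetch_report(file_hash, api_key, timeout=20):
    """Fetch a live file report (MD5, SHA-1 or SHA-256). Needs network access and an API key."""
    req = urllib.request.Request(VT_FILES_URL.format(file_hash),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize_report(report):
    """Reduce a v3 file report to what the screenshot shows: engines that
    flagged the file, the number of engines that scanned it, and the most
    common malicious label."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    labels = Counter(
        r["result"]
        for r in attrs.get("last_analysis_results", {}).values()
        if r.get("category") == "malicious" and r.get("result")
    )
    return {
        "hash": attrs.get("md5"),
        "malicious": stats.get("malicious", 0),
        "engines": sum(stats.values()),
        "top_label": labels.most_common(1)[0][0] if labels else None,
    }


def triage(summary, min_engines=5):
    """Simple triage rule: a capture counts as confirmed malware once enough engines agree."""
    return "confirmed-malware" if summary["malicious"] >= min_engines else "needs-review"


# Constructed sample report modelled on the v3 layout, using the hash from the
# post and its 66-engine figure; engine names and labels are made up and the
# per-engine list is abbreviated.
SAMPLE_REPORT = {
    "data": {
        "id": "7e68310ee0953263920001de94841567",
        "type": "file",
        "attributes": {
            "md5": "7e68310ee0953263920001de94841567",
            "last_analysis_stats": {"malicious": 66, "suspicious": 0,
                                    "undetected": 4, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Ransom.WannaCry"},
                "EngineB": {"category": "malicious", "result": "Ransom.WannaCry"},
                "EngineC": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineD": {"category": "undetected", "result": None},
            },
        },
    }
}


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['hash']}: {s['malicious']}/{s['engines']} engines, "
          f"label {s['top_label']} -> {triage(s)}")
```

Feeding `fetch_report(md5, api_key)` with the hashes pulled from the Dionaea log produces the same summary for live captures; the `min_engines` threshold is a judgement call for your own triage queue.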

[Image: Samba Honeypot Payloads]

In summary, honeypots are fun to set up to lure in attackers harmlessly, and they can play a vital role when used to harden internal network infrastructure. We can also conclude that SMB is not as safe as it could be, which can easily be remediated by applying the latest Windows updates to your operating system.
