🛡️ Ethical Hacking Lab Walkthrough: Website Cloning & SMB Enumeration (Beginner-Friendly)
Source: Dev.to
Lab Context
This article documents a controlled, educational cybersecurity lab completed in a VirtualBox‑based Kali Linux environment. All techniques demonstrated were performed only against intentionally vulnerable lab machines (DVWA & Metasploitable) and never against real‑world systems.
📌 Table of Contents
Part 1: Website Cloning with SEToolkit
Part 2: SMB Vulnerability Scanning with Enum4Linux
- Network Discovery with Nmap
- User Enumeration
- NetBIOS & OS Enumeration
- Share Enumeration
- Password Policy Enumeration
- Full Enumeration (-a)
- SMB Access & File Upload with smbclient
- Key Security Findings
- Defensive Takeaways
- Final Thoughts
Why I Built This Lab
This lab is part of my Parocyber ethical‑hacking training. The instructor’s course design provides hands‑on experience that mirrors real‑world penetration‑testing workflows.
The lab helped me practice:
- Understanding how phishing attacks work behind the scenes.
- Enumerating SMB services and misconfigurations.
- Reading tool output and translating it into meaningful findings.
All activities are framed from a defender’s mindset: learning how attacks work so they can be prevented.
Lab Environment Setup
| Component | Details |
|---|---|
| Attacker Machine | Kali Linux OVA (VirtualBox) |
| Targets | DVWA (http://dvwa.vm), Metasploitable (172.17.0.2) |
| Network | Isolated lab network |
| Attacker IP | 10.6.6.1 |
Part 1: Website Cloning with SEToolkit
Understanding Website Cloning
Website cloning is a phishing technique where a legitimate login page is copied and hosted elsewhere to harvest credentials. In this lab the goal is educational – to see how credential harvesting works so we can better defend against it.
SEToolkit Attack Flow
Tool: Social‑Engineer Toolkit (SEToolkit)
Attack Type: Credential Harvester → Site Cloner
High‑level steps:
- Clone a login page (http://dvwa.vm).
- Host it on the Kali attacker machine.
- Capture submitted credentials.
- Review the generated report.
Custom redirect file
<!-- (example redirect file – content omitted for brevity) -->
Fake credentials submitted
- Email: marvelfan@demo.com
- Password: 1234
Captured Credentials & XML Report
SEToolkit logged the credentials and exported an XML report:
URL=http://dvwa.vm
username=marvelfan@demo.com
password=1234
Login=Login
user_token=...
This clearly shows how form fields are captured during phishing attacks.
Part 2: SMB Vulnerability Scanning with Enum4Linux
Network Discovery with Nmap
A null scan (requires root) was used to locate hosts:
nmap -sN 172.17.0.0/24
Result: the Metasploitable host (172.17.0.2) was discovered with SMB‑related ports open:
- 139/tcp
- 445/tcp
User Enumeration
enum4linux -U 172.17.0.2
Result
- Dozens of local users discovered.
- Anonymous SMB sessions allowed – a critical misconfiguration.
NetBIOS & OS Enumeration
enum4linux -n 172.17.0.2 # NetBIOS name
enum4linux -o 172.17.0.2 # OS information
Key findings
- Workgroup: WORKGROUP
- OS: Samba 3.0.20 (Debian) – a known vulnerable version.
Share Enumeration
enum4linux -Sv 172.17.0.2
Shares discovered
- print$
- tmp
- opt
- IPC$
- ADMIN$
The tmp share allowed anonymous read/write access.
Password Policy Enumeration
enum4linux -P 172.17.0.2
Findings
- Minimum password length: 5
- Password complexity: Disabled
- Account lockout: None
These settings facilitate easy brute‑force attacks.
Full Enumeration (-a)
enum4linux -a 172.17.0.2
This single command combines all enumeration techniques (users, groups, shares, password policy, RID cycling, etc.) and builds a complete attacker profile of the system without authentication.
SMB Access & File Upload with smbclient
- List shares
smbclient -L //172.17.0.2
Anonymous login succeeded.
- Connect to the writable share
smbclient //172.17.0.2/tmp
- Upload a file
put virus.exe group_work.txt
The uploaded file appeared in the directory listing, confirming anonymous write access.
⚠️ Note: The local file (virus.exe in the example) must exist in the current directory before using put, otherwise the upload will fail.
Key Security Findings
| Finding | Impact |
|---|---|
| Anonymous SMB sessions | Allows unauthenticated enumeration and access. |
| Samba 3.0.20 (Debian) | Contains multiple publicly disclosed vulnerabilities. |
| Writable tmp share | Enables attackers to drop malicious payloads. |
| Weak password policy | Facilitates credential‑guessing attacks. |
| No account lockout | Increases risk of successful brute‑force attempts. |
Defensive Takeaways
- Disable anonymous SMB access or restrict it to read‑only where absolutely necessary.
- Upgrade Samba to a supported, patched version.
- Secure shared directories – remove write permissions for unauthenticated users.
- Enforce strong password policies (minimum length ≥ 12, complexity, expiration).
- Implement account lockout or throttling mechanisms to mitigate brute‑force attacks.
- Regularly run enumeration tools (e.g., enum4linux, nmap) from a defensive perspective to discover misconfigurations before attackers do.
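The first and third takeaways can also be checked from the server side. The script below is an added example, not part of the original lab or of any tool named in it: it audits an smb.conf for guest-accessible shares and unrestricted anonymous enumeration. The sample configuration is constructed to resemble the lab findings, and the function names are hypothetical.

```python
import configparser

# Constructed smb.conf modelled on the lab findings (not copied from the target).
SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User

[tmp]
guest ok = yes
read only = no

[opt]
read only = yes
"""

YES = {"yes", "true", "1", "on"}

def flag(section, names, default):
    """Boolean value of the first parameter present among the given synonyms."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in YES
    return default

def audit_smb_conf(text):
    """Return (section, finding) tuples for anonymous-access misconfigurations."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings, restricted = [], False
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global":
            # Policy choice of this example: only "restrict anonymous = 2" passes.
            restricted = sec.get("restrict anonymous", "0").strip() == "2"
            continue
        guest = flag(sec, ("guest ok", "public"), False)
        # "writable"/"writeable" are inverted synonyms of "read only".
        read_only = (flag(sec, ("read only",), True)
                     and not flag(sec, ("writable", "writeable"), False))
        if guest:
            findings.append((name, "guest-readable share" if read_only
                             else "guest-writable share"))
    if not restricted:
        findings.insert(0, ("global", "anonymous enumeration not restricted"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

An empty result means none of the checked conditions were found; it does not cover the Samba version or the password policy, which need separate checks.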
Final Thoughts
This lab demonstrates how quickly an attacker can gather extensive information and gain footholds on a poorly configured SMB service. By reproducing these steps in a safe, isolated environment, defenders can better understand the attack surface and prioritize remediation actions.
Further Reading & Full Outputs
- 🔗 Full raw command outputs (Enum4Linux, smbclient, Nmap, SEToolkit) are available in the accompanying GitHub repository: https://github.com/yourusername/parocyber-lab-outputs
- Website Clone & SMB Vulnerability Scan repository: https://github.com/ldwit/websiteClone-smbVulScan