Lab Context:
This article documents a controlled, educational cybersecurity lab completed in a VirtualBox-based Kali Linux environment.
All techniques demonstrated were performed only against intentionally vulnerable lab machines (DVWA & Metasploitable) and never against real-world systems.
📌 Table of Contents
- Why I Built This Lab
- Lab Environment Setup
- Part 1: Website Cloning with SEToolkit
- Part 2: SMB Vulnerability Scanning with Enum4Linux
- SMB Access & File Upload with smbclient
- Key Security Findings
- Defensive Takeaways
- Final Thoughts
Why I Built This Lab
This is a part of my Parocyber ethical hacking training. The instructor's course design provides opportunities to gain hands-on experience that mirrors real-world penetration testing workflows.
This lab helped me practice:
- Understanding how phishing attacks work behind the scenes
- Enumerating SMB services and misconfigurations
- Reading tool output and translating it into meaningful findings
Everything here is framed from a defender’s mindset: learning how attacks work so they can be prevented.
Lab Environment Setup
- Attacker Machine: Kali Linux OVA (VirtualBox)
- Targets:
  - DVWA (http://dvwa.vm)
  - Metasploitable (172.17.0.2)
- Network: Isolated lab network
- Attacker IP: 10.6.6.1
Part 1: Website Cloning with SEToolkit
Understanding Website Cloning
Website cloning is a technique used in phishing attacks where a legitimate login page is copied and hosted elsewhere to harvest credentials.
In this lab, the goal is educational: to see how credential harvesting works so we can better defend against it.
SEToolkit Attack Flow
Tool: Social-Engineer Toolkit (SEToolkit)
Attack Type: Credential Harvester → Site Cloner
High-level steps:
- Clone a login page (http://dvwa.vm)
- Host it on the Kali attacker machine
- Capture submitted credentials
- Review the generated report
A custom redirect file was created:
<html>
<head>
<meta http-equiv="refresh" content="0; url=http://10.6.6.1/" />
</head>
</html>
Fake credentials submitted:
- Email: marvelfan@demo.com
- Password: 1234
Captured Credentials & XML Report
SEToolkit logged the credentials and exported an XML report:
<harvester>
URL=http://dvwa.vm
<url>
<param>username=marvelfan@demo.com</param>
<param>password=1234</param>
<param>Login=Login</param>
<param>user_token=...</param>
</url>
</harvester>
This clearly shows how form fields are captured during phishing attacks.
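From the defender's side, the redirect file shown above has three traits a mail or web gateway can flag. The following is an added example, not part of the original lab or of SEToolkit; the function and class names are hypothetical, and the only input is the redirect file from this page.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The redirect file from this lab, used here as the sample input.
REDIRECT_FILE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://10.6.6.1/" />
</head></html>"""

class RefreshFinder(HTMLParser):
    """Collect (delay_seconds, url) pairs from <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)",
                         a.get("content", ""), re.I)
            if m:
                self.targets.append((int(m.group(1)), m.group(2).strip()))

def suspicious_redirects(html):
    """Return (url, reasons) for meta-refresh redirects that look like phishing hops."""
    finder = RefreshFinder()
    finder.feed(html)
    hits = []
    for delay, url in finder.targets:
        try:
            parts = urlsplit(url)
        except ValueError:
            hits.append((url, ["malformed URL"]))
            continue
        reasons = []
        if delay == 0:
            reasons.append("instant redirect")
        if parts.scheme == "http":
            reasons.append("cleartext http")
        try:
            ipaddress.ip_address(parts.hostname or "")
            reasons.append("IP-literal host")
        except ValueError:
            pass  # hostname is a DNS name, not an IP literal
        if reasons:
            hits.append((url, reasons))
    return hits
```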
Part 2: SMB Vulnerability Scanning with Enum4Linux
Network Discovery with Nmap
A null scan was used (requires root):
nmap -sN 172.17.0.0/24
This revealed the Metasploitable host (172.17.0.2) with SMB-related ports:
- 139/tcp
- 445/tcp
User Enumeration
enum4linux -U 172.17.0.2
Result:
- Dozens of local users discovered
- Anonymous SMB sessions allowed
This alone is a critical misconfiguration.
NetBIOS & OS Enumeration
enum4linux -n 172.17.0.2
enum4linux -o 172.17.0.2
Key findings:
- Workgroup: WORKGROUP
- OS: Samba 3.0.20 (Debian) — known vulnerable version
Share Enumeration
enum4linux -Sv 172.17.0.2
Shares discovered:
- print$
- tmp
- opt
- IPC$
- ADMIN$
The tmp share allowed anonymous read/write access.
Password Policy Enumeration
enum4linux -P 172.17.0.2
Findings:
- Minimum password length: 5
- Password complexity: Disabled
- Account lockout: None
This configuration allows easy brute-force attacks.
Full Enumeration (-a)
enum4linux -a 172.17.0.2
This combined all enumeration techniques:
- Users
- Groups
- Shares
- Password policy
- RID cycling
A full attacker profile of the system was built without authentication.
SMB Access & File Upload with smbclient
Listing shares:
smbclient -L //172.17.0.2
Anonymous login succeeded.
Connecting to the writable share:
smbclient //172.17.0.2/tmp
Uploading a file:
put virus.exe group_work.txt
The uploaded file appeared in the directory listing, confirming anonymous write access.
⚠️ Note: The local file must exist in your current directory before using put, or the upload will fail.
Further Reading & Full Outputs
🔗 Full raw command outputs (Enum4Linux, smbclient, SEToolkit) are available on my GitHub:
➡️ Website Clone & SMB Vulnerability Scan
Key Security Findings
- Phishing pages easily capture credentials if users are unaware
- SMB anonymous access exposes:
- Users
- OS details
- Writable shares
- Weak password policies enable brute-force attacks
- SMB1 fallback is still enabled (dangerous)
Defensive Takeaways
To defend against these attacks:
- Enforce MFA and phishing-resistant authentication
- Disable anonymous SMB access
- Remove SMB1 support
- Enforce strong password policies
- Restrict share permissions
- Monitor logs for enumeration activity
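The SMB items in this list can be checked directly in a Samba configuration. The following is an added example, not part of the original lab: a small auditor for smb.conf that flags the settings behind the findings above. The sample configuration is constructed for illustration and is not copied from the Metasploitable target; the function names are hypothetical.

```python
import configparser

# Constructed sample smb.conf reproducing the lab findings:
# guest mapping, SMB1 accepted, null sessions, guest-writable tmp share.
SAMPLE_SMB_CONF = """\
[global]
    map to guest = Bad User
    server min protocol = NT1
    restrict anonymous = 0
[tmp]
    path = /tmp
    guest ok = yes
    read only = no
[opt]
    path = /opt
    public = yes
"""

YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def first_set(section, *names):
    """Return the first parameter present among Samba synonyms, lowercased."""
    for name in names:
        if name in section:
            return section[name].strip().lower()
    return None

def audit_smb_conf(text):
    """Return (section, finding) tuples for settings that allow anonymous abuse."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # smb.conf indents parameters; strip so configparser sees no continuation lines.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    sections = {name.lower(): cp[name] for name in cp.sections()}
    glob = sections.get("global", {})
    findings = []
    if (first_set(glob, "map to guest") or "never") != "never":
        findings.append(("global", "failed logons are mapped to the guest account"))
    if (first_set(glob, "server min protocol", "min protocol") or "").upper() in SMB1_DIALECTS:
        findings.append(("global", "SMB1 dialects are accepted"))
    if (first_set(glob, "restrict anonymous") or "0") != "2":
        findings.append(("global", "null sessions are not blocked (restrict anonymous < 2)"))
    for name, share in sections.items():
        if name == "global":
            continue
        guest = first_set(share, "guest ok", "public") in YES
        writable = (first_set(share, "read only") in NO
                    or first_set(share, "writable", "writeable", "write ok") in YES)
        if guest:
            findings.append((name, "guest-writable share" if writable else "guest-readable share"))
    return findings
```

An unset `server min protocol` is not flagged because its default depends on the Samba version; pin it explicitly on hardened hosts.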
Final Thoughts
This lab reinforced how small misconfigurations can lead to full system compromise.
By practicing these techniques in a safe environment, defenders can better recognize, detect, and prevent real-world attacks.
If you’re learning cybersecurity, labs like this bridge the gap between theory and practice.
🤝 Connect
If you enjoyed this article or you’re also learning DevOps, Linux, Security, or Cloud automation, I’d love to connect, share ideas, and learn.
💬 Feel free to reach out or follow my journey on 👉 LinkedIn