For any aspiring ethical hacker or cybersecurity professional, the “golden rule” is simple: Never test your skills on a network you don’t own. This is where a penetration testing lab becomes your most valuable asset. To master the art of exploitation, you need a target—a system intentionally riddled with security holes.
In the world of cybersecurity training, Metasploitable is the undisputed king of vulnerable virtual machines (VMs). In this guide, we will walk you through finding the best vulnerable machines and provide a detailed installation guide for Metasploitable 2.
Why You Need a Pentest Lab
A penetration testing lab allows you to simulate real-world attacks in a sandbox environment. Using tools like Kali Linux or Parrot OS against targets like Metasploitable helps you understand:
- How vulnerabilities are discovered.
- How exploit payloads are delivered.
- How to pivot through a network.
- How to patch systems effectively.
Where to Find Vulnerable Machines for Penetration Testing
Before we dive into the installation, you should know where the cybersecurity community sources their targets. There are three primary hubs:
- VulnHub: A massive repository of community-created “Boot2Root” machines.
- Hack The Box (HTB) / TryHackMe: Cloud-based platforms for guided learning.
- SourceForge (Rapid7): The official home of Metasploitable.
What is Metasploitable 2?
Metasploitable 2 is an intentionally vulnerable Linux virtual machine created by the team at Rapid7. Unlike “Capture the Flag” (CTF) machines that focus on one specific puzzle, Metasploitable 2 is designed to be vulnerable in dozens of ways. It runs outdated services like FTP, Telnet, and old versions of Apache that are susceptible to classic exploits found in the Metasploit Framework.
Step-by-Step Guide: How to Download and Install Metasploitable 2
1. System Requirements & Preparation
Before starting, ensure your host machine (Windows, macOS, or Linux) has the following:
- Virtualization Software: Oracle VirtualBox (Free) or VMware Workstation/Player. See how to install Kali Linux on Oracle VirtualBox for free.
- RAM: At least 4GB (though Metasploitable only needs 512MB).
- Kali Linux: Your “attacker” machine should already be installed on the same hypervisor.
2. Downloading the Metasploitable 2 File
Do not download Metasploitable from untrusted third-party sites. Use the official source:
- Source: Rapid7 Metasploitable 2 Download
- The download will be a .zip file containing a Virtual Disk (.vmdk).
3. Setting Up the VM in VirtualBox
- Extract the Zip: Unzip the folder to a permanent location on your hard drive.
- Create New VM: Open VirtualBox and click “New.”
- Name: Metasploitable-Lab
- Type: Linux
- Version: Ubuntu (64-bit)
- Memory Allocation: Set the RAM to 512MB or 1024MB.
- Hard Disk (Crucial Step): Do not create a new virtual hard disk. Select “Use an existing virtual hard disk file.”
- Click the folder icon, click “Add,” and navigate to the .vmdk file you extracted in the first bullet of this step.
- Finish: Click “Create.”
4. Configuring the Network (Safety First)
Warning: Metasploitable is extremely vulnerable. Do not expose it to the internet using a “Bridged” adapter.
- Go to Settings > Network.
- Attached to: Select “Host-only Adapter” or “Internal Network.”
- This ensures that the vulnerable machine can only talk to your Kali Linux VM and your host, protecting your home network from potential cross-infection.
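The same setup, scripted with VirtualBox's VBoxManage command-line tool so that the network check happens before the VM ever boots. This is an added example, not part of the original guide; it assumes VirtualBox is installed, that the host-only network is named vboxnet0 (the Linux/macOS default; on Windows it is usually “VirtualBox Host-Only Ethernet Adapter”), and that the path to the extracted .vmdk is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original guide): steps 3 and 4 via VBoxManage,
# plus a guard that refuses to boot the VM unless NIC 1 is host-only/intnet.
# Assumed names: host-only interface vboxnet0, .vmdk path passed as $1.

VM_NAME="Metasploitable-Lab"
HOSTONLY_IF="vboxnet0"

# Return 0 when the machine-readable showvminfo text (passed as $1) reports
# NIC 1 on an isolated network type; 1 for bridged, NAT or anything else.
nic_is_isolated() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^nic1="\(.*\)"$/\1/p')
    case "$mode" in
        hostonly|intnet) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the VM around the existing Metasploitable disk (never a new disk),
# give it 512 MB and pin NIC 1 to the host-only adapter before first boot.
create_lab_vm() {
    vmdk="$1"
    VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu_64 --register
    VBoxManage modifyvm "$VM_NAME" --memory 512 \
        --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
    VBoxManage storagectl "$VM_NAME" --name "IDE" --add ide
    VBoxManage storageattach "$VM_NAME" --storagectl "IDE" \
        --port 0 --device 0 --type hdd --medium "$vmdk"
}

# Start the VM only if the network check passes (catches a later GUI edit).
start_if_isolated() {
    info=$(VBoxManage showvminfo "$VM_NAME" --machinereadable)
    if nic_is_isolated "$info"; then
        VBoxManage startvm "$VM_NAME"
    else
        echo "refusing to start $VM_NAME: NIC 1 is not host-only/intnet" >&2
        return 1
    fi
}

# Only touch VirtualBox when a disk path was given and the CLI is present.
if [ -n "$1" ] && command -v VBoxManage >/dev/null 2>&1; then
    create_lab_vm "$1"
    start_if_isolated
fi
```

Run start_if_isolated on its own whenever you want to re-check an existing lab VM after changing its settings in the GUI.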
5. First Boot and Login
Launch the VM. Once the command prompt appears, log in using the default credentials:
- Username: msfadmin
- Password: msfadmin
To find your IP address, type ifconfig. You will use this IP as your “RHOST” (Remote Host) inside Metasploit on your Kali machine.
Analyzing the Vulnerability Surface
Once Metasploitable is running, go to your Kali Linux terminal and run an Nmap scan:
nmap -sV [Metasploitable_IP]
You will see an alarming number of open ports:
- Port 21 (FTP): Often contains backdoors.
- Port 23 (Telnet): Insecure plain-text communication.
- Port 80 (HTTP): Hosts several vulnerable web applications like DVWA (Damn Vulnerable Web App) and Mutillidae.
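To turn that scan into a quick inventory of the plaintext and legacy services, save the results in Nmap's grepable format (nmap -sV -oG scan.gnmap [Metasploitable_IP]) and feed the file to the script below. This is an added example, not part of the original guide; the scan text embedded in it is constructed for illustration, and the notes map the three ports discussed above to the risk the guide describes.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise risky services from
# nmap grepable output (nmap -sV -oG). Entry format per port in that file is
# port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
# SAMPLE_GNMAP is a constructed sample; version fields are illustrative only.

SAMPLE_GNMAP='Host: 192.168.56.101 ()	Ports: 21/open/tcp//ftp//vsftpd/, 22/open/tcp//ssh//OpenSSH/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd/	Ignored State: closed (996)'

# Read gnmap text on stdin and print one line per open service that the
# guide singles out, with the reason it matters. Closed/filtered ports are
# skipped, and services not in the list (e.g. ssh) are left out.
flag_risky_services() {
    awk '
    /Ports:/ {
        sub(/.*Ports: /, "")
        n = split($0, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] != "open") continue
            note = ""
            if (f[5] == "ftp")    note = "legacy FTP, cleartext logins; often a backdoored build"
            if (f[5] == "telnet") note = "cleartext session, credentials readable on the wire"
            if (f[5] == "http")   note = "hosts vulnerable web apps such as DVWA and Mutillidae"
            if (note != "") printf "%s/%s %s (%s): %s\n", f[1], f[3], f[5], f[7], note
        }
    }'
}

# Demo run on the constructed sample; replace with: flag_risky_services < scan.gnmap
printf '%s\n' "$SAMPLE_GNMAP" | flag_risky_services
```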
Advanced Lab Tip: Using VulnHub for Variety
While Metasploitable is great for learning the Metasploit Framework, VulnHub is better for practicing “privilege escalation.” Once you’ve mastered Metasploitable, download machines like “Kioptrix” or “Tr0ll” to test your manual exploitation skills.
Safety and Ethical Considerations
As a member of the Cybersecuritynation.com community, remember that these tools are for education. Accessing a computer system without explicit permission is illegal. Always conduct your research within the confines of your private virtual network.
Conclusion
Setting up a Kali Linux lab with Metasploitable is a rite of passage for every security researcher. It provides a safe, legal, and controlled environment to fail, learn, and eventually succeed in complex exploit chains.
What was the first exploit you successfully ran on Metasploitable? Are you running into issues with your VirtualBox network settings? Let’s discuss in the comments below! If you found this guide helpful, please share it with your fellow students and security enthusiasts to help grow our community.