Set up Metasploitable 2
Metasploitable 2 is a purposely vulnerable Ubuntu Linux server. It ships with weak services, outdated software, and bad configurations — a perfect playground for practising enumeration and exploitation against a realistic host.
Metasploitable is one of the most insecure machines you can run. It must stay on a host-only network. Never bridge it or expose it to the internet, and never reuse its passwords anywhere.
Step 1 — Download Metasploitable 2
Metasploitable 2 is distributed as a ready-made virtual machine (a folder of .vmdk disk files), so there's no OS to install — you just import it.
-
Get the official archive
Download the ZIP from the SourceForge project hosted by Rapid7. Verify the file once downloaded.
verify download$ sha1sum metasploitable-linux-2.0.0.zip -
Extract it
Unzip to a folder you'll remember. You'll see
Metasploitable.vmdkand a.vmxfile.
Step 2 — Import into VirtualBox
Metasploitable ships in VMware format, but VirtualBox reads the .vmdk disk directly — create a new VM and attach it.
-
Create a new VM
In VirtualBox click New. Name it
Metasploitable2, Type Linux, Version Ubuntu (64-bit). Give it 512–1024 MB RAM.
Figure 1. Creating the Metasploitable VM. -
Use the existing disk
When prompted for a hard disk, choose Use an existing virtual hard disk file and select the extracted
Metasploitable.vmdk.
Figure 2. Attaching the existing Metasploitable disk.
Step 3 — Isolate it on the lab network
This is the most important step. Attach Metasploitable to the same host-only network as Kali, exactly as covered in guide 1.2.
-
Set the adapter
VM Settings → Network → Adapter 1: set Attached to: Host-only Adapter and pick your
vboxnet0network. Ensure no other adapter is enabled.
Figure 3. Confirming host-only isolation.
Step 4 — Boot and log in
-
Start the VM
Boot it. At the login prompt use the default credentials
msfadmin/msfadmin. -
Find its IP address
Log in and run:
msfadmin@metasploitable$ ip addr inet 192.168.56.20/24 ...
Note this address — it's your target.
Step 5 — Verify Kali can reach it
From your Kali box, confirm connectivity and run a first scan:
$ ping -c 3 192.168.56.20 $ nmap -sV 192.168.56.20
Nmap will list a long set of open ports and old service versions — that's exactly what you want to see.
Checkpoint: Metasploitable boots, is host-only isolated, and Kali's Nmap scan returns its open ports. Your full lab — attacker plus web and infrastructure targets — is complete.
Next, work the Methodology section to turn this scan output into a structured attack: research the service versions, pick an exploit, and document your foothold.