Learning Hub / Target Machines / Infrastructure Targets / Metasploitable 2

Set up Metasploitable 2

Guide 3.2.1 Difficulty: Beginner ~25 minutes

Metasploitable 2 is a purposely vulnerable Ubuntu Linux server. It ships with weak services, outdated software, and bad configurations — a perfect playground for practising enumeration and exploitation against a realistic host.

Metasploitable is one of the most insecure machines you can run. It must stay on a host-only network. Never bridge it or expose it to the internet, and never reuse its passwords anywhere.

Step 1 — Download Metasploitable 2

Metasploitable 2 is distributed as a ready-made virtual machine (a folder of .vmdk disk files), so there's no OS to install — you just import it.

  1. Get the official archive

    Download the ZIP from the SourceForge project hosted by Rapid7. Verify the file once downloaded.

    verify download
    $ sha1sum metasploitable-linux-2.0.0.zip
  2. Extract it

    Unzip to a folder you'll remember. You'll see Metasploitable.vmdk and a .vmx file.

Step 2 — Import into VirtualBox

Metasploitable ships in VMware format, but VirtualBox reads the .vmdk disk directly — create a new VM and attach it.

  1. Create a new VM

    In VirtualBox click New. Name it Metasploitable2, Type Linux, Version Ubuntu (64-bit). Give it 512–1024 MB RAM.

    VirtualBox new VM dialog configured for Metasploitable as Ubuntu 64-bit
    Figure 1. Creating the Metasploitable VM.
  2. Use the existing disk

    When prompted for a hard disk, choose Use an existing virtual hard disk file and select the extracted Metasploitable.vmdk.

    VirtualBox dialog selecting the existing Metasploitable.vmdk disk file
    Figure 2. Attaching the existing Metasploitable disk.

Step 3 — Isolate it on the lab network

This is the most important step. Attach Metasploitable to the same host-only network as Kali, exactly as covered in guide 1.2.

  1. Set the adapter

    VM Settings → Network → Adapter 1: set Attached to: Host-only Adapter and pick your vboxnet0 network. Ensure no other adapter is enabled.

    VirtualBox network settings showing Metasploitable attached to a host-only adapter
    Figure 3. Confirming host-only isolation.

Step 4 — Boot and log in

  1. Start the VM

    Boot it. At the login prompt use the default credentials msfadmin / msfadmin.

  2. Find its IP address

    Log in and run:

    msfadmin@metasploitable
    $ ip addr
    inet 192.168.56.20/24 ...

    Note this address — it's your target.

Step 5 — Verify Kali can reach it

From your Kali box, confirm connectivity and run a first scan:

kali@kali
$ ping -c 3 192.168.56.20
$ nmap -sV 192.168.56.20

Nmap will list a long set of open ports and old service versions — that's exactly what you want to see.

Nmap version scan from Kali listing many open ports on the Metasploitable target
Figure 4. An Nmap service scan against Metasploitable from Kali.

Checkpoint: Metasploitable boots, is host-only isolated, and Kali's Nmap scan returns its open ports. Your full lab — attacker plus web and infrastructure targets — is complete.

Next, work the Methodology section to turn this scan output into a structured attack: research the service versions, pick an exploit, and document your foothold.