📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
Part of the Metasploitable Labs Series
Lab 1 — Setup Complete
⚠️ Isolated Lab Environment Only. Metasploitable 2 is intentionally vulnerable. It must run on an isolated host-only network with no internet access or connection to your main network. Connecting Metasploitable 2 to any network accessible by other users or systems is dangerous and potentially illegal. Every lab in this series uses the isolated vboxnet0 configuration only.
DVWA gave you web application skills. Metasploitable 2 is where I take those skills into network exploitation, where you learn to exploit services: the FTP server with a backdoor baked into the binary, the Samba share exploitable with a single Metasploit command, the database with no root password. It packs twenty-plus intentionally vulnerable services onto a single VM, all exploitable from Kali Linux across an isolated lab network. This first lab gets the environment running in 20 minutes. After that, every lab in this series focuses exclusively on exploitation.
🎯 What You’ll Build in Lab 1
- Metasploitable 2 running in VirtualBox with isolated host-only network
- Both Kali Linux and Metasploitable on the same 192.168.56.x subnet
- All 20+ vulnerable services confirmed running
- Clean snapshot saved for lab restoration
⏱️ 25 min setup · 3 exercises · Lab 1

#### ✅ Before You Start

- DVWA Labs Complete — completing the 30-lab DVWA series built the web application pentesting foundation. Metasploitable extends this to network service exploitation and Metasploit framework usage.
- VirtualBox 7.x installed. At least 8GB RAM total. 10GB free disk space. Kali Linux VM already working.

### 📋 Hacking Lab 1 — Metasploitable Lab Setup

1. Download and Extract Metasploitable 2
2. Create the VirtualBox VM
3. Configure the Isolated Network
4. Verify Services and Create Snapshot

The DVWA lab series covered web application exploitation across 30 labs. Metasploitable shifts the focus to network-layer service exploitation — the techniques covered in the Metasploitable Labs series. The first step is a correct lab environment — everything else depends on it.
Download and Extract Metasploitable 2
DOWNLOAD AND PREPARE METASPLOITABLE 2

```bash
# Official download location
# https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
# File: Metasploitable2-Linux.zip (~900MB)

# Extract the ZIP (Linux/Mac)
unzip Metasploitable2-Linux.zip
# Creates: Metasploitable2-Linux/ directory with .vmdk file
ls -lh Metasploitable2-Linux/
# Metasploitable.vmdk ~1.8GB uncompressed VMDK disk image

# Verify MD5 checksum (optional but recommended)
# The hash SourceForge lists is for the downloaded ZIP, so hash the archive
md5sum Metasploitable2-Linux.zip
# Compare against SourceForge listed hash
```
Create the VirtualBox VM
VIRTUALBOX VM CREATION

```bash
# VirtualBox CLI (VBoxManage) — or use the GUI
VBoxManage createvm --name "Metasploitable2" --ostype Ubuntu --register
VBoxManage modifyvm "Metasploitable2" --memory 512 --cpus 1 --vram 16
VBoxManage storagectl "Metasploitable2" --name "IDE" --add ide
# Replace /path/to/ with the directory that holds the extracted VMDK
VBoxManage storageattach "Metasploitable2" --storagectl "IDE" --port 0 --device 0 --type hdd --medium /path/to/Metasploitable.vmdk
```
GUI steps (if preferred)
- VirtualBox → New → Name: Metasploitable2
- Type: Linux → Version: Other Linux (64-bit)
- Memory: 512 MB
- Hard Disk: Use an existing virtual hard disk → select Metasploitable.vmdk
- Finish → VM created
Default credentials
OS Login: msfadmin / msfadmin
MySQL root: root / (empty password)
PostgreSQL: postgres / postgres
Tomcat: tomcat / tomcat
⚡ EXERCISE 1 — KALI TERMINAL (15 MIN)
Import and Configure Metasploitable 2 in VirtualBox
⏱️ 15 minutes · VirtualBox installed, VMDK downloaded
Follow the setup steps exactly. The network configuration is the critical step — if Metasploitable reaches the internet, it’s a security risk to you and potentially to others. Verify isolation before starting any exploitation lab.
Step 1: Create the VM
- VirtualBox → New → Metasploitable2 → Linux → Other Linux 64-bit
- Memory: 512MB
- Hard disk: Use existing → select Metasploitable.vmdk

Step 2: Verify VM settings before first boot
- Settings → System → Boot Order: Hard Disk first
- Settings → Display → Video Memory: 16MB
- Settings → Network → (configure in Exercise 2)

Step 3: First boot test
- Start Metasploitable2 VM
- Wait for boot (30-60 seconds)
- Login: msfadmin / msfadmin
- Run: ifconfig
- Note the eth0 IP address

Step 4: Verify basic services from console

```bash
ps aux | grep -E "ftp|ssh|apache|mysql|postgres"
# Should show multiple services running
```
Confirm: VM boots, you can login, services are running.
✅ If the ifconfig output shows 10.0.2.x, Metasploitable is currently on NAT (VirtualBox default) — it has internet access and is reachable from your host in a less isolated way than we want. Don’t exploit anything yet. Complete Exercise 2’s network reconfiguration to host-only before any lab work. The 10.0.2.x address is a warning flag — it means the isolation step wasn’t completed.
📸 Screenshot your Metasploitable2 boot screen with msfadmin login. Share in #metasploitable-labs.
Configure the Isolated Network
HOST-ONLY NETWORK SETUP — MANDATORY ISOLATION

```bash
# Step 1: Create host-only network in VirtualBox
VBoxManage hostonlyif create
# Or GUI: File → Host Network Manager → Create
# Creates: vboxnet0 at 192.168.56.1/24

# Step 2: Configure Metasploitable2 network adapter
VBoxManage modifyvm "Metasploitable2" --nic1 hostonly --hostonlyadapter1 vboxnet0
# Or GUI: Settings → Network → Adapter 1 → Host-Only Adapter → vboxnet0

# Step 3: Add host-only adapter to Kali Linux VM
VBoxManage modifyvm "KaliLinux" --nic2 hostonly --hostonlyadapter2 vboxnet0
# Or GUI: Kali Settings → Network → Adapter 2 → Enable → Host-Only → vboxnet0

# Step 4: Verify isolation — from Metasploitable console
ping 8.8.8.8 -c 3        # Should FAIL (no internet)
ping 192.168.56.1 -c 3   # Should succeed (reaches your host)

# Get Metasploitable IP on host-only network
ifconfig eth0            # Should show 192.168.56.x address
```
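
A host-side check that complements the in-guest ping test above, added here as an example and not part of the original article: it reads the `nicN=` and `hostonlyadapterN=` keys printed by `VBoxManage showvminfo --machinereadable` and fails if any enabled adapter on the target VM is not host-only on vboxnet0. The function name `audit_nics` is hypothetical and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit NIC attachments in the output of
#   VBoxManage showvminfo "Metasploitable2" --machinereadable
# read on stdin. Exit status is 0 only when every enabled adapter is
# host-only on the expected interface (default: vboxnet0, as on this page).
audit_nics() {
    awk -F= -v want="${1:-vboxnet0}" '
        { v = $2; gsub(/"/, "", v) }                  # strip the quotes
        /^nic[0-9]+=/ { mode[substr($1, 4)] = v; parsed++ }
        /^hostonlyadapter[0-9]+=/ { hif[substr($1, 16)] = v }
        END {
            if (!parsed) {                             # empty or wrong input
                print "FAIL no nicN= lines found in input"
                exit 1
            }
            bad = 0
            for (n in mode) {
                if (mode[n] == "none") continue        # adapter disabled
                if (mode[n] == "hostonly" && hif[n] == want)
                    printf "OK   nic%s hostonly on %s\n", n, want
                else {
                    printf "FAIL nic%s attached as %s %s\n", n, mode[n], hif[n]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample inputs (not captured from a real VM).
SAMPLE_ISOLATED='name="Metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nictype1="Am79C973"
nic2="none"'

SAMPLE_NAT='name="Metasploitable2"
nic1="nat"
natnet1="nat"
nic2="none"'

printf '%s\n' "$SAMPLE_ISOLATED" | audit_nics vboxnet0 || echo "not isolated"
printf '%s\n' "$SAMPLE_NAT" | audit_nics vboxnet0 || echo "not isolated: fix before lab work"
```

On the host, pipe the live output in with `VBoxManage showvminfo "Metasploitable2" --machinereadable | audit_nics vboxnet0` and rerun it after restoring a snapshot, since snapshots carry their own network settings.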
Figure: Network Configuration — VirtualBox Host-Only Setup

Kali Linux VM
- Adapter 1: NAT (internet access)
- Adapter 2: vboxnet0 (192.168.56.0/24)
- eth0: 10.0.2.15 (internet via NAT)
- eth1: 192.168.56.100 (lab network)