📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
Part of the Metasploitable Lab Series
Lab 3 of 10 · 30% complete
⚠️ Isolated Lab Environment Only. Metasploitable 2 is intentionally vulnerable. Run it only on a host-only network completely isolated from the internet. Every service on this machine is exploitable.
Lab 2 gave me 23 open ports. That’s a list, not an attack plan. Service enumeration turns the port list into an attack priority matrix — I know which services are running vulnerable versions, which have known public exploits, and which I should hit first. Today’s lab runs the NSE scripts that surface exactly that information and builds the document I reference for every subsequent lab in this series.
🎯 What You’ll Master in Lab 3

- Run targeted Nmap NSE scripts for service-specific enumeration
- Identify vulnerable service versions from fingerprinting output
- Enumerate Metasploitable’s web applications on port 80
- Build an attack priority matrix from enumeration data
- Map services to Metasploit modules before exploitation
⏱️ 40 min · 3 exercises · Lab 3 of 10

#### ✅ Before You Start

- Lab 2 — Nmap Enumeration — the four-stage scan from Lab 2 confirmed all 23 open ports. Today I take those ports and run targeted NSE scripts to get service versions, CVE indicators, and the full attack surface map.
- Metasploitable 2 running on host-only network · Kali Linux on same host-only adapter · You know Metasploitable’s IP from Lab 2

### 📋 Metasploitable Service Enumeration Lab – Contents

1. NSE Scripts — Service-Specific Enumeration
2. Version Analysis — CVE Mapping
3. Web Application Enumeration — Port 80
4. Building the Attack Priority Matrix

The attack surface I build organises the Metasploitable target for every subsequent lab. After Lab 2’s Nmap scan, this lab adds depth. The full exploitation sequence continues in Lab 4 where I run the first Metasploit module against the highest-priority service found today. The Metasploitable hub has the complete series. Use the Port Scanner Tool to verify port status before each lab.
## NSE Scripts — Service-Specific Enumeration
Nmap’s NSE (Nmap Scripting Engine) adds targeted checks on top of basic port scanning. The scripts I run on Metasploitable cover the six highest-value service categories: FTP, SSH, SMB, HTTP, databases, and vulnerability detection. Each script category extracts information the basic version scan misses.
NSE SCRIPT ENUMERATION — ALL KEY SERVICES

```bash
# FTP enumeration (port 21 — vsftpd 2.3.4)
nmap -sV -p21 --script ftp-anon,ftp-vsftpd-backdoor,ftp-bounce TARGET_IP
# ftp-vsftpd-backdoor: checks for the famous vsftpd 2.3.4 backdoor (CVE-2011-2523)

# SMB enumeration (ports 139,445 — Samba)
nmap -sV -p139,445 --script smb-os-discovery,smb-enum-shares,smb-enum-users,smb-vuln-ms08-067,smb-security-mode TARGET_IP

# HTTP enumeration (port 80 — multiple web apps)
nmap -sV -p80 --script http-title,http-headers,http-methods,http-enum TARGET_IP

# SSH enumeration (port 22)
nmap -sV -p22 --script ssh-auth-methods,ssh-hostkey,ssh2-enum-algos TARGET_IP

# Database enumeration (MySQL port 3306, PostgreSQL 5432)
nmap -sV -p3306 --script mysql-info,mysql-databases,mysql-empty-password TARGET_IP
nmap -sV -p5432 --script pgsql-brute --script-args userdb=/usr/share/wordlists/metasploit/unix_users.txt TARGET_IP

# Full vuln scan (slower — comprehensive)
nmap -sV --script vuln -p21,22,23,25,80,139,445,3306,5432,8180 TARGET_IP -oN vuln_scan.txt
```
⚡ EXERCISE 1 — KALI TERMINAL (20 MIN · METASPLOITABLE RUNNING)
Run NSE Scripts Against All Key Metasploitable Services
⏱️ 20 minutes · Kali Linux + Metasploitable 2 on host-only network
Run the NSE script chain against each high-priority service. The vsftpd backdoor check and SMB enumeration results will shape the attack plan for Labs 4 and 5.
Set TARGET_IP to your Metasploitable IP from Lab 2.
Step 1: FTP NSE check

```bash
nmap -sV -p21 --script ftp-anon,ftp-vsftpd-backdoor TARGET_IP
```

Did the vsftpd backdoor check trigger? What did it return? Is anonymous FTP enabled?

Step 2: SMB NSE enumeration

```bash
nmap -p139,445 --script smb-os-discovery,smb-enum-shares,smb-security-mode TARGET_IP
```

What OS did smb-os-discovery return? What shares are available? Is SMB signing enforced?

Step 3: HTTP title and enumeration

```bash
nmap -p80 --script http-title,http-enum TARGET_IP
```

List every web path http-enum found. How many web applications are running on port 80?

Step 4: MySQL empty password check

```bash
nmap -p3306 --script mysql-empty-password,mysql-info TARGET_IP
```

Is the MySQL root account accessible without a password? What databases are listed?

Step 5: Comprehensive vuln scan

```bash
nmap --script vuln -p21,22,23,80,139,445,3306 TARGET_IP -oN vuln_output.txt
# -E enables alternation so the three keywords are matched as separate patterns
grep -E "VULNERABLE|CVE|EXPLOIT" vuln_output.txt
```

How many vulnerable services does it identify?
Document: full output from each scan. Note: service, version, finding.
✅ The vsftpd backdoor check result is the key finding of this exercise. ftp-vsftpd-backdoor will confirm whether port 6200 is open — the backdoor’s command shell port. If confirmed, the next lab shows exactly how to exploit it. The MySQL empty-password result is almost always positive on Metasploitable — root access without credentials to the database is a Critical finding on any real engagement, and the exploitation path (MySQL → file write → webshell → RCE) is one of the classic chains.
📸 Screenshot showing vsftpd backdoor detection result. Share in #metasploitable-labs.
## Version Analysis — CVE Mapping
After version detection, I map each service version to known CVEs. The table I build from this mapping is the attack priority list — services ranked by exploitation likelihood and impact, with the Metasploit module path for each.
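A sketch of this triage step, added here as an example and not taken from the SecurityElites lab: it parses Nmap normal output (`-oN`) into one row per open port and ranks the rows. The sample output is constructed, and the ranking rule (script-confirmed findings first) and the function names are assumptions.

```python
import re

# Constructed sample in the shape of `nmap -sV --script ... -oN` output (not a real scan).
SAMPLE = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|     State: VULNERABLE (Exploitable)
|_    IDs:  CVE:CVE-2011-2523
22/tcp   open  ssh     OpenSSH
3306/tcp open  mysql   MySQL
| mysql-empty-password:
|_  root account has empty password
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[ _]([a-z0-9-]+):")   # "| name:" or "|_name:"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse(text):
    """Return one dict per open port with the script findings listed under it."""
    rows, cur, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": int(m[1]), "service": m[2], "version": m[3].strip(),
                   "cves": set(), "flags": set()}
            rows.append(cur)
            continue
        if cur is None or not line.startswith("|"):
            continue
        s = SCRIPT_RE.match(line)
        if s:
            script = s[1]
        cur["cves"].update(CVE_RE.findall(line))
        if "State: VULNERABLE" in line:      # does not match "NOT VULNERABLE"
            cur["flags"].add(f"{script}: VULNERABLE")
        if "empty password" in line.lower():
            cur["flags"].add(f"{script}: empty password")
    return rows

def prioritise(rows):
    """Assumed ranking: script-confirmed VULNERABLE, then other flags, then port."""
    def key(r):
        confirmed = any(f.endswith("VULNERABLE") for f in r["flags"])
        return (not confirmed, not r["flags"], r["port"])
    return sorted(rows, key=key)
```

Calling `prioritise(parse(open("vuln_output.txt").read()))` on the file from Step 5 gives the rows in review order; each row's `cves` and `flags` sets are the evidence to record next to the service and version.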