What is Metasploitable3?
Metasploitable3 is a free virtual machine that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits and simulating attacks, largely with Metasploit. People in the security industry use it for a variety of reasons, such as training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or, for CTF junkies, just for kicks 🙂
Prerequisites & Requirements
Metasploitable3 needs to be built manually because it is based on Windows Server 2008, and as per the licensing specified by Windows, it is illegal to distribute any version of Windows in any form, regardless of whether it is a VM image or an ISO file. As a result, you must install several virtualization management and deployment tools:
- Packer: https://www.packer.io/docs/install/index.html
- Vagrant: https://www.vagrantup.com/docs/installation/
- Vagrant Reload Plugin: https://github.com/aidanns/vagrant-reload#installation
This walkthrough targets the build and installation process with VirtualBox, which can be found here: https://www.virtualbox.org/wiki/Downloads. You can follow along with the installation steps for the prerequisites in the video tutorial above. After installing the tools, we can begin working with the PowerShell build script.
We first need to download or clone the Metasploitable3 GitHub repository onto the system. If you have the git client for Windows, you can clone the repository directly. If you do not have git installed, you can download the repository as a zip file and extract it to your working directory.
If you want to install the git client for Windows, you can download the setup here: https://gitforwindows.org/
Note: If you have Hyper-V enabled, please ensure it is disabled, as VirtualBox will not work alongside it and it can cause issues with the build process.
The GitHub repository is available here: https://github.com/rapid7/metasploitable3/
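A pre-flight check for the prerequisites listed above, as an added example that is not part of the original walkthrough or the Metasploitable3 repository: it confirms that Packer, Vagrant, the vagrant-reload plugin and VirtualBox are present, that Hyper-V is off, and that the script execution policy is unrestricted. The default VirtualBox install path and the treatment of `Unrestricted` or `Bypass` as passing are assumptions.

```powershell
# Added example: prerequisite check to run before the Metasploitable3 build.
$results = [ordered]@{}

function Test-Tool([string]$Name) {
    # True when the executable can be resolved on PATH.
    return [bool](Get-Command $Name -ErrorAction SilentlyContinue)
}

$results['Packer on PATH']  = Test-Tool 'packer'
$results['Vagrant on PATH'] = Test-Tool 'vagrant'

# "vagrant plugin list" prints one installed plugin per line.
$results['vagrant-reload plugin installed'] = $false
if ($results['Vagrant on PATH']) {
    $plugins = & vagrant plugin list 2>$null
    $results['vagrant-reload plugin installed'] = [bool]($plugins -match '^vagrant-reload\b')
}

# Assumption: VirtualBox sits in its default install location when VBoxManage is not on PATH.
$vboxDefault = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
$results['VirtualBox installed'] = (Test-Tool 'VBoxManage') -or (Test-Path $vboxDefault)

# Hyper-V must be off for VirtualBox. The feature query needs an elevated session,
# so fall back to asking Windows whether any hypervisor is currently running.
try {
    $hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction Stop
    $results['Hyper-V disabled'] = ($hv.State -ne 'Enabled')
} catch {
    $results['Hyper-V disabled'] = -not (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
}

# Assumption: only Unrestricted or Bypass count as "unrestricted" script execution.
$policy = Get-ExecutionPolicy
$results["Execution policy unrestricted (current: $policy)"] = $policy -in 'Unrestricted', 'Bypass'

# Print one line per check and count the failures.
$failed = 0
foreach ($check in $results.GetEnumerator()) {
    if ($check.Value) {
        Write-Host "[ OK ] $($check.Key)"
    } else {
        $failed++
        Write-Host "[FAIL] $($check.Key)"
    }
}
if ($failed -gt 0) {
    Write-Warning "$failed prerequisite check(s) failed; resolve them before starting the build."
}
```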
Once you have cloned the repository onto your system, you need to open a PowerShell session in the Metasploitable3 directory. After you have established a PowerShell session, you need to ensure that you have unrestricted access or privileges to execute scripts with PowerShell. To do this we need to run the following command in PowerShell:
We can now begin the automatic build process by running the PowerShell build script. This script will download an evaluation copy of Windows Server 2008 and all the vulnerable services and tools that are required to create the Metasploitable3 VM.
To execute the script we run the following command in PowerShell:
This will begin the build process for the Windows Server 2008 variant. The process will take up to an hour depending on your internet connection. After the build process has completed, you need to run the following vagrant command:
After running vagrant, Metasploitable3 will be set up in VirtualBox and the build process is complete. You can now start up the VM and log in to the vagrant account. The default username and password for the vagrant user account is “vagrant”.
The process is now complete and you can begin the exploitation process. Happy Hacking!