Setting Up a Vulnerable Target

A test environment provides a secure place to perform penetration testing and security research. For your test environment, you need a Metasploit instance that can access a vulnerable target. The following sections describe the requirements and instructions for setting up a vulnerable target.

Downloading and Setting Up Metasploitable 3

The easiest way to get a target machine is to use Metasploitable 3, which is a vulnerable virtual machine (offered in both Ubuntu Linux and Windows Server flavors) intentionally designed for testing common vulnerabilities. This virtual machine (VM) is compatible with VMware, VirtualBox, and other common virtualization platforms.

The Metasploitable 3 project can be found at:

Metasploitable 3 supports Vagrant for easy setup. See the quick-start guide to get up and running. If you prefer, you can build a Metasploitable 3 VM from scratch.

Powering on Metasploitable 3

Once you've set up (or built) your Metasploitable 3 VM, you can power it on using the vagrant up command:

cd metasploitable3-workspace
vagrant up

To check whether the Metasploitable 3 VM is running, use the vagrant status command:

cd metasploitable3-workspace
vagrant status

Logging into Metasploitable 3

The login for Metasploitable 3 is vagrant:vagrant.

Identifying Metasploitable 3's IP Address

After you log in to Metasploitable 3, you can identify the IP address which has been assigned to the virtual machine. Just enter ifconfig (at a Linux terminal prompt) or ipconfig (at a Windows PowerShell or cmd prompt) to see the details for the virtual machine.

msfadmin@metasploitable:~$ ifconfig

The command will return the configuration for eth0. You'll need to take note of the inet address. This will be the address you'll use for testing purposes.
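
As an added example (not part of the original guide), the following shell functions pull the eth0 inet address out of ifconfig output in either net-tools layout and check that it falls in an RFC 1918 private range before you record it as the lab target. The function names and all sample ifconfig output are constructed for illustration; the Windows ipconfig case is not covered.

```shell
#!/bin/sh
# Added example. All sample ifconfig output below is constructed.

# inet_addr IFACE: read ifconfig output on stdin, print IFACE's IPv4 address.
inet_addr() {
    awk -v want="$1" '
        # A stanza header starts in column 0: "eth0  Link encap:..." or "eth0: flags=..."
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        # net-tools prints "inet addr:A.B.C.D" (older) or "inet A.B.C.D" (newer)
        cur == want && $1 == "inet" { a = $2; sub(/^addr:/, "", a); print a; exit }
    '
}

# is_private ADDR: succeed only for RFC 1918 addresses.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

sample_old() {  # older net-tools layout (constructed)
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 08:00:27:00:00:01
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe00:1/64 Scope:Link

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
}

sample_new() {  # newer net-tools layout (constructed)
    cat <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.28.128.3  netmask 255.255.255.0  broadcast 172.28.128.255
        inet6 fe80::a00:27ff:fe00:2  prefixlen 64  scopeid 0x20<link>
EOF
}

for s in sample_old sample_new; do
    ip=$("$s" | inet_addr eth0)
    if is_private "$ip"; then echo "$s: target $ip (private range)"
    else echo "$s: target $ip is NOT private; keep the lab VM off routable networks"
    fi
done
```

On the VM itself, replace the sample functions with the real command, for example ifconfig | inet_addr eth0.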

Help with Metasploitable 3

For more information on Metasploitable 3, check out the wiki.