Test Your Might With The Shiny New Metasploitable3

Today I am excited to announce the debut of our shiny new toy - Metasploitable3.

Metasploitable3 is a free virtual machine that allows you to simulate attacks largely using Metasploit. It has been used by people in the security industry for a variety of reasons: such as training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or CTF junkies who are looking for kicks, etc :-)

If you are already a Metasploitable fan, you would have noticed that we haven't had a new vulnerable image since 2012. To be honest, when James and I took over the project, we didn't even know who was maintaining it anymore. So we decided to do something about it.

After months of planning and building the vulnerable image from scratch, we have something for you all to play :-) Unlike its predecessor, Metasploitable3 has these cool features:

It is Open Source

During development, we recognized one of the drawbacks of Metasploitable2 was maintenance. We figured since we want everyone in the community to play, the community should have the power to influence and contribute. This also allows the vulnerable image to constantly evolve, and hopefully will keep the VM fun to play.

Metasploitable3 can be found as a Github repository here.

Keep in mind, instead of downloading a VM like before, Metasploitable3 requires you to issue a few commands and build for Virtual Box (VMWare will be supported in the future soon). To do so, your machine must install the following requirements:

To build automatically:

Run the build_win2008.sh script if using bash. If you are using Windows, run build_win2008.ps1 . If the command completes successfully, run vagrant up . The the build process takes anywhere between 20 to 40 minutes, depending on your system and Internet connection. After it's done, you should be able to open the VM within VirtualBox and login. The default username is "vagrant" with password "vagrant".

To build manually, please refer to the README documentation.

If you are on Windows, you can also follow these videos to set up Metasploitable3 (Thanks Jeremy Druin)

If you have experience in making vulnerable images, or would like to suggest a type of exploitation scenario for Metasploitable3, your feedback is welcome!

It is for People with Different Skills Levels

Metasploitable2 back then was more of a test environment heavily for Metasploit. It was straight-forward to play, and it didn't take long to find the right exploit to use, and get a high privileged shell.

But you see, we want to make you try a little harder than that :-)

First off, not every type of vulnerability on Metasploitable3 can be exploited with a single module from Metasploit, but some can. Also by default, the image is configured to make use of some mitigations from Windows, such as different permission settings and a firewall.

For example, if you manage to exploit a service in the beginning, you will most likely be rewarded with a lower privileged shell. This part shouldn't be too difficult for young bloods who are new to the game. But if you want more than that, higher privileged services tend to be protected by a firewall, and you must figure out how to get around that.

For special reasons, the firewall can be disabled if you set the MS3_DIFFICULTY environment variable:

$ MS3_DIFFICULTY=easy vagrant up

If the image is already built, you can simply open a command prompt and do:

$ netsh advfirewall set allprofiles state off

It Has Flags

One very common thing about performing a penetration test is going after corporate data. Well, we can't shove any real corporate data in Metasploitable3 without any legal trouble, therefore we have introduced flags throughout the whole system. They serve as "data you want to steal", and each is in the form of a poker card image of a Rapid7/Metasploit developer, and is packaged in one of more of these ways:

Obfuscation

Strict permission settings

File attributes

Embedded files

Getting your hands on these flags exercises your post exploitation muscle, and may require some level of reverse engineering knowledge.

A hint about these flags can be found from one of the services. In the future, we will be publishing more blog posts about how to find these flags.

(Special thanks to Marilyn Marti for the excellent art work!)

It is Expandable

In real world penetration testing, a lot of it involves being able to break into one machine, and leverage the information stolen from there against the next one. Stolen passwords and hashes are perfect examples for this.

Instead of just having one virtual machine, our plan is to also have the capability to build multiple vulnerable images, and create a network of them. This allows the audience to have the opportunity to practice more post exploitation techniques, pivoting, and break into the next box.

Although our first image is Windows, the planning part of the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on Github, or contribute.

And that's what our new toy is all about :-)

Last but not least, if you are trying out Metasploitable3 without Metasploit, either you are Neo from the Matrix, or you are nuts. Metasploit consists of thousands of modules, including exploits, auxiliary, post modules, and payloads that allows you to succeed in many kinds of attack scenarios. If you don't have this in your toolkit, please feel free to grab it here.