Lets not dive right away into the topic, instead lets know the prerequisite first — the great Metasploit. If you are a hacker, theres no need for an introduction to Metasploit — a framework that is (and should be) present in every hacker’s arsenal. You can understand its importance as it comes installed with most of the famous security based Linux distributions, Kali Linux, BlackArch to name a few.

Wikipedia describes Metasploit project as:

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Heres a screenshot from its website:

Screenshot of www.metasploit.com

As this framework contains a lot of scripts, payloads and exploits, you need a target to practice them against. But running them on (known / unknown) vulnerable machines on the internet / intranet which does not belong to you— is completely ILLEGAL. So how can one learn and familiarize oneself with Metasploit ?

Here comes Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. Unlike other vulnerable virtual machines, Metasploitable focuses on vulnerabilities at the operating system and network services layer instead of custom, vulnerable applications.

The latest metasploitable which you see today, didnt become every hackers favorite practice place overnight, it went through lots of changes — additions and removals of vulnerable software, the process of building the image, etc. Lets have a look at its evolution:

The Evolution:

Metasploitable

Image Source: VulnHub.com

The first version of metasploitable was released on May 19, 2010, the time when most of the servers were running Linux. It was a customized Ubuntu 8.04 server to be installed on VMware 6.5 image. A number of vulnerable packages were included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql. But when compared to the scanners and exploits available in MSF, the first version was very minimal. And also it was created to run on VMware. Even though VirtualBox was present at that time, metasploitable was not tested on it.

Metasploitable 2

Image Source: VulnHub.com

Metasploitable 2 came up next. It was released on June 13, 2012. It was beefed up with vulnerabilities. It had backdoors (vsftpd), unintentional backdoors (distccd), weak passwords and much more. Nearly 30 exposed ports could be seen in a complete Nmap scan. It also had vulnerable web applications: DVWA and Mutillidae, which allowed hackers to practice webapp pentesting which includes getting shells, remote code execution, and also privilege escalation attacks. With these vulnerablilities, metasploitable 2 has come a long way from its first version. It works fine on both VirtualBox and VMware. Even now it is a good practice VM for every newbie. But the hackers’ thirst to have a vulnerable Windows machine to test against is not quenched.

Metasploitable 3 — the latest one

Self made using imgflip.com

Metasploitable 3, was released on the latter half of 2016. As both of its predecessors were vulnerable linux variants and with the increase in Windows products (both desktops and servers), it was time to have some vulnerable Windows version. But heres the hindrance: Microsoft doesn’t allow to redistribute customized versions of Windows. So how can we achieve our goal to get a vulnerable Windows version. The answer is provisioning.

Metasploitable 3 completely uses the power of automation and provisioning to create a vulnerable Windows version. Its build scripts are completely open source and it uses tools like packer and vagrant to provision the box. It automates the download of a Windows server (2008 by default), installs the vulnerable packages, sets up the host-only network connection and also creates a virtual machine in your favorite virtualization software — VirtualBox or VMware (as of now). It has a bunch of vulnerable Windows software, and 13 images of playing cards, sounds crazy? Yes, it comes as a CTF style VM, where the task is to collect as many cards as possible. Trust me, by the end of this CTF, you would end up learning a lot of different techniques of exploitation. Adding to the above information — currently Windows variant is available, and the Linux variant is under development.

Wanna try them all ?

Metasploitable 1 : https://www.vulnhub.com/entry/metasploitable-1,28/

Metasploitable 2 : https://www.vulnhub.com/entry/metasploitable-2,29/

Metasploitable 3 : https://github.com/rapid7/metasploitable3