explaingit

rapid7/metasploitable3

5,552 | HTML | Audience · ops devops | Complexity · 4/5 | License | Setup · hard

TLDR

A purposely vulnerable virtual machine designed as a safe practice target for learning security testing with Metasploit, available in Windows Server 2008 and Ubuntu 14.04 versions.

Mindmap

mindmap
  root((metasploitable3))
    What it does
      Vulnerable VM
      Practice target
      Security lab
    Versions
      Windows Server 2008
      Ubuntu 14.04
    Setup
      Vagrant download
      Packer build
      VirtualBox required
    Use
      Metasploit practice
      Education only
      Isolated network

Things people build with this

USE CASE 1

Practice running Metasploit exploits against a real but isolated system without risking damage to live infrastructure.

USE CASE 2

Learn to identify and exploit common vulnerabilities in both Windows and Linux environments in a local lab.

USE CASE 3

Set up a classroom or training environment where students can practice penetration testing techniques safely.

Tech stack

Vagrant, Packer, VirtualBox, Ruby

Getting it running

Difficulty · hard | Time to first run · 1 day+

Building from scratch requires 65 GB free disk space, 4.5 GB RAM, plus Packer and Vagrant installed alongside a virtual machine platform.

Use freely for any purpose, including commercial use. This is a BSD-style open source license that requires the copyright notice to be kept.

In plain English

Metasploitable3 is a virtual machine built specifically to contain a large number of security vulnerabilities. A virtual machine is a software-based computer that runs inside your real computer, isolated from your actual system. This one is designed to be attacked on purpose, making it a safe practice target for learning how security testing tools work.

The primary use case is as a target for Metasploit, a widely used security testing framework that helps researchers and security professionals find and test vulnerabilities in systems. Instead of testing against real production systems (which would be illegal and harmful), you run Metasploitable3 in a private environment and practice against it.

Two versions of the vulnerable VM are available: one based on Windows Server 2008, and one based on Ubuntu 14.04 (an older version of Linux). You can download pre-built images using a tool called Vagrant, which manages virtual machine setup, or you can build your own copies from scratch using build scripts included in the repository. Building from scratch requires tools called Packer and Vagrant, plus a virtual machine platform like VirtualBox. The whole build needs about 65 GB of disk space and 4.5 GB of RAM. The repository includes build scripts for both Windows and Linux host machines.

The default login credentials for the resulting VMs are the username and password "vagrant", and the full list of intentional vulnerabilities is documented on the project's wiki page.

This project is intended strictly for security education and authorized testing. Running it inside an isolated local network, not connected to the public internet, is the expected and safe way to use it. It is released under a BSD-style open source license.

Copy-paste prompts

Prompt 1
I have Metasploitable3 running in VirtualBox. Walk me through using Metasploit to scan it for open services and exploit a known vulnerability on the Windows Server 2008 image.
Prompt 2
How do I build the Ubuntu 14.04 version of Metasploitable3 from source using Packer and VirtualBox on a Windows host?
Prompt 3
What are five commonly exploited vulnerabilities in Metasploitable3, and how do I find and confirm each one using Metasploit modules?
Prompt 4
How do I configure a host-only network in VirtualBox so Metasploitable3 is isolated from the internet while still reachable from my host machine?
Prompt 5
Where do I find the full list of intentional vulnerabilities in Metasploitable3, and how are they organized by service?

Verify against the repo before relying on details.