13 Create a Vulnerable Desktop VM

Mathew J. Heath Van Horn, PhD

Metasploitable is an intentionally vulnerable virtual machine (VM) that can be used to conduct security training, test security tools, and practice common penetration testing techniques.  There are different flavors of Metasploitable (original, 2, and 3) and it offers many features provided by servers and websites except it is completely vulnerable to attacks. Metasploitable 2 is easier to build and based on Linux.  However, it’s outdated and has been replaced by Metasploitable 3 which is based on Windows Server.

Learning Objectives

  • Successfully download, install, and run Metasploitable 2 in VirtualBox and add it to the GNS3 environment.
  • Successfully download, build, and run Metasploitable 3 in VirtualBox and add it to the GNS3 environment.



  • None – this is a preparatory lab that supports other labs in this book


Contributors and Testers

Dante Rocca, Cybersecurity Student, ERAU-Prescott

Phase I – Installing Metasploitable 2 – Sourceforge

This is an easy way to download Metasploitable 2 as a VM.  However, it is an older repository.

NEVER expose this VM to an untrusted network.  Use NAT or Host-Only modes when using this VM.

Metasploitable 2 is VERY old.  It still works as a vulnerable machine, but its usefulness may be limited.

  1. Visit SourceForge and download the Metasploitable 2 zip file here
  2. Once downloaded unzip the file and note where the file is extracted.  In our example, we extracted it to the downloads folder
    Metasploitable 2 in Downloads folder
    Figure 1 – Metasploitable 2 in Downloads folder
  3. Open VirtualBox and create a new virtual machine
    1. On the VirtualBox menu click on Machine then New…
      Picture of creating a new VM in VirtualBox
      Figure 2 – Create a new VM
    2. Choose a name for the new Virtual Machine (VM).  In this case, we will call it Metasploitable 2
    3. Select the folder where you want the VM to reside
    4. Select Type: Linux
      Select Version: Oracle Linux (64-bit)

      VM name and OS selections
      Figure 3 – VM name and operating system selections
    5. Click Next
    6. Base memory: 2048 MB
      Processors: 2

      VM Hardware Selections
      Figure 4 – VM Hardware Selections
    7. Click Next
    8. Click on Use an existing virtual hard disk file
    9. Click on the folder next to the dropdown menu
      Picture of Virtual Hard Disk Selection
      Figure 5 – Use and Existing Virtual Hard Disk
    10. Click on the Add button
      Picture of Virtual Hard Disk Selector
      Figure 6 – Virtual Hard Disk Selector
    11.  Navigate to the location of the file you extracted and select it
      Adding the Metasploitable Virtual Hard Disk File
      Figure 7 – Add the Metasploitable Virtual Hard Disk File
    12. Click on Open and notice it is now in the hard disk selector menu.  Keep it selected and click on Choose
      Selection of the Metasploitable Virtual Hard Disk File
      Figure 8 – Select the Metasploitable Virtual Hard Disk File
    13. It is now selected as our hard disk file, so click Next
      Picture of Virtual Hard Disk menu showing Metasploitable Virtual Hard Disk File being used
      Figure 9 – Use Metasploitable Virtual Hard Disk File
    14. Click Finish and you can see it added to the rest of your VMs
      Metasploitable 2 added to Virtual Machines
      Figure 10 – Metasploitable 2 VM added to Virtual Machines
  4. Now you can start it up like any other VM and the login information is
    USER: msfadmin
    PASSWORD: msfadmin

A note on hardware

Picture of Metasploitable 2 startup error
Figure 11 – Metasploitable 2 startup error

Metasploitable2 is very old and hardware and software have changed.  If you get an error when you try to start the machine, take the following steps:

  1.  Close the virtual machine
  2. Open settings, go to the motherboard settings and disable all the extended features
    Disable Extended Features
    Figure 12 – Disable Extended Features
  3. Press ok
  4. Start the virtual machine and get ready to hit the Esc key as soon as it starts
    Picture of commands
    Figure 13 – Start the VM and press the Esc key
  5. Press e to edit the boot commands
    Picture of commands
    Figure 14 – Edit the boot commands
  6. Press e to edit the root command to add


    Picture of commands
    Figure 15 – Add the noapic command
  7.  Repeat for the kernel command and add


  8. Press b for boot
  9. This is a temporary solution.  But the machine will boot so you can apply a more permanent solution.  Log onto the machine using msfadmin msfadmin.  Then type

    sudo nano /boot/grub/menu.lst

    NOTE: /boot/grub/menu.lst is a lowercase ‘L’ as in list, NOT a ‘1’ as in 1st

    Picture of menu.lst file
    Figure 16 – menu.lst file opened in nano

    This will open the grub boot configuration file called menu.lst


  10.  Use the arrow keys to scroll down after the default options and stop at a line called kernel (highlighted in yellow)
    Picture of kernel line in menu.lst file
    Figure 17 – kernel line in menu.lst file
  11. Use the right arrow key to go to the end of this line and add  –>     noapic (highlighted in yellow) after the word splash
    Picture of commands
    Figure 18 – noapic added to end of kernel line in menu.lst file
  12. Save your change by pressing ^O Write Out (old school way of saying save)
  13. Exit nano by pressing ^X Exit
  14. Reboot the VM and it should boot without having to type noapic twice



Phase II – Installing Metasploitable3

Metasploitable3 comes in two flavors: Windows and Linux.  Because of licensing issues, sharing Metasploitable 3 as a Windows VM is prohibitive, but you may build the image without violating any laws.

  1. Visit Rapid7’s GitHub page for metasploitable3 and read the README file. You will see lots of steps.  We are going to follow the steps for building the VM using Windows
  2. Install some supporting software
    1. Install Packer
      1. Download the precompiled binary (AMD64) for Windows 11 here
      2. Once downloaded, extract it from the zip file.  We are extracting all the supporting software files to the Downloads folder
        Pciture of commands
        Figure 19 – Extract the downloaded file
      3. In the Windows Start menu type “environment variables” and click on the menu item when it appears
        Picture of commands
        Figure 20 – Search environment variables
      4. Click on the Environment Variables button
        Picture of System Properties Window
        Figure 21 – System Properties Window
      5. Scroll down to Path and click on edit
        Picture of Environment Variables Window
        Figure 22 – Environment Variables Window
      6. Click on new then browse then click on the downloads folder
        Picture of adding a folder to the path variable
        Figure 23 – Adding a folder to the path variable
      7. Click ok until the system properties menu closes
      8. Open a new PowerShell window for the changes to take effect
      9. Type packer (highlighted in yellow) and you should get a list of available commands.  This means Packer is working
        Picture of commands
        Figure 24 – Image of packer working
    2. Install Vagrant
      1. Visit the Vagrant downloads page and download the appropriate package
      2. Once downloaded, you can click on the file and install it like any other Windows program
      3. Restart the Computer
      4. Open Windows PowerShell
      5. Type vagrant to see a menu of commands
      6. Create a new vagrant environment by typing

        vagrant init

      7. Install the vagrant reload plugin that allows the reloading of VMs as they are being created by typing

        vagrant plugin install vagrant-reload

      8. Create a new vagrant box by typing

        vagrant box add hashicorp/bionic64

      9. When asked, choose option 2 for VirtualBox
        Picture of commands
        Figure 25 – Select option 2 for VirtualBox
    3. Install both versions of metsasploitable (Windows and Linux) by doing the following:
      1. Create a new directory by typing

        mkdir metasploitable3-workspace

      2. Navigate to the directory by typing

        cd metasploitable-workspace

      3. Extract both versions of metasploitable3 by typing  the following (all on one line)

        Invoke-WebRequest -Uri “https://raw.githubusercontent.com/rapid7/metasploitable3/master/Vagrantfile” -OutFile “Vagrantfile”

      4.   Start the building of the VMs by typing

        vagrant up

        Sleeping 0
        Figure 26 – This could take awhile
    4. This will take a while, but when it is finished, you will have two new VMs in VirtualBox.  The credentials for both machines is:
      USER: vagrant
      PASSWORD: vagrant
  3. Now add them to the GNS3 environment for future use
End of Lab


Icon for the Creative Commons Attribution 4.0 International License

Mastering Enterprise Networks Copyright © 2024 by Mathew J. Heath Van Horn, PhD is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book