Metasploitable Exploits and Hardening Guide

Updated On: 07/06/2018


As I began working with the Metasploitable virtual machine and testing out different exploits, I grew curious on how to protect against them. Unfortunately, I have not seen a guide like this anywhere on the Internet, which is why I decided to create one. The source code for this site is available on GitHub here so feel free to clone the repository and add on your own findings as well.

I'm structuring the guide so you see the exploit first, and then how to patch it afterwards; I also have screenshots included for your reference. Let's begin!

Network Scan

Depending on your experience or comfort with Kali Linux, you can start with either Zenmap or use an nmap command directly on the command line to scan the Metasploitable machine for any open ports. I started off with Zenmap because of the GUI, but nmap is more robust and I would recommend getting into the habit of using that instead. After a port scan of the Metasploitables IP, the first glaring open port is 23 for Telnet. There are a couple exploits utilizing Telnet so I will outline how to do those below before disabling Telnet on the Metasploitable machine.

Zenmap Scan

Zenmap Output

Ports 23 and 25 - Telnet and SMTP

With Telnet, we can start with something simple; power up Wireshark on your Kali machine. You need to pick a network that you want to capture the network traffic on so pick the one that the Metasploitable machine is running. With Wireshark running, Telnet to the Metasploitable machine from your Kali root command line. I linked the YouTube tutorial I used for your reference.

The next exploit that uses Telnet involves port 25 for SMTP. I linked the tutorial I used for that here.

There is a reason why no one uses Telnet anymore and the exploits above are just a few examples why - the best way to mitigate this is to disable Telnet on the Metasploitable machine (if it was a real server, just use SSH instead). This will be done by going into /etc/inetd.conf and commenting out the Telnet line, and then restarting the machine.


/etc/inetd.conf with Telnet commented out

Side note: While running through this entire guide, I've gotten into the habit of restarting the machine and running another scan to confirm that the port is closed or run the exploit again and ensure that it failed. Obviously this isn't required, but it is a good habit to get into when you're working on something like this.

No Telnet

Zenmap scan with no Telnet

Port 21 - FTP

This exploit is pretty simple; you go into the metasploitable framework, choose the vsftpd_234 backdoor exploit, set the target IP, and run the exploit. This backdoor gives us root access to the Metasploitable machine. Here is the YouTube tutorial I used for this.

Besides the fact that vsftpd is on version 3.0.3 now and the obvious patch would be to update it, I wanted to know how to patch it just for the version we had because in real life, the patches won't always be this simple. For this patch, you need to go into the vsftpd config file located in /etc/vsftpd.conf and disable anonymous upload for the FTP service.

No Anon Upload

/etc/vsftpd.conf with anonymous upload removed

This alone is not enough for the exploit to not work; the reason being is that if you read the write up on the backdoor here, you notice that the attacker is able to log in as ":)" for the username and listen on port 6200. A hardening technique for this particular case is to set up iptables to drop listening on unused ports. For the sake of this, I only did it for port 6200 since that's what the backdoor uses to get in.

No Listen

iptables commands to drop traffic at port 6200

Failed Backdoor

what happens when you try the exploit after using iptables

Ports 139 and 145 - Samba

This is another Metasploitable exploit so you just use exploit/multi/samba/usermap_script and run it to gain access to the victims machine. Samba released a patch here, but another alternative is to comment out the userman script line in the samba config file. This can be found in /etc/samba/smb.conf on the Metasploitable machine.

Samba Conf

Commented out the userman script

No Samba

What happens with the exploit after you comment out the userman script

Port 1524 - Ingreslock Backdoor

Port 1524 has the xinetd super server daemon running on it. This exploit is as simple as using a netcat command to get root access of the machine.

Netcat Exploit

Netcat exploit

This works due to the Ingreslock backdoor placed on the machine. If you go to /etc/inetd.conf, you can see the last line has this.


Ingreslock backdoor code

All that needs to be done here is delete that entire line, and then reboot the machine. Note that if you did find a line like this in your config in the wild, you would have to do some more digging to make sure the backdoor didn't spread elsewhere.

No Ingres Kali

Exploit attempt post removal

Port 2049 - NFS

Note that for this exploit, you need to first install nfs-common with apt-get-install nfs-common on your Kali Linux machine. Here is the tutorial for the exploit. There are many steps you can take to harden the NFS service, however for this particular machine I just added iptables commands to block the Kali machines IP from attempting to mount the Metasploitable machine. The article I referenced is linked here.

IP Tables

IP tables commands

No Mount

Failed mount

Now when you try to mount the Metasploitable machine, the root terminal gets frozen and stuck.

Port 5432 - PostGresSQL

This is another easy Metasploit exploit that allows the attacker direct access into the meterpreter shell.

PostGres Payload

PostGres Exploit

This worked because PostGres is set up to write to the default directory which means that the fix is to change the directory from the default so that the payload won't work. The config file can be found in /etc/postgresql/8.3/main/postgresql.conf. The default directory is /var/lib/postgresql/8.3/main so you can change it to whatever you like. Just know that you actually need to go out and create the new directory because writing it in the config file alone is not enough. Also, make sure you reboot the Metasploitable machine after changing this.

New Directory

changed to new directory called datadir

No PostGres

exploit attempt after directory change

What Can't Be Patched

I also wanted to note the exploits that have no "patches"; I put this in quotes because there are other ways to mitigate these vulnerabilities.

Port 22 - SSH

Good old SSH, Telnet's updated replacement. The biggest issue (and an issue with the Metasploitable machine) is the use of passwords (or lack thereof). Obviously, this was set up for testing purposes, but if you are actually using SSH, it would be way smarter to utilize public/private key pairs for authentication instead of passwords. This is because if we have the victim's SSH login credentials, we can easily log into their machines. They key pairs make for a much more secure connection and here is a YouTube tutorial for how to set that up.

Port 3306 - MySQL

This can be exploited by using auxiliary modules on Metasploit to scan and find usernames and passwords. The YouTube tutorial here outlines how to do so. This was another exploit that demonstrated how passwords are not a strong protection mechanism against attackers. I linked a tutorial on how to create RSA keys on MySQL here as a mitigation technique.

Port 5900 - VNC

This also uses an auxiliary module exploit on Metasploit. Here is the YouTube tutorial on how to do so. For this particular case, since the password was "password", it would be wise to change that to something stronger or even better, use public/private keys for this as well. Instructions are linked here.

Port 6667 - UnrealIRCd

Hooray for another backdoor! Here is the YouTube tutorial I used to test this out. This one actually can't be patched from the Metasploitable machines side (as far as I know). I'm only saying this because after I read this statement released by Unreal, I understood that there was nothing else I can do except the steps outlined in the screenshot below.


Screenshot solution from Unreal

Port 8180 - Apache Tomcat

This is yet another auxiliary module exploit where the attacker can find the victim's login credentials. Here is the tutorial I used to do so. Similar to VNC, the user had weak credentials so the best mitigation would be to have stronger passwords or as I've reiterated multiple times througout this guide, use public/private key pairs instead. Here is a tutorial on how to do so on Apache Tomcat 9.0.

Port 2121 - vsftpd

This exploit also involves weak passwords (shocker, I know). Details on the exploit are here. After some research, I learned that FTP isn't considered secure anymore and that it would be beneficial to switch to SFTP; details on that are here.

The Two Problem Children

I categorized these separately because these two were unique (and frustrating) to me due to the fact that I couldn't make heads or tails of how to patch this without waiting for the developers of the service to release a patch on their own. This knowledge from the dev side would be a strong addition to the guide, especially since I can't bring myself to look at PHP or Ruby code anymore.

Port 80 - Apache

This vulnerability is PHP based (hence my earlier comment). I would post an actual video of how to do this, but I imagine at this point you've figured out how to read through the exploits on rapid7 anyways. Here's the rapid7 link for the php injection exploit.The furthest I got was looking into this webpage detailing how the exploit works codewise.

Port 1099 - Java RMI Registry

The final exploits tutorial is here for your reference. This payload was written in Ruby, which I unfortunately am unfamiliar with. Here is the source code for the exploit; the only thing that stood out to me was that this doesn't work against JMX ports since they do not support class loading so that could be a possibility. I did some research on JMX and how to set it up, but couldn't make much sense of it.


This concludes the guide, sorry that it ended on a defeated note, it would sadden you if I told you how long I spent looking at those last two ports in particular. I hope that this was all useful information and is helpful to whoever reads it; please feel free to add on to it (especially for those last two that stumped me).

Check out my other pen testing walkthroughs here