gitwtfhub

wtf is metasploitable3?

rapid7/metasploitable3 — explained in plain English

Analysis updated 2026-06-26

5,552HTMLAudience · ops devopsComplexity · 4/5LicenseSetup · hard

TL;DR

A purposely vulnerable virtual machine designed as a safe practice target for learning security testing with Metasploit, available in Windows Server 2008 and Ubuntu 14.04 versions.

Mindmap

mindmap
  root((metasploitable3))
    What it does
      Vulnerable VM
      Practice target
      Security lab
    Versions
      Windows Server 2008
      Ubuntu 14.04
    Setup
      Vagrant download
      Packer build
      VirtualBox required
    Use
      Metasploit practice
      Education only
      Isolated network

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Practice running Metasploit exploits against a real but isolated system without risking damage to live infrastructure.

REASON 2

Learn to identify and exploit common vulnerabilities in both Windows and Linux environments in a local lab.

REASON 3

Set up a classroom or training environment where students can practice penetration testing techniques safely.

What's in the stack?

VagrantPackerVirtualBoxRuby

How it stacks up

rapid7/metasploitable3ngxson/smolvlm-realtime-webcamsteveruizok/perfect-freehand
Stars5,5525,5515,559
LanguageHTMLHTMLHTML
Setup difficultyhardmoderateeasy
Complexity4/52/52/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1day+

Building from scratch requires 65 GB free disk space, 4.5 GB RAM, plus Packer and Vagrant installed alongside a virtual machine platform.

Use freely for any purpose including commercial use, this is a BSD-style open source license requiring the copyright notice be kept.

Wtf does this do

Metasploitable3 is a virtual machine built specifically to contain a large number of security vulnerabilities. A virtual machine is a software-based computer that runs inside your real computer, isolated from your actual system. This one is designed to be attacked on purpose, making it a safe practice target for learning how security testing tools work. The primary use case is as a target for Metasploit, a widely used security testing framework that helps researchers and security professionals find and test vulnerabilities in systems. Instead of testing against real production systems (which would be illegal and harmful), you run Metasploitable3 in a private environment and practice against it. Two versions of the vulnerable VM are available: one based on Windows Server 2008, and one based on Ubuntu 14.04 (an older version of Linux). You can download pre-built images using a tool called Vagrant, which manages virtual machine setup, or you can build your own copies from scratch using build scripts included in the repository. Building from scratch requires tools called Packer and Vagrant, plus a virtual machine platform like VirtualBox. The whole build needs about 65 GB of disk space and 4.5 GB of RAM. The repository includes build scripts for both Windows and Linux host machines. The default login credentials for the resulting VMs are the username and password "vagrant", and the full list of intentional vulnerabilities is documented on the project's wiki page. This project is intended strictly for security education and authorized testing. Running it inside an isolated local network, not connected to the public internet, is the expected and safe way to use it. It is released under a BSD-style open source license.

Yoink these prompts

Prompt 1
I have Metasploitable3 running in VirtualBox. Walk me through using Metasploit to scan it for open services and exploit a known vulnerability on the Windows Server 2008 image.
Prompt 2
How do I build the Ubuntu 14.04 version of Metasploitable3 from source using Packer and VirtualBox on a Windows host?
Prompt 3
What are five commonly exploited vulnerabilities in Metasploitable3, and how do I find and confirm each one using Metasploit modules?
Prompt 4
How do I configure a host-only network in VirtualBox so Metasploitable3 is isolated from the internet while still reachable from my host machine?
Prompt 5
Where do I find the full list of intentional vulnerabilities in Metasploitable3, and how are they organized by service?

Frequently asked questions

wtf is metasploitable3?

A purposely vulnerable virtual machine designed as a safe practice target for learning security testing with Metasploit, available in Windows Server 2008 and Ubuntu 14.04 versions.

What language is metasploitable3 written in?

Mainly HTML. The stack also includes Vagrant, Packer, VirtualBox.

What license does metasploitable3 use?

Use freely for any purpose including commercial use, this is a BSD-style open source license requiring the copyright notice be kept.

How hard is metasploitable3 to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is metasploitable3 for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.