Videos How to Exploit Metasploitable 2 with NMap, Nexpose, Nessus and Metasploit

Published on April 21st, 2019 📆 | 1844 Views ⚑


How to Exploit Metasploitable 2 with NMap, Nexpose, Nessus and Metasploit

Author: Jeremy Druin
Twitter: @webpwnized
Thank you for watching. Please support this channel. Up vote, subscribe or even donate by clicking “Support” at!

Description: This video tutorial covers exploiting Metasploitable-2 to get a root shell and eventually a terminal via a valid “sudo-able” login over SSH.

Two machines; a test host (Backtrack 5-R2) and a target host (Metasploitable-2) are set up on a VirtualBox host-only network. With this lab network set up, the demonstration walks through a practice pen-test using the phases of recon, scanning, exploitation, post-exploitation, and maintaining access. (Covering tracks and reporting are not covered. Recon is assumed because Virtual Box runs a default DHCP server on the 192.168.56/24 network). A video tutorial on installing Metasploitable-2 on VirtualBox can be found at

Initially, nmap is used to locate the Metasploitable-2 machine on the Virtual Box host only network. In the video the Metasploitable-2 host is running at and the Backtrack 5-R2 host at Additionally, open ports are enumerated nmap along with the services running. The nmap default NSE scripts provide additional information on the services and help nmap discover the precise version. Some features of nmap are reviewed and an nmap XML report is generated. This report is viewed in Firefox and imported into Metasploit via msfconsole and using the Metaspoit Comminity Edition web interface which has the functionality of db_import built-in. nmap is run a second time with different options to show how to focus the information in the reports on open services.

With the services listed and versions discovered, it is possible to begin locating vulnerabilites for services. To make this step easier, both Nessus and Rapid7 NexPose scanners are used locate potential vulnerabilities for each service. Eventually an exploit suitible for the outdated samba services running on Metasploitable-2 is chosen and metasploit msfconsole is used to configure the samba-usermap exploit. The cmd/unix/bind_netcat payload is selected and sent to Metasploitable-2 via the samba-usermap exploit. A remote root shell is gained.

For post exploitation, the shell is used to gather the usernames and passwords for Metasploitable-2 which are copied back to the testing machine and cracked with john-the-ripper. The two files are “unshadowed” using JTR unshadow and then cracked with JTR MD5 module. The passwords are stored in the JTR pot file for retrieval.

Updates on video in this channel are available on Twitter @webpwnized.

The webpwnized YouTube channel is dedicated to information security, security testing and ethical hacking. There is an emphasis on web application security but many other topics are covers. Some of these include forensics, network security, security testing tools and security testing processes. The channel provides videos to encourage software developers and system administrators to perform security testing. Also, the channel educates the next generation of security testers and bug bounty hunters who want to respectfully, legally and ethically help system owners that allow security testing.

exploit pentest


2012-07-05 19:39:00


Download WordPress Themes
Free Download WordPress Themes
Download Premium WordPress Themes Free
Download Nulled WordPress Themes
udemy course download free

Tagged with:

43 Responses to How to Exploit Metasploitable 2 with NMap, Nexpose, Nessus and Metasploit

  1. jsnow1 says:

    Hey man great video! I do have a question though. I just ran essentially everything you did and everything worked except Nessus didnt pick up the map exploit… Do you know why? I know theres a 5 year difference but still

  2. I only clicked on this video b3couse I miss bt5 and bt5r3 ?

  3. Such a nice effort. Thanks

  4. Austin Coats says:

    This was an amazing introduction video. Thank you.
    I did have to circumvent certain things like using OpenVAS and figuring out how to use the Metasploit plugin to load in the .xml files that way, but it was a great learning experience regardless.

  5. Six years later and this is still the best recourse I have been able to find for a beginner level tutorial of Metasploite.

  6. amazing stuff!!
    subscribed already, waiting for more videos like this.

  7. sam ali says:

    great video webpwnized. learned a lot. one question though – the nmap you initially used, was it running in backtrack or outside the vbox? im running my nmap outside vbox and it cant scan or detect my metasploitable 2 in vbox. can this be an issue in my vbox? thanks man.

  8. Which ip did you write while you setup metaspolitable2 it your local ip ?…

  9. I was using parrot and found the nmap folder in another directory like below:
    sudo cp /usr/share/nmap/nmap.xml .

  10. can we find exploit without that nessus scanner by just that nmap result and then import it and write vulns ?
    Nice video

  11. webpwnized says:

    Please support this channel. Up vote, subscribe or even donate by clicking "Support" at!

  12. Is this still valid in Kali?

  13. shiftey says:

    great video Jeremy, I learned a lot.

  14. Sacky says:

    Nice work Jeremy. Thanks for sharing

  15. Luis Chang says:

    Alguien puede hacer la traducción de este vídeo a castellano o español???

  16. Four years after , this video still the best to teach this subject weld-one bro thanks a million.

  17. thanos966 says:

    JD, that was awesome. I learned so much. TY for taking the time to do these.

  18. I learned more in this one video than any reading that I have done very nice Tut.

  19. i could tell within the first three minutes it was going to be a very good tutorial. did you get a degree in computer science?

  20. Do I have to turn on the metasploitable box to run the test? or can I do it, when it's in hibernate mode?

  21. Excellent tutorial on Metasploit and NeXpose! Thank you.

  22. webpwnized says:

    Since your on the same network as your target, do ifconfig on your own computer to get your gateway address. Then scan that range of addresses to find the target. You will see your own machine plus the target in the nmap output.

  23. webpwnized says:

    You can use whois for public blocks. For local subnets, use ifconfig to check the gateway address and the subnet mask.

  24. Hurri Kaine says:

    Thanks a lot for you vidz, they are really helpfull !

  25. Yes he skipped a step, you need to go into Nessus and export your results in nessus format. Then you import them in to msfconsole using db_import.

  26. Dhruv Seth says:

    well, i didnt tried importing any file! 😛
    Anyways, thanks for the help!
    looking for awesome videos from u in future.! 😀

  27. webpwnized says:

    The version of Metasploit might not support mapping the vulnerabilities to the exploits or perhaps the version does parse the vulnerabilities out of the Nessus XML file. Rapid7 has a community forum in which they might be able to say for sure if you post the details of how you imported the results and post the versions of Nessus, Metasploit, and the Nessus file export you are using.

  28. Dhruv Seth says:

    ok, so why doesnt the msfconsole show any vulnerability?

  29. webpwnized says:

    Nessus can find vulnerabilities on its own. You do not have to import the Nessus file. You can look for the vulnerabilities in the Nessus console or by exporting the Nessus report as HTML. You can also import the Nessus file into msfconsole or into Metasploit Community Edition and look at the imported vulns.

  30. Dhruv Seth says:

    hey man, do we need to import any nessus file for finding the vulnerabilities?
    Because whenever i type 'vulns' it doesnt come up with any!

  31. jit bud says:

    Best Tutorial Ive seen!! Had so many issues doing vulnerability scanning on the Msfconsole until I watched this. For a beginner this is a great tut to point you in the right direction in this awesome field!

  32. webpwnized says:

    I've never seen that error. I dont see anything obvious on Google. Try all these. Try "gems update" to update Nokogirl. Try "msfupdate" to update Metasploit. Try "apt-get update & apt-get upgrade" to update packages including nmap. After all the updates, see if that helps.

  33. Workspace:nmap scan metasploitable 2 Progress:1/4 (25%) Importing data from
    Th error..when i try to import ..
    Database: Importing data from file format 'Nmap XML'
    [ Database: Parsing with 'Nokogiri v1.4.3.1'
    Auxiliary failed: NoMethodError undefined method `[]=' for nil:NilClass

  34. webpwnized says:

    What is the error please?

  35. Leo says:

    thanks Bro !!
    Very nice!

  36. Bro..when i try to import nmap scan (myfilz.xml ) to comunity edition i get an error, however nessus scans are imported successfully. any idea ?

  37. webpwnized says:

    Hello. The reason is that /root is a directory only and not a file name. One example of a way to fix this is

    nmap -O -sV -sC -oX /root/MYFILE.xml

  38. please help me with this, i get an error with nmap when i try to save nmap -O -sV -sC -oX /root/ Failed to open XML output file /root/ for writing.

  39. Th3M4nd3M says:

    1hr 16mins well spent.. thanks for ur time too 😀

Leave a Reply

Back to Top ↑