User:Vid2vid/sandbox/Metasploitable

20200327F: "Creating User:Vid2vid/sandbox/Metasploitable" -- doh, had a typo on other SandBox = Metaspolitable, vs it should've been, Metasploitable!.. it happens! --From Peter, a.k.a. Vid2vid (his WP talk page), updated 🖋 on 18:21, 27 March 2020 (UTC)
20200325W: "Creating User:Vid2vid/sandbox/Metaspolitable" --From Peter, a.k.a. Vid2vid (his WP talk page), updated 🖋 on 00:40, 26 March 2020 (UTC)

Metasploitable is/was a discontinued^[1], intentionally unsecured Linux distribution OS and learning tool/utility, geared toward Cybersecurity/computer security students and career IT professionals. It functioned as a tool for observing and studying vulnerabilities in the Linux kernel, and was a popular user space software. It was available as an *.ISO disc image, or optionally as a live DVD, and could be run on a virtual machine within a host operating system and hypervisor.^[1]

The Metasploitable (optionally as a virtual machine) OS is a purposefully vulnerable version of Ubuntu Linux operating system, designed for testing security tools and demonstrating common vulnerabilities and basic computer hacking and cracking (a.k.a. kracking) methods. Version 2 ((OR 3? VISITL)) of this virtual machine is available for download and ships with even more vulnerabilities than the original offering. It is compatible with a myriad popular hypervisors such as:

• VMWare and vSphere a.k.a. vCenter (all formerly owned by Dell Corporation),
• Oracle's VirtualBox,
• Microsoft's Windows Hyper-V software/feature and Azure Cloud offering,
• DigitalOcean,
• Amazon Web Services, and,
• Google Cloud,
• ...as well as some other common virtualization platforms and businesses.

By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a mission-critical network or placed outside a firewall (e.g. between a SOHO (small office home office) Wi-Fi firewall router appliance and ones ISP a.k.a. the demarcation point. (Note: Several video tutorials showing how to install Metasploitable 2 are available online.) The Rapid7 exploitability guide URL in the "External links" sub-section below outlines many of the (intended!) security flaws in the Metasploitable v2 image. Currently missing is documentation on the web server and web application flaws, as well as vulnerabilities that allow a local user to escalate to root (a.k.a. super-user or Administrator) privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

Metasploitable was created by UNKNOWN UNKNOWN, the founder of The UNKNOWN Laboratory at UNKNOWN University,^[1], for use as a training system for his/her University lectures.

Metasploitable was a Debian-based distribution, and used the Gnome((VISITL)) .tgz & apt-get package management system.^[1]

Its usefulness lies in five (5) key aspects:

1. Using outdated versions of various software,
2. Auto-starting at boot-time several unsecured servers, services, settings, and background processes,
3. Running (obsolete/dangerous) packages one should avoid,
4. Maintaining use of unsecure and unpatched operating system components, and lastly,
5. Opening various TCP logical communication ports to deliberately make Metasploitable an extremely vulnerable operating system -- for testing purposes.^[1]

Metasploitable was also distributed as a live CD, allowing it to be booted into RAM directly from the distribution medium *without installation*, on a PC or as a virtual machine.^[1]. This method is useful if a tester does not want to install or touch the storage/SSD/hard-drives at all.

• Linux portal

• Metasploitable Linux official website
• SourceForge's listing for Metasploitable, with download link
• Rapid7's in-depth analysis of all the issues with Metasploitable
• Rapid7's Metasploitable download (registration) website
• Medium.Com May 10, 2017 article about the inception of Metasploitable