July 14, 2026
Hacking Metasploitable 3: A Hands-On Penetration Testing Journey — Part 1
Disclaimer: This article is intended strictly for educational purposes and authorized security testing. Only perform these techniques…
By Aneesh Kv
4 min read
Disclaimer: This article is intended strictly for educational purposes and authorized security testing. Only perform these techniques against systems and lab environments that you own or have explicit permission to test.
Introduction
Metasploitable 3 is an intentionally vulnerable virtual machine designed for practicing penetration testing and ethical hacking in a safe environment.
In this first part of the series, we will explore and test services such as FTP, SSH, SMB, and MySQL through reconnaissance, enumeration, and exploitation. The goal is to gain practical experience and understand how weaknesses in network services can be identified and exploited during authorized security testing.
Identifying Services associated with machine
Command: nmap -sV <target_ip>
1. FTP
FTP (File Transfer Protocol) is a network protocol used to transfer files between a client and a server. By default, FTP operates on TCP port 21.
First, let's check whether the FTP service allows anonymous login.
Command: nmap --script ftp-anon.nse -p21 <target_ip>
The above scan confirms that the machine does not support anonymous login. So let's try to crack the password using tool hydra
Command: hydra -L /root/user.txt -P /root/pass.txt ftp://<target_ip>/
2. SSH
SSH (Secure Shell) is an application-layer protocol used to securely access and manage remote systems over an encrypted network connection. By default, SSH operates on TCP port 22.
First, let's check the authentication methods supported by the SSH service on the target machine.
Command: nmap --script ssh-auth-methods.nse -p22 <target_ip>
The above scan confirms that the machine allows password based authentication. So let's try to crack the password using tool hydra
Command: hydra -L /root/user.txt -P /root/pass.txt ssh://<target_ip>/
3. MySQL
MySQL is an open-source relational database management system (RDBMS) used to store, organize, and manage structured data. It uses SQL (Structured Query Language) to interact with databases and typically operates on TCP port 3306.
First, let's check whether the MySQL service allows users to log in with an empty password.
Command: nmap --script mysql-empty-password.nse -p3306 <target_ip>
Next let's gather some information about the MySQL service
Next Let's check available databases for root user
The above scan successfully lists several databases, including information_schema, cards, mysql, performance_schema, test, and wordpress.
4. SMB
SMB (Server Message Block) is an application-layer network protocol used for sharing files, printers, and other resources between devices on a network. SMB typically operates on TCP port 445.
First, let's gather information about the target's operating system through the SMB service using Nmap's smb-os-discovery NSE script.
Command: nmap --script smb-os-discovery.nse -p139,445 192.168.68.120
Next let's crack the password for SMB service using hydra tool.
Command: hydra -L /root/user.txt -P /root/pass.txt smb://<target_ip>/
Next, let's check whether the target is vulnerable to MS17–010, a critical remote code execution vulnerability affecting Microsoft SMBv1 servers.
Command: nmap --script smb-vuln-ms17–010.nse -p139,445 <target_ip>
The above scan confirms that the target is vulnerable to MS17–010 (CVE-2017–0143), with a HIGH risk rating. EternalBlue is an exploit that targets a vulnerability in Microsoft's SMBv1 protocol, identified as MS17–010. It can allow an attacker to remotely execute code on a vulnerable Windows system without authentication.
Let's exploit the above vulnerability using msfconsole tool
Command: search eternalblue
Command: use exploit/windows/smb/ms17_010_eternalblue
Command: show options
Command: set RHOSTS <target_ip>
First, the use exploit/windows/smb/ms17_010_eternalblue command selects the EternalBlue exploit module in Metasploit. The show options command displays the required configuration options for the module, and set RHOSTS <target_ip> sets the IP address of the target machine to be tested.
Command: run
The EternalBlue exploit was successfully executed against the vulnerable Windows Server 2008 R2 target. Metasploit established a connection, exploited the MS17–010 SMBv1 vulnerability, and successfully opened a Meterpreter session, providing remote access to the target system.
Conclusion
In this first part of our Metasploitable 3 penetration testing journey, we explored several network services, including FTP, SSH, MySQL, and SMB. Along the way, we performed service enumeration, tested authentication mechanisms, discovered weak credentials and security misconfigurations, and identified the critical MS17–010 (EternalBlue) vulnerability. We then successfully exploited it to gain a Meterpreter session on the target system.
This lab shows how simple weaknesses, such as default credentials, empty passwords, outdated software, and insecure configurations, can put an entire system at risk. In the next part, we'll continue exploring Metasploitable 3 and uncover more vulnerable services and exploitation techniques.