
Metasploitable Service Enumeration Lab 2026 — Full Attack Surface Mapping | Hacking Lab 33

🧪 METASPLOITABLE LAB SERIES · FREE

Part of the Metasploitable Lab Series

Lab 3 of 10 · 30% complete

Lab 2 gave me 23 open ports. That’s a list, not an attack plan. Service enumeration turns the port list into an attack priority matrix — I know which services are running vulnerable versions, which have known public exploits, and which I should hit first. Today’s lab runs the NSE scripts that surface exactly that information and builds the document I reference for every subsequent lab in this series.

🎯 What You’ll Master in Lab 3

Run targeted Nmap NSE scripts for service-specific enumeration
Identify vulnerable service versions from fingerprinting output
Enumerate Metasploitable’s web applications on port 80
Build an attack priority matrix from enumeration data
Map services to Metasploit modules before exploitation

⏱️ 40 min · 3 exercises · Lab 3 of 10

✅ Before You Start

  • Lab 2 — Nmap Enumeration — the four-stage scan from Lab 2 confirmed all 23 open ports. Today I take those ports and run targeted NSE scripts to get service versions, CVE indicators, and the full attack surface map.
  • Metasploitable 2 running on host-only network · Kali Linux on same host-only adapter · You know Metasploitable’s IP from Lab 2

The attack surface I build organises the Metasploitable target for every subsequent lab. After Lab 2’s Nmap scan, this lab adds depth. The full exploitation sequence continues in Lab 4 where I run the first Metasploit module against the highest-priority service found today. The Metasploitable hub has the complete series. Use the Port Scanner Tool to verify port status before each lab.


NSE Scripts — Service-Specific Enumeration

Nmap’s NSE (Nmap Scripting Engine) adds targeted checks on top of basic port scanning. The scripts I run on Metasploitable cover the six highest-value service categories: FTP, SSH, SMB, HTTP, databases, and vulnerability detection. Each script category extracts information the basic version scan misses.

NSE SCRIPT ENUMERATION — ALL KEY SERVICES
# FTP enumeration (port 21 — vsftpd 2.3.4)
nmap -sV -p21 --script ftp-anon,ftp-vsftpd-backdoor,ftp-bounce TARGET_IP
# ftp-vsftpd-backdoor: checks for the famous vsftpd 2.3.4 backdoor (CVE-2011-2523)
# SMB enumeration (ports 139,445 — Samba)
# smb-vuln-ms08-067 is a Windows SMB check; it is harmless against Samba but will not report anything useful here
nmap -sV -p139,445 --script smb-os-discovery,smb-enum-shares,smb-enum-users,smb-vuln-ms08-067,smb-security-mode TARGET_IP
# HTTP enumeration (port 80 — multiple web apps)
nmap -sV -p80 --script http-title,http-headers,http-methods,http-enum TARGET_IP
# SSH enumeration (port 22)
nmap -sV -p22 --script ssh-auth-methods,ssh-hostkey,ssh2-enum-algos TARGET_IP
# Database enumeration (MySQL port 3306, PostgreSQL 5432)
nmap -sV -p3306 --script mysql-info,mysql-databases,mysql-empty-password TARGET_IP
nmap -sV -p5432 --script pgsql-brute --script-args userdb=/usr/share/wordlists/metasploit/unix_users.txt TARGET_IP
# Full vuln scan (slower — comprehensive)
nmap -sV --script vuln -p21,22,23,25,80,139,445,3306,5432,8180 TARGET_IP -oN vuln_scan.txt

⚡ EXERCISE 1 — KALI TERMINAL (20 MIN · METASPLOITABLE RUNNING)
Run NSE Scripts Against All Key Metasploitable Services

⏱️ 20 minutes · Kali Linux + Metasploitable 2 on host-only network

Run the NSE script chain against each high-priority service. The vsftpd backdoor check and SMB enumeration results will shape the attack plan for Labs 4 and 5.

Set TARGET_IP to your Metasploitable IP from Lab 2.

Step 1: FTP NSE check
nmap -sV -p21 --script ftp-anon,ftp-vsftpd-backdoor TARGET_IP
Did the vsftpd backdoor check trigger? What did it return?
Is anonymous FTP enabled?

Step 2: SMB NSE enumeration
nmap -p139,445 --script smb-os-discovery,smb-enum-shares,smb-security-mode TARGET_IP
What OS did smb-os-discovery return?
What shares are available?
Is SMB signing enforced?

Step 3: HTTP title and enumeration
nmap -p80 --script http-title,http-enum TARGET_IP
List every web path http-enum found.
How many web applications are running on port 80?

Step 4: MySQL empty password check
nmap -p3306 --script mysql-empty-password,mysql-info TARGET_IP
Is the MySQL root account accessible without a password?
What databases are listed?

Step 5: Comprehensive vuln scan
nmap --script vuln -p21,22,23,80,139,445,3306 TARGET_IP -oN vuln_output.txt
grep -E "VULNERABLE|CVE|EXPLOIT" vuln_output.txt
How many vulnerable services does it identify?

Document: full output from each scan. Note: service, version, finding.

✅ The vsftpd backdoor check result is the key finding of this exercise. ftp-vsftpd-backdoor will confirm whether port 6200 is open — the backdoor’s command shell port. If confirmed, the next lab shows exactly how to exploit it. The MySQL empty-password result is almost always positive on Metasploitable — root access without credentials to the database is a Critical finding on any real engagement, and the exploitation path (MySQL → file write → webshell → RCE) is one of the classic chains.

📸 Screenshot showing vsftpd backdoor detection result. Share in #metasploitable-labs.


Version Analysis — CVE Mapping

After version detection, I map each service version to known CVEs. The table I build from this mapping is the attack priority list — services ranked by exploitation likelihood and impact, with the Metasploit module path for each.

METASPLOITABLE 2 — SERVICE CVE MAP
# HIGH PRIORITY — easy exploit, critical impact
Port 21 · vsftpd 2.3.4 → CVE-2011-2523 · Backdoor → MSF: exploit/unix/ftp/vsftpd_234_backdoor
Port 445 · Samba 3.x → CVE-2007-2447 · Usermap script → MSF: exploit/multi/samba/usermap_script
Port 1524 · Bindshell → No CVE · direct shell, no exploit needed
# MEDIUM PRIORITY — exploitable, more effort
Port 23 · Telnet → Cleartext auth · brute force with hydra
Port 3306 · MySQL 5.0.51 → Empty root password · direct access
Port 5900 · VNC → Password: “password” · direct access
Port 6667 · UnrealIRCd → CVE-2010-2075 · Backdoor → MSF: exploit/unix/irc/unreal_ircd_3281_backdoor
# WEB APPLICATIONS — port 80 targets
/dvwa/ → SQL injection, XSS, command injection (all levels)
/phpMyAdmin/ → MySQL admin access (root/empty)
/mutillidae/ → OWASP Top 10 practice app
/tikiwiki/ → CVE-2012-0911 RCE

Metasploitable 2 — Attack Priority Matrix
Port | Service/Version | Priority | Metasploit Module
21 | vsftpd 2.3.4 | CRITICAL | exploit/unix/ftp/vsftpd_234_backdoor
445 | Samba 3.0.20 | CRITICAL | exploit/multi/samba/usermap_script
1524 | Bindshell | CRITICAL | nc TARGET_IP 1524
6667 | UnrealIRCd 3.2.8.1 | HIGH | exploit/unix/irc/unreal_ircd_3281_backdoor

📸 Metasploitable 2 attack priority matrix built from service enumeration output. The four Critical-priority targets are all exploitable with a single Metasploit module and require no credentials, no brute force, and no social engineering — the services themselves have backdoors or critical vulnerabilities built in. Lab 4 starts with the vsftpd 2.3.4 backdoor because it’s the most commonly taught entry point and demonstrates the complete Metasploit module workflow from module selection to shell.


Web Application Enumeration — Port 80

Port 80 on Metasploitable runs Apache hosting multiple intentionally vulnerable web applications. The http-enum NSE script finds most of them, but I always follow up with direct browsing to understand what’s actually exposed.

WEB APPLICATION ENUMERATION
# http-enum finds common paths automatically
nmap -p80 --script http-enum TARGET_IP
# Returns: /dvwa/, /phpMyAdmin/, /mutillidae/, /tikiwiki/, /twiki/
# Manual check — browse directly
curl -s http://TARGET_IP/ | grep -iE "href|src" | head -20
# gobuster directory brute force
gobuster dir -u http://TARGET_IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
# Web apps on Metasploitable port 80
http://TARGET_IP/dvwa/ → DVWA (SQL injection, XSS, command injection)
http://TARGET_IP/phpMyAdmin/ → MySQL admin (root / empty password)
http://TARGET_IP/mutillidae/ → OWASP Top 10 practice
http://TARGET_IP/tikiwiki/ → TikiWiki CMS (CVE-2012-0911 RCE)
http://TARGET_IP/twiki/ → TWiki (CVE-2005-2877 RCE)

⚡ EXERCISE 2 — KALI TERMINAL (15 MIN)
Map All Web Applications on Port 80

⏱️ 15 minutes · Kali + browser

Enumerate every web application running on port 80 and document what attack surface each one offers.

Step 1: http-enum scan
nmap -p80 --script http-enum TARGET_IP
List all paths returned.

Step 2: gobuster directory scan
gobuster dir -u http://TARGET_IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o web_enum.txt
What paths does gobuster find that http-enum missed?

Step 3: Browse each application
Open browser to each found path.
For each app note:
– What is it? (DVWA, phpMyAdmin, CMS, etc.)
– What are the default credentials? (check online)
– What vulnerability class does it practice?

Step 4: phpMyAdmin — MySQL access
http://TARGET_IP/phpMyAdmin/
Login: root / (empty password)
Does it work?
What databases are visible?

Document: application name, URL path, default credentials, attack surface.

✅ phpMyAdmin with empty root password is a Critical finding on any real engagement. From phpMyAdmin you can: read any database table (all user credentials, sessions, PII), write files to the web root using MySQL’s INTO OUTFILE (webshell upload), and execute system commands if the MySQL user has FILE privilege. In Metasploitable, the MySQL root account is accessible from phpMyAdmin without a password — giving immediate access to the full DVWA database including all user hashes.

📸 Screenshot showing phpMyAdmin logged in as root. Share in #metasploitable-labs.


Building the Attack Priority Matrix

The attack surface document I build from enumeration organises every finding by exploitation difficulty and impact. This is the reference document I carry through every subsequent lab — it tells me which target to hit when I want to demonstrate a specific technique.

⚡ EXERCISE 3 — KALI TERMINAL (10 MIN)
Build Your Complete Metasploitable Attack Matrix

⏱️ 10 minutes · compile and document your findings

Consolidate everything from Labs 2 and 3 into the attack matrix document that drives the rest of the series. This is the deliverable you’d include in a real pentest report’s attack surface section.

Create a file: attack_matrix.txt

For each service/application found, record:
PORT | SERVICE | VERSION | CVE/FINDING | PRIORITY | EXPLOIT METHOD | METASPLOIT MODULE

Template rows (fill in from your scan output):
21 | vsftpd | 2.3.4 | CVE-2011-2523 | CRITICAL | backdoor port 6200 | exploit/unix/ftp/vsftpd_234_backdoor
445 | Samba | 3.0.20 | CVE-2007-2447 | CRITICAL | username map script | exploit/multi/samba/usermap_script
1524 | shell | direct | no CVE needed | CRITICAL | nc TARGET 1524 | manual
[add all others from your scans]

Sort by: CRITICAL first, then HIGH, then MEDIUM.

Final check:
cat attack_matrix.txt
How many CRITICAL priority targets did you find?
Which 3 would you exploit first and why?

✅ A well-built attack matrix from Metasploitable enumeration should have at least 4 Critical targets and 6+ High targets. If you have fewer, rerun the NSE scripts for the services you may have skipped. The matrix is the most important output of the enumeration phase — not because it contains new information, but because organising the information by priority is what makes the exploitation phase efficient. Lab 4 starts with vsftpd because it’s Critical priority, takes under 60 seconds to exploit, and demonstrates the core Metasploit workflow cleanly.

📸 Screenshot your completed attack_matrix.txt. Share in #metasploitable-labs.

📋 Lab 3 Command Reference

nmap -p21 --script ftp-vsftpd-backdoor TARGET_IP # vsftpd backdoor check
nmap -p139,445 --script smb-enum-shares,smb-os-discovery TARGET_IP
nmap -p80 --script http-enum TARGET_IP # web app discovery
nmap --script vuln -p21,22,23,80,445,3306 TARGET_IP # vuln scan
Priority: vsftpd backdoor · Samba usermap · Bindshell 1524 · UnrealIRCd backdoor

🏆 Lab 3 Complete — Service Enumeration

NSE script enumeration, CVE mapping, web application discovery, and the attack priority matrix. Lab 4 is where the work pays off — I take the vsftpd 2.3.4 backdoor finding and run the first complete Metasploit module against a real vulnerable service.


🧠 Quick Check

The NSE script ftp-vsftpd-backdoor returns “State: VULNERABLE”. What does this mean technically and what is the next command?




❓ Frequently Asked Questions

What services run on Metasploitable 2?
Metasploitable 2 runs 23+ intentionally vulnerable services including FTP (vsftpd 2.3.4 backdoor), SSH, Telnet, SMTP, HTTP (Apache + multiple web apps), Samba (usermap script RCE), MySQL (empty root password), PostgreSQL, VNC, IRC (UnrealIRCd backdoor), a direct bind shell on port 1524, and more. The web server on port 80 hosts DVWA, Mutillidae, phpMyAdmin, TikiWiki, and TWiki.
What is the vsftpd 2.3.4 backdoor?
CVE-2011-2523. In 2011, a malicious actor compromised the vsftpd source distribution and inserted a backdoor: sending a username containing “:)” causes the server to open a root shell on port 6200. The backdoored version was available for download for several days before discovery. It’s included in Metasploitable 2 as a teaching example. Metasploit module: exploit/unix/ftp/vsftpd_234_backdoor.
How do you enumerate SMB on Metasploitable?
nmap -p139,445 --script smb-os-discovery,smb-enum-shares,smb-enum-users,smb-security-mode TARGET_IP. This returns the OS version, available shares, user accounts, and whether SMB signing is enforced. On Metasploitable, Samba 3.0.20 is vulnerable to CVE-2007-2447 (usermap script command injection) — one of the easiest remote root exploits in the series.
What web applications are on Metasploitable port 80?
DVWA (Damn Vulnerable Web Application — OWASP Top 10 practice), Mutillidae (OWASP Top 10 with 40+ vulnerabilities), phpMyAdmin (MySQL admin with empty root password), TikiWiki CMS (CVE-2012-0911 RCE), TWiki (CVE-2005-2877 RCE), WebDAV (file upload), and the default Apache page. Total: 7+ web applications on a single port.
What Nmap NSE scripts are most useful for Metasploitable?
ftp-vsftpd-backdoor (CVE-2011-2523 check), smb-vuln-ms08-067, smb-enum-shares, smb-os-discovery, http-enum (web app discovery), mysql-empty-password, ftp-anon, ssh-auth-methods, and the vuln category (--script vuln) for comprehensive vulnerability checking. Run the targeted service scripts first, then the comprehensive vuln scan, which is slower.
What is the attack priority order for Metasploitable?
1. vsftpd 2.3.4 backdoor (port 21) — instant root shell, single module.
2. Samba usermap script (port 445) — instant root shell via username injection.
3. Bindshell (port 1524) — direct root shell, no exploit needed.
4. UnrealIRCd backdoor (port 6667) — root shell via IRC connection.
5. MySQL empty root (port 3306) — full database access + potential webshell via INTO OUTFILE.
The first three give root access in under 60 seconds each.
📚 Further Reading

  • Lab 2 — Nmap Enumeration — The four-stage scan that produced the port list this lab’s NSE scripts build on. Required context for understanding why each NSE script targets the specific ports it does.
  • Metasploitable Lab Series Hub — All 10 labs in sequence. The service enumeration output from Lab 3 is referenced in Labs 4 through 10 — every exploitation lab targets a service identified here.
  • Port Scanner Tool — Quick external port verification before starting any Metasploitable lab session — confirms the target is up and the host-only interface is correctly configured.
  • Nmap NSE Documentation — The complete NSE script library reference. Every script used in this lab is documented here with parameters, output examples, and category classification for building targeted scan commands.
  • Rapid7 Vulnerability Database — The CVE database behind Metasploit module targeting. Look up each CVE found in your enumeration output to understand the vulnerability details and available exploitation options.
Mr Elite
Owner, SecurityElites.com
The first time I ran the full NSE suite against Metasploitable, the vsftpd backdoor check result hit different. A malicious actor had compromised a real open-source project and inserted a backdoor that opened a root shell on anyone who triggered the username condition. It was discovered, patched, and documented — but not before an unknown number of servers had been infected. Metasploitable preserves that version deliberately so learners can understand not just how to exploit it, but what it means when supply chain integrity fails. That’s the lesson underneath the technical exercise.
