Before we get started with today's post, a word of caution! Please ensure the Metasploitable VM is never connected directly to a network that is externally accessible.
Metasploitable is an intentionally vulnerable Ubuntu Linux VM designed for practising against common vulnerabilities. It is a great starting point for pentest beginners (like me) to work through the various pentesting stages and techniques.
The Metasploitable VM is distributed by the makers of Metasploit, i.e. Rapid7. Metasploit is a penetration testing and ethical hacking framework; we will look into a few test cases against Metasploitable in upcoming blog posts.
The Metasploitable VM can be downloaded from this link: https://information.rapid7.com/download-metasploitable-2017.html. You need to enter some basic details before you are redirected to the download link. It is freeware. However, the distribution is in VMX format, which can only be opened by VMware Workstation or VMware Fusion; it cannot be deployed directly to an ESXi host.
This is not a major issue, it just adds an extra step: we first open the VMX-based VM in VMware Workstation and then export it as an OVA file, which can be imported into an ESXi environment like any other OVA.
Let's look into the steps in more details:
- Download the Metasploitable 2.0 zip archive from the Rapid7 download link and extract it.
- On a system with VMware Workstation installed, open VMware Workstation.
- From the Workstation menu bar, open the "File" drop-down and select "Open". Browse to the extracted Metasploitable folder, select the ".vmx" file and click "Open".
- Wait for the VM to be imported. Do not power on the VM. You will see that the VM has two network adapters. This is because, as mentioned above, none of the NICs should be connected to a network that is externally accessible, so Rapid7 ships the VM with two NICs by default: one on the Workstation NAT interface and another on the "host only" interface. As long as we ensure that WAN connectivity is always via NAT, we do not need both NICs on this VM.
- Right-click the imported VM and go to "Settings". Select the "host only" NIC and click "Remove".
- Now select the VM, open the "File" drop-down and select "Export to OVF".
- In the "Export Virtual Machine to OVF" window, make sure you change the file extension to ".OVA" when editing the file name, then click "Save".
- The VM is exported in OVA format. You can now use this OVA like any other OVA to import the VM into ESXi hosts.
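Before the first power-on, it is worth checking the isolation requirement from the top of the post mechanically rather than by eye. The following shell script is an added example, not part of the original post or of Rapid7's distribution: it reads the standard ethernetN.present and ethernetN.connectionType keys from a .vmx file and reports whether any adapter is bridged, which would put the guest directly onto the physical network. The .vmx contents it writes are constructed samples, and treating an adapter with no connectionType key as bridged is this script's own conservative assumption.

```shell
#!/bin/sh
# Added example, not from the original post: check a VMware .vmx file for
# virtual NICs before powering on an intentionally vulnerable VM such as
# Metasploitable, and refuse to treat it as isolated if any adapter is
# bridged. The keys read here (ethernetN.present, ethernetN.connectionType)
# are standard VMware .vmx keys; the sample .vmx contents below are
# constructed for this demonstration and are not the real Metasploitable file.

# Print one "index type" line per enabled ethernet adapter in the .vmx.
# A present adapter without a connectionType key is reported as "bridged",
# the conservative assumption for this check.
list_vmx_nics() {
    vmx="$1"
    grep '^ethernet[0-9]*\.present *= *"[Tt][Rr][Uu][Ee]"' "$vmx" \
      | sed 's/^ethernet\([0-9]*\)\..*/\1/' \
      | sort -n | uniq \
      | while read -r idx; do
            nic_type=$(grep "^ethernet${idx}\.connectionType" "$vmx" \
                         | sed 's/.*= *"\([^"]*\)".*/\1/' | tr 'A-Z' 'a-z')
            [ -z "$nic_type" ] && nic_type="bridged"
            echo "$idx $nic_type"
        done
}

# Return 0 when no adapter is bridged, 1 otherwise.
vmx_is_isolated() {
    if list_vmx_nics "$1" | grep -q ' bridged$'; then
        return 1
    fi
    return 0
}

# Write a constructed two-NIC .vmx (same layout as Metasploitable's) to $1,
# with connection types $2 and $3 for ethernet0 and ethernet1.
write_sample_vmx() {
    cat > "$1" <<EOF
.encoding = "UTF-8"
config.version = "8"
displayName = "Metasploitable2-Linux"
ethernet0.present = "TRUE"
ethernet0.connectionType = "$2"
ethernet1.present = "TRUE"
ethernet1.connectionType = "$3"
EOF
}

# Demonstration on two constructed files: the shipped NAT + host-only layout,
# and a risky variant where the second NIC was switched to bridged.
demo_dir=$(mktemp -d)
write_sample_vmx "$demo_dir/shipped.vmx" nat hostonly
write_sample_vmx "$demo_dir/risky.vmx" nat bridged
for f in "$demo_dir"/*.vmx; do
    echo "== $f"
    list_vmx_nics "$f"
    if vmx_is_isolated "$f"; then
        echo "OK: no bridged adapter, safe to power on behind NAT"
    else
        echo "WARNING: bridged adapter present, do not power on"
    fi
done
rm -rf "$demo_dir"
```

Run `list_vmx_nics` against the extracted Metasploitable .vmx before opening it in Workstation, and again after removing the "host only" NIC: at that point it should list only the NAT adapter. If the GUI export step is inconvenient, VMware's separate ovftool utility (not mentioned in the post) performs the same VMX-to-OVA conversion from the command line with `ovftool Metasploitable.vmx Metasploitable.ova`.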