whatisgithub

What is metasploitable3?

rapid7/metasploitable3 — explained in plain English

Analysis updated 2026-06-26

5,552HTMLAudience · ops devopsComplexity · 4/5LicenseSetup · hard

In one sentence

A purposely vulnerable virtual machine designed as a safe practice target for learning security testing with Metasploit, available in Windows Server 2008 and Ubuntu 14.04 versions.

Mindmap

mindmap
  root((metasploitable3))
    What it does
      Vulnerable VM
      Practice target
      Security lab
    Versions
      Windows Server 2008
      Ubuntu 14.04
    Setup
      Vagrant download
      Packer build
      VirtualBox required
    Use
      Metasploit practice
      Education only
      Isolated network
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Practice running Metasploit exploits against a real but isolated system without risking damage to live infrastructure.

USE CASE 2

Learn to identify and exploit common vulnerabilities in both Windows and Linux environments in a local lab.

USE CASE 3

Set up a classroom or training environment where students can practice penetration testing techniques safely.

What is it built with?

VagrantPackerVirtualBoxRuby

How does it compare?

rapid7/metasploitable3ngxson/smolvlm-realtime-webcamsteveruizok/perfect-freehand
Stars5,5525,5515,559
LanguageHTMLHTMLHTML
Setup difficultyhardmoderateeasy
Complexity4/52/52/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Building from scratch requires 65 GB free disk space, 4.5 GB RAM, plus Packer and Vagrant installed alongside a virtual machine platform.

Use freely for any purpose including commercial use, this is a BSD-style open source license requiring the copyright notice be kept.

So what is it?

Metasploitable3 is a virtual machine built specifically to contain a large number of security vulnerabilities. A virtual machine is a software-based computer that runs inside your real computer, isolated from your actual system. This one is designed to be attacked on purpose, making it a safe practice target for learning how security testing tools work. The primary use case is as a target for Metasploit, a widely used security testing framework that helps researchers and security professionals find and test vulnerabilities in systems. Instead of testing against real production systems (which would be illegal and harmful), you run Metasploitable3 in a private environment and practice against it. Two versions of the vulnerable VM are available: one based on Windows Server 2008, and one based on Ubuntu 14.04 (an older version of Linux). You can download pre-built images using a tool called Vagrant, which manages virtual machine setup, or you can build your own copies from scratch using build scripts included in the repository. Building from scratch requires tools called Packer and Vagrant, plus a virtual machine platform like VirtualBox. The whole build needs about 65 GB of disk space and 4.5 GB of RAM. The repository includes build scripts for both Windows and Linux host machines. The default login credentials for the resulting VMs are the username and password "vagrant", and the full list of intentional vulnerabilities is documented on the project's wiki page. This project is intended strictly for security education and authorized testing. Running it inside an isolated local network, not connected to the public internet, is the expected and safe way to use it. It is released under a BSD-style open source license.

Copy-paste prompts

Prompt 1
I have Metasploitable3 running in VirtualBox. Walk me through using Metasploit to scan it for open services and exploit a known vulnerability on the Windows Server 2008 image.
Prompt 2
How do I build the Ubuntu 14.04 version of Metasploitable3 from source using Packer and VirtualBox on a Windows host?
Prompt 3
What are five commonly exploited vulnerabilities in Metasploitable3, and how do I find and confirm each one using Metasploit modules?
Prompt 4
How do I configure a host-only network in VirtualBox so Metasploitable3 is isolated from the internet while still reachable from my host machine?
Prompt 5
Where do I find the full list of intentional vulnerabilities in Metasploitable3, and how are they organized by service?

Frequently asked questions

What is metasploitable3?

A purposely vulnerable virtual machine designed as a safe practice target for learning security testing with Metasploit, available in Windows Server 2008 and Ubuntu 14.04 versions.

What language is metasploitable3 written in?

Mainly HTML. The stack also includes Vagrant, Packer, VirtualBox.

What license does metasploitable3 use?

Use freely for any purpose including commercial use, this is a BSD-style open source license requiring the copyright notice be kept.

How hard is metasploitable3 to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is metasploitable3 for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.