Metasploitable & DVWA: Safe Targets for Practicing Exploits


You need vulnerable boxes that won’t get you arrested. These two are industry staples—here’s how I wire them up, keep traffic sealed tight, and practice like the pros do.

Disclaimer: The information in this article is provided for educational and informational purposes only and does not constitute legal, financial, or professional advice. All content is offered “as-is” without warranties of any kind. Readers are solely responsible for how they choose to use this information and must ensure that any actions comply with all applicable local, national, and international laws and regulations. We expressly disclaim liability for any losses, damages, or consequences that may arise from misuse or misinterpretation of this material. Always apply the information only within authorized, ethical, and legal contexts.

For more details, see our Terms of Service.

Why Metasploitable and DVWA?

Practicing on random IPs is a one-way ticket to a CFAA violation. You need intentionally vulnerable systems designed for training. That’s where Metasploitable and Damn Vulnerable Web Application (DVWA) shine. Both are built to break safely. Together they cover OS-level and web-app vulnerabilities—the bread and butter of penetration testing.

Rule #1: Practice only on boxes designed to be hacked. No permission, no testing.

Prerequisites

Step-by-Step Setup

  1. Configure host-only network. In VirtualBox, create a new host-only adapter (default: 192.168.56.0/24).
  2. Spin up Kali Linux. Give it at least 4GB RAM and attach it to the host-only adapter.
  3. Launch Metasploitable. Default creds: msfadmin/msfadmin. Keep it host-only.
  4. Deploy DVWA. Either via Docker image or a LAMP stack on Ubuntu.
  5. Verify connectivity. Run ip addr on each VM and ping across. Kali should see both targets.

Figure: Kali Linux with vulnerable VMs in a host-only lab. My go-to setup: Kali on the left, Metasploitable and DVWA on the right, all inside an isolated subnet.
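Steps 1 and 5 only sealed the lab if the targets have no route off the host-only subnet. The script below is an added example (mine, not from the original post): it assumes the 192.168.56.0/24 host-only network from step 1, parses the `ip -4 route` and `ip -4 -o addr` output you collect in step 5, and flags a VM that still has a NAT or bridged path out. The sample outputs embedded in it are constructed, not captured from a real VM.

```shell
#!/bin/sh
# Lab isolation check (added example): run on each VM after step 5 as
#   sh labcheck.sh "$(ip -4 route)" "$(ip -4 -o addr)"
# Without arguments it checks the constructed samples below (not from real VMs).
LABNET='192.168.56.'   # the host-only subnet from step 1, as a prefix string

# lab_isolated ROUTES: status 0 if every route stays inside LABNET, 1 otherwise.
# A default route or a 10.0.2.0/24 (VirtualBox NAT) route means the vulnerable
# VM has a path to your LAN or the internet, which is what host-only avoids.
lab_isolated() {
  status=0
  old_ifs=$IFS
  IFS='
'
  set -f                     # split $1 on newlines only, no glob expansion
  for line in $1; do
    case "$line" in
      "$LABNET"*) ;;         # route inside the lab subnet: fine
      *) status=1 ;;         # default route or foreign network: leak
    esac
  done
  set +f
  IFS=$old_ifs
  return $status
}

# lab_addrs_ok ADDRS: status 0 if the VM has exactly one non-loopback IPv4
# address and it lies in LABNET (a second address usually means a NAT or
# bridged adapter is still attached), 1 otherwise.
lab_addrs_ok() {
  printf '%s\n' "$1" | awk -v net="$LABNET" '
    $3 == "inet" && $4 !~ /^127\./ { n++; if (index($4, net) != 1) bad++ }
    END { exit !(n == 1 && bad == 0) }'
}

# Constructed samples: a sealed Metasploitable VM, and the same VM with NAT left on.
SEALED_ROUTES='192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.101'
LEAKY_ROUTES='default via 10.0.2.2 dev eth1
10.0.2.0/24 dev eth1 proto kernel scope link src 10.0.2.15
192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.101'
SEALED_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0'
routes=${1:-$SEALED_ROUTES}
addrs=${2:-$SEALED_ADDRS}
if lab_isolated "$routes" && lab_addrs_ok "$addrs"; then
  echo "OK: only host-only routes and a single lab address"
else
  echo "WARNING: this VM has a path outside ${LABNET}0/24; fix its adapter first"
fi
```

The DVWA container in the quickstart publishes port 80 on every interface of its Docker host, so run the same check on that host as well.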

What You Can Practice

  • Metasploitable: SSH brute force, vulnerable services, outdated daemons, weak default credentials.
  • DVWA: SQL injection, XSS, CSRF, file upload vulns—classic web app attacks.

Pair this with Nmap scanning basics and how to package results for recruiters. Each vuln you exploit is raw material for a professional-quality writeup.

Quickstart: 30 Minutes to First Exploit

  1. Download Metasploitable, boot it in VirtualBox on 192.168.56.101.
  2. Install DVWA with Docker: docker run -it -p 80:80 vulnerables/web-dvwa.
  3. Run nmap -sV 192.168.56.0/24 from Kali to discover both targets.
  4. Log in to DVWA and set the security level to “low.”
  5. Attempt a basic SQLi: ' OR '1'='1 on the login form.
  6. Write a one-page report: target, vuln, exploit, remediation.

Helpful References

Where to Go Next

Level up your lab with: Best Hypervisors for Ethical Hacking Labs, Best Legal Platforms to Practice Ethical Hacking, and From Home Lab to Job-Ready.

Spot an error or a better angle? Tell me and I’ll update the piece. I’ll credit you by name—or keep it anonymous if you prefer. Accuracy > ego.


Mason Goulding · Founder, Maelstrom Web Services

Builder of fast, hand-coded static sites with SEO baked in. Stack: Eleventy · Vanilla JS · Netlify · Figma

With 10 years of writing expertise and currently pursuing advanced studies in computer science and mathematics, Mason blends human behavior insights with technical execution. His Master’s research at CSU–Sacramento examined how COVID-19 shaped social interactions in academic spaces — see his thesis on Relational Interactions in Digital Spaces During the COVID-19 Pandemic. He applies his unique background and skills to create successful builds for California SMBs.

Every build follows Google’s E-E-A-T standards: scalable, accessible, and future-proof.