Run Metasploitable in Azure for Test lab

Carl 21 Reputation points

I would like to host an instance of Metasploitable 2 or 3 in the Azure cloud where I can practice attacking without being logged into Microsoft. For instance, if I have a machine running Kali linux outside of Azure, I can ping the IP address of my metasploitable instance and test from anywhere. I hope this makes sense. I saw that @ShashiShailaj-MSFT & @Manu Philip answered questions that are similar but not exactly the same.

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,048 questions
0 comments No comments
{count} votes

Accepted answer
  1. Shashi Shailaj 7,551 Reputation points Microsoft Employee

    @Carl ,

    Thank you for your query. As for our recommendations , we ask the user to target the machines/apps only which are owned by them . In this case you own the metasploitable instance and hence you can run tests form it from anywhere. you would have to first allow ICMP protocol for ping on the NSG (Network security group) associated with the VM . In order to reduce the attack surface , azure by default denies any incoming traffic from public internet to Azure VMs . You will need to allow ICMP protocol on the NSG associated with the metasploitable VM instance in order to get the ping command to your instance working from from your remote Kali linux outside azure.


    Metasploitable comes in windows and linux both flavors . On windows you may need to additionally enable the default rule on Windows firewall called "File and printer sharing (Echo Request - ICMPv4 - In)" for the Public profile at least.


    Unless the linux version of metaexploitable have any internal firewall system like firewalld/iptables which has ICMP blocked , you may not face any issue on the linux flavor . Considering that Metasploitable is a highly vulnerable instance created for learning pen testing , its highly unlikely but if you use any modified image you can may have to keep that in mind.

    We also have a pen-testing rules of engagement document which I would strongly recommend you to read before you start your learning adventure. We allow the following types of tests and disallow any kind of Denial of Service attack.

    If this is just for testing in a closed environment and learning pen testing using metasploitable , I would suggest you to check Azure Lab services where we have a detailed guide for setting up a lab for ethical hacking class. If you need to simulate DDoS attack, we have a partner Breakpoint Cloud which can help you test your assumptions of how a denial of service attack on azure protected resource would look like. If the information provided in the post is helpful, please accept as answer which will help improve the relevancy of the answer and in turn help others in the community searching for similar answers. Should you still have any further queries on this or I have missed any details , please feel free to let us know and we will be happy to help you further. I have included multiple links and would strongly recommend you to read through them.

    Thank you.

    0 comments No comments

0 additional answers

Sort by: Most helpful