A Beginner’s Step-by-Step Hacking Guide · SSH · FTP · rlogin · Telnet
Ever wondered how hackers actually break into computers? In this hands-on lab guide, we walk you through exactly how a hacker uses Kali Linux — the world’s most popular hacking operating system — to break into a vulnerable Linux machine called Metasploitable 2. Think of Metasploitable 2 as a “practice dummy” that is deliberately left wide open so you can learn hacking safely and legally. We cover four real hacking techniques: SSH, FTP, rlogin, and Telnet — all explained in plain English with real screenshots at every step. No prior hacking experience needed.
⚠ Important Warning: Everything in this guide is done inside a safe, private lab using a fake “dummy” machine that is designed to be hacked. Never try this on real computers, websites, or networks you do not own. Hacking real systems without permission is a serious crime in Australia and worldwide. This is purely for learning in a classroom environment.
Before we start hacking, we need two computers — one to attack from and one to attack. We run both as virtual machines (like apps) inside VirtualBox on the same laptop. Kali Linux is our hacker machine and Metasploitable 2 is our victim. The victim’s address on our private network is 10.175.53.252 — think of this like the victim’s home address we will be knocking on.
Before a hacker breaks in, they first scan the target machine to find out which ports are open, using a tool called Nmap. It knocks on the ports of the victim machine (all 65535 of them with -p-) and tells us which ones are open. Each open port is a potential entry point. Let’s run it and see what we find on our victim machine.
SSH is like a secret back door into a computer. Once you are in, you get a full command line — you can run any command, read files, create users, basically do anything. Our victim machine uses a very old version of SSH with outdated security settings, which means we need a couple of extra tricks to connect. But once we do — we’re in.
msfadmin unchanged — like someone who never changed the factory PIN on their phone. This is one of the most common reasons real systems get hacked. We will also hit a small technical roadblock because our Kali is modern and the victim uses an ancient SSH version — but we fix it easily.
Why the + prefix? It appends the algorithm to OpenSSH's default list rather than replacing the list, so the modern algorithms stay available. And because the options are passed with -o on the command line, the legacy support applies to this one lab connection only.
| Flag | Purpose | Disabled Since |
|---|---|---|
| HostKeyAlgorithms=+ssh-rsa | Re-enables RSA host key verification | OpenSSH 8.8 |
| KexAlgorithms=+diffie-hellman-group1-sha1 | Allows old key exchange method | OpenSSH 7.0 |
| PubkeyAcceptedKeyTypes=+ssh-rsa | Accepts RSA public key auth | OpenSSH 8.8 |
| ssh-keygen -R 10.175.53.252 | Clear stale known_hosts entry | — |
| ssh -vvv ... | Verbose debug to find failure point | — |
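If these options end up in ~/.ssh/config instead of on the command line, they should stay scoped to the lab target. The following check is an added example (not part of the original guide) that reports legacy algorithm options set globally, under a wildcard Host pattern, or in a Match block; the host alias metasploitable and git.example.internal are made-up names in a constructed config.

```shell
#!/usr/bin/env bash
# Added example: find legacy SSH algorithms enabled outside a host-specific block.

# Constructed ssh_config: the first block weakens every connection, the second
# limits the same legacy options to the lab target only.
sample_config() {
cat <<'EOF'
Host *
    KexAlgorithms +diffie-hellman-group1-sha1

Host metasploitable 10.175.53.252
    HostKeyAlgorithms +ssh-rsa
    KexAlgorithms +diffie-hellman-group1-sha1
    PubkeyAcceptedKeyTypes +ssh-rsa

Host git.example.internal
    HostKeyAlgorithms ssh-ed25519
EOF
}

# Reads an ssh_config on stdin and prints each legacy option whose scope is
# global, a wildcard Host pattern, or a Match block (reported for manual review).
find_unscoped_legacy() {
  awk '
    BEGIN { scope = "(global)"; wide = 1 }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      split(line, kv, /[ \t=]+/)            # ssh_config allows "Key value" and "Key=value"
      key = tolower(kv[1])
      val = line; sub(/^[^ \t=]+[ \t=]+/, "", val)
      if (key == "host")  { scope = val; wide = (val ~ /[*?]/); next }
      if (key == "match") { scope = "Match " val; wide = 1; next }
      # PubkeyAcceptedAlgorithms is the newer name for PubkeyAcceptedKeyTypes.
      legacy = (key == "kexalgorithms" && val ~ /diffie-hellman-group1-sha1/) ||
               (key ~ /^(hostkeyalgorithms|pubkeyacceptedkeytypes|pubkeyacceptedalgorithms)$/ && val ~ /ssh-rsa/)
      if (wide && legacy)
        printf "line %d [%s] %s\n", NR, scope, line
    }
  '
}

sample_config | find_unscoped_legacy
```

To check a real configuration, run `find_unscoped_legacy < ~/.ssh/config`; no output means no legacy option is enabled beyond a specific host.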
FTP is used to transfer files between computers. The problem? It sends your username, password, and every file in plain text — like sending a postcard instead of a sealed letter. Anyone watching the network can read it all. Our victim is running an ancient FTP server with the default password still set. We will log in and prove we can upload files directly onto the victim machine.
msfadmin. This is like a bank vault where the combination is written on a sticky note next to the server. We log in, navigate to a writable folder, and drop a file there — proving we have full write access to the victim’s machine.
Key Point: Always provide the remote filename as the second argument: put /local/path/file.txt remotename.txt. Without it, FTP tries to recreate the full local path on the remote, which fails with error 553.
| Command | Description |
|---|---|
| put /local/file.txt name.txt | Upload file to current remote directory |
| get remotefile.txt | Download file to local machine |
| mput *.txt | Upload multiple files |
| mget * | Download all remote files |
| cd /tmp | Change remote directory |
| lcd /root | Change local directory |
| ls / !ls | List remote / local files |
| passive | Toggle passive mode (fixes bind errors) |
| bye | Close FTP session |
vsFTPd 2.3.4 Backdoor (CVE-2011-2523): Appending :) to any username triggers a backdoor that opens a root shell on port 6200. This is a classic Metasploit exercise. Never attempt this on any real system.
This one is shocking. rlogin is so old and so insecure that it can let you into a machine with no password at all if the victim trusts your IP address. Even when a password is used, it travels across the network in plain text for anyone to read. Metasploitable 2 has this ancient protocol running on port 513. We walk straight in with a single command.
whoami confirms msfadmin shell

| Feature | rlogin (513) | SSH (22) |
|---|---|---|
| Encryption | ❌ None — plaintext | ✅ AES / ChaCha20 |
| Authentication | Trust-based or plaintext | Key-pair or encrypted |
| Wireshark visible? | Yes — everything readable | No — fully encrypted |
| Status | Obsolete since ~1995 | Current standard |
This is the easiest hack in the whole guide. One command, no flags, no tricks, and you are inside the victim machine with a full terminal. Telnet is so old (invented in 1969!) that it has absolutely no security built in. Everything — your password, every command you type, every result you see — travels across the network as plain readable text. It is the digital equivalent of shouting your bank PIN in a crowded shopping centre.
Critical Risk: Running tcpdump -i eth0 -A port 23 on the same network during a Telnet session will display every character typed — including passwords — in plaintext. This is why Telnet was replaced by SSH in the late 1990s.
| Protocol | Port | Command | Notes |
|---|---|---|---|
| Nmap | — | nmap -sV 10.175.53.252 | Service version detection |
| Nmap | — | nmap -p- 10.175.53.252 | All 65535 ports |
| SSH | 22 | ssh -o HostKeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 msfadmin@10.175.53.252 | Legacy flags required |
| SSH | 22 | ssh-keygen -R 10.175.53.252 | Clear stale known_hosts |
| FTP | 21 | ftp 10.175.53.252 | Interactive FTP client |
| FTP | 21 | put /root/testfile.txt testfile.txt | Upload to /tmp |
| FTP | 21 | get remotefile.txt | Download file |
| rlogin | 513 | rlogin -l msfadmin 10.175.53.252 | Needs rsh-client package |
| Telnet | 23 | telnet 10.175.53.252 | No flags needed |
| Netcat | any | nc 10.175.53.252 <port> | Raw TCP probe |

| Protocol | Port | Encrypted | Status | Risk |
|---|---|---|---|---|
| SSH | 22 | ✅ Yes | Current standard | 🟢 Low |
| SFTP/SCP | 22 | ✅ Yes | Replaces FTP | 🟢 Low |
| FTP | 21 | ❌ No | Deprecated | 🔴 High |
| Telnet | 23 | ❌ No | Obsolete | 🔴 Critical |
| rlogin | 513 | ❌ No | Obsolete | 🔴 Critical |
🎉 What Did We Just Learn? We just hacked into the same machine four different ways using four different open ports. Every single entry point we used existed because of the same two reasons: weak default passwords and old unencrypted protocols. In the real world, thousands of servers get hacked every day for exactly these reasons. The fix is simple — change default passwords immediately, disable old protocols like Telnet, FTP and rlogin, and use SSH with strong passwords or key-based authentication instead.
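To act on that fix across your own lab network, the scan results can be turned into a to-do list. This added example (not part of the original guide) reads Nmap's grepable output (`nmap -sV -oG -`) and lists every host that still exposes the cleartext services from the risk table, plus port 6200 from the vsFTPd note; the scan data is a constructed sample and 10.175.53.10 is a made-up second host.

```shell
#!/usr/bin/env bash
# Added example: flag the guide's cleartext services in `nmap -oG -` output.

# Constructed sample scan. Real -oG output separates fields with tabs; the
# parser below accepts tabs or spaces.
sample_scan() {
cat <<'EOF'
# Nmap grepable output (constructed sample)
Host: 10.175.53.252 ()  Status: Up
Host: 10.175.53.252 ()  Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 23/open/tcp//telnet//Linux telnetd/, 513/open/tcp//login///, 6200/closed/tcp/////
Host: 10.175.53.10 ()  Status: Up
Host: 10.175.53.10 ()  Ports: 21/filtered/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 9.6/
EOF
}

# Prints "<host> <port> <risk and action>" for each open TCP port that the
# guide rates as High or Critical. Closed and filtered ports are ignored.
audit_cleartext() {
  awk '
    BEGIN {
      risk[21]   = "High: FTP, replace with SFTP/SCP"
      risk[23]   = "Critical: Telnet, replace with SSH"
      risk[513]  = "Critical: rlogin, replace with SSH"
      risk[6200] = "Investigate: port used by the vsFTPd 2.3.4 backdoor shell"
    }
    /Ports:/ {
      host = $2
      line = $0
      sub(/^.*Ports: /, "", line)   # keep only the port list
      sub(/\t.*$/, "", line)        # drop trailing fields such as "Ignored State"
      n = split(line, entry, /, */)
      for (i = 1; i <= n; i++) {
        # entry format: port/state/protocol/owner/service/rpcinfo/version/
        split(entry[i], f, "/")
        if (f[2] == "open" && f[3] == "tcp" && (f[1] in risk))
          printf "%s %s %s\n", host, f[1], risk[f[1]]
      }
    }
  '
}

sample_scan | audit_cleartext
```

For a real run, pipe the scanner straight in: `nmap -sV -oG - 10.175.53.252 | audit_cleartext`.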