
Breaking Into Linux: A Hands-On Ethical Hacking Guide

By Aparna Vinayan kozhipuram (aparnavinayank@gmail.com) | Posted on 04 Jun 2026
Area of Article: Pen Testing

⚡ Cybersecurity Lab Article

APARNA VINAYAN  |  LECTURER  |  2026

Ethical Hacking  |  Kali Linux  |  Metasploitable 2  |  SSH & FTP Exploitation  |  rlogin & Telnet





Introduction



Ever wondered how hackers actually break into a computer? No hoodie, no movie magic — just a terminal and a few simple commands. In this hands-on lab we used Kali Linux (the world's favourite hacking operating system) to break into a deliberately vulnerable Linux machine called Metasploitable 2 — four different ways, in one session.


⚠️
Ethical Use Only. This lab was conducted in a completely isolated virtual network for academic purposes only. Never attempt these techniques on systems you do not own or have explicit permission to test. Unauthorised computer access is a criminal offence in Australia under the Criminal Code Act 1995.


The four attacks we demonstrated all succeeded for the same two reasons: default passwords that were never changed, and old protocols with zero security. Understanding how attacks work is the first step to building better defences.






Lab Setup



Both machines run as Virtual Machines (VMs) inside VirtualBox on a Host-Only network — completely isolated from the internet. Think of it as a private arena where the two machines can only talk to each other.



# Lab Environment
Attacker Machine: Kali Linux 2025.2 IP: 10.175.53.x
Target Machine: Metasploitable 2 IP: 10.175.53.252
Network: VirtualBox Host-Only (isolated)
Credentials: msfadmin / msfadmin (default — never changed)


Quick Start — Verify Connectivity



# From Kali — confirm the target is reachable
ping 10.175.53.252
PING 10.175.53.252 (10.175.53.252): 56 data bytes
64 bytes from 10.175.53.252: icmp_seq=0 ttl=64 time=0.4 ms


💡
What is Metasploitable 2? It is a fake Linux server that was deliberately built with security holes — like a training dummy for hackers. Created by the Metasploit team for education. Never expose it to a real network.






Step 1 — Find Open Doors with Nmap



Before entering a building you look for open doors and windows. Nmap (Network Mapper) does exactly that for computers — it knocks on every port and reports which services are running.


Host Discovery — Find the Target on the Network



# Scan the entire subnet to find live hosts
nmap -sn 10.175.53.0/24
Nmap scan report for 10.175.53.252
Host is up (0.00040s latency).
MAC Address: 08:00:27:XX:XX:XX (VirtualBox)


Full Service Version Scan



# Discover open ports + what software is running on each
nmap -sV 10.175.53.252
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
513/tcp open login?
514/tcp open shell?
3306/tcp open mysql MySQL 5.0.51a
...


Aggressive OS + Script Scan



# Full scan: OS detection + default scripts + versions
nmap -A -T4 10.175.53.252

# Check for known vulnerabilities
nmap --script vuln 10.175.53.252

# Scan all 65535 ports (thorough)
nmap -p- 10.175.53.252


🎯
What the scan tells us: Port 22 (SSH), 21 (FTP), 23 (Telnet), and 513 (rlogin) are all open. Every single one is a potential door in. Next we try each one.






Hack 1 — SSH (Port 22)




🔑 SSH — Secure Shell  |  Port 22  |  Medium Risk

SSH is the modern, encrypted way to log into a remote machine. It is like a locked front door — but if someone never changes the default key, you can still walk right in.



SSH itself is secure. The problem here is that msfadmin is both the username and the password — the factory default that was never changed. It is like buying a safe and never changing the combination from 0-0-0.


Challenge: Legacy Algorithm Mismatch


Modern Kali rejects the ancient SSH algorithms that old Metasploitable uses. You need to explicitly allow them:



# Step 1 — Remove stale host key (if reconnecting)
ssh-keygen -R 10.175.53.252

# Step 2 — Connect with legacy algorithm flags
ssh -o HostKeyAlgorithms=+ssh-rsa \
-o KexAlgorithms=+diffie-hellman-group1-sha1 \
msfadmin@10.175.53.252


The authenticity of host '10.175.53.252' can't be established.
RSA key fingerprint is SHA256:...
Are you sure you want to continue connecting? yes
msfadmin@10.175.53.252's password: msfadmin

Linux metasploitable 2.6.24-16-server ...
msfadmin@metasploitable:~$


# We are IN. Verify who we are:
whoami && hostname && uname -a
msfadmin
metasploitable
Linux metasploitable 2.6.24-16-server #1 SMP ...



Why it worked: Default credential msfadmin:msfadmin was never changed. A real attacker would have tried this in the first 30 seconds.






Hack 2 — FTP (Port 21)




📁 FTP — File Transfer Protocol  |  Port 21  |  High Risk

FTP is an old protocol for transferring files. It sends your username and password over the network in plain text — anyone on the same network can read them with Wireshark.



This version runs vsftpd 2.3.4 — notorious for a backdoor vulnerability (CVE-2011-2523). We demonstrate the straightforward credential-based entry here.



# Connect to FTP server
ftp 10.175.53.252
Connected to 10.175.53.252.
220 (vsFTPd 2.3.4)
Name (10.175.53.252:root): msfadmin
331 Please specify the password.
Password: msfadmin
230 Login successful.


# List files in current directory
ls -la
drwxr-xr-x 2 1000 1000 4096 Mar 17 2010 .

# Upload a test file
put /root/testfile.txt testfile.txt
226 Transfer complete.

# Download a file
get remotefile.txt
226 Transfer complete.

# Exit
bye


🚨
Critical Risk: If you run Wireshark while this FTP session is active, you will see the username and password in plain text in the packet capture. Use SFTP (SSH File Transfer) instead of FTP in any real environment.






Hack 3 — rlogin (Port 513)




🔓 rlogin — Remote Login  |  Port 513  |  Critical Risk

A 1980s protocol that uses a "trust" system — if your IP or hostname is in the target's ~/.rhosts file, it lets you in with no password at all. Completely insecure by modern standards.



This is the most alarming one. The .rhosts file on Metasploitable 2 trusts all hosts with a wildcard — meaning anyone who asks can walk straight in. No password required.



# Login via rlogin — specify username with -l
rlogin -l msfadmin 10.175.53.252
Last login: Mon Jun 1 12:30:00 2026 from 10.175.53.x

msfadmin@metasploitable:~$


# No password prompt! We are already inside.
whoami
msfadmin

# Also try rsh (Remote Shell — Port 514)
rsh -l msfadmin 10.175.53.252
msfadmin@metasploitable:~$

# Alternatively with netcat (raw TCP test)
nc 10.175.53.252 513


🚨
No password required. The .rhosts wildcard trust is an example of "security by obscurity" that provides zero protection. rlogin and rsh should never be enabled on any production system. They were obsolete by the late 1990s.
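
A defender's check for the wildcard trust described above, as an added example that is not part of the original lab: it scans hosts.equiv and every .rhosts file under a root directory and reports entries with + in the host or user field. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original lab): report wildcard trust entries.
# In hosts.equiv/.rhosts, "+" as the host trusts every host and "+" as the
# user trusts every user. "+@group" is a netgroup, not a wildcard.

# rhosts_wildcards FILE -> prints "FILE:LINE: entry" for each wildcard entry
rhosts_wildcards() {
    awk -v f="$1" '
        NF == 0 || $1 ~ /^#/ { next }     # skip blank and comment lines
        $1 == "+" || $2 == "+" { printf "%s:%d: %s\n", f, NR, $0 }
    ' "$1"
}

# audit_rhosts ROOT -> checks ROOT/etc/hosts.equiv and every .rhosts under ROOT
audit_rhosts() {
    root=${1:-/}
    {
        [ -f "$root/etc/hosts.equiv" ] && echo "$root/etc/hosts.equiv"
        find "$root" -type f -name .rhosts 2>/dev/null
    } | while IFS= read -r file; do
        rhosts_wildcards "$file"
    done
}

# Constructed sample tree; hostnames and users are made up for the demo
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/etc" "$demo/home/alice" "$demo/home/bob"
printf '+ +\n' > "$demo/home/alice/.rhosts"
printf '# build hosts\nbuild01 bob\n' > "$demo/home/bob/.rhosts"
printf 'trusted01\n+ deploy\n' > "$demo/etc/hosts.equiv"

audit_rhosts "$demo"
```

Run as root with `audit_rhosts /` on a real server to cover every home directory; any line it prints is a trust entry to remove.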






Hack 4 — Telnet (Port 23)




📟 Telnet — Terminal Network Protocol  |  Port 23  |  Critical Risk

The oldest remote-login protocol (1969). Every single keystroke — including your password — is sent over the network in plain text. Completely replaced by SSH in the late 1990s.



One command. No flags. You are inside.



# Connect via Telnet
telnet 10.175.53.252
Trying 10.175.53.252...
Connected to 10.175.53.252.
Escape character is '^]'.

metasploitable login: msfadmin
Password: msfadmin

Last login: Mon Jun 1 2026 ...
msfadmin@metasploitable:~$


# Once inside — check what we can access
cat /etc/passwd
ls /home
id && groups


🚨
Completely transparent to attackers. Running tcpdump or Wireshark on the same network captures every word you type — username, password, and every command — in plain text. SSH replaced Telnet for exactly this reason.






Complete Command Cheat Sheet



All Commands Used in This Lab



# ── NMAP ──────────────────────────────────────────
nmap -sn 10.175.53.0/24 # discover live hosts
nmap -sV 10.175.53.252 # service version scan
nmap -A -T4 10.175.53.252 # OS + scripts + versions
nmap --script vuln 10.175.53.252 # check known vulnerabilities
nmap -p- 10.175.53.252 # scan all 65535 ports

# ── SSH (Port 22) ─────────────────────────────────
ssh-keygen -R 10.175.53.252 # remove stale host key
ssh -o HostKeyAlgorithms=+ssh-rsa \
-o KexAlgorithms=+diffie-hellman-group1-sha1 \
msfadmin@10.175.53.252
# connect with legacy flags

# ── FTP (Port 21) ─────────────────────────────────
ftp 10.175.53.252 # open FTP connection
put /root/testfile.txt # upload file to remote
get remotefile.txt # download file from remote

# ── rlogin / rsh (Ports 513 / 514) ───────────────
rlogin -l msfadmin 10.175.53.252 # login — no password!
rsh -l msfadmin 10.175.53.252 # remote shell
nc 10.175.53.252 513 # raw TCP connection test

# ── Telnet (Port 23) ──────────────────────────────
telnet 10.175.53.252 # plaintext terminal session


Protocol Security at a Glance



# Protocol   Port   Encrypted   Verdict
  SSH        22     ✅ Yes      Modern standard → USE THIS
  FTP        21     ❌ No       Deprecated → AVOID
  Telnet     23     ❌ No       Obsolete → DISABLE
  rlogin     513    ❌ No       Obsolete → DISABLE
  rsh        514    ❌ No       Obsolete → DISABLE






Defence — How to Stop These Attacks



Every single attack in this lab could have been prevented. Here is what a sysadmin should do on any Linux server:


1. Disable Legacy Protocols



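# Disable Telnet, rlogin and rsh. Where they are started by inetd/xinetd,
# comment out their entries in /etc/inetd.conf (or set "disable = yes" in the
# matching /etc/xinetd.d/ file) and restart the super-server.
# Where the service has its own systemd unit (the unit name varies by distribution):
sudo systemctl disable telnet
sudo systemctl stop telnet

# Remove .rhosts trust files (repeat the first command for every user account)
rm -f ~/.rhosts
sudo rm -f /etc/hosts.equiv

# Disable FTP — use SFTP over SSH instead
sudo systemctl disable vsftpd
sudo systemctl stop vsftpd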


2. Harden SSH



# Edit /etc/ssh/sshd_config
PermitRootLogin no
# Use SSH keys instead (install and test your key before turning passwords off)
PasswordAuthentication no
MaxAuthTries 3
AllowUsers youruser

# Restart SSH after changes
sudo systemctl restart ssh
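
To confirm the settings above actually took effect, here is an added example (not the article's own code) that checks an sshd_config file against them. It assumes no Include files and reads only the global section; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check an sshd_config file
# against the settings listed above. Assumes no Include files and only the
# global section (parsing stops at the first Match block).

# sshd_setting FILE KEYWORD -> first value given for KEYWORD, lowercased.
# sshd keeps the first value it reads, so later duplicates are ignored.
sshd_setting() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_sshd FILE -> prints a FAIL line per weak setting, returns 1 if any
check_sshd() {
    rc=0
    for want in permitrootlogin=no passwordauthentication=no; do
        key=${want%%=*}; val=${want#*=}
        got=$(sshd_setting "$1" "$key")
        [ "$got" = "$val" ] || { echo "FAIL $key=${got:-unset} want $val"; rc=1; }
    done
    tries=$(sshd_setting "$1" maxauthtries)
    # An unset MaxAuthTries falls back to the OpenSSH default of 6
    [ "${tries:-6}" -le 3 ] || { echo "FAIL maxauthtries=${tries:-unset} want <=3"; rc=1; }
    return "$rc"
}

# Constructed sample files
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
cat > "$weak" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
PermitRootLogin no
EOF
cat > "$hard" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowUsers youruser
EOF

check_sshd "$weak" || true
check_sshd "$hard" && echo "hardened file passes"
```

On a live host, save the output of `sudo sshd -T` (the effective configuration, Include files resolved) to a file and pass that file to `check_sshd`.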


3. Firewall with UFW



sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # SSH only (add this before enabling so a remote session is not cut off)
sudo ufw deny 21/tcp # Block FTP
sudo ufw deny 23/tcp # Block Telnet
sudo ufw deny 513/tcp # Block rlogin
sudo ufw enable
sudo ufw status verbose


4. Brute-Force Protection with Fail2ban



sudo apt install fail2ban -y
sudo systemctl enable fail2ban
# To block an IP for 1 hour after 5 failed SSH attempts, set maxretry = 5 and
# bantime = 3600 for the sshd jail in /etc/fail2ban/jail.local


🎓
Key Takeaway: The attacker did nothing extraordinary. The system was broken from the inside — default passwords, open ports, obsolete protocols. Fixing those four things would have stopped all four hacks cold.







Aparna Vinayan

Lecturer · Cybersecurity

Cybersecurity educator and practitioner. This article documents a hands-on ethical hacking lab demonstrating common Linux vulnerabilities using Kali Linux.





© 2026 Aparna Vinayan  ·  Published for educational use only