First don’t try any of the attacks against machines you don’t have permission to. To download metasploitable: https://information.rapid7.com/download-metasploitable-2017.html
A vulnerable service is discovered using a scanner tool like zenmap, but this a whole process. The Ethical Hacking or the Website Hcking courses show this kind of techniques.
Hope it helps!