Kali Linux Series — Part 2: Web Hacking Tools

CHAPTER 01

🔫 Burp Suite — Web Proxy Framework সম্পূর্ণ গাইডWeb Proxy Framework Complete Guide

Web traffic intercept, modify, replay — Web App Hacking-এর সবচেয়ে গুরুত্বপূর্ণ টুলIntercept, modify, replay web traffic — the most important web app hacking tool

🔫

Burp Suite

PortSwigger-এর তৈরি industry-standard web security testing framework — Community ও Professional দুটো version আছেIndustry-standard web security testing framework by PortSwigger — Community and Professional versions available

Web Proxy Vulnerability Scanner Fuzzer Brute Force

🚀 Burp Suite চালু করাLaunching Burp Suite

# Terminal থেকে চালু করো root@kali:~# burpsuite # অথবা GUI থেকে: Applications → Web Application Analysis → burpsuite # Java manually দিয়ে চালু করো (যদি লাগে) root@kali:~# java -jar /usr/bin/burpsuite

⚙️ Proxy Setup — Browser Configure করাProxy Setup — Configure Browser

💡 Burp-এর Proxy কীভাবে কাজ করে?How Burp Proxy Works?

Browser → Burp Proxy (127.0.0.1:8080) → Internet। Browser-এর সব traffic Burp-এর মধ্য দিয়ে যায়, তুমি intercept, modify করতে পারো। Browser → Burp Proxy (127.0.0.1:8080) → Internet. All browser traffic flows through Burp, so you can intercept and modify it.

ধাপStep	কাজAction
1	Burp Suite চালু করো → Proxy → Options → 127.0.0.1:8080 চেক করোLaunch Burp → Proxy → Options → Verify 127.0.0.1:8080
2	Firefox-এ FoxyProxy install করো (recommended) অথবা Manual Proxy → HTTP: 127.0.0.1, Port: 8080Install FoxyProxy in Firefox (recommended) or set Manual Proxy → HTTP: 127.0.0.1, Port: 8080
3	HTTPS intercept-এর জন্য: http://burp → Download certificate → Firefox Cert Manager-এ import করোFor HTTPS: go to http://burp → Download certificate → Import in Firefox Cert Manager
4	Proxy → Intercept → "Intercept is on" করোProxy → Intercept → Enable "Intercept is on"

🎯 Burp Suite-এর Module গুলোBurp Suite Modules

📡 Proxy — Traffic InterceptTraffic Intercept

কাজAction	কীভাবে করবHow to
Request intercept করোIntercept request	Proxy → Intercept → Intercept is on
Request forward করোForward request	Forward button / Ctrl+F
Request drop করোDrop request	Drop button
Request history দেখোView request history	Proxy → HTTP history
Request Repeater-এ পাঠাওSend to Repeater	Right click → Send to Repeater / Ctrl+R
Request Intruder-এ পাঠাওSend to Intruder	Right click → Send to Intruder / Ctrl+I
Match & Replace rule যোগ করোAdd Match & Replace rule	Proxy → Options → Match and Replace

🔁 Repeater — Request ReplayRequest Replay

কাজAction	কীভাবেHow
Request পাঠাওSend request	Send button / Ctrl+Enter
Request manually edit করোManually edit request	Request panel-এ সরাসরি edit করোDirectly edit in request panel
Response দেখোView response	Response panel (right side)
History navigate করোNavigate history	← → buttons
নতুন tab খোলোOpen new tab	+ button
Render করে দেখোRender view	Response → Render tab

🎲 Intruder — Automated AttackAutomated Attack

⚠️ Community Edition-এ Intruder throttled (ধীর) — Professional-এ দ্রুতIntruder is throttled in Community Edition — fast in Professional

Attack Type	কাজFunction	ব্যবহারUse Case
Sniper	একটি payload set, একটি position-এ iterate করেOne payload set iterates through one position	Single field fuzzing
Battering Ram	একই payload সব position-এ একসাথে দেয়Same payload inserted into all positions simultaneously	Username=Password test
Pitchfork	একাধিক payload set, সমান্তরালে iterate করেMultiple payload sets iterate in parallel	Username:Password list
Cluster Bomb	সব payload-এর সব combination চেষ্টা করেTries all combinations of all payload sets	Brute force

# Intruder workflow: # 1. Request intercept করো → Send to Intruder (Ctrl+I) # 2. Positions tab → Attack Type বেছে নাও # 3. যেখানে payload বসাবে সেখানে § mark করো (Add § button) # 4. Payloads tab → Payload type বেছে নাও (Simple list / Wordlist) # 5. Start Attack button চাপো # 6. Results-এ Status code / Length দেখে anomaly খোঁজো

🔬 Scanner (Professional Only)

কাজAction	কীভাবেHow
Active scan চালাওRun active scan	Target → Site map → Right click → Actively scan
Passive scan দেখোView passive scan results	Dashboard → Issue activity
Scan config করোConfigure scan	Scanner → Scan configuration
Vulnerability report বের করোExport vulnerability report	Target → Site map → Issues → Right click → Report

🔎 Other Tools

Tool	কাজFunction	কীভাবে ব্যবহারHow to Use
Decoder	Base64, URL, HTML, Hex encode/decode করোEncode/decode Base64, URL, HTML, Hex	Decoder tab → paste → select encoding
Comparer	দুটো request/response compare করোCompare two requests/responses	Right click → Send to Comparer
Sequencer	Session token randomness analyze করোAnalyze session token randomness	Right click on token → Send to Sequencer
Target → Site Map	পুরো target-এর structure দেখোView entire target structure	Target tab → Site map
Logger	সব HTTP request log করোLog all HTTP requests	Logger tab (BApp Store)

⌨️ Burp Suite Keyboard ShortcutsBurp Suite Keyboard Shortcuts

Shortcut	কাজFunction
Ctrl + R	Repeater-এ পাঠাওSend to Repeater
Ctrl + I	Intruder-এ পাঠাওSend to Intruder
Ctrl + F	Forward intercepted requestForward intercepted request
Ctrl + Enter	Request send (Repeater)Send request (Repeater)

Shortcut	কাজFunction
Ctrl + Z	Undo (request editor)Undo in request editor
Ctrl + A	Select all textSelect all text
Ctrl + S	Project saveSave project
Ctrl + Shift + B	Base64 encode (selected)Base64 encode selection

🧩 দরকারী BApp ExtensionsUseful BApp Extensions

Extension	কাজFunction
Logger++	Advanced request loggingAdvanced request logging
Autorize	Authorization bypass testing (IDOR)Authorization bypass testing (IDOR)
J2EEScan	Java application vulnerability scanningJava application vulnerability scanning
SQLiPy	SQLmap integrationSQLmap integration
Turbo Intruder	High-speed Intruder (Race condition testing)High-speed Intruder (Race condition testing)
Active Scan++	Extra active scan checksExtra active scan checks
Param Miner	Hidden parameter discoveryHidden parameter discovery
Upload Scanner	File upload vulnerability testingFile upload vulnerability testing

CHAPTER 02

🔍 Nikto — Web Server Vulnerability ScannerWeb Server Vulnerability Scanner

Web server misconfiguration, outdated software, dangerous files — সব scan করো automaticallyAutomatically scan for web server misconfigs, outdated software, dangerous files

🔍

nikto

Open-source web server scanner — ৬৭০০+ vulnerability ও misconfiguration check করতে পারেOpen-source web server scanner — can check for 6700+ vulnerabilities and misconfigurations

Web Scanner Active Recon

Flag	কাজFunction	উদাহরণExample
-h host	Target host বা IP specify করোSpecify target host or IP	nikto -h target.com
-p port	নির্দিষ্ট port scan করো (default: 80)Scan specific port (default: 80)	nikto -h target.com -p 8080
-p 80,443,8080	Multiple port scan করোScan multiple ports	nikto -h target.com -p 80,443
-ssl	SSL/HTTPS force করোForce SSL/HTTPS scan	nikto -h target.com -ssl
-o file	Output file-এ save করোSave output to file	nikto -h target.com -o scan.html
-Format html	Output format — html, csv, xml, txt, jsonOutput format — html, csv, xml, txt, json	nikto -h target -o r.html -Format html
-Tuning x	Scan category filter করো (নিচে দেখো)Filter scan categories (see below)	nikto -h target -Tuning 9
-useproxy	Proxy দিয়ে scan করো (Burp-এর সাথে)Scan through proxy (use with Burp)	nikto -h target -useproxy http://127.0.0.1:8080
-id user:pass	HTTP Basic Auth দিয়ে scan করোScan with HTTP Basic Auth	nikto -h target -id admin:password
-C all	CGI directory সব check করোCheck all CGI directories	nikto -h target -C all
-nossl	SSL disable করোDisable SSL	nikto -h target -nossl
-timeout sec	Request timeout set করোSet request timeout	nikto -h target -timeout 10
-Plugins list	Available plugins দেখাওShow available plugins	nikto -list-plugins
-update	Nikto database update করোUpdate Nikto database	nikto -update
-Display V	Verbose output দেখাওShow verbose output	nikto -h target -Display V
-nolookup	DNS lookup বন্ধ করো (দ্রুত)Disable DNS lookup (faster)	nikto -h 192.168.1.1 -nolookup
-evasion x	IDS evasion technique ব্যবহার করোUse IDS evasion technique	nikto -h target -evasion 1
-iL hosts.txt	File থেকে multiple host scan করোScan multiple hosts from file	nikto -iL hosts.txt
-maxtime 1h	Maximum scan time set করোSet maximum scan time	nikto -h target -maxtime 30m

🎯 Tuning Options — কোন category scan করবTuning Options — What to Scan

নম্বরNumber	Category
0	File Upload vulnerability
1	Interesting file / Seen in logs
2	Misconfiguration / Default file
3	Information Disclosure
4	Injection (XSS/Script/HTML)
5	Remote File Retrieval — Inside Web Root
6	Denial of Service
7	Remote File Retrieval — Server Wide
8	Command Execution / Remote Shell
9	SQL Injection
a	Authentication Bypass
b	Software Identification
c	Remote Source Inclusion
x	Reverse Tuning options (exclude chosen)

# Basic scan root@kali:~# nikto -h http://target.com # Full scan with HTML report root@kali:~# nikto -h http://target.com -o report.html -Format html # HTTPS scan root@kali:~# nikto -h https://target.com -ssl # Burp proxy দিয়ে (traffic capture করতে) root@kali:~# nikto -h target.com -useproxy http://127.0.0.1:8080 # SQL injection ও auth bypass check করো root@kali:~# nikto -h target.com -Tuning 9a # নির্দিষ্ট port-এ scan করো ও save করো root@kali:~# nikto -h target.com -p 8080 -o scan_8080.txt -Format txt

CHAPTER 03

💉 SQLmap — SQL Injection AutomationSQL Injection Automation

Automatic SQL injection detection ও exploitation — database dump থেকে OS shell পর্যন্তAutomatic SQL injection detection and exploitation — from database dump to OS shell

💉

sqlmap

World-এর সবচেয়ে powerful open-source SQL injection tool — automatic detection, exploitation ও data extraction করেWorld's most powerful open-source SQL injection tool — automatic detection, exploitation, and data extraction

SQL Injection Web Hacking Auto Exploit

🎯 Target SpecificationTarget Specification

Flag	কাজFunction	উদাহরণExample
-u URL	Target URL specify করো (GET parameter)Specify target URL (GET parameter)	-u "http://target.com/page?id=1"
--data "params"	POST data দাওProvide POST data	--data "user=a&pass=b"
-r file.txt	Burp থেকে save করা HTTP request file দাওProvide saved HTTP request file from Burp	-r request.txt
--cookie "c=v"	Cookie সহ request পাঠাওSend request with cookie	--cookie "PHPSESSID=abc123"
-p param	নির্দিষ্ট parameter test করোTest a specific parameter	-p "id"
--headers "H: V"	Custom header যোগ করোAdd custom headers	--headers "X-Forwarded-For: 127.0.0.1"
--user-agent "UA"	Custom User-Agent সেট করোSet custom User-Agent	--user-agent "Mozilla/5.0"
--random-agent	Random User-Agent ব্যবহার করোUse random User-Agent	--random-agent
--proxy	Proxy দিয়ে scan করোRoute through proxy	--proxy "http://127.0.0.1:8080"
--tor	Tor নেটওয়ার্ক ব্যবহার করোUse Tor network	--tor

🔍 Detection OptionsDetection Options

Flag	কাজFunction
--level=1-5	Test level (1=basic, 5=maximum) — level বাড়লে বেশি test হয় কিন্তু ধীরTest level (1=basic, 5=maximum) — higher = more tests but slower
--risk=1-3	Risk level — 3 মানে সব ধরনের injection, data modify হতে পারেRisk level — 3 means all injections including potentially harmful
--technique=BEUSTQ	SQLi technique specify করো: B=Boolean, E=Error, U=Union, S=Stacked, T=Time, Q=InlineSpecify SQLi technique: B=Boolean, E=Error, U=Union, S=Stacked, T=Time, Q=Inline
--dbms=mysql	Database type force করো (mysql, mssql, oracle, postgresql, sqlite)Force database type (mysql, mssql, oracle, postgresql, sqlite)
--string "text"	True response-এ থাকা unique string দাওProvide unique string present in true response
--not-string	False response-এ থাকা string দাওProvide string present in false response

🗄️ Database EnumerationDatabase Enumeration

Flag	কাজFunction	উদাহরণExample
--dbs	সব database-এর নাম বের করোList all databases	sqlmap -u "url?id=1" --dbs
-D dbname --tables	নির্দিষ্ট database-এর সব table দেখাওList all tables in specific database	-D mydb --tables
-D db -T table --columns	Table-এর সব column দেখাওList all columns in table	-D mydb -T users --columns
-D db -T table --dump	পুরো table dump করোDump entire table	-D mydb -T users --dump
--dump-all	সব database-এর সব table dump করোDump all tables from all databases	--dump-all
-C col1,col2 --dump	নির্দিষ্ট column dump করোDump specific columns only	-C "username,password" --dump
--current-db	বর্তমান database-এর নাম দেখাওShow current database name	--current-db
--current-user	বর্তমান DB user দেখাওShow current DB user	--current-user
--users	সব DB user দেখাওList all DB users	--users
--passwords	DB user password hash বের করোExtract DB user password hashes	--passwords
--privileges	DB user-এর privilege দেখাওShow DB user privileges	--privileges
--is-dba	Current user DBA কিনা check করোCheck if current user is DBA	--is-dba
--count	Table-এ row count দেখাওShow row count in table	-T users --count
--where "cond"	Condition দিয়ে filter করোFilter data with condition	--where "id > 5"

💻 File & OS OperationsFile & OS Operations

Flag	কাজFunction	উদাহরণExample
--file-read	Server-এর file পড়ো (যদি permission থাকে)Read file from server (if permissions allow)	--file-read "/etc/passwd"
--file-write	Server-এ file লেখো (webshell upload!)Write file to server (webshell upload!)	--file-write "shell.php"
--file-dest	Server-এ file লেখার destination pathDestination path on server for file write	--file-dest "/var/www/html/shell.php"
--os-shell	Interactive OS shell পাও (DBA হলে)Get interactive OS shell (if DBA)	--os-shell
--os-cmd "cmd"	Single OS command execute করোExecute a single OS command	--os-cmd "whoami"
--sql-shell	Interactive SQL shell পাওGet interactive SQL shell	--sql-shell
--sql-query "q"	Custom SQL query চালাওExecute custom SQL query	--sql-query "SELECT version()"

⚡ Performance & EvasionPerformance & Evasion

Flag	কাজFunction
--threads=10	Concurrent threads বাড়াও (দ্রুত হবে)Increase concurrent threads (faster)
--time-sec=5	Time-based injection-এ delay সেট করোSet delay for time-based injection
--tamper=space2comment	WAF bypass tamper script ব্যবহার করোUse WAF bypass tamper script
--tamper=charencode	Character encoding দিয়ে WAF bypassBypass WAF with character encoding
--flush-session	Previous session data মুছে নতুন করোClear previous session and start fresh
--fresh-queries	Cache ignore করো, নতুন query করোIgnore cache, make fresh queries
--batch	সব prompt-এ default answer দিয়ে auto-run করোAuto-run with default answers to all prompts
-v 3	Verbose level — 0-6 (3 = payload দেখা যায়)Verbose level 0-6 (3 = see payloads)

# Basic GET parameter injection check root@kali:~# sqlmap -u "http://target.com/item?id=1" --dbs # POST request injection (login form) root@kali:~# sqlmap -u "http://target.com/login" --data="user=a&pass=b" --dbs # Burp request file দিয়ে (সবচেয়ে ভালো পদ্ধতি) root@kali:~# sqlmap -r burp_request.txt --dbs --batch # Cookie-based injection root@kali:~# sqlmap -u "http://target.com/" --cookie "id=1" -p id --dbs # সব user dump করো root@kali:~# sqlmap -u "url?id=1" -D webapp -T users --dump # OS shell পাও (high privilege দরকার) root@kali:~# sqlmap -u "url?id=1" --os-shell # WAF bypass করে scan করো root@kali:~# sqlmap -u "url?id=1" --tamper="space2comment,charencode" --dbs --random-agent # /etc/passwd পড়ো root@kali:~# sqlmap -u "url?id=1" --file-read="/etc/passwd"

CHAPTER 04

📂 Gobuster — Directory & DNS Brute ForcerDirectory & DNS Brute Forcer

Hidden directory, file, subdomain, virtual host খোঁজো wordlist দিয়ে — দ্রুততম toolFind hidden directories, files, subdomains, vhosts with wordlists — one of the fastest tools

📂

gobuster

Go দিয়ে লেখা fast brute force tool — dir, dns, vhost, fuzz, s3 mode আছেFast brute force tool written in Go — supports dir, dns, vhost, fuzz, s3 modes

Dir Brute DNS Enum VHost Scan

📁 dir mode — Directory & File Brute ForceDirectory & File Brute Force

Flag	কাজFunction	উদাহরণExample
-u URL	Target URL specify করোSpecify target URL	-u http://target.com
-w wordlist	Wordlist file দাওProvide wordlist file	-w /usr/share/wordlists/dirb/common.txt
-x ext	File extension check করোCheck file extensions	-x php,html,txt,bak
-t threads	Thread count বাড়াও (default: 10)Increase thread count (default: 10)	-t 50
-o file	Output save করোSave output to file	-o results.txt
-s codes	কোন status code দেখাবে (default: 200,204,301,302,307)Which status codes to show (default: 200,204,301,302,307)	-s 200,301
-b codes	কোন status code hide করবে (blacklist)Blacklist status codes to hide	-b 404,403
-k	SSL certificate verify skip করোSkip SSL certificate verification	-k
-c cookie	Cookie যোগ করো (auth-এর পরে scan)Add cookie (scan after auth)	-c "PHPSESSID=abc123"
-H header	Custom header যোগ করোAdd custom header	-H "Authorization: Bearer token"
-a agent	Custom User-Agent সেট করোSet custom User-Agent	-a "Mozilla/5.0"
-e	Full URL print করোPrint full URL in output	-e
-r	Redirect follow করোFollow redirects	-r
--timeout	Request timeout সেট করোSet request timeout	--timeout 5s
-z	Progress দেখাও না (quiet mode)Don't show progress (quiet mode)	-z
--wildcard	Wildcard response আসলেও চালিয়ে যাওContinue even with wildcard responses	--wildcard

🌐 dns mode — Subdomain Brute ForceSubdomain Brute Force

Flag	কাজFunction	উদাহরণExample
-d domain	Target domain specify করোSpecify target domain	-d target.com
-w wordlist	Subdomain wordlist দাওProvide subdomain wordlist	-w subdomains.txt
-r resolver	Custom DNS resolver ব্যবহার করোUse custom DNS resolver	-r 8.8.8.8
--show-cname	CNAME records দেখাওShow CNAME records	--show-cname
--show-ips	IP address দেখাওShow IP addresses	--show-ips

🏠 vhost mode — Virtual Host DiscoveryVirtual Host Discovery

Flag	কাজFunction	উদাহরণExample
-u URL	Base URL specify করোSpecify base URL	-u http://target.com
-w wordlist	Virtual host wordlist দাওProvide virtual host wordlist	-w vhosts.txt
--append-domain	Domain suffix automatically যোগ করোAutomatically append domain suffix	--append-domain

# Basic directory scan root@kali:~# gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt # File extension সহ scan করো root@kali:~# gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak,zip -t 50 # HTTPS scan (cert skip) root@kali:~# gobuster dir -u https://target.com -w common.txt -k -t 30 # Cookie দিয়ে authenticated scan root@kali:~# gobuster dir -u http://target.com/admin -w common.txt -c "session=abc123" -t 40 # DNS subdomain brute force root@kali:~# gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 30 --show-ips # VHost discovery root@kali:~# gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain # Output save করো root@kali:~# gobuster dir -u http://target.com -w common.txt -o gobuster_results.txt -t 50 -e

💡 Best Wordlists for Gobuster

/usr/share/wordlists/dirb/common.txt — Small, fast
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt — Medium, comprehensive
/usr/share/seclists/Discovery/Web-Content/big.txt — Large
/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt — Very large

CHAPTER 05

📁 Dirb — Web Content ScannerWeb Content Scanner

Recursive directory scanning — সহজ এবং কার্যকরRecursive directory scanning — simple and effective

📁

dirb

Web content scanner — HTTP response এর উপর ভিত্তি করে hidden files ও directories খোঁজেWeb content scanner — finds hidden files and directories based on HTTP responses

Dir Scan Web Recon

Flag	কাজFunction	উদাহরণExample
dirb http://target.com	Default wordlist দিয়ে scan করোScan with default wordlist	dirb http://target.com
dirb url wordlist.txt	Custom wordlist দিয়ে scan করোScan with custom wordlist	dirb http://target.com /usr/share/wordlists/dirb/big.txt
-o file	Output file-এ save করোSave output to file	-o results.txt
-r	Non-recursive mode (subdirectory scan বন্ধ)Non-recursive mode (no subdirectory scan)	-r
-S	Silent mode — found result শুধু দেখাওSilent mode — show only found results	-S
-X ext	Extension suffix যোগ করোAppend file extension	-X .php,.html
-z ms	Request-এর মধ্যে millisecond delayMillisecond delay between requests	-z 100
-c cookie	Cookie সেট করোSet cookie	-c "session=abc"
-u user:pass	HTTP auth username:password দাওSet HTTP auth username:password	-u admin:password
-H header	Custom header যোগ করোAdd custom header	-H "X-Custom: value"
-p proxy	Proxy দিয়ে scan করোScan through proxy	-p http://127.0.0.1:8080
-N code	নির্দিষ্ট HTTP code ignore করোIgnore specific HTTP response code	-N 302
-w	Warning message দেখাও নাDon't show warning messages	-w
-f	Fine tuning — 404 response এর উপর ভিত্তি করেFine tune based on 404 responses	-f

# Default wordlist দিয়ে scan root@kali:~# dirb http://target.com # Custom wordlist + PHP extension + output save root@kali:~# dirb http://target.com /usr/share/wordlists/dirb/big.txt -X .php,.bak -o dirb_results.txt # Cookie দিয়ে authenticated scan root@kali:~# dirb http://target.com/admin -c "PHPSESSID=abc123" -S # Burp proxy দিয়ে root@kali:~# dirb http://target.com -p http://127.0.0.1:8080

🆚 Gobuster vs Dirb vs DirsearchGobuster vs Dirb vs Dirsearch

Tool	গতিSpeed	সুবিধাAdvantage	ব্যবহারBest for
Gobuster	দ্রুততম	Multi-threaded, Go দিয়ে লেখাMulti-threaded, written in Go	CTF, Bug Bounty
Dirb	মাঝারি	Simple, Recursive, Built-in wordlistSimple, recursive, built-in wordlist	Quick scan
Dirsearch	দ্রুত	Python, Extension support, Beautiful outputPython, extension support, nice output	Comprehensive scan
Feroxbuster	সবচেয়ে দ্রুত	Rust, Recursive, Smart filteringRust, recursive, smart filtering	Large targets

CHAPTER 06

🔑 WPScan — WordPress Security Scanner

WordPress plugin, theme, user, vulnerability — সব কিছু scan করোScan WordPress for plugins, themes, users, and vulnerabilities

🔑

wpscan

WordPress-specific black box security scanner — WPVulnDB থেকে vulnerability data নেয়WordPress-specific black box security scanner — pulls vulnerability data from WPVulnDB

WordPress CMS Scanner Brute Force

Flag	কাজFunction	উদাহরণExample
--url URL	Target WordPress site URL দাওProvide target WordPress URL	--url http://wp-target.com
--enumerate u	User enumerate করোEnumerate users	--enumerate u
--enumerate p	Plugin enumerate করোEnumerate plugins	--enumerate p
--enumerate t	Theme enumerate করোEnumerate themes	--enumerate t
--enumerate vp	Vulnerable plugins খোঁজোFind vulnerable plugins	--enumerate vp
--enumerate vt	Vulnerable themes খোঁজোFind vulnerable themes	--enumerate vt
--enumerate ap	সব plugin enumerate করোEnumerate all plugins	--enumerate ap
--enumerate at	সব theme enumerate করোEnumerate all themes	--enumerate at
--enumerate cb	Config backup file খোঁজোFind config backup files	--enumerate cb
--enumerate dbe	DB export file খোঁজোFind DB export files	--enumerate dbe
-P wordlist.txt	Password brute force করোBrute force passwords	-P /usr/share/wordlists/rockyou.txt
-U username	নির্দিষ্ট username brute force করোBrute force specific username	-U admin
--api-token TOKEN	WPVulnDB API token দাও (বেশি info)Provide WPVulnDB API token (more info)	--api-token YOUR_TOKEN
--detection-mode	Detection mode: passive/aggressive/mixedSet detection mode: passive/aggressive/mixed	--detection-mode aggressive
--throttle ms	Request-এর মধ্যে millisecond delayMillisecond delay between requests	--throttle 200
-o file	Output save করোSave output to file	-o wp_scan.txt
--format json	JSON format-এ outputOutput in JSON format	--format json -o output.json
--proxy	Proxy দিয়ে scan করোScan through proxy	--proxy http://127.0.0.1:8080
--update	WPScan database update করোUpdate WPScan database	wpscan --update

# Basic scan root@kali:~# wpscan --url http://wp-target.com # User, Plugin, Theme সব enumerate করো root@kali:~# wpscan --url http://wp-target.com --enumerate u,vp,vt,cb # User enumerate করে brute force করো root@kali:~# wpscan --url http://wp-target.com --enumerate u -P /usr/share/wordlists/rockyou.txt # Aggressive mode — সব plugin check করো root@kali:~# wpscan --url http://wp-target.com --enumerate ap --detection-mode aggressive # API token সহ full scan root@kali:~# wpscan --url http://wp-target.com --enumerate u,ap,at,cb,dbe --api-token YOUR_TOKEN -o wp_full.json --format json # নির্দিষ্ট user-এ brute force root@kali:~# wpscan --url http://wp-target.com -U admin -P /usr/share/wordlists/rockyou.txt --throttle 200

CHAPTER 07

🌀 Wfuzz — Web Application FuzzerWeb Application Fuzzer

URL, parameter, header, cookie — যেকোনো জায়গায় payload inject করো ও response analyze করোInject payloads anywhere — URL, parameters, headers, cookies — and analyze responses

🌀

wfuzz

Flexible web fuzzer — FUZZ keyword দিয়ে যেকোনো জায়গায় payload দাও, filter করে interesting response বের করোFlexible web fuzzer — place FUZZ keyword anywhere and filter to find interesting responses

Fuzzing Web Testing Brute Force

💡 FUZZ keyword

Wfuzz-এ FUZZ লিখলে সেখানে wordlist-এর প্রতিটি word replace হয়। একাধিক FUZZ position-এ FUZZ, FUZ2Z, FUZ3Z ব্যবহার করো। In Wfuzz, wherever you write FUZZ, each word from the wordlist gets substituted. For multiple positions use FUZZ, FUZ2Z, FUZ3Z.

🎯 Basic FuzzingBasic Fuzzing

Flag	কাজFunction	উদাহরণExample
-w wordlist	Wordlist file দাওProvide wordlist file	-w /usr/share/wordlists/dirb/common.txt
-u URL/FUZZ	FUZZ position সহ URL দাওProvide URL with FUZZ position	-u http://target.com/FUZZ
-z payload	Payload type specify করো (file, list, range, alphanum)Specify payload type	-z file,wordlist.txt
-d "data"	POST data দাও FUZZ সহProvide POST data with FUZZ	-d "user=FUZZ&pass=test"
-b cookie	Cookie সেট করোSet cookie	-b "session=abc"
-H header	Custom header সেট করোSet custom header	-H "Host: FUZZ.target.com"
-X method	HTTP method সেট করোSet HTTP method	-X POST
-t threads	Concurrent threadsNumber of concurrent threads	-t 40
-s secs	Request-এর মধ্যে delayDelay between requests	-s 0.5
-p proxy	Proxy দিয়ে route করোRoute through proxy	-p 127.0.0.1:8080
-o file	Output save করোSave output to file	-o results.html
-f file,html	Format সহ output save করোSave output with format	-f output.html,html

🔎 Filter Options — Response Filter করাFilter Options — Filtering Responses

Flag	কাজFunction	উদাহরণExample
--hc codes	নির্দিষ্ট HTTP code hide করো (hide code)Hide specific HTTP codes	--hc 404,403
--sc codes	শুধু নির্দিষ্ট HTTP code দেখাও (show code)Show only specific HTTP codes	--sc 200,301
--hl lines	নির্দিষ্ট line count-এর response hide করোHide responses with specific line count	--hl 9
--sl lines	নির্দিষ্ট line count-এর response দেখাওShow responses with specific line count	--sl 50
--hw words	নির্দিষ্ট word count-এর response hide করোHide responses with specific word count	--hw 240
--sw words	নির্দিষ্ট word count-এর response দেখাওShow responses with specific word count	--sw 100
--hs string	নির্দিষ্ট string আছে এমন response hide করোHide responses containing specific string	--hs "Not Found"
--ss string	নির্দিষ্ট string আছে এমন response দেখাওShow responses containing specific string	--ss "Welcome"

# Directory brute force root@kali:~# wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ # GET parameter fuzzing root@kali:~# wfuzz -c -w params.txt --hc 404 "http://target.com/page?FUZZ=value" # POST login brute force (username fixed, password fuzz) root@kali:~# wfuzz -c -w /usr/share/wordlists/rockyou.txt --hc 302 -d "user=admin&pass=FUZZ" http://target.com/login # VHost fuzzing (subdomain discovery) root@kali:~# wfuzz -c -w subdomains.txt --sc 200 -H "Host: FUZZ.target.com" http://target.com # Cookie-based auth scan root@kali:~# wfuzz -c -w wordlist.txt --hc 404 -b "session=FUZZ" http://target.com/profile # Multiple FUZZ (username:password combination) root@kali:~# wfuzz -c -z file,users.txt -z file,passwords.txt --hc 302 -d "user=FUZZ&pass=FUZ2Z" http://target.com/login # File extension fuzzing root@kali:~# wfuzz -c -w extensions.txt --sc 200 "http://target.com/config.FUZZ"

CHAPTER 08

📡 Curl & Wget — HTTP Request ManipulationHTTP Request Manipulation

Manual HTTP request পাঠানো, header manipulation, cookie, auth — command line থেকে পুরো controlSend manual HTTP requests, manipulate headers, cookies, auth — full control from command line

📡

curl

Client URL — HTTP/HTTPS/FTP সহ ২৫+ protocol support করে। Web security testing-এর জন্য অপরিহার্যClient URL — supports 25+ protocols including HTTP/HTTPS/FTP. Indispensable for web security testing

HTTP Client API Testing

🌐 Curl — Basic UsageCurl — Basic Usage

Flag	কাজFunction	উদাহরণExample
curl URL	Basic GET request পাঠাওSend basic GET request	curl http://target.com
-I / --head	শুধু HTTP header দেখাও (response body ছাড়া)Show only HTTP headers (no body)	curl -I http://target.com
-v	Verbose — request ও response সব দেখাওVerbose — show all request and response details	curl -v http://target.com
-o file	Response file-এ save করোSave response to file	curl -o page.html http://target.com
-O	Remote filename দিয়ে save করোSave with remote filename	curl -O http://target.com/file.zip
-L	Redirect follow করোFollow redirects	curl -L http://target.com
-k / --insecure	SSL certificate check skip করোSkip SSL certificate verification	curl -k https://target.com
-s	Silent mode — progress bar দেখাবে নাSilent mode — no progress bar	curl -s http://target.com

🔧 Request ManipulationRequest Manipulation

Flag	কাজFunction	উদাহরণExample
-X METHOD	HTTP method specify করোSpecify HTTP method	curl -X POST http://target.com/api
-X DELETE	DELETE request পাঠাওSend DELETE request	curl -X DELETE http://api/resource/1
-X PUT	PUT request পাঠাওSend PUT request	curl -X PUT -d '{"k":"v"}' http://api/
-d "data"	POST data পাঠাওSend POST data	curl -d "user=admin&pass=1234" http://target.com/login
-d @file	File থেকে POST data পাঠাওSend POST data from file	curl -d @payload.txt http://target.com
-H "Header: Value"	Custom header যোগ করোAdd custom header	curl -H "X-Admin: true" http://target.com
-H "Content-Type: application/json"	JSON content type set করোSet JSON content type	curl -H "Content-Type: application/json" -d '{"id":1}' url
-H "Authorization: Bearer TOKEN"	Bearer token authenticationBearer token authentication	curl -H "Authorization: Bearer eyJ..." url
-u user:pass	Basic HTTP AuthenticationBasic HTTP Authentication	curl -u admin:password http://target.com
-b "cookie=value"	Cookie পাঠাওSend cookie	curl -b "PHPSESSID=abc123" http://target.com
-c cookie.txt	Response cookie file-এ save করোSave response cookies to file	curl -c cookies.txt http://target.com/login
-b cookie.txt	File থেকে cookie পাঠাওSend cookies from file	curl -b cookies.txt http://target.com
-A "agent"	Custom User-Agent সেট করোSet custom User-Agent	curl -A "Mozilla/5.0" http://target.com
-e "referer"	Referer header সেট করোSet Referer header	curl -e "http://google.com" http://target.com
-x proxy	Proxy দিয়ে request করোSend request through proxy	curl -x http://127.0.0.1:8080 http://target.com
--data-urlencode	URL encode করে data পাঠাওURL-encode data before sending	curl --data-urlencode "q=hello world" url
-F "file=@path"	File upload করো (multipart/form-data)Upload file (multipart/form-data)	curl -F "upload=@shell.php" http://target.com/upload
--max-time sec	Maximum request time সেট করোSet maximum request time	curl --max-time 10 http://target.com

# Server header information দেখো root@kali:~# curl -I http://target.com # POST login request পাঠাও root@kali:~# curl -X POST -d "username=admin&password=test" -v http://target.com/login # JSON API request root@kali:~# curl -X POST -H "Content-Type: application/json" -d '{"username":"admin","password":"pass"}' http://target.com/api/login # Session cookie save করো তারপর ব্যবহার করো root@kali:~# curl -c cookies.txt -d "user=admin&pass=123" http://target.com/login root@kali:~# curl -b cookies.txt http://target.com/admin # File upload test করো (webshell) root@kali:~# curl -F "file=@shell.php" -b "session=abc" http://target.com/upload.php -v # Burp proxy দিয়ে route করো root@kali:~# curl -x http://127.0.0.1:8080 -k -v http://target.com/api/users # Authorization header bypass test করো root@kali:~# curl -H "X-Forwarded-For: 127.0.0.1" -H "X-Real-IP: 127.0.0.1" http://target.com/admin

📥 Wget — File Download ও MirroringFile Download & Mirroring

Flag	কাজFunction	উদাহরণExample
wget URL	File download করোDownload file	wget http://target.com/file.zip
-O file	নির্দিষ্ট নামে save করোSave with specific filename	wget -O output.zip http://target.com/a.zip
-q	Quiet mode — output দেখাবে নাQuiet mode — no output	wget -q http://target.com/file
-r	Recursive download করোRecursive download	wget -r http://target.com
--mirror	পুরো website mirror করোMirror entire website	wget --mirror http://target.com
--no-check-certificate	SSL check skip করোSkip SSL check	wget --no-check-certificate https://target.com
--header "H: V"	Custom header যোগ করোAdd custom header	wget --header "Cookie: session=abc" url
--post-data "d"	POST data পাঠাওSend POST data	wget --post-data "user=a&pass=b" url
--user-agent "UA"	Custom User-Agent সেট করোSet custom User-Agent	wget --user-agent "Googlebot" url
-c	Incomplete download continue করোContinue incomplete download	wget -c http://target.com/bigfile.iso
-i urls.txt	File থেকে multiple URL download করোDownload multiple URLs from file	wget -i urls.txt
--spider	File download না করে check শুধু করোCheck URLs without downloading	wget --spider http://target.com

🌐 Web Hacking Workflow — সঠিক পদ্ধতিWeb Hacking Workflow — Correct Approach

1️⃣ Recon: Nikto দিয়ে server scan, Gobuster দিয়ে hidden directory খোঁজোRecon: Scan server with Nikto, find hidden dirs with Gobuster
2️⃣ Proxy: Burp Suite চালু করে সব traffic intercept করোProxy: Start Burp Suite and intercept all traffic
3️⃣ Manual Test: Burp Repeater দিয়ে manually request modify করোManual Test: Modify requests manually with Burp Repeater
4️⃣ SQLi: Parameter-এ SQLmap চালাও (Burp request file দিয়ে)SQLi: Run SQLmap on parameters (using Burp request file)
5️⃣ Brute Force: Login-এ Burp Intruder বা Wfuzz ব্যবহার করোBrute Force: Use Burp Intruder or Wfuzz on login
6️⃣ WordPress: WPScan দিয়ে plugin vulnerability ও user খোঁজোWordPress: Use WPScan to find plugin vulns and users

🌐 "The web is the largest attack surface — know your tools well."

সব কিছু authorized environment-এ practice করো। অন্যের web application-এ permission ছাড়া কোনো কিছু করা illegal। Practice everything in authorized environments only. Testing web applications without permission is illegal.

Kali Linux Series — Part 2 | v1.0 | Web Hacking Tools

Part 3: Exploitation Tools (Metasploit, Searchsploit, msfvenom) →

Kali Linux — Part 2

Web Hacking Tools — সম্পূর্ণ বাংলা গাইড Web Hacking Tools — Complete Guide