CEH v12 System Hacking and Web Application Attacks
AI-Generated Content
To earn your Certified Ethical Hacker (CEH) v12 certification, you must master the attacker’s mindset, moving from initial access to total control. This knowledge isn't just for passing an exam; it’s the foundational skill set for identifying and remediating critical vulnerabilities that malicious hackers exploit daily. System hacking and web application attacks represent two of the most consequential domains, covering the full attack lifecycle from breaching a perimeter to compromising data and infrastructure.
System Hacking: The Attack Lifecycle
System hacking follows a logical sequence, often called the cyber kill chain. It begins with gaining a foothold, typically through stolen credentials. Password cracking is the process of recovering passwords from data stored or transmitted by a system. For the CEH exam, you must understand the primary methods: dictionary attacks (using wordlists), brute-force attacks (trying all combinations), and hybrid attacks (adding numbers/symbols to dictionary words). Tools like John the Ripper and Hashcat are used offline against captured password hashes, such as NTLM or SHA-512. Rainbow tables, which are precomputed tables for reversing cryptographic hash functions, represent a time-memory trade-off attack. Your countermeasure focus should be on enforcing strong, complex passwords, implementing account lockout policies, and using robust hashing algorithms with salts.
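The contrast between a fast, unsalted hash and a salted, deliberately slow one is easier to see in code. The following is an added example, not part of the CEH material: the wordlist, the tiny precomputed table and the storage format are constructed for the demonstration, and only the Python standard library is used.

```python
# Added example: why salted, slow hashing defeats precomputed-table lookups and
# cheap offline guessing. Uses only the standard library.
import hashlib
import hmac
import os

# Constructed sample: a miniature "rainbow table" equivalent, i.e. precomputed
# unsalted SHA-512 digests for a short wordlist (a real table is far larger).
WORDLIST = ["password", "letmein", "Summer2023", "admin123"]
PRECOMPUTED = {hashlib.sha512(w.encode()).hexdigest(): w for w in WORDLIST}


def unsalted_sha512(password: str) -> str:
    """The weak scheme: one deterministic, fast hash per password."""
    return hashlib.sha512(password.encode()).hexdigest()


def lookup_precomputed(digest: str):
    """Reverse an unsalted digest by table lookup; None if it is not in the table."""
    return PRECOMPUTED.get(digest)


def hash_password(password: str, iterations: int = 200_000) -> str:
    """The stronger scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored record format (constructed): 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Unsalted: the digest of a dictionary word is reversed instantly by lookup.
    print(lookup_precomputed(unsalted_sha512("letmein")))
    # Salted: two users with the same password get different records, so no
    # precomputed table applies and every guess costs a full KDF run.
    a, b = hash_password("letmein"), hash_password("letmein")
    print(a != b, verify_password("letmein", a), verify_password("wrong", a))
```

The iteration count is what turns a brute-force or hybrid attack from millions of guesses per second into a few hundred; the salt is what makes a precomputed table useless, because the table would have to be rebuilt per user.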
Once you have a user-level account, the next objective is privilege escalation. This involves exploiting a vulnerability to gain higher-level privileges, such as administrator or SYSTEM access. There are two main types: vertical (moving from a low-privilege to a high-privilege account) and horizontal (moving to a similarly privileged account). Techniques include exploiting unpatched kernel vulnerabilities, misconfigured service permissions (e.g., writable service binaries), or leveraging token impersonation. In exam scenarios, you'll often need to identify which system misconfiguration (like weak folder permissions or a missing patch) enabled the escalation.
The final phase of this cycle is maintaining access and covering tracks. After achieving administrator rights, an attacker will install backdoors, rootkits, and trojans to ensure persistent access even if the initial vulnerability is patched. A rootkit is particularly dangerous as it modifies system kernels or drivers to hide its presence. Attackers also engage in clearing logs and using data hiding techniques (steganography, alternate data streams) to evade detection. Defensive strategies hinge on integrity monitoring (e.g., file checksumming), host-based intrusion detection systems (HIDS), and diligent log management and analysis from a centralized SIEM.
Web Application Attack Vectors
Web applications are a primary target due to their direct internet exposure and frequent business logic flaws. The Open Web Application Security Project (OWASP) Top 10 lists the critical vulnerabilities you must know.
SQL Injection (SQLi) remains a top threat. It occurs when an attacker injects malicious SQL code into an application's input fields, manipulating backend databases. You'll encounter in-band (using the same channel, like union-based or error-based), blind (inferring results from behavior), and out-of-band (using a different protocol) SQLi. The impact is severe, ranging from data theft and modification to full system compromise via database functions. Countermeasures are non-negotiable: use parameterized queries (prepared statements) and stored procedures, never concatenate user input into queries, and employ robust input validation.
Cross-Site Scripting (XSS) allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types: Reflected XSS (the malicious script is reflected off a web server, often in an error message or search result), Stored XSS (the script is permanently stored on the target server, like in a forum post), and DOM-based XSS (the vulnerability exists in client-side code rather than server-side code). The danger lies in session hijacking, defacement, or redirecting users to malicious sites. Prevention requires output encoding and context-aware escaping of user-supplied data, as well as implementing a Content Security Policy (CSP) header.
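"Context-aware escaping" means the encoding depends on where the data lands in the page. The following added example (not from the CEH material) renders a constructed forum post, the Stored XSS scenario, in HTML body, attribute and JavaScript contexts, and builds the CSP header that limits the damage if an encoding step is ever missed. The helper names and the nonce value are assumptions for the demonstration.

```python
# Added example: output encoding per context plus a nonce-based CSP.
import html
import json

# Constructed sample: a post body containing script markup.
UNTRUSTED = "<script>alert(document.cookie)</script>"


def render_post_vulnerable(body: str) -> str:
    """Interpolates user data straight into HTML: the script element survives."""
    return f"<div class='post'>{body}</div>"


def render_post_safe(body: str) -> str:
    """HTML body context: encode & < > \" ' so the browser shows text, not markup."""
    return f"<div class='post'>{html.escape(body, quote=True)}</div>"


def render_attribute_safe(value: str) -> str:
    """Attribute context: always quote the attribute and encode quotes inside it,
    so the value cannot break out and add an event-handler attribute."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_js_safe(value: str) -> str:
    """JavaScript string context: JSON-encode, then replace '<' so a literal
    '</script>' inside the data cannot close the surrounding script element."""
    return json.dumps(value).replace("<", "\\u003c")


def csp_header(nonce: str) -> str:
    """Only scripts carrying this per-response nonce may run; an injected inline
    <script> has no nonce and is blocked even if encoding was missed."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


def contains_script_tag(rendered: str) -> bool:
    """Crude illustration check: is there a raw <script tag in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_post_vulnerable(UNTRUSTED))
    print(render_post_safe(UNTRUSTED))
    print(render_attribute_safe('" onmouseover="alert(1)'))
    print(render_js_safe("</script>"))
    print(csp_header("r4nd0mNonce"))   # nonce is a constructed placeholder
```

DOM-based XSS is not fixed by any of the server-side encoders above; it requires the client-side code to use safe sinks (textContent rather than innerHTML, for instance), which is why the three types are examined separately.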
Two other critical session-based attacks are Cross-Site Request Forgery (CSRF) and Session Hijacking. CSRF tricks a victim’s browser into executing an unwanted action on a trusted site where they are authenticated. For example, a malicious link could change a user's password without their knowledge if they are logged into the target site. Mitigation involves using anti-CSRF tokens that are validated by the server with each state-changing request. Session Hijacking, on the other hand, involves stealing or predicting a valid session token (like a cookie) to impersonate a user. This can be done through packet sniffing, session fixation (forcing a user to use a known session ID), or XSS. Defenses include using secure, HttpOnly cookies, regenerating session IDs after login, and enforcing HTTPS.
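The three defenses listed above (anti-CSRF tokens, session-ID regeneration at login, and Secure/HttpOnly cookies) fit in one small in-memory session layer. This is an added example, not code from the CEH material or any framework; the class, its method names and the cookie name are assumptions chosen for the demonstration.

```python
# Added example: CSRF token validation, session rotation at login (defeats
# session fixation) and hardened cookie attributes.
import hmac
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session_id -> {"user": ..., "csrf": ...}

    def create(self) -> str:
        """Anonymous session: 128-bit random ID and its own CSRF token."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate and REPLACE the session ID. Whoever planted `sid` in the
        victim's browser beforehand (session fixation) never learns the new ID."""
        old = self._sessions.pop(sid, None)
        if old is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(16)
        self._sessions[new_sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return new_sid

    def csrf_token(self, sid: str) -> str:
        """Token the server embeds as a hidden form field for this session."""
        return self._sessions[sid]["csrf"]

    def change_password(self, sid: str, submitted_token: str) -> bool:
        """State-changing request: rejected unless the submitted token matches the
        session's token. A cross-site form makes the browser attach the cookie,
        but cannot read the token to include it, so the request fails."""
        sess = self._sessions.get(sid)
        if sess is None or sess["user"] is None:
            return False
        if not hmac.compare_digest(sess["csrf"], submitted_token or ""):
            return False
        return True   # the real handler would update the password here

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions


def set_cookie_header(sid: str) -> str:
    """Cookie attributes: HTTPS only, unreadable by script, not sent cross-site."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo() -> dict:
    """Constructed walk-through of a fixation attempt and a CSRF attempt."""
    store = SessionStore()
    planted = store.create()                       # an ID known to a third party
    sid = store.login(planted, "alice")            # rotated at login
    forged = store.change_password(sid, "")        # cookie present, token absent
    legit = store.change_password(sid, store.csrf_token(sid))
    return {"planted_id_dead": not store.is_valid(planted),
            "rotated": sid != planted, "forged": forged, "legit": legit}


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header("example-session-id"))
```

HttpOnly is what stops the XSS path to session hijacking (script cannot read the cookie), Secure is what stops the sniffing path (the cookie is never sent in clear text), and SameSite adds a browser-enforced layer on top of the token check.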
Infrastructure and Server-Side Exploits
Attacks often target the underlying web server and its configuration. Web server vulnerabilities like unpatched software (e.g., Apache, IIS, Nginx), default installations, and unnecessary enabled services or features (like verbose error reporting) provide easy entry points. A directory traversal attack (or path traversal) exploits insufficient security validation to access files and directories stored outside the web root folder. An attacker might manipulate input with sequences like ../../../etc/passwd to read sensitive system files.
Closely related are file inclusion attacks, which are divided into Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI tricks the application into including files already present on the server, leading to sensitive data disclosure or code execution if log files can be injected. RFI is more severe; it forces the application to include a malicious file from a remote server (e.g., http://attacker.com/shell.txt), often leading directly to remote code execution. Prevention requires whitelisting allowed files, disabling remote file includes if not needed, and implementing strict input validation.
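The two server-side defenses described in the traversal and file-inclusion paragraphs are shown together in this added example (not from the CEH material): a resolver that confines a user-supplied path to the web root, and an allow-list lookup for includable templates that rejects both local paths and remote URLs. The function names, the allow-list contents and the temporary web root are constructed for the demonstration.

```python
# Added example: path confinement against directory traversal, and an allow-list
# against LFI/RFI.
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def safe_resolve(web_root: str, user_path: str) -> Optional[str]:
    """Return the absolute path inside web_root, or None if the request escapes it.
    The input is URL-decoded (twice, to cover double encoding) so that
    %2e%2e%2f is handled the same as ../ before the path is normalized."""
    decoded = unquote(unquote(user_path))
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


# Constructed allow-list: the only template names a page parameter may select.
ALLOWED_INCLUDES = {"header", "footer", "sidebar"}


def include_template(name: str) -> Optional[str]:
    """Map a page parameter to a file via the allow-list. Anything else, whether
    ../ sequences, absolute paths or http:// URLs, is rejected outright, which
    is what 'disable remote includes' and 'whitelist allowed files' mean."""
    if name in ALLOWED_INCLUDES:
        return f"templates/{name}.inc"
    return None


def demo() -> dict:
    """Constructed requests against a temporary web root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        return {
            "normal": safe_resolve(root, "images/logo.png") is not None,
            "traversal": safe_resolve(root, "../../../etc/passwd"),
            "encoded": safe_resolve(root, "%2e%2e%2f%2e%2e%2fetc/passwd"),
            "rfi": include_template("http://EXAMPLE-HOST.invalid/shell.txt"),
            "lfi": include_template("../../var/log/access.log"),
            "ok_include": include_template("header"),
        }


if __name__ == "__main__":
    print(demo())
```

Note that the check compares resolved, symlink-free paths (realpath) rather than looking for the literal string "..": a stripped-out ".." or an encoded variant that survives naive filtering still ends up outside the root after normalization and is caught there.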
Wireless, Mobile, and IoT Threat Landscapes
The attack surface extends far beyond traditional servers. Wireless hacking focuses on exploiting weaknesses in Wi-Fi protocols. You must understand attacks against WEP (utterly broken), WPA/WPA2 (vulnerable to KRACK attacks on the handshake and brute-force attacks on weak pre-shared keys), and the improvements in WPA3. Tools like Aircrack-ng are used for capturing handshakes and running cracking sessions. Rogue access points and evil twin attacks are also common social-engineering vectors.
Mobile platform attacks target iOS and Android through malicious apps, insecure data storage, improper session handling, and vulnerable inter-process communication. Jailbroken or rooted devices are particularly at risk. IoT security threats are rampant due to default passwords, insecure network services, lack of update mechanisms, and vulnerable hardware interfaces. These devices often become entry points to a network or are enslaved into botnets like Mirai. For all these domains, the countermeasure philosophy is consistent: change defaults, segment networks, apply patches, and conduct regular penetration testing.
Common Pitfalls
- Misconfigurations as the Primary Vector: Many candidates focus solely on fancy zero-day exploits. In reality, and on the exam, most successful attacks stem from basic misconfigurations—default credentials, unused open ports, verbose errors, and improper file permissions. Always check the simplest explanation first.
- Over-Reliance on a Single Defense: Thinking that a firewall alone makes you secure is a critical error. Defense must be layered (defense in depth). For example, a web application needs input validation, parameterized queries, a WAF, and network-level controls working in concert.
- Ignoring the Human Element: Technical controls can be bypassed through social engineering. Phishing is the most common initial access vector. Your security assessment is incomplete if it doesn’t include social engineering tests and user awareness training as a core countermeasure.
- Failing to Practice Identification: On the exam, you may be given logs, code snippets, or attack descriptions and asked to identify the attack. Confusing similar-sounding attacks (e.g., CSRF vs. XSS) is a common trap. Remember: XSS executes script in the user's browser, while CSRF causes the user's browser to make an unintended request to a target site.
Summary
- System hacking follows a phased model: crack passwords for access, escalate privileges for control, and install persistent backdoors while covering your tracks.
- Web application security hinges on defending against OWASP Top 10 threats, primarily SQL Injection (prevented with parameterized queries), Cross-Site Scripting (prevented with output encoding), and session attacks like CSRF and hijacking.
- Server-side attacks like directory traversal and file inclusion exploit poor input validation to read files or execute code on the underlying server.
- The attack surface includes wireless networks (exploiting weak encryption), mobile devices (via malicious apps/data storage), and IoT (via default settings), requiring tailored security controls for each.
- Effective defense is proactive and layered, combining technical hardening, continuous patching, secure coding practices, and user education to mitigate risks across all vectors.