312-50v13 Certified Ethical Hacker Exam (CEHv13) Questions and Answers

Passive reconnaissance is emphasized throughout CEH as an essential method for gathering intelligence without alerting monitoring systems. When the tester cannot interact with the live site, they must rely entirely on third-party archives or cached content stored by search engines or internet archival services. Google’s cache function provides previously stored versions of web pages exactly for this purpose. CEH explains that attackers frequently use cached content to retrieve outdated login portals, administrative pages, exposed directories, or other sensitive elements that may no longer appear on the live web server. Unlike operators such as intext or intitle, which query live indexed metadata, the cache operator retrieves historical snapshots without accessing the target website. The link operator identifies backlinks but does not provide historical page content. Only the cache operator directly supports viewing previous versions of pages passively, aligning perfectly with the requirement to avoid detection while gathering intelligence on legacy web content.

The finding most directly demonstrates insecure data transfer and storage. The scenario includes two explicit problems: (1) sensitive business records are transmitted “across the network without encryption,” and (2) the same records are “stored in a retrievable format” in the cloud platform. Those two conditions map exactly to data-in-transit and data-at-rest weaknesses. When IoT devices transmit sensitive data without encryption (e.g., plain HTTP, unprotected MQTT, insecure proprietary protocols), attackers who gain network visibility can intercept, read, and potentially modify that data. Similarly, when cloud-stored data is kept in an easily retrievable or improperly protected form (e.g., weak access controls, lack of encryption at rest, overly permissive storage buckets, exposed APIs), attackers can access business records long after transmission.

In IoT ecosystems, data typically flows from sensors to gateways, then to cloud dashboards and analytics services. If encryption and strong access control are not consistently applied across these hops, confidentiality and integrity are at risk. This can lead to competitive harm (exposed inventory/business records), privacy impact (if customer data is included), and operational disruption (tampered records leading to wrong decisions). The scenario is not about the IoT device exposing services like Telnet/FTP (network services), nor about default passwords; it is specifically about how data is transported and stored.

Why the other options are less accurate:

Insecure ecosystem interfaces (A) focuses on APIs, web/mobile apps, and cloud interfaces; while cloud storage access might involve interfaces, the core weakness described is lack of encryption and retrievable storage, which is more directly the data transfer/storage category.

Insecure network services (C) refers to exposed services/ports on IoT devices, not data confidentiality across the pipeline.

Insecure default settings (D) relates to factory defaults (passwords, open ports, insecure configs), not specifically unencrypted transport and weak storage protection.

Therefore, the correct answer is B. Insecure data transfer and storage.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization ' s infrastructure.

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

CEH v13 identifies spear-phishing as one of the most effective and targeted social engineering methods. It involves crafting highly personalized messages that reference real events, internal processes, or upcoming activities to build credibility and reduce suspicion. In this scenario, referencing board meetings—an event executive assistants frequently handle—creates a believable and urgent context for the request. CEH emphasizes that personalization significantly increases success rates because recipients perceive the sender as someone with legitimate access to internal information. A phone call impersonating IT support (Option B) is less convincing for retrieving agenda access-specific credentials. Mass phishing (Option C) lacks personalization and is easily flagged. LinkedIn social engineering (Option D) is long-term and less effective for obtaining immediate credentials. Therefore, a tailored spear-phishing email is the most effective approach.

CEH identifies spear-phishing as a targeted, context-rich social engineering method tailored to specific individuals or departments. By incorporating accurate insider details, attackers significantly increase trust and likelihood of disclosure.

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

CEH v13 defines passive reconnaissance as information gathering without interacting directly with the target or alerting them. The goal is to remain undetected while collecting intelligence from publicly available sources.

Directly interacting with a threat actor on forums—even under a pseudonym—constitutes active engagement. CEH v13 warns that such interaction risks exposure, attribution, and legal complications. It can alert the adversary, cause them to alter behavior, or even retaliate.

WHOIS lookups, DNS queries, archived web content, and anonymous browsing are all passive techniques endorsed in CEH v13. These methods do not notify the target and leave minimal trace.

Thus, Option A should be avoided to maintain a low profile.

The CEH Web Application Security module explains that race conditions occur when systems improperly handle simultaneous requests, leading to unexpected behavior. In token-based authentication systems, poor synchronization between token expiration checks and validation logic can allow attackers to exploit timing gaps.

The observed pattern—failed attempts with expired tokens followed by successful access—suggests the attacker exploited a race condition where the application inconsistently validated token state.

Option C is correct.

Option A would not involve expired tokens.

Option B is highly impractical given secure token entropy.

Option D typically succeeds without repeated failures.

CEH highlights race conditions as subtle but dangerous logic flaws.

The attack described is spear phishing because it is a targeted phishing attempt crafted for a specific individual using personal and organizational context. In CEH social engineering coverage, spear phishing differs from generic phishing by its customization: the attacker addresses the victim by name, references the victim’s job function, and tailors the message to create credibility and urgency. Here, the email is addressed specifically to Clara and mentions her role in the accounts team, which increases the likelihood she will trust the message and comply.

The message uses classic phishing psychological triggers emphasized in CEH materials: urgency and fear. By claiming a “critical system vulnerability” and threatening account suspension, the attacker pressures Clara to act quickly and ignore verification steps. The inclusion of a link to a login page that “resembles the company’s internal portal” indicates credential harvesting, where the attacker’s goal is to capture usernames and passwords or other authentication tokens. The subtle misspelling in the sender’s domain is a common indicator of lookalike or typosquatting domains used to mimic legitimate corporate email addresses and bypass casual inspection.

The other options do not match as well. Impersonation is a broader category, but spear phishing is the specific technique using an email lure with personalization. Quid pro quo involves offering a benefit or service in exchange for information, which is not present. Vishing is voice-based phishing via phone calls, not email. Recommended defenses in CEH guidance include verifying sender domains, using out-of-band confirmation with IT, enabling email security controls like SPF, DKIM, and DMARC, and enforcing phishing awareness training and MFA to reduce credential theft impact.

The correct answer is D. Expansion because the scenario emphasizes that, after the initial foothold, the attacker harvests credentials and moves laterally to compromise additional systems—routers, printers, and file servers—thereby broadening control across the internal environment. In CEH-aligned APT lifecycle descriptions, this stage is commonly associated with internal reconnaissance, privilege/credential access, lateral movement, and widening the foothold to increase resilience and reach. The attacker is no longer limited to the original compromised endpoint; instead, they are deliberately spreading to other networked assets to build operational advantage.

The sequence in the prompt is important. Initial Intrusion (A) already occurred via spear-phishing delivering the first payload to the manager’s laptop. The question asks what phase is being simulated at this point, after access is gained and the attacker is actively moving through the network. Persistence (B) refers to establishing mechanisms to maintain access (e.g., backdoors, scheduled tasks, services, persistence in credentials/accounts) so the attacker can survive reboots, password changes, or cleanup attempts. While an attacker might establish persistence during expansion, the defining action here is lateral movement and compromise of multiple internal systems, which is more directly expansion than persistence.

Search & Exfiltration (C) would involve identifying and collecting target data (in this case, sensitive research data) and transferring it out of the environment. The prompt explicitly states Alex has not yet targeted sensitive research data, which rules out the search/exfiltration phase as the primary activity being simulated right now.

Therefore, the phase of the APT lifecycle best matching credential harvesting followed by lateral movement and compromise of multiple internal devices/servers to build a broader foothold is Expansion.

CEH v13 explains that ARP poisoning (also known as ARP spoofing) occurs when an attacker sends forged ARP replies across the network to associate their MAC address with multiple IP addresses, tricking hosts into sending traffic through the attacker’s machine. This results in routing inconsistencies, intermittent connectivity, failed logins, and degraded intranet performance—exactly the symptoms described. ARP poisoning typically involves unsolicited ARP replies, which overwrite legitimate ARP cache entries. CEH emphasizes that ARP-based attacks are common on LANs because ARP lacks authentication, allowing attackers to impersonate gateways or key hosts. DHCP snooping misconfigurations (Option B) affect IP allocation, not ARP mappings. Legitimate ARP refreshes (Option C) are request-based and do not involve flooding unsolicited replies. Port security restrictions (Option D) block MAC anomalies, not create them. Therefore, ARP poisoning is the correct root cause.

The scenario emphasizes that Daniel “begins capturing and reviewing live network traffic” to identify unauthorized session behaviors. In CEH-aligned network analysis practice, the most direct method to confirm session hijacking when you already have a packet capture is manual packet analysis using packet sniffing tools. By inspecting live traffic, Daniel can correlate sessions, verify whether multiple sources are reusing the same session identifiers, identify abnormal TCP sequence and acknowledgment behavior, and detect patterns such as duplicated cookies/tokens, replayed requests, inconsistent client IP or user-agent shifts, or sudden session reuse across hosts. This approach provides evidentiary detail beyond an alert and allows validation before escalation.

An IDS can be helpful, but it is a detection system that generates alerts based on signatures or anomalies; it does not inherently “confirm” the issue unless it provides clear supporting evidence, and the question specifically frames Daniel’s action as hands-on traffic review. Checking for predictable session tokens is a preventive and diagnostic step for weak session management design, but it does not directly confirm an in-progress hijacking event from observed network behavior. Monitoring for ACK storms can indicate certain TCP-level hijacking/desynchronization conditions, but it is narrower and may not apply to application-layer session hijacking, which is far more common in enterprise environments and would be validated by inspecting session identifiers and request flows in the capture.

Therefore, given the described workflow and the need to confirm unauthorized session activity from live traffic, CEH methodology aligns best with manual packet analysis using sniffing tools.

CEH v13 explains that SQL injection typically occurs when user inputs are concatenated into SQL queries without proper validation or parameterization. The login form is one of the most common injection targets, and testers use specific test payloads designed to manipulate the authentication query. A classic test string such as ' OR ' 1 ' = ' 1 exploits conditional logic to force the SQL statement to evaluate as true, effectively bypassing authentication if the application is vulnerable. CEH notes that this technique is a standard initial test because it is low-risk, easily detectable if vulnerable, and directly confirms improper sanitization. JavaScript injection (Option A) tests for XSS, not SQLi. Directory traversal (Option C) targets file path vulnerabilities rather than SQL queries. Brute-force attacks (Option D) rely on guessing credentials and do not test input sanitization. Therefore, using a logical SQL injection payload is the most appropriate and CEH-aligned method.

CEH teaches that unrestricted file upload vulnerabilities are among the most dangerous in web applications because they allow attackers to bypass extension checks and upload malicious executable files. When the server fails to validate MIME types, file extensions, or execution permissions, an attacker can upload a web shell disguised as a harmless file, such as “image.php.jpg,” which may pass superficial validation and still be executed by the server’s interpreter. Once executed, the shell provides the attacker with command execution capabilities, allowing full control over the system. CEH emphasizes that web shells can enable privilege escalation, database compromise, lateral movement, or full server takeover. Unlike SQL injection or XSS, file upload exploitation directly affects server-side execution, making it significantly more severe. Unrestricted upload flaws are commonly tested in CEH labs with tools like Burp Suite to alter content-type headers or bypass client-side filters. This is a high-impact vulnerability requiring strict validation and sandboxing controls.

Once initial access is obtained—especially through weak or default credentials—the CEH system hacking methodology directs the tester to proceed to privilege escalation. The objective is to elevate user-level access to administrative or system-level privileges so the attacker can perform unrestricted actions such as installing tools, modifying configurations, accessing protected files, and pivoting laterally. CEH materials emphasize using privilege escalation vulnerabilities, such as misconfigured services, kernel exploits, unpatched local privilege escalation flaws, weak file permissions, and token impersonation. A denial-of-service attack is counterproductive and does not support post-exploitation goals. XSS is a web application attack vector and unrelated to operating system privilege manipulation. Brute-forcing the root password is noisy, slow, and unnecessary when authenticated access is already established. Therefore, exploiting a known local privilege escalation vulnerability is the appropriate CEH-aligned next step.

CEH v13 identifies Idle (Zombie) Scanning as one of the most stealthy reconnaissance techniques. In this method, attackers use a third-party system (the zombie) to send probes to the target, obscuring the attacker’s true identity.

Because the attacker never directly interacts with the target, detection and attribution become extremely difficult. FIN and Xmas scans are stealthy but still originate from the attacker’s IP. TCP connect scans are noisy and easily detected.

CEH v13 highlights idle scanning as the gold standard for stealth reconnaissance, making option D correct.

The correct answer is A. Call Spoofing because the defining behavior in the scenario is manipulating the caller ID information so that the victim’s phone displays a trusted number—specifically, the credit union’s official line. In CEH-aligned social engineering and mobile attack discussions, call spoofing is a technique where an attacker falsifies caller ID data to impersonate a legitimate organization, department, or known contact. This increases credibility and exploits human trust in recognized numbers, making victims more likely to comply with sensitive requests such as disclosing usernames, passwords, or one-time codes.

The attack is also a form of vishing (voice phishing), where the attacker uses phone calls and persuasive pretexts (“mandatory security check”) to trick employees into revealing credentials. The success factor here is the authority and legitimacy signal created by the spoofed number. When staff see what appears to be an official institutional phone number, they are more likely to assume the call is authentic and bypass normal verification steps, especially under time pressure or when framed as a security requirement.

Why the other options are incorrect: OTP hijacking refers to stealing or intercepting one-time passwords (for example via SIM swap, malware, or social engineering focused specifically on MFA/OTP codes). While the attacker could ask for OTPs, the scenario’s core mechanism is the spoofed caller ID, not OTP interception. Bluebugging is a Bluetooth-based attack that gains unauthorized control over a device through Bluetooth vulnerabilities; it is unrelated to caller ID impersonation. SMiShing is phishing via SMS/text messages, not a voice call.

Therefore, the mobile attack vector demonstrated—displaying a trusted institutional number to deceive employees during a credential-harvesting call—is call spoofing.

The correct choice is the SOA record because it uniquely provides authoritative administrative and operational metadata about a DNS zone. In CEH reconnaissance techniques, DNS enumeration is a high-value passive and semi-passive method to learn about an organization’s infrastructure without actively attacking hosts. The Start of Authority record defines core parameters of the zone and identifies the primary authoritative name server for that domain. Most importantly for this question, the SOA record contains fields that directly match “serial number and refresh interval,” which are classic SOA elements used for zone replication and synchronization behavior between primary and secondary DNS servers.

An SOA record typically includes the primary name server, the responsible party field often formatted like an email address for the zone administrator, the zone serial number, and timing values such as refresh, retry, expire, and minimum TTL. These details can reveal change frequency, operational practices, and sometimes administrative contact clues, all of which are relevant in reconnaissance and reporting.

The other record types do not meet the requirement. MX records identify mail exchangers for the domain but do not include serial or refresh parameters. NS records list authoritative name servers but lack administrative timing metadata. TXT records store arbitrary text such as SPF, DKIM, DMARC, or verification strings and are useful for email security posture analysis, but they do not provide the zone control fields the question references. Since the question explicitly calls out serial and refresh interval, the SOA record is the only option that fits completely.

This is best explained by credentialed scanning because the scanner is given administrator-level credentials, and the SIEM confirms successful logins occurred during the scan. Credentialed scans authenticate to the target systems (via SMB/WMI/WinRM for Windows, SSH for Linux/Unix, APIs for certain platforms) and then perform deeper inspection from an “inside” perspective. That allows the scanner to enumerate details that are not reliably visible from unauthenticated network probing—such as installed patch levels, local security policy settings, registry permissions, configuration files, running services with their exact versions, and misconfigurations that require local access to verify.

The scenario’s outcomes strongly match this: the scan takes significantly longer, which is common because authenticated checks involve logging in and performing many local queries; the results include weak registry permissions, outdated patches, and insecure configuration files, all of which typically require authenticated access to assess comprehensively. In addition, credentialed scanning reduces false positives and improves accuracy, because it can confirm vulnerability conditions directly rather than inferring from banners or open ports.

Why the other options are less accurate:

Non-credentialed scanning (D) is performed from an external perspective without logins; it would not normally retrieve detailed registry/config file permission findings, and SIEM logs would not show successful authentication events caused by the scanner.

External scanning (A) describes the scan’s network location (outside the organization) rather than the authentication mode. You can do external credentialed scans, but the defining feature here is authenticated logins and deep host checks.

Internal scanning (C) also refers to where the scan originates. While the scan might be internal, the question’s key differentiator is that admin credentials were used to log in and gather detailed local information.

Therefore, the scan type is B. Credentialed Scanning.

White-hat hackers perform security assessments with authorization. CEH defines ethical hacking as legal, structured testing of network defenses with the goal of improving security rather than causing harm.

CEH courseware categorizes hackers based on intent, authorization, and affiliation. State-sponsored hackers are defined as individuals or teams who conduct cyber operations on behalf of a government to advance national interests. These operations often include espionage, cyber warfare, intelligence gathering, and covert offensive actions. Unlike organized hackers or cybercriminal groups, whose motivations may include financial gain or ideological activism, state-sponsored units follow strategic directives issued by government agencies. CEH materials explain that such groups operate with access to advanced tools, long-term funding, and classified intelligence, enabling them to execute highly sophisticated and covert operations targeting foreign governments, corporations, or critical infrastructure. Hacktivists pursue political or social causes, while gray-hat hackers operate without explicit permission but without malicious intent. Only state-sponsored hackers match the scenario where cyber experts are formally trained, resourced, and authorized by a national government to conduct operations that remain undetected. Therefore, the correct classification is state-sponsored hackers.

This scenario matches a session fixation attack because Michael sets up a valid session identifier with the application first, then forces the victim to authenticate while using that same pre-established session. In CEH terms, session fixation occurs when an attacker “fixes” or plants a known session ID in the victim’s browser, typically via a crafted URL parameter, cookie setting through a subdomain, or a redirect that preserves a session token. If the application does not regenerate the session ID after login, the victim’s authentication becomes bound to the attacker-known session. The attacker can then reuse that same session ID to access the application as the victim, exactly as described when Michael “uses that session to access the portal” after the employee logs in.

The other options do not fit the mechanism. Session sniffing relies on capturing session tokens from network traffic, usually when encryption is missing or weak, but the question focuses on a link and a pre-initialized session rather than intercepting traffic. Session replay generally refers to capturing and replaying authentication exchanges or tokens, not pre-setting a session before the victim authenticates. “Session donation” is not the standard CEH label for this behavior and is not the best match to the described flow.

CEH-recommended mitigations include regenerating session IDs immediately after authentication and privilege changes, rejecting session IDs supplied in URLs, setting Secure and HttpOnly cookie flags, enforcing SameSite where appropriate, implementing short idle timeouts, and adding server-side controls to detect concurrent use or abnormal session binding changes.

CEH v13 identifies the Idle Scan as one of the most stealthy and advanced reconnaissance techniques due to its ability to avoid generating any traffic directly between the attacker and the target. Using a “zombie host,” which has predictable IP ID sequencing, the attacker forges packets so that all scan traffic appears to originate from the zombie. The IDS sees communication only between the zombie and the target, not the attacker. This allows evasion of network monitoring tools, traffic correlation systems, and intrusion detection signatures. CEH highlights Idle Scanning as a core technique for bypassing sophisticated detection controls because it leaves no direct fingerprint of the attacker. Options A and B still originate from the attacker’s IP. Option C can evade some filters but remains detectable due to packet anomalies. Only Idle Scanning provides full origin obfuscation, making it the most appropriate method for stealth port enumeration.

The described behavior strongly matches HTTP Response Splitting. This vulnerability occurs when an application includes unsanitized user input in HTTP response headers. By injecting carriage return and line feed characters (CRLF), an attacker can “split” the server’s response into multiple parts—causing additional headers to appear or injecting unintended body content. The scenario explicitly says Raj’s payloads cause “additional headers to appear” and “inject unintended content into the output,” which is the classic outcome of response splitting.

Why this matters: response splitting can enable attacks such as web cache poisoning, cookie manipulation, redirection, and cross-site scripting-like impacts through header/body injection. For example, if an attacker can inject a Set-Cookie header, they may set or overwrite cookies in the victim’s browser. If they can inject a Location header, they may force redirects. If they inject content into the body, they may deliver malicious scripts or alter page behavior—especially when combined with caching intermediaries. The vulnerability typically arises in features that reflect user input into headers such as Location, Set-Cookie, Content-Disposition, or custom headers.

The other options do not match the symptoms:

XML Poisoning (B) and XXE (C) relate to XML parsing and entity resolution; they do not directly cause added HTTP headers in responses.

SSRF (D) involves forcing the server to make outbound requests to internal/external resources; it may expose data but does not primarily manifest as injected response headers and altered response structure.

Therefore, Raj is most likely exploiting A. HTTP Response Splitting.

The KRACK (Key Reinstallation Attack) vulnerability is a critical WPA2 flaw covered extensively in CEH v13 Wireless Network Hacking. KRACK exploits weaknesses in the four-way handshake process, allowing attackers to force reinstallation of encryption keys.

This key reinstallation resets nonces and counters, enabling attackers to decrypt, replay, and forge packets, even on encrypted WPA2 networks. CEH v13 highlights that KRACK does not break encryption mathematically but exploits protocol logic flaws.

Hole196 affects GTK misuse, and WPS PIN attacks target authentication, not replay of encrypted traffic. Weak RNG issues are unrelated to WPA2 replay.

Thus, Option B is correct.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

Passive reconnaissance focuses on collecting information without directly touching or interacting with the target’s systems. CEH materials stress that any action that sends network traffic to the target—such as scanning, probing, fingerprinting, or enumeration—creates logs and increases the risk of detection. Email headers, however, are considered an excellent source of passive intelligence because they reveal internal IP structures, routing paths, mail server hostnames, internal domain formats, and technology stacks without requiring interaction with the target environment. Since these headers are already in the possession of the ethical hacker through legitimate communication records, examining them does not generate traffic or trigger monitoring systems. SSL certificates and WHOIS data provide valuable external information, but they rarely disclose internal addressing schemes. Active scanning tools, such as Nmap, would immediately violate the requirement to avoid detection. Therefore, analyzing previously received email headers is the most effective and covert method for extracting internal network details during the reconnaissance phase.

CEH teaches that unrestricted file upload vulnerabilities are among the most dangerous in web applications because they allow attackers to bypass extension checks and upload malicious executable files. When the server fails to validate MIME types, file extensions, or execution permissions, an attacker can upload a web shell disguised as a harmless file, such as “image.php.jpg,” which may pass superficial validation and still be executed by the server’s interpreter. Once executed, the shell provides the attacker with command execution capabilities, allowing full control over the system. CEH emphasizes that web shells can enable privilege escalation, database compromise, lateral movement, or full server takeover. Unlike SQL injection or XSS, file upload exploitation directly affects server-side execution, making it significantly more severe. Unrestricted upload flaws are commonly tested in CEH labs with tools like Burp Suite to alter content-type headers or bypass client-side filters. This is a high-impact vulnerability requiring strict validation and sandboxing controls.

A load balancer is the best match because the key mitigation behavior described is distributing incoming traffic across multiple servers to prevent any single system from being overwhelmed. In CEH coverage of availability attacks, one of the most practical architectural defenses against flooding-based DoS and DDoS is to scale horizontally and place a load-balancing layer in front of a server pool. This allows the organization to absorb spikes by spreading connections and requests across multiple backend nodes, improving resilience and maintaining uptime.

The scenario also mentions filtering malicious requests. Modern load balancers commonly provide health checks, rate limiting, connection limiting, and integration with access control rules, and they are often deployed alongside DDoS scrubbing or edge protections. Even when the filtering logic is implemented through integrated security policies or upstream services, the defining characteristic in the prompt is traffic distribution across multiple servers, which is a primary function of load balancing and a common CEH-referenced mitigation strategy for volumetric attacks.

A web application firewall focuses on inspecting and blocking malicious HTTP and application-layer payloads such as injection, request anomalies, and known attack patterns, but it is not primarily responsible for distributing traffic across multiple servers. An IPS can block suspicious patterns and exploit attempts, yet it does not typically provide the core traffic distribution function described. A traditional firewall enforces network-level rules and may help with rate limits, but it does not inherently balance traffic across a server farm. Therefore, the most likely tool in use here is a load balancer.

The CEH IoT and APT Threat modules describe APT groups as highly skilled adversaries that favor stealth, persistence, and advanced exploitation techniques. IoT environments are particularly attractive due to:

Limited monitoring

Infrequent firmware updates

Weak or proprietary security mechanisms

CEH highlights that APT actors often exploit zero-day vulnerabilities in firmware to gain long-term, covert access to IoT systems. Firmware-level exploitation allows attackers to maintain persistence while evading traditional security controls.

Option C is correct.

Option A is noisy and short-term.

Option B is common but less sophisticated for APTs.

Option D is possible but secondary compared to firmware exploitation.

CEH emphasizes firmware security as a critical concern in IoT deployments.

CEH v13 emphasizes that IoT and smart city environments are highly sensitive and safety-critical. When an IoT device shows anomalous outbound traffic and unauthorized open ports, this strongly indicates device compromise.

The correct immediate response is to isolate the affected device to prevent lateral movement and protect public safety. CEH v13 further stresses the importance of firmware analysis, as IoT malware often resides at the firmware level to maintain persistence.

Attempting reverse connections (Option A) is risky and may violate operational safety. Firewall changes alone (Option C) do not address an already compromised device. A full penetration test (Option D) is appropriate later but not as an immediate containment step.

Therefore, Option B aligns with CEH v13 incident handling best practices for IoT and OT environments.

A polymorphic virus is specifically designed to change its code appearance while keeping the same underlying functionality, which aligns exactly with the scenario. In CEH terms, polymorphism allows malware to mutate its decryptor routine, instruction ordering, register usage, junk code insertion, and other syntactic elements every time it propagates or executes. This causes each instance to look different at the binary level, producing different hashes and signatures, even though the malicious payload and behavior remain the same. That is why the security team sees inconsistent antivirus detection and why “traditional hash-based comparison” fails. The key indicator is that static analysis shows the “underlying logic remains unchanged,” but “code patterns vary unpredictably,” which is the hallmark of polymorphism: behavior stays consistent, signature changes.

The other options do not fit as well. A cavity virus typically hides by inserting itself into unused spaces within legitimate executable files to avoid changing the overall file size, but it does not inherently generate unpredictable code variants per infection. A macro virus primarily targets macro-enabled documents and spreads through document templates and user actions, which is not suggested here. A stealth virus focuses on evading detection by intercepting system calls and hiding its presence, such as returning “clean” file reads, but it does not necessarily produce many structurally different binaries that break hash matching. Therefore, the most likely cause of the described outbreak is a polymorphic virus.

CEH v13 explains that a keylogger is a type of spyware designed to capture user input covertly, often storing or transmitting captured data—such as passwords, emails, chat messages, and financial information—to an attacker. Keyloggers can be implemented as software, firmware, or hardware, and they operate silently in the background without affecting system performance, making them ideal for credential theft. CEH categorizes keyloggers under spying and monitoring malware frequently used in the System Hacking phase to escalate privileges or move laterally once credentials are harvested. Unlike rootkits, which hide processes, or ransomware, which encrypts files, a keylogger’s main purpose is passive surveillance. CEH emphasizes how attackers deploy keyloggers post-compromise or use phishing/social engineering to trick victims into installing them. Their covert nature and ability to bypass traditional AV solutions by masquerading as legitimate processes make identifying them crucial during forensics and incident response activities.

According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources.

An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:

Mimic normal user behavior

Are difficult to distinguish from legitimate traffic

Bypass traditional network-layer defenses

Option A is correct.

Options B, C, and D operate primarily at the network or transport layers, not the application layer.

CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.

To determine which specific system on the sender’s side processed the message, the most relevant email-header detail is the sender’s mail server, typically revealed in the chain of Received: headers. Each mail transfer agent (MTA) that handles the message adds a Received line indicating the system that passed the message along and the system that received it. By reviewing these headers from bottom to top (earliest hop upward), analysts can identify the originating outbound infrastructure used by the sender—such as the initial submission server, outbound relay, or gateway that first accepted the email for delivery.

The scenario’s goal is to “map the sender’s outbound email infrastructure” and identify “which specific system on the sender’s side processed the message.” That maps more directly to identifying the mail server hostnames involved (the MTAs), because those are the processing systems that relayed the email. While an IP address can help locate a host, the question emphasizes the “specific system” responsible for processing, which is typically expressed as the mail server identity (hostname/domain) shown in header traces. In practice, investigators correlate the sender mail server information with IPs, TLS details, and authentication results, but the primary header clue for the processing system is the server identified in Received lines.

Why the other options are less suitable:

Date and time (A) helps with timeline analysis, not identification of the processing system.

Sender’s IP address (C) can indicate a source network, but the message may traverse NAT, relays, or cloud email services; it doesn’t always name the processing system.

Authentication system used (D) (e.g., SPF/DKIM/DMARC results) indicates validation outcomes, not which server processed the message.

Therefore, the correct choice is B. Sender’s mail server.

According to CEH v13, black box testing refers to a testing approach where the ethical hacker has no prior knowledge of the internal structure, source code, or configuration of the system.

The attacker simulates a real-world external attacker, relying solely on discovery and exploitation techniques.

White box testing = full knowledge

Gray box testing = partial knowledge

The Certified Ethical Hacker (CEH) Cloud Computing module emphasizes that serverless environments rely heavily on granular permission models. Attacks involving compromised APIs often succeed because functions are granted excessive privileges.

Option D is correct because enforcing function-level permissions and the principle of least privilege directly limits what a compromised function can execute. CEH documentation states this is the primary defense against serverless abuse.

Option A is beneficial but reactive.

Option B focuses on SaaS governance rather than FaaS execution control.

Option C provides visibility but does not directly prevent privilege misuse.

CEH highlights identity and access management (IAM) as critical in serverless security.

The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

Option C is correct.

Options A and B detect issues but don’t prevent access persistence.

Option D is unrelated to access control.

CEH stresses joiner–mover–leaver (JML) processes.

TCP port 389 is the default port for LDAP (Lightweight Directory Access Protocol). The tester’s actions—performing an anonymous bind and querying directory contents with structured search filters to extract usernames and organizational information—are definitive indicators of LDAP enumeration. LDAP is commonly used for centralized directory services (including environments integrated with Active Directory via LDAP interfaces). If misconfigured to allow anonymous binds or overly permissive searches, an attacker can retrieve valuable identity and structure data.

The scenario describes obtaining usernames, departmental details, and organizational units (OUs). Those are typical LDAP directory attributes and containers. Enumerating them can directly support follow-on attack paths: building targeted password-spraying lists, crafting spear-phishing that references accurate internal roles, identifying privileged groups, and mapping the organization’s structure to prioritize high-value targets. Even without direct credential compromise, directory disclosure increases attacker effectiveness.

Why the other options are incorrect:

SMTP enumeration (A) focuses on email systems (e.g., VRFY/EXPN/RCPT TO behaviors) and typically uses TCP/25 or related mail ports, not 389.

DNS enumeration (B) involves querying DNS records (A/AAAA, MX, NS, TXT, zone transfers) and does not involve directory binds or LDAP filters.

NTP enumeration (D) relates to time services (UDP/123) and provides timing/monlist-style information, not user/OU directory attributes.

Because the service is on TCP/389 and the technique involves binds and directory searches, the correct classification is C. LDAP Enumeration.

The capabilities described match an enterprise Wireless Intrusion Prevention System (WIPS) tightly integrated with WLAN infrastructure: it uses access points as sensors (placing selected APs into passive scan/monitor mode), correlates and aggregates alarms from multiple controllers into a central engine for analysis and forensic retention, and can push automated countermeasures across the campus (such as coordinated channel scanning and remote configuration enforcement) when a device is classified as malicious. This is most consistent with Cisco Adaptive Wireless IPS.

Cisco’s adaptive WIPS model uses the existing Cisco wireless architecture (controllers and APs) to provide campus-wide monitoring and enforcement. The phrase “selected APs into a passive scan mode” is a strong indicator of adaptive sensor use—APs can be dedicated or time-sliced for scanning, and the system can coordinate coverage across channels. The centralized engine concept also aligns with enterprise WIPS deployments that collect events and alarms from multiple controllers for correlation and long-term storage, supporting incident investigation and compliance.

Why the other options are less fitting:

Fern WiFi Cracker (C) is an attack/assessment tool, not a production defensive platform, and it does not provide centralized alarm aggregation and automated enterprise countermeasures.

RFProtect (B) is a known wireless security/WIPS solution family, but the question’s feature set and wording (“adaptive,” APs used for passive scanning, controller-integrated countermeasures) most closely matches Cisco’s adaptive WIPS concept.

WatchGuard Wi-Fi Cloud WIPS (A) is a vendor-managed WIPS offering; while it can provide monitoring, the scenario stresses multi-controller aggregation into a central engine and coordinated campus countermeasures via WLAN infrastructure—again aligning best with Cisco’s controller/AP ecosystem.

Therefore, the best answer is D. Cisco Adaptive Wireless IPS.

According to the Certified Ethical Hacker (CEH) IDS/IPS and Evasion Techniques module, packet fragmentation is a technique attackers use to split malicious payloads into smaller fragments so that signature-based IDS sensors may fail to reassemble and inspect the complete packet.

CEH explains that anomaly-based IDS systems are more effective against fragmentation evasion because they analyze behavioral deviations rather than relying solely on known signatures. Fragmented traffic often deviates from baseline network behavior in terms of packet size, sequencing, and reassembly anomalies.

Option A is correct because anomaly-based detection can identify abnormal fragmentation behavior even if the payload itself does not match known signatures.

Option B is unreliable, as attackers do not use consistent intervals.

Option C is impractical, since legitimate traffic may be fragmented.

Option D is less effective because signature-based IDS systems can be bypassed by fragmentation techniques.

CEH recommends packet normalization and anomaly-based detection as effective countermeasures.

Operational Technology and ICS environments often suffer from misconfigurations such as unchanged factory-default passwords. CEH identifies exploiting default credentials as a direct and effective method because ICS devices frequently lack strong authentication controls. Using these built-in credentials grants immediate unauthorized access to supervisory controls, enabling adversaries to manipulate configurations, disrupt processes, or escalate attacks across critical systems.

The CEH Cryptanalysis module describes differential cryptanalysis as an attack that studies the relationship between differences in input and resulting differences in output to recover secret keys.

Option A precisely matches this definition.

Option B relies on execution timing.

Option C requires ciphertext manipulation.

Option D exhaustively tests keys.

CEH lists differential cryptanalysis as a foundational theoretical attack.

Bluesnarfing is a Bluetooth attack described in CEH v13 Wireless Network Hacking, where attackers exploit misconfigured Bluetooth devices to access sensitive data such as contacts, messages, and files—often without user interaction.

One of the most critical enablers of Bluesnarfing is Bluetooth discoverable mode. When devices are discoverable, attackers can easily identify them and attempt unauthorized connections or exploit vulnerabilities in Bluetooth services.

Disabling discoverable mode significantly reduces the attack surface by preventing unauthorized devices from locating Bluetooth-enabled systems. CEH v13 explicitly recommends setting Bluetooth devices to non-discoverable mode when not pairing.

While firmware updates (Option B) are important, they do not immediately prevent discoverability-based attacks. Stronger PINs (Option C) help against pairing attacks but do not stop unauthorized queries. Network-level encryption (Option D) is inherent in Bluetooth protocols and does not mitigate discovery abuse.

CEH v13 highlights that visibility control is the most immediate and effective defense against Bluesnarfing. Therefore, Option A is the correct answer.

This is a SYN flood because the attack floods the target with TCP SYN packets (connection initiation). The server responds by allocating resources and sending SYN-ACK replies, moving each connection into a half-open state while it waits for the client’s final ACK to complete the three-way handshake. In a SYN flood, that final ACK never arrives (often because the source addresses are spoofed or because the attacker deliberately does not complete the handshake). As a result, the server’s backlog queue of pending connections fills up, consuming memory/connection slots and preventing legitimate users from establishing new sessions.

The scenario’s language matches the mechanics precisely: “flood of TCP connection initiation packets,” “exhausting the server’s backlog of half-open connections,” and “never receives the final ACK.” Those are the classic identifiers of SYN flooding.

Why the other options are incorrect:

ACK flood (A) involves flooding with TCP ACK packets; it does not primarily create half-open handshakes because ACKs are not the connection-initiation step.

TCP SACK Panic (B) refers to a specific vulnerability/issue related to TCP Selective Acknowledgment processing, not a generic handshake backlog exhaustion attack pattern.

APT attack (C) is not a DoS attack type; it refers to advanced persistent threat campaigns and is unrelated to TCP handshake flooding.

Therefore, Aisha is simulating D. SYN Flood Attack.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 identifies XML Signature Wrapping (XSW) attacks, also known simply as Wrapping attacks, as a major threat against SOAP-based web services. These attacks exploit weak XML parsing and insufficient validation of signed message components. SOAP messages often include digitally signed sections, but if the server validates the signature without confirming the correct position or structure of the signed elements, attackers can duplicate, move, or wrap signed content inside a modified XML envelope. This allows an attacker to inject malicious payloads while still presenting a valid signature. CEH details how this can lead to unauthorized execution, privilege escalation, or bypassing authentication controls in SOAP APIs. Cloud snooping, cryptanalysis, and IMDS abuse do not involve message duplication or signature misplacement. The scenario precisely matches CEH’s definition of a Wrapping Attack in SOAP/XML security.

CEH v13 stresses that IoT-to-OT convergence is one of the most dangerous architectures in critical infrastructure environments. IoT devices often lack strong security controls and become ideal entry points for lateral movement into OT systems controlling physical processes.

The immediate priority is to secure the communication boundary between IoT and OT systems. Implementing strong encryption, authentication, and access control ensures that even if an IoT device is compromised, it cannot be used as a pivot point. CEH v13 explicitly recommends network segmentation and secure communication channels as first-response containment measures.

Penetration testing (Option A) is valuable but time-consuming and not an immediate mitigation. ML-based tools (Option C) require training time and are not instant safeguards. IPS deployment (Option D) helps detect attacks but does not prevent credential abuse or trusted-path exploitation between IoT and OT layers.

By enforcing secure protocols, certificates, and authentication mechanisms, the organization reduces attack surface immediately. Thus, Option B is correct.

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.

The correct answer is B. Stealth Virus because the defining characteristic described is hiding malicious presence by intercepting operating system calls and masking changes so that normal tools (including antivirus scans) do not observe the infection. In CEH-aligned malware concepts, stealth viruses are designed to evade detection by concealing modifications to files, boot records, or system areas. They commonly do this by hooking system functions or APIs so that when the OS or a security product requests file contents, sizes, checksums, directory listings, or other metadata, the virus returns clean-looking or original data instead of the infected/modified version. This makes infected files appear to “function normally,” while the malware remains active in memory and persists on disk.

The scenario explicitly mentions that “infected files continue to function normally” and that the malware “conceals its modifications by intercepting operating system calls.” That is the classic behavior of stealth techniques: manipulate what the system reports, not necessarily change the outward behavior of the application. The repeated “no threats detected” results also align: signature-based or basic scanning can be blinded when the malware controls the interface through which the scanner reads target files or system structures.

Why the other options are less correct: a polymorphic virus focuses on changing its code/signature between infections to evade signature-based detection, but the key clue here is OS call interception and hiding modifications, not code mutation. A macro virus targets macro-enabled documents and spreads through macro execution in office applications; it is not primarily defined by OS-level call hooking. A cavity virus (spacefiller) hides by inserting itself into unused areas of a file without changing the file size, but the scenario’s emphasis is on intercepting OS calls to conceal changes, which is more directly the stealth-virus behavior.

Therefore, Ryan most likely deployed a stealth virus.

The described behavior aligns precisely with ARP spoofing, also known as ARP poisoning, a common man-in-the-middle attack technique covered extensively in CEH materials. ARP operates at Layer 2 of the OSI model and is responsible for mapping IP addresses to MAC addresses within a local network. Because ARP lacks authentication mechanisms, any host can send forged ARP replies to other devices on the LAN.

In this scenario, Marcus injects crafted messages that alter how two hosts identify each other. This strongly indicates forged ARP replies were sent to both the payroll workstation and the authentication server. By telling each system that his machine’s MAC address corresponds to the other party’s IP address, Marcus positions himself logically between the two endpoints. As a result, traffic is transparently routed through his system without requiring changes to switch configurations, proxies, or VPN tunnels.

This technique enables interception and potential modification of credentials in transit. DNS spoofing affects domain name resolution rather than direct Layer 2 host identification. MAC flooding overflows the switch CAM table to force broadcast behavior but does not specifically manipulate IP-to-MAC mappings between two targeted hosts. Switch port stealing targets MAC table entries but does not rely on altering host identity mappings in the same way ARP poisoning does.

Therefore, ARP spoofing is the most accurate technique described in this scenario.

The CEH DDoS Mitigation Strategies section explains that load balancing distributes traffic across multiple servers or infrastructure components to prevent any single resource from being overwhelmed.

By using hardware load balancers and cloud-based traffic distribution, organizations can:

Absorb large volumes of attack traffic

Maintain service availability

Ensure legitimate users are served

Option B is correct and directly matches CEH’s definition.

Option A drops all traffic, including legitimate requests.

Option C focuses on traffic analysis rather than distribution.

Option D limits traffic rather than distributing it.

CEH strongly recommends load balancing as a core DDoS resilience mechanism.

Fragmentation is a well-known firewall and IDS evasion technique covered in CEH materials. The attacker breaks a malicious packet into smaller IP fragments so that simple filtering devices, especially those relying mainly on basic header checks or stateless rules, may fail to reconstruct the original payload and therefore miss the malicious content. To counter this, defenses must track packet state and perform reassembly or validation of fragmented traffic so the security control can evaluate the complete communication stream rather than isolated fragments.

Stateful Packet Inspection is the control most aligned with this requirement. A stateful inspection firewall maintains a state table of active connections and monitors traffic as part of an ongoing session. Because it tracks session context, it can handle fragmented packets more effectively by correlating fragments to the original flow and applying policy after reconstructing or normalizing traffic. In CEH-aligned descriptions, this directly reduces the effectiveness of fragmentation-based evasion, overlapping with the concept of traffic normalization that removes ambiguity attackers try to exploit.

Deep Packet Inspection examines payload beyond headers, but the key success factor in stopping fragmentation evasion is state tracking and reassembly, which is characteristic of stateful inspection and state-aware security devices. Signature-based and anomaly-based detection can help detect malicious patterns or unusual behavior, but without reliable reassembly and session context, fragmented payloads may not match signatures and may appear benign in isolation. Therefore, the most likely measure used to identify and block fragmented packets in this scenario is Stateful Packet Inspection.

The behavior described most closely matches an insider attack, because the actor is a temporary contractor who has physical proximity and implicit access to internal areas where employees work and handle sensitive information. In CEH guidance, an “insider” is not limited to permanent employees; it includes contractors, vendors, interns, and any trusted or semi-trusted individuals who can enter facilities or access internal environments. The attack combines two common insider-facilitated techniques: shoulder surfing and dumpster diving. Recording employees entering passwords is a form of shoulder surfing, where credentials are harvested by observing or capturing authentication entry through direct viewing or recording devices. Finding sensitive documents in a trash bin indicates dumpster diving, where attackers recover confidential information from improperly disposed materials.

These actions are typically feasible because the attacker is already inside the perimeter and can exploit weak operational security practices, such as lack of clean-desk enforcement, inadequate shredding policies, and insufficient physical monitoring of visitor or contractor activity. CEH materials emphasize that insider threats are particularly dangerous because they bypass many external perimeter controls and can blend into normal workplace behavior.

The other options do not fit. A distribution attack generally refers to compromise introduced through supply chain or third-party distribution channels, not on-site observation and trash retrieval. A passive attack is too generic and does not capture the key element of an authorized or trusted presence enabling the compromise. “Cisco-in attack” is not a standard CEH attack category for this scenario. Therefore, the most accurate classification is an insider attack.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim’s knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits—which hide processes and files—or worms that self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC–IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described—rapid MAC address spoofing and exhaustion of DHCP leases—matches the precise definition of DHCP starvation as documented in CEH materials.

Asymmetric encryption, as defined in CEH v13 Cryptography, uses a public-private key pair, solving the key distribution problem inherent in symmetric encryption.

Public keys can be freely shared, enabling secure communication initiation without prior shared secrets. Disk encryption and hashes do not address key exchange.

Therefore, Option D is correct.

According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side-channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

Option B relates to cryptographic weaknesses, not side-channel analysis.

Option C addresses interface misuse, not covert data leakage.

CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

The attackers described are most consistent with black hat hackers because their actions are clearly unauthorized, intentionally harmful, and motivated by financial gain. They compromise a financial institution, deploy credential-stealing malware, exfiltrate customer account data, and then sell the stolen information on underground forums. This aligns with criminal hacking behavior: monetizing access and stolen data through illicit marketplaces, fraud, and repeated targeting of similar victims.

The scenario explicitly rules out ideologically motivated activity: “no political or social statements are made.” That makes hacktivists unlikely, since hacktivism typically involves a political, social, or ideological motive and often seeks publicity for a cause (defacements, leaks, DDoS protests). It also rules out ethical categories: white hat hackers operate with authorization and report findings to improve security rather than steal and sell credentials. Script kiddies are generally low-skill attackers who rely on existing tools and scripts; while they can cause harm, the scenario highlights sustained targeting, credential theft, and underground monetization—behavior more strongly associated with organized cybercriminals/black hats.

Black hats typically pursue objectives like theft of credentials, financial fraud, ransomware deployment, and sale of access or data. Their operations often emphasize anonymity, operational security, and repeatability across many similar targets—consistent with “continuing to target similar organizations for financial gain.”

Therefore, the most likely category is A. Black Hat hackers.

The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses, forcing the switch to broadcast traffic like a hub.

Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port, which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

Option A relates more closely to ARP poisoning rather than MAC flooding.

Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

Option C is common in NAT environments and is not malicious by itself.

CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

CEH v13 highlights HTML smuggling as a modern technique used to bypass perimeter defenses by leveraging browser-side execution. Instead of downloading a malware file directly—which firewalls and IDS can detect—an attacker embeds obfuscated JavaScript or HTML within an attachment. When the victim opens the file, the browser reconstructs the payload locally using APIs like Blob or URL.createObjectURL. This method avoids external network transfers during the payload creation stage, allowing it to bypass content filters, sandboxing, and inline inspection tools. CEH emphasizes that HTML smuggling is especially dangerous because it operates within the browser environment, which security appliances implicitly trust. Port forwarding (Option B) relates to tunneling traffic, not file reconstruction. XSS (Option C) requires injecting scripts into web pages, not delivering malware. HTTP header spoofing (Option D) manipulates request metadata, not payload construction. Therefore, HTML smuggling precisely matches the described behavior.

CEH clearly distinguishes between active and passive reconnaissance. Passive methods involve gathering publicly available data without directly interacting with the target’s infrastructure, thus avoiding detection. Tools such as Netcraft, DNSdumpster, VirusTotal, Certificate Transparency logs, and search engine indexing are recommended by CEH for discovering subdomains through public metadata, cached DNS records, WHOIS data, SSL certificate entries, and third-party enumeration databases. These platforms provide insights into externally accessible assets without sending packets or queries to the target organization. Brute-force enumeration is active and violates the rules of engagement. Attempting credential guessing or requesting internal DNS data are unauthorized and clearly active reconnaissance activities. Passive OSINT-based subdomain enumeration is a core CEH technique used to uncover hidden infrastructure safely and legally. It is especially crucial in red team operations where stealth is a priority.

The CEH Cloud Computing module identifies cloud APIs as one of the most critical attack surfaces in public cloud environments. APIs control provisioning, configuration, authentication, and management of cloud resources.

A vulnerability in a cloud API can allow attackers to:

Bypass authentication

Escalate privileges

Access or modify cloud resources

Create or delete services

Option B is therefore correct.

Option A relates to availability, not API flaws.

Option C is managed by the provider and unrelated to APIs.

Option D would require key compromise, not just API weakness.

CEH strongly emphasizes API security as a top cloud risk.

Colasoft Packet Builder is specifically designed for creating and editing custom packets, making it the best match for a scenario where the tester “crafts custom network packets” and “carefully designs their headers” to test or evade firewall filtering. In CEH methodology, packet crafting is a common technique used to validate how filtering devices respond to unusual or borderline traffic patterns, including altered TCP flags, manipulated fragmentation behavior, spoofed fields, and protocol edge cases. A packet builder tool enables precise control over Layer 2 through Layer 4 fields and, in many cases, supports building application payloads as well. This supports testing for weaknesses such as overly permissive rules, inconsistent state handling, improper reassembly, and inadequate normalization that could allow malicious traffic to pass.

Metasploit is primarily an exploitation framework used to deliver payloads and run modules after targets and weaknesses are identified. While it can generate traffic, it is not the most direct tool for low-level, manual header crafting as described. Nmap is mainly used for host discovery, port scanning, service detection, and scripting-based enumeration; it can manipulate some packet characteristics, but its core purpose is not interactive custom packet construction. Traffic IQ Professional is typically associated with network analysis and traffic monitoring rather than crafting bespoke packets to probe firewall rule behavior.

Therefore, the tool most aligned with CEH-style custom packet creation for firewall evasion testing is Colasoft Packet Builder.

CEH v13 states that the only viable way to attack WPA2-PSK is by capturing the four-way handshake. De-authentication forces clients to reconnect, allowing the handshake to be captured and later cracked offline.

MITM, jamming, and rogue AP attacks do not directly expose the PSK.

CEH v13 defines a white hat hacker as a security professional who performs authorized assessments to identify vulnerabilities and strengthen an organization’s defenses. The defining characteristic of white hat activity is the presence of formal permission—typically through a signed rules-of-engagement, scope of work, and explicit authorization from the organization. CEH emphasizes that white hats adhere to legal boundaries, follow ethical guidelines, and document findings to support remediation. They may use the same tools and methodologies as malicious hackers, but the intent and authorization distinguish them. In contrast, black hats operate without permission and with malicious intent. Grey hats act without authorization but may not have malicious motivations, making them inappropriate in a formal penetration testing engagement. Script kiddies lack professional skill and rely on pre-made tools without understanding the underlying techniques. Therefore, the hacker described is a white hat—an ethical professional performing sanctioned testing.

The correct answer is D. Hardware/Firmware Rootkit because the scenario describes persistence that remains even after multiple OS reinstalls and executes before the operating system loads, while evading OS-level antivirus and forensic scans. In CEH-aligned malware/rootkit concepts, hardware/firmware rootkits embed malicious code into firmware components such as BIOS/UEFI, device firmware (for example, NIC firmware, storage controller firmware, HDD/SSD firmware), or other embedded hardware layers. Because firmware is separate from the operating system’s file system, reinstalling the OS typically does not remove the implant.

The clue “resides deep inside the system hardware” and “executes before the OS is loaded” aligns with firmware-level execution in the boot chain. Firmware rootkits can run during early startup, initialize malicious hooks, and then hand off control to the OS in a way that hides their presence. This makes them extremely difficult to detect using conventional host-based tools, because those tools operate after the OS is running and generally cannot easily inspect or validate firmware integrity. The mention of “unusual activity on network cards and storage devices” is also a strong indicator: compromised NIC or storage firmware can manipulate traffic, exfiltrate data, or alter reads/writes while remaining invisible to file-based scanning.

Why the other options are less accurate: a boot-loader-level rootkit typically infects the bootloader on disk; while it runs early, it may be removed by disk reimaging or certain reinstall workflows. A kernel-level rootkit resides within the OS kernel and is generally removed by reinstalling the OS. A hypervisor-level rootkit (virtualization-based) can be stealthy, but it still generally depends on software layers that may not survive repeated OS reinstalls unless paired with firmware persistence.

Therefore, the persistence across reinstalls and pre-OS execution most clearly indicate a hardware/firmware rootkit.

According to CEH v13 Network Scanning Techniques, a FIN scan is a stealth scanning method that sends TCP packets with only the FIN flag set. Its behavior relies on RFC 793, which specifies that closed ports must respond with a TCP RST, while open ports should silently drop the packet.

However, modern firewalls, IDS/IPS systems, and hardened TCP/IP stacks often filter or silently drop FIN packets regardless of port state. Therefore, when a FIN scan results in no response from a large number of ports, it does not conclusively indicate that the ports are open. Instead, CEH v13 stresses that this behavior commonly points to packet filtering by firewalls or security controls.

Option A is incorrect because a lack of response does not definitively mean ports are closed. Option B is an overreaction; stealth scan anomalies alone do not indicate a breach. Option C is unlikely because congestion would impact multiple protocols, not selectively suppress FIN responses.

CEH v13 recommends that when FIN scans produce ambiguous results, analysts should correlate findings using additional scan types (such as SYN scans) and investigate firewall rules and filtering behavior. Thus, option D is the most accurate interpretation and aligns with CEH guidance.

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

CEH teaches that ARP-based attacks vary in sophistication from basic poisoning to more specialized techniques such as switch port stealing. In environments where ARP poisoning defenses or inspection tools limit traditional attacks, attackers may exploit timing vulnerabilities in ARP reply behavior. Switch port stealing works by sending spoofed ARP replies at precisely the right moment—before the legitimate ARP response from the target host—causing the switch’s CAM table to update temporarily and associate the target’s IP address with the attacker’s MAC address. CEH emphasizes that switches trust the latest ARP update, so even brief timing windows enable partial packet interception. This is different from fully persistent ARP poisoning, which continuously overwrites ARP tables, and from passive sniffing, which cannot capture unicast traffic on a switched network. This attack is particularly useful when ARP spoofing is mitigated because it relies on opportunistic timing rather than full table poisoning. The intermittent nature of intercepted packets matches CEH’s description of switch port stealing behavior.

According to CEH v13 Security Operations and Incident Response, backdoors are stealth mechanisms that allow attackers persistent access. Indicators such as unexplained outbound traffic, unauthorized file modifications, and irregular reboots strongly suggest post-compromise persistence mechanisms.

CEH v13 recommends a behavioral and host-based detection approach for backdoor identification. Continuous monitoring of system and file activity helps detect unauthorized binaries, registry changes, and scheduled tasks. Anomaly detection identifies deviations from normal system behavior, which is critical for uncovering hidden backdoors that evade signature-based detection.

Additionally, advanced anti-malware tools with heuristic and memory analysis capabilities are essential to identify sophisticated backdoors that traditional antivirus may miss. These tools can detect rootkits, fileless persistence, and covert communication channels.

The other options are preventative but not investigative. Immediate reboots may destroy volatile evidence, while password policies and ACLs do not detect existing compromises. Therefore, option B provides the most effective and CEH-aligned response.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

CEH v13 states that DNS server hijacking occurs when attackers compromise the authoritative DNS infrastructure and alter DNS zone records to redirect all legitimate queries to malicious destinations. Unlike DNS cache poisoning, which affects specific resolvers temporarily, server hijacking manipulates the core DNS authority controlling the domain. This results in a complete redirect for all users, regardless of geographic location or device configuration. CEH emphasizes that such attacks can lead to large-scale credential theft, phishing, financial fraud, and session compromise because the attacker presents an identical clone site while retaining full control of DNS routing. DNS tunneling is used for covert data exfiltration and does not redirect traffic. DNS rebinding targets browser policies, not global DNS redirection. DNS amplification is a volumetric DDoS technique unrelated to zone manipulation. The scenario matches DNS server hijacking exactly.

CEH methodology emphasizes validating and researching identified vulnerabilities to determine exploitability, patch status, and business impact. Even medium-risk findings require investigation to assess their real severity.

Network Access Control (NAC) solutions often authenticate only the first device connected to a port. CEH explains that attackers can insert a rogue device behind an already authenticated host, bypassing NAC checks. This creates a transparent bridge that forwards legitimate traffic while injecting attacker-controlled communications.

According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources.

An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:

Mimic normal user behavior

Are difficult to distinguish from legitimate traffic

Bypass traditional network-layer defenses

Option A is correct.

Options B, C, and D operate primarily at the network or transport layers, not the application layer.

CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.

The Certified Ethical Hacker (CEH) Cryptography and Quantum Computing section introduces the concept known as “Harvest Now, Decrypt Later”. This threat model describes adversaries capturing encrypted data today, even if they cannot decrypt it immediately, with the expectation that future quantum computers will be able to break currently secure public-key algorithms such as RSA and ECC.

Option A accurately reflects this concept.

Option B describes a method (Shor’s algorithm) but not the threat model itself.

Option C is unrelated to cryptographic attacks.

Option D refers to quantum communication attacks, not classical encrypted data harvesting.

CEH emphasizes post-quantum cryptography as a mitigation strategy.

This activity most accurately describes a DHCP starvation attack. CEH network and sniffing coverage explains that DHCP starvation is a denial-of-service technique in which an attacker rapidly sends large numbers of DHCP requests, usually with spoofed MAC addresses, to consume all available IP addresses in the DHCP pool. Once the pool is exhausted, legitimate clients can no longer obtain valid leases, which produces exactly the symptoms described in the question: repeated address negotiation attempts, failure to receive configuration, and a burst of requests coming from a single interface. A rogue DHCP server is often paired with starvation later, but the key evidence here is the rapid exhaustion behavior rather than the distribution of malicious configurations. IRDP spoofing would manipulate gateway discovery, not primarily deplete DHCP leases, and MAC spoofing alone would not explain widespread address assignment failure across multiple hosts. CEH guidance presents DHCP starvation as both a network disruption issue and a stepping stone for further interception attacks, since denying legitimate DHCP service can set conditions for a rogue DHCP server to take over client configuration and redirect traffic.

White-hat hackers perform security assessments with authorization. CEH defines ethical hacking as legal, structured testing of network defenses with the goal of improving security rather than causing harm.

Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking. Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior, rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

Thus, Option B is the most effective and CEH-aligned IDS configuration.

The scenario points directly to information gathering from the robots.txt file. A robots.txt file is typically located at the root of a website (e.g., https://example.com/robots.txt) and is intended to instruct search engine crawlers which paths should or should not be indexed. During web reconnaissance, testers often review robots.txt because it can unintentionally disclose sensitive directories, administrative panels, staging paths, backup locations, or restricted areas that the organization hoped would remain obscure. The scenario explicitly says Sofia found “a crawler directive at the server’s root” that “allows unintended indexing of restricted areas,” and that this “reveals internal paths.” That is exactly the kind of leakage that can come from misconfigured or overly revealing crawler directives.

This is considered an early-stage reconnaissance / information gathering technique because it does not require exploitation. It leverages publicly accessible configuration hints to map the application’s hidden structure. Even when robots.txt is used correctly, the listed disallowed entries can still serve as a roadmap of interesting targets; if configured incorrectly (for example, allowing indexing or exposing sensitive paths), it can increase exposure by helping those paths surface in search results or be discovered faster by attackers.

Why the other options are less accurate:

Vulnerability Scanning (A) implies using scanners to identify known flaws; here, the tester is manually/strategically inspecting a crawler directive for exposed paths.

Web Server Footprinting/Banner Grabbing (C) focuses on identifying server type/version and technologies via headers or responses, not discovering hidden paths from crawler directives.

Directory Brute Forcing (D) uses wordlists to guess directories; Sofia’s discovery comes from a disclosed list of paths, not brute-force guessing.

Therefore, the technique is B. Information Gathering from robots.txt File.

VLAN hopping is an advanced attack technique described in CEH materials, used to bypass VLAN segmentation by exploiting switch misconfigurations or vulnerabilities. Two primary methods—switch spoofing and double tagging—allow attackers to gain access to traffic from VLANs they are not authorized to view. This technique enables the capture of inter-VLAN traffic without requiring administrative privileges or triggering security tools. Port mirroring requires administrative control and is not an attack method. Rogue DHCP servers target IP assignment, not VLAN segmentation. ARP poisoning is effective only within a single broadcast domain and cannot traverse VLAN boundaries. Because the objective is to silently access multiple VLANs despite enforced segmentation, VLAN hopping is the correct technique as per CEH’s network perimeter attack methodology.

CEH v13 highlights behavioral analytics as one of the most effective techniques for identifying ambiguous or stealthy threats such as data exfiltration, command-and-control traffic, and insider abuse. When interactions appear suspicious but not definitively malicious, behavioral profiling provides the most direct visibility.

Behavioral analytics tools establish a baseline of normal system and network behavior, including typical communication patterns, data transfer volumes, destinations, and timing. Deviations from this baseline trigger alerts, allowing analysts to detect previously unknown threats without relying on signatures.

Option C is the most appropriate because it both identifies anomalies and supports continuous mitigation. A full zero-trust shutdown (Option A) is disruptive. Forensics (Option B) is reactive and better suited after confirmation of compromise. Training (Option D) does not address system-level interactions.

CEH v13 emphasizes that modern attacks often blend into normal traffic, making behavioral analysis essential. Therefore, Option C is the correct answer.

In CEH v13, IDS effectiveness is closely tied to proper signature tuning and sensitivity thresholds. When IDS alerts are triggered by legitimate user behavior, the most common cause is overly sensitive configuration, resulting in false positives.

False positives occur when normal traffic patterns match intrusion signatures. CEH v13 emphasizes that IDS systems must be calibrated to the organization’s baseline traffic profile. Without tuning, IDS logs become noisy and reduce analyst effectiveness.

Firewall issues (Option A) and outdated IDS signatures (Option B) can cause missed detections, not excessive alerts. Users unintentionally triggering protocols (Option D) is not a root cause but a symptom of misconfiguration.

Thus, excessive IDS sensitivity is the correct explanation.

ARP spoofing–based session hijacking is identified in CEH v13 Web Application and Network Attacks as one of the most stealthy and difficult-to-detect session compromise techniques, especially within internal or VPN-connected networks.

In ARP spoofing, attackers poison ARP caches to position themselves as a man-in-the-middle (MitM). Once in place, they can silently intercept, modify, or replay session data—even when encryption is used—by redirecting traffic transparently between endpoints.

Option A (sidejacking) is mitigated by HTTPS. Option C (session guessing) is noisy and detectable. Option D (cookie poisoning) relies on weak validation and is easier to detect via integrity checks.

CEH v13 highlights ARP spoofing as particularly dangerous because:

It exploits trusted local network behavior

It does not require breaking encryption directly

It is often invisible to users and applications

Therefore, Option B is the most challenging to detect and mitigate and is the correct answer.

Qualys VM is the best match because the scenario emphasizes enterprise vulnerability management for a hybrid environment with agent-based endpoint coverage, continuous monitoring, alerting, and centralized visibility across both on-premises and cloud systems. In CEH-aligned security operations concepts, vulnerability management is not only about running periodic scans, but also about maintaining an accurate, continuously updated view of asset exposure, prioritizing risk, and producing actionable remediation workflows. A platform designed for hybrid infrastructures commonly includes lightweight agents for endpoints, cloud connectors, unified dashboards, continuous assessment, and notification or alerting features to support real-time risk decisions. Qualys VM is widely recognized for delivering vulnerability management through a centralized cloud platform with broad asset visibility and support for continuous assessment models that align with large-scale, distributed environments.

The other options are less aligned with the full requirement set. Nikto is a focused web server and web application scanner and does not represent an enterprise-wide vulnerability management platform for endpoints and hybrid assets. OpenVAS is a capable open-source vulnerability scanner, but it is typically implemented as a scanning solution rather than a full hybrid vulnerability management platform with the same level of integrated agent-based endpoint coverage, centralized cloud visibility, and operational alerting described. Nessus is a strong vulnerability scanner and can support agents in some deployments, but the scenario’s emphasis on broad hybrid infrastructure visibility and centralized, continuous monitoring with alerting most strongly aligns with Qualys VM as a vulnerability management platform.

Session Replay Attacks are highlighted in CEH v13 Web Application Hacking as one of the most sophisticated and difficult-to-detect session hijacking techniques. In this attack, adversaries capture valid session tokens or encrypted session identifiers and replay them to impersonate legitimate users.

Unlike credential stuffing, which relies on login attempts and can be detected through authentication anomalies, session replay occurs after authentication, using legitimate session artifacts. Clickjacking and CSRF manipulate user interactions but do not directly hijack session tokens.

CEH v13 explains that session replay attacks are especially dangerous in environments where session tokens are predictable, long-lived, or improperly bound to client attributes such as IP address or device fingerprint. Because the attacker reuses valid session data, traditional detection mechanisms often fail.

The replayed session appears legitimate to the server, making fraud detection extremely difficult without advanced behavioral analytics. This makes session replay attacks particularly effective in online retail environments where transactions are frequent and time-sensitive.

Thus, Option D correctly identifies the most challenging attack.

CEH v13 defines passive reconnaissance as information gathering without directly interacting with the target’s systems. Activities such as reviewing archived websites, social media, forums, and public records are all passive and legal.

Running an intensive port scan, however, is an active reconnaissance technique. According to CEH v13, port scanning directly interacts with target systems and can trigger IDS/IPS alerts, logs, and even legal consequences if done without authorization.

Therefore, option B violates the principles of passive reconnaissance and is the riskiest choice.

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

The highest-priority proactive control “to embed into the organization’s development lifecycle” is including quantum-resistance checks in the SDLC and code review processes. The scenario emphasizes a company-wide, long-term risk reduction strategy while development continues on a major refactor. In that context, the most scalable and durable control is governance and engineering hygiene: ensuring that new features and refactored components do not reintroduce weak or legacy cryptography and that teams consistently select algorithms and key sizes aligned with modern guidance and future migration plans.

Embedding checks into the SDLC means instituting standards and guardrails such as approved cryptographic libraries, banned algorithm lists (e.g., legacy RSA key sizes, deprecated curves, weak hashes), cryptography design reviews, automated dependency scanning for crypto usage, and CI/CD policy gates that flag noncompliant implementations. This approach reduces “crypto sprawl,” prevents new technical debt, and creates a structured path to transition toward post-quantum or quantum-resistant approaches as the organization modernizes systems.

Why the other choices are not the best “highest priority” SDLC-embedded control:

Encrypt stored data with quantum-resistant algorithms (B) may be appropriate for protecting long-lived sensitive data (“harvest now, decrypt later”), but it is a targeted technical control and may not be feasible immediately across many services during refactoring. It also does not by itself prevent developers from continuing to implement legacy public-key schemes elsewhere.

Quantum-specific firewalls (C) is not a realistic or standard control for post-quantum readiness in typical enterprise environments.

Fragmenting data across locations (D) can help resilience/confidentiality in some designs but does not address the core issue: preventing continued reliance on weak public-key cryptography.

Therefore, the best answer is A. Include quantum-resistance checks in SDLC and code review processes.

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

CEH v13 explains that Side-Channel Attacks exploit physical characteristics of cryptographic devices—such as power consumption, timing variations, electromagnetic leakage, or acoustic emissions—to infer confidential data like encryption keys. These attacks do not break the cryptographic algorithm itself but instead analyze unintended signals produced during computation. The scenario describes a classic power analysis and timing analysis attack, where the attacker monitors fluctuations during encryption operations on a smart card. CEH details how Differential Power Analysis (DPA) and Simple Power Analysis (SPA) allow attackers to extract secret keys by statistically correlating measured power traces to cryptographic operations. This type of attack is extremely dangerous because it bypasses mathematical strength and targets hardware implementation flaws. Options A, C, and D do not relate to side-channel exploitation. CEH specifically categorizes this method as observing hardware emissions to deduce secrets, making Option B the most accurate match.

Email headers typically contain multiple time-related fields, but they do not all carry the same evidentiary value for tracing message handling. In CEH-aligned reconnaissance and email analysis, the most reliable way to determine when an email was processed by the sender’s infrastructure is to examine the earliest “Received” header entry—specifically, the timestamp showing when the message was accepted by the sender’s originating mail server (the first mail transfer agent in the chain). This aligns with option C: the date and time received by the originator’s email servers.

The “Date” header (option A) is set by the sender’s mail client and can be manipulated or misconfigured, making it less trustworthy for forensic timing. Option B (sender’s mail server) is useful for identifying infrastructure and routing, but it does not directly provide the exact processing moment unless paired with the correct “Received” timestamp. Option D (authentication system such as SPF/DKIM/DMARC results) helps validate whether a message is authorized for a domain and detect spoofing, but it does not pinpoint when the sender’s system processed the email.

CEH guidance emphasizes that analysts should correlate multiple “Received” lines from bottom to top (earliest to latest), validate time zones, and look for inconsistencies such as impossible hops, private IP anomalies, or missing hops that indicate header forgery. However, for the specific “moment processed by the sender’s system,” the first acceptance timestamp at the origin mail server is the key artifact.

CEH teaches that insufficient input validation on mobile applications enables code injection attacks. Injecting JavaScript or crafted payloads into fields validates whether the application improperly processes untrusted data. If executed, it confirms that the app is vulnerable to injection-based attacks.

CEH v13 describes Agent Smith–style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third-party marketplaces. Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android’s APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern.

Server-Side Request Forgery (SSRF) is emphasized in CEH v13 Web Application Hacking as a stealthy and powerful attack. SSRF allows attackers to make requests from the trusted server itself, bypassing firewalls, authentication, and logging controls.

Compared to web shells or webhook abuse, SSRF leaves fewer forensic artifacts and enables internal API access, metadata exposure, and lateral movement.

Sherlock is the correct choice because it is specifically designed for OSINT-style username enumeration across a very large number of websites. In CEH-aligned reconnaissance, one common task is “alias correlation,” where the tester checks whether the same username exists across multiple social networks, forums, and content platforms. Sherlock automates this by querying many supported sites and reporting where an account with a given username appears to exist. This directly matches the question’s requirement: “cross-platform username correlation by scanning hundreds of social networking sites.”

The prompt also specifies what the tool does not do: it “does not natively support geolocation tracking or visualizing identity relationships.” That limitation aligns with Sherlock’s role as a focused username discovery tool rather than an analysis platform. By comparison, Creepy is associated with geolocation-focused OSINT, particularly collecting and correlating location metadata from social media posts and images, which is the opposite of the stated limitation. Maltego is well known for relationship analysis and link visualization, allowing investigators to build graphs of people, emails, domains, and social entities—again contradicting the “does not visualize identity relationships” constraint. Social Searcher is more oriented toward searching and monitoring public social media content and mentions, not primarily high-volume username existence checking across hundreds of sites in the same manner.

In CEH reconnaissance workflows, Sherlock fits early-stage enumeration to expand a target’s footprint, after which analysts may pivot into tools like Maltego for link analysis or geolocation tools when location exposure is part of the assessment.

CEH v13 emphasizes that insecure deserialization is one of the most dangerous application vulnerabilities because it can lead to arbitrary code execution, bypassing authentication, authorization, and session protections entirely.

Even with MFA, encrypted cookies, and WAFs, deserialization flaws allow attackers to manipulate serialized objects used in session handling. When deserialized without validation, these objects may execute attacker-controlled code.

CSRF relies on authenticated users. Side jacking is mitigated by encryption. Session fixation is ineffective if session regeneration and MFA are implemented. Insecure deserialization, however, attacks the application logic itself, making it the most effective option.

Thus, Option D is correct.

This scenario represents a Tautology-Based SQL Injection, a fundamental SQL injection technique covered under the Web Application Hacking module in the CEH v13 curriculum. The defining characteristic of this attack is the injection of a condition that always evaluates to TRUE, thereby bypassing authentication or authorization controls.

In the given example, the injected input 1 OR ' T ' = ' T ' ; -- manipulates the logical condition of the SQL query. A typical vulnerable login query may resemble:

SELECT * FROM users WHERE user_id = 1 AND password = ' input ' ;

When the attacker submits the injected payload, the resulting SQL statement becomes:

SELECT * FROM users WHERE user_id = 1 OR ' T ' = ' T ' ; -- ' ;

The expression ' T ' = ' T ' is a tautology, meaning it always evaluates to TRUE regardless of context. As a result, the database returns records without properly validating the user’s credentials, granting unauthorized access.

According to EC-Council CEH v13, tautology-based SQL injection is classified as a Boolean-based injection technique where attackers exploit improper input validation to alter the logical flow of SQL queries. This attack does not depend on database error messages (as in Error-Based SQL Injection), does not extract data using UNION statements (Union-Based SQL Injection), and does not rely on response delays (Time-Based Blind SQL Injection).

CEH v13 emphasizes that such attacks are especially effective against login forms and authentication mechanisms when developers fail to implement input sanitization, parameterized queries, or prepared statements. This attack is one of the most common and exam-tested SQL injection types because it clearly demonstrates how flawed logic can compromise application security without advanced techniques.

Understanding tautology-based SQL injection is critical for ethical hackers, as it forms the foundation for identifying and mitigating more complex SQL injection variants.

CEH identifies brute-force cryptanalysis as a method in which an attacker systematically tests every possible key, password, or passphrase until the correct one is found. When an attacker obtains initial bytes from an encrypted container—often referred to as known plaintext—they can use this to validate attempts as the tool iterates through candidate keys. Automated brute-force tools compare decrypted results with known header patterns, file signatures, or expected byte structures to determine when the correct key is reached. This process aligns precisely with brute-force password testing described in CEH cryptography modules. Quantum solving is not part of CEH scope, digest comparison relates to collision attacks, and analyzing output length pertains to padding oracle detection. The correct classification is automated brute-force cryptanalysis.

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.

A low-and-slow scanning technique spreads probe attempts over long intervals, reducing the chance of triggering IDS signatures that rely on detecting rapid or high-volume scans. CEH highlights timing-based evasion as an effective method for reconnaissance against networks with strict perimeter controls.

The correct answer is D. Application Keylogger because the scenario describes keystroke capture from desktop applications on a Windows workstation without installing kernel drivers and without requiring physical access or browser-level script injection. In CEH-aligned keylogger classifications, an application (user-mode) keylogger operates at the application layer by using user-space techniques such as hooking common Windows APIs (for example, keyboard input functions and message-handling routines) to intercept keystrokes as they are processed by applications. This enables logging of credentials typed into local programs, draft emails written in desktop clients, and sensitive text entered into business tools—exactly the outcome Tyler observed.

The question provides two strong eliminators. First, it states no kernel drivers were installed, which rules out kernel keyloggers that capture input at the kernel level (often requiring driver installation and deeper OS integration). Second, it states the attack did not require browser injection, which rules out a JavaScript keylogger (typically implemented by injecting script into a web page/application to capture form inputs within a browser session). It also explicitly notes that there was no physical device access, which rules out a hardware keylogger (a physical device placed between keyboard and computer or embedded in a keyboard) that requires in-person installation.

Application keyloggers are frequently used in post-exploitation because they can be deployed quickly with standard user-level privileges (though higher privileges may expand coverage), can target a broad range of applications, and can run covertly. From a defense perspective, monitoring for suspicious API hooking behavior, unusual process injection, abnormal input-capture patterns, and endpoint controls that detect credential access techniques are common countermeasures.

Therefore, given the constraints and the observed logging of desktop application input, the most likely keylogger type is an application keylogger.

In Certified Ethical Hacker cloud computing coverage, the essential characteristics of cloud services align with the widely adopted NIST cloud model. The requirement in this scenario is twofold: efficient sharing of resources across multiple users and the ability to scale to meet spikes in demand such as Black Friday traffic. The cloud characteristic that directly addresses efficient sharing is resource pooling. Resource pooling means the cloud provider aggregates compute, storage, memory, and network resources into a shared pool that serves multiple customers using a multi-tenant model. Resources are dynamically assigned and reassigned according to consumer demand, which enables rapid scaling without requiring the organization to purchase and install new physical infrastructure for each surge.

This matches the scenario’s emphasis on optimizing resource allocation and ensuring scalability. With resource pooling, the platform can draw from shared infrastructure capacity when demand rises and release it when demand drops, improving efficiency and cost effectiveness. In CEH terms, this also influences security considerations such as tenant isolation, hypervisor security, and access control, because multiple customers may rely on the same underlying physical hardware while remaining logically separated.

The other options are not the best match for “efficiently shared across multiple users.” Measured service focuses on metering and pay-as-you-go billing. Broad network access describes availability over networks and standard client platforms. On-demand self-service refers to a consumer’s ability to provision resources automatically without human interaction from the provider. Those are important cloud traits, but the one that specifically enables shared infrastructure and elastic allocation is resource pooling.

According to the CEH Network and Perimeter Security module, one of the most effective and widely used firewall evasion techniques is the use of encrypted communication channels. When traffic is encrypted using protocols such as HTTPS, TLS, or VPN tunnels, traditional firewalls and packet-inspection tools may be unable to inspect payload contents unless SSL/TLS inspection is explicitly enabled.

CEH documentation explains that attackers commonly encrypt command-and-control (C2) traffic to:

Blend in with legitimate encrypted traffic

Bypass content-based inspection

Evade signature-based detection

Option B is therefore correct.

Option A (IP spoofing) is less effective against stateful firewalls.

Option C is a human-focused attack, not firewall evasion.

Option D has no relevance to firewall bypass techniques.

CEH highlights encryption misuse as a major blind spot in perimeter defenses.

An HTTP GET POST attack is the most likely answer because the key indicator in the scenario is the measurement unit and behavior: 398 million requests per second. In CEH-aligned DoS and DDoS coverage, volumetric network-layer attacks like SYN floods are typically discussed in packets per second or bits per second, and they primarily exhaust connection tables or bandwidth at Layer 3 and Layer 4. By contrast, an HTTP flood targets Layer 7 and is commonly measured in requests per second because the attacker is sending large volumes of seemingly valid web requests. This overwhelms web servers, application stacks, and upstream components such as reverse proxies, load balancers, and API gateways, leading to degraded performance and dropped sessions, exactly as described when “active connections drop unexpectedly.”

The mention of “customer-facing platforms” and “numerous compromised devices” also matches typical botnet-driven application-layer flooding, where many distributed sources generate massive HTTP request rates to evade simple IP-based blocking. A TCP SACK panic attack is a vulnerability-triggered crash condition related to TCP handling, not a request-rate spike scenario. An RST attack involves sending TCP reset packets to tear down sessions, which would not normally present as an extreme requests-per-second event in server logs.

Therefore, the evidence most strongly supports an application-layer DDoS: an HTTP GET POST flood designed to exhaust server and application resources and cause intermittent service disruption.

The CEH IDS/IPS Evasion module describes packet fragmentation as a common evasion technique used to bypass signature-based detection.

Option B is correct.

Other options represent different attack categories.

CEH highlights reassembly normalization as a countermeasure.

According to the Certified Ethical Hacker (CEH) attack methodology, once reconnaissance, footprinting, and website mirroring have been completed, the attacker proceeds cautiously to exploitation while maintaining stealth. CEH documentation emphasizes that low-noise, application-layer attacks are preferable when the objective is to minimize detection.

Option B, attempting SQL Injection, aligns directly with CEH’s Web Application Hacking module. SQL Injection is a server-side attack that can often be executed through normal-looking HTTP requests, making it less likely to trigger intrusion detection systems (IDS) or security alerts. CEH materials highlight SQL injection as a common and effective technique for extracting sensitive data such as usernames, passwords, and business-critical information without disrupting server operations.

Option A is incorrect because immediately modifying server configuration files after session hijacking significantly increases the risk of detection. CEH guidelines stress post-exploitation restraint, especially during red team operations.

Option C is not ideal at this stage because automated vulnerability scanners generate substantial traffic and are highly detectable. CEH explicitly notes that vulnerability scanning is noisy and often logged.

Option D is the least stealthy option. Brute-force attacks generate numerous failed authentication attempts, triggering security alerts and account lockouts. CEH classifies brute-force attacks as high-risk and easily detectable.

Therefore, SQL Injection represents the most effective and stealthy next step in accordance with CEH’s structured attack lifecycle.

The directory that contains the publicly accessible web content—including HTML pages, images, JavaScript, CSS, and other client-side assets—is known as the Document Root. This is the base filesystem path that a web server maps to the “/” location of a website. When a user requests a resource (for example, https://site.com/index.html), the web server typically resolves that URL path to a file under the configured document root and then serves it to the client (subject to access controls and server configuration).

The scenario’s details match this precisely: Jake identifies “the directory that stores the publicly accessible website content,” and notes that it is a frequent attacker target due to risks from improper permissions. Document root security is critical because overly permissive read or browse access can expose files that were never intended to be public—such as backups, configuration files, temporary files, source code archives, or sensitive data accidentally placed in web-accessible paths. Misconfigurations can also enable directory listing, allowing attackers to enumerate and retrieve files directly. Attackers often probe for common filenames (e.g., old .zip backups, .bak files, exposed .env files, or test pages) precisely because document root is where such mistakes become externally reachable.

Why the other options are less accurate:

An Application Server (A) runs server-side application logic (e.g., Java/.NET app containers) and is not specifically the directory of static public web content.

The HTTP Server (Core) (C) refers to the web server software/service handling HTTP requests, not the content directory itself.

A Virtual Document Tree (D) describes the logical structure mapping URLs to resources (sometimes via aliases and virtual hosts), but the question asks for the directory that stores the publicly accessible content—this is the document root.

Therefore, Jake is analyzing B. Document Root.

CEH v13 explains that LDAP enumeration is often restricted by Access Control Lists (ACLs). Sensitive directory objects and attributes are frequently protected to prevent unauthorized disclosure.

Even when LDAP is accessible, ACLs can limit the visibility of users, groups, and configuration data.

This technique is known as Boolean-Based Blind SQL Injection, as defined in CEH v13 Web Application Hacking. When applications suppress database errors and return generic responses, attackers use conditional statements to infer database behavior.

By comparing responses to true (1=1) and false (1=2) conditions, the attacker deduces whether injected SQL is being executed successfully.

CEH v13 distinguishes this from:

Error-based SQLi (visible DB errors)

UNION-based SQLi (data extraction)

Time-based SQLi (response delays)

Boolean-based blind SQL injection relies solely on content differences, making option C correct.

The Certified Ethical Hacker (CEH) Malware Threats module explains that attackers often abuse legitimate system services to blend malicious traffic with normal system behavior. Background Intelligent Transfer Service (BITS) is a Windows service designed to transfer files in the background using idle network bandwidth.

Attackers leverage BITS because its traffic closely resembles legitimate Windows Update traffic, which is commonly allowed through firewalls and proxy servers. CEH documentation states that BITS-based malware can download payloads, upload stolen data, and maintain persistence without triggering security alerts.

Option A is correct because BITS traffic appears legitimate and trusted, making it difficult for security devices to distinguish malicious usage.

Option B is incorrect because BITS does not operate exclusively through HTTP tunneling; it primarily uses HTTP/HTTPS in a legitimate manner.

Option C is incorrect because IP fragmentation is not a core feature of BITS.

Option D is incorrect because BITS does not rely on encrypted DNS traffic.

CEH emphasizes that living-off-the-land (LotL) techniques—using native tools like BITS—are increasingly favored by attackers due to their stealth and reliability.

In CEH’s Cloud Computing module, one of the most common real-world causes of cloud data exposure is misconfiguration, especially overly permissive network access controls. Cloud platforms commonly use constructs like security groups / firewall rules / network ACLs to define inbound and outbound access. CEH highlights that exposing sensitive services (databases, storage endpoints, admin panels) to the public internet—whether by “0.0.0.0/0” rules, overly broad ports, or unintended administrative access—frequently results in unauthorized access and data leakage even without sophisticated exploit chains.

Option D is therefore the most likely, because misconfigured security groups can directly expose customer data stores or management interfaces, enabling data theft through normal connectivity rather than exploiting a rare hypervisor flaw.

Option A (hypervisor side-channel attack) is advanced and less common; it typically requires high attacker capability and conditions not implied here. Option B (DoS) impacts availability, not confidentiality, so it doesn’t best explain data exposure. Option C (brute force passwords) is possible, but the question emphasizes an “unknown vulnerability” in the cloud environment—CEH teaching often frames “unknown vulnerability” in cloud incidents as misconfiguration or uncontrolled exposure rather than authentication guessing alone.

CEH countermeasures include least-privilege security group rules, segmentation, continuous configuration monitoring, cloud security posture management, and auditing publicly exposed resources.

The Certified Ethical Hacker (CEH) Footprinting and Reconnaissance module defines Google Hacking, also known as Google Dorking, as the use of advanced search operators to uncover sensitive information unintentionally exposed on the public internet. This technique remains passive, making it ideal during early reconnaissance.

Google Hacking can reveal:

Exposed configuration files

Backup files (.bak, .old, .zip)

Error messages and stack traces

Source code fragments and scripting errors

These findings often indicate coding weaknesses or insecure configurations within a web application. CEH explicitly highlights Google Dorking as an effective way to identify web application weaknesses without scanning or exploiting the target directly.

Option C is correct because Google Hacking is commonly used to identify coding and configuration weaknesses exposed through indexed files.

Option A may be possible indirectly but is not the primary justification.

Option B is incorrect because Google does not index the Deep Web.

Option D involves internal network discovery, which Google Hacking cannot directly achieve.

CEH emphasizes Google Hacking as a powerful passive reconnaissance technique for discovering exposed vulnerabilities.

Google Hacking, also known as Google Dorking, is a passive reconnaissance technique covered in CEH v13 Reconnaissance Techniques. It involves using advanced search operators to uncover sensitive information that has been inadvertently indexed by search engines.

CEH v13 explains that Google Hacking can reveal exposed files, directories, configuration files, backups, login portals, error messages, and sensitive documents. This information often resides on the Deep Web, meaning it is not easily accessible through normal browsing but is still indexed by search engines.

Option D correctly reflects this capability. Google Hacking does not analyze source code directly (Option A), map internal networks (Option C), or primarily detect phishing sites (Option B), although it may indirectly assist with those tasks.

Because Google Hacking relies solely on publicly available data and does not interact directly with target systems, it fits perfectly within passive footprinting, making it legally and ethically appropriate when authorized.

CEH v13 emphasizes Google Hacking as a powerful method to identify unintended data exposure. Therefore, Option D is the correct justification.

CEH v13 discusses various credential extraction and authentication abuse techniques, including approaches that avoid LSASS memory due to modern protections like Credential Guard. The Internal Monologue technique is a specialized credential-harvesting approach that leverages the Windows SSPI authentication stack to coerce the local system into generating NetNTLM challenge-response hashes without requiring direct access to LSASS. This allows attackers to obtain legitimate NTLM responses entirely within the user’s security context. These captured responses can then be cracked offline using tools such as Hashcat. Unlike replay attacks (Option B), Internal Monologue is not about reusing captured traffic. Hash injection (Option C) requires possession of NT hashes and modifies authentication tokens, which does not occur here. Pass-the-ticket (Option D) targets Kerberos, not NTLM. Therefore, the correct technique is the Internal Monologue attack.

Man-in-the-Cloud (MITC) attacks target cloud synchronization services such as Dropbox, Google Drive, and OneDrive by manipulating authentication tokens instead of user passwords. CEH courseware explains that cloud storage clients rely heavily on sync tokens stored locally, which authorize access without user interaction. If an attacker replaces or injects a malicious token, they can hijack the victim’s cloud account or redirect synced data to attacker-controlled locations. In this scenario, the EC2 instance continues to operate normally, but its Dropbox client silently synchronizes data to an external account using the attacker’s token. This bypasses traditional defenses such as perimeter firewalls, credential monitoring, or user behavior analytics, because the synchronization process appears legitimate and authenticated. MITC attacks are uniquely stealthy, as they require no further compromise once the sync token is stolen or replaced. Other choices, such as Cloud Snooper or cryptojacking, do not match the described behavior. Therefore, this attack clearly aligns with a Man-in-the-Cloud attack.

Once the base DN is identified through LDAP namingContexts, CEH teaches that the next step in enumeration is to query the directory tree using this DN. This allows retrieval of users, groups, computers, and other AD objects. LDAP-based enumeration requires valid search filters rooted in the base DN.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.

CEH teaches that certain advanced intrusion evasion techniques rely on understanding how firewalls differentiate between new connections and established traffic. Most perimeter firewalls scrutinize SYN packets and initial HTTP requests but allow ACK packets from established sessions to pass with minimal filtering. ACK tunneling leverages this behavior by embedding malicious payloads inside ACK packets, which appear to be part of a legitimate, pre-established session. Because ACK packets are often considered " safe, " they bypass deep inspection engines, intrusion detection systems, and application-layer gateways. This method allows attackers to move data or commands covertly between compromised internal systems and external hosts. CEH references such evasion strategies when discussing bypassing stateful firewalls and making malicious traffic appear legitimate. Port knocking and SYN scans would initiate new connections—precisely what the firewall is heavily inspecting. ICMP flooding is noisy and easily detected. ACK tunneling is specifically designed for stealth and is aligned with red team tradecraft for avoiding packet-level inspection mechanisms.

The correct answer is Ciphertext-only attack. CEH cryptography coverage defines this attack as a situation in which the attacker has access only to encrypted data and not to the corresponding plaintext. The attacker attempts to derive useful information, recover plaintext patterns, or eventually infer the key by analyzing the ciphertext itself. That is exactly what the question describes: the adversary obtained encrypted database backups but not the keys and not the original plaintext records, and the specialist is considering whether the attacker is examining the encrypted output in isolation for structural clues or repetition. Known-plaintext attacks require access to both plaintext and matching ciphertext. Chosen-plaintext attacks involve the attacker selecting input to be encrypted, while chosen-ciphertext attacks involve selecting ciphertext for decryption attempts. None of those fit the scenario. CEH materials emphasize that ciphertext-only analysis is the most basic cryptanalytic model because it assumes the least attacker knowledge apart from the encrypted material itself. Since the exposure here is limited to intercepted ciphertext with no confirmed access to plaintext or decryption capability, the best match is a ciphertext-only attack.

CEH defines ethical hacking as the authorized, structured, and permission-based process of identifying vulnerabilities to strengthen an organization’s security posture. Ethical hackers operate under a signed scope-of-work and follow legal boundaries. Malicious hackers, by contrast, exploit systems without permission, often with harmful or criminal intent. CEH emphasizes that both ethical and malicious hackers may use similar tools, techniques, and methodologies; the distinction lies entirely in authorization, intent, and legality. Ethical hacking is conducted to improve defenses, while malicious hacking targets exploitation, theft, or disruption. Nothing in CEH materials suggests that toolsets or work styles distinguish the two groups; permission and lawful operation remain the central differentiators.

Passive reconnaissance involves gathering information without directly interacting with the target. WHOIS, search engines, and social media are all passive techniques highlighted in CEH v13 Reconnaissance.

Nmap scanning, however, actively probes target systems and generates traffic that can be logged and detected. This makes it an active reconnaissance technique.

Therefore, Option D is least useful in a passive phase.

CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like “certrcx” or storing content under “/admin/web”) may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control. If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.

Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.

Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn’t fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself—an open-source stack can still be insecure if misconfigured or unpatched.

Therefore, CEH-aligned best practice is regular patching and updates.

CEH v13 outlines insertion attacks as IDS evasion methods in which attackers send packets deliberately crafted so that the IDS processes them differently from the target host. In an insertion attack, malformed packets appear legitimate to the IDS—allowing malicious traffic to blend with benign inspection results—while the end host rejects or modifies the packets due to incorrect checksums, invalid flags, or protocol inconsistencies. As a result, the IDS sees one set of reconstructed data, while the actual host processes a different version or nothing at all. CEH emphasizes that intrusion detection systems may not follow full TCP/IP stack validation, making them susceptible to deception by malformed or borderline-conformant packets. Polymorphic shellcode (Option B) changes payload signatures, not packet structure. Session splicing (Option C) splits payload across packets to evade pattern matching but does not rely on checksum manipulation. Fragmentation attacks (Option D) divide traffic into smaller fragments, not alter validity fields. The described behavior fits insertion attacks precisely.

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

CEH v13 explains that multi-vector DDoS attacks, especially those combining volumetric reflection (DNS amplification) with application-layer exhaustion (Slowloris), require multi-layered mitigation. Standard firewalls and IPS devices cannot handle large-scale distributed attacks without causing collateral damage to legitimate traffic. CEH emphasizes the need for hybrid DDoS protection, combining on-premises appliances for real-time local filtering with cloud-based scrubbing centers capable of absorbing massive volumetric floods. Cloud scrubbing removes malicious traffic upstream, while on-prem devices mitigate application-layer anomalies. Increasing bandwidth (Option A) is ineffective against reflection attacks. IPS (Option B) cannot handle Slowloris-style partial requests at scale. Blocking all external DNS/HTTP (Option C) would deny service to legitimate users. The correct CEH-aligned solution is hybrid DDoS mitigation services.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use, attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories. CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window. The other options—certificate validation, integer overflow, and null pointer dereference—do not involve timing-based race conditions. The scenario exactly matches CEH’s description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.

Passive reconnaissance focuses on collecting intelligence without interacting with the target ' s systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.

CEH v13 identifies Man-in-the-Browser (MitB) attacks as one of the most dangerous and difficult-to-detect session hijacking techniques, especially in online banking environments. In MitB attacks, malware operates inside the user’s browser, intercepting and manipulating transactions in real time.

Unlike XSS or session fixation attacks, MitB bypasses server-side security controls entirely. Even strong encryption, multi-factor authentication, and secure cookies are ineffective because the attack occurs after authentication, within a trusted session.

Passive sniffing is limited by encryption, and session fixation relies on poor session management. Covert XSS requires injection points and is more easily mitigated.

CEH v13 emphasizes that MitB attacks can modify transaction details without user awareness, making detection extremely difficult. Therefore, Option B is correct.

CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A < IP > retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles—all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

The CEH Network Scanning module explains that ICMP Echo Requests are often filtered or blocked by firewalls, routers, or host-based security controls as a defensive measure to reduce reconnaissance exposure.

When systems fail to respond to ICMP Echo Requests but continue to function normally for other services, CEH indicates that this behavior typically means ICMP traffic is being blocked, not that the host is offline or compromised.

Option B is correct.

Option A would affect all services.

Option C lacks supporting indicators.

Option D is speculative and unreliable.

CEH emphasizes that ICMP filtering is common in hardened networks.

This scenario is a textbook example of a Whaling Attack, a highly targeted phishing technique described in the CEH v13 Social Engineering module. Whaling specifically targets senior executives or high-ranking individuals, exploiting their authority, access privileges, and decision-making roles.

In the given case, the attacker crafts a personalized email, impersonates the CEO, and uses legitimate corporate branding to build trust. The malicious PDF attachment delivers a backdoor, aligning with CEH v13 descriptions of advanced spear-phishing techniques used against executives.

CEH v13 differentiates whaling from other phishing types:

Broad phishing targets large groups indiscriminately.

Pharming redirects users via DNS manipulation.

Email clone attacks copy legitimate emails but typically target peers, not executives.

Whaling attacks are particularly dangerous because executives often bypass security scrutiny and possess elevated system access. CEH v13 emphasizes executive awareness training as a key mitigation strategy.

Therefore, the correct answer is Whaling attack aimed at high-ranking personnel.

Rachel is using the Ping method for sniffer detection. The distinguishing behavior in the scenario is that she sends ICMP echo requests (pings) crafted so that the Layer 2 MAC address is incorrect/mismatched, while the Layer 3 IP destination is correct. Under normal circumstances, a host’s network interface card (NIC) should drop frames not addressed to its MAC address. However, when a NIC is set to promiscuous mode (as sniffers often require), it can accept frames regardless of destination MAC and pass them up the stack. If the operating system then processes the encapsulated IP packet and responds (e.g., sends an ICMP echo reply), that response suggests the host is accepting frames it normally would ignore—an indicator consistent with promiscuous mode sniffing.

This technique is used as a heuristic: by intentionally violating normal Ethernet delivery rules and observing whether the target still responds, you can infer that the interface may be capturing traffic not explicitly addressed to it. It’s not perfect—modern drivers, switches, VLAN configurations, and host firewall behavior can affect results—but the scenario’s “mismatched MAC but correct IP” plus “the suspected machine responds” is the classic signature of the ping-based promiscuous-mode test.

Why the other options are less suitable:

ARP method (B) typically involves ARP-based tricks (non-broadcast ARP requests or crafted ARP traffic) to test how the target responds; the scenario explicitly describes ICMP behavior.

DNS method (C) relates to DNS queries/resolution behavior and does not match the ICMP/MAC mismatch test.

Nmap sniffer-detect (NSE) (D) is a specific scripted approach, but the question asks for the underlying technique being used; the described action matches the Ping method.

Therefore, the correct answer is A. Ping Method.

MAC flooding is a Layer 2 attack described in CEH v13 Network and Perimeter Hacking, where attackers overwhelm a switch’s CAM table with fake MAC addresses. Once the table is full, the switch behaves like a hub, forwarding traffic to all ports.

The most definitive indicator of MAC flooding is numerous MAC addresses learned on a single switch port, which is abnormal behavior in a properly segmented network. CEH v13 identifies this condition as a key forensic indicator of CAM table exhaustion.

ARP anomalies may occur, but they are more commonly associated with ARP spoofing attacks. IP-to-MAC inconsistencies indicate MITM attacks, not MAC flooding.

Thus, option C is the clearest confirmation.

The correct answer is MX. CEH reconnaissance material explains that MX, or Mail Exchange, records identify the mail servers responsible for receiving email for a domain. When a tester wants to understand how an organization handles incoming email traffic, MX records are the most relevant DNS data source because they reveal the designated mail infrastructure and often the priority order of mail servers. In this scenario, the objective is to gather passive intelligence about communication infrastructure without performing active network probing, so querying DNS records is appropriate. SOA records provide domain authority and zone administration information, TXT records often contain verification or policy-related text such as SPF details, and NS records identify authoritative name servers. While those can all contribute to broader reconnaissance, they do not directly answer which systems are responsible for receiving mail. CEH emphasizes that MX records are commonly used during footprinting to identify email infrastructure, support phishing simulations, analyze third-party mail providers, or map communication dependencies. Because the question explicitly asks for the DNS record type that reveals mail server configuration, MX is the correct choice.

Local File Inclusion vulnerabilities arise when a web application incorporates user-supplied input into file-handling functions without proper sanitization. CEH courseware emphasizes that attackers can leverage directory traversal sequences (such as ../../) to escape the intended directory structure and access sensitive local files. An LFI payload commonly targets system files like /etc/passwd on Linux to extract user information or escalate the attack further.

CEH explains that MAC flooding overwhelms a switch’s CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

The correct answer is A. HTTP Response Splitting Attack because the scenario describes a flaw where one crafted request is interpreted in a way that causes the server (or an intermediary) to treat it as two separate HTTP messages, enabling the attacker to inject malicious data into the HTTP response stream. This is a classic input validation and header injection issue, typically involving the insertion of carriage return and line feed (CRLF) characters (\r\n) into user-controlled input that is later placed into HTTP headers (for example, in redirects, cookies, or custom headers). By injecting CRLF sequences, an attacker can “split” the server’s response: the first part completes a legitimate response header section, and the injected content begins a second, attacker-controlled response.

This aligns with the prompt’s emphasis that “a single crafted request is processed as two separate ones,” which is the fundamental mechanic of response splitting—turning one transaction into multiple interpreted HTTP entities. Once response splitting is possible, attackers may set or manipulate headers (such as Set-Cookie), inject arbitrary content, perform cross-user defacement, facilitate cache poisoning, or enable more effective delivery of client-side attacks by making browsers or proxies store and serve malicious content.

The question also frames it alongside XSS, CSRF, and SQL injection as “input validation flaws.” That matches response splitting’s root cause: insufficient sanitization/validation of untrusted input before including it in HTTP headers or responses.

Why the other options are incorrect: Password cracking is unrelated to HTTP parsing and input validation. Directory traversal abuses path handling to access files (e.g., ../) and does not involve splitting HTTP messages. Web cache poisoning can be a consequence of response splitting, but the described behavior—splitting a single request/response into two—most directly identifies HTTP response splitting as the demonstrated attack.

The CEH Footprinting and Reconnaissance module highlights Google Alerts as a key passive reconnaissance tool for monitoring changes in web content, news, and online mentions.

Option B is correct.

Option A is active engagement.

Option C aids anonymity but not monitoring.

Option D is illegal and unethical.

CEH strongly promotes automated alerting for competitive intelligence.

This scenario most accurately represents repackaging legitimate apps. CEH mobile social engineering coverage explains that in a repackaging attack, an adversary takes a real application, modifies its internal code or structure to include malicious functionality, and redistributes it through a third-party marketplace. The important clues here are that the app appears visually and functionally identical to the legitimate version, yet sandboxing reveals additional outbound activity and binary comparison confirms structural differences from the official build. That pattern is stronger than merely publishing a look-alike malicious app, because the question indicates there are two versions of what is essentially the same application and the unofficial copy has been altered. Smishing involves fraudulent SMS messages and fake security applications typically masquerade as protective tools, neither of which matches this case. CEH warns that unofficial application stores are a common distribution point for repackaged mobile apps because attackers can embed spyware, adware, credential theft code, or other malicious logic into otherwise trusted software. The user often sees a familiar interface and therefore assumes the application is safe, making repackaging a highly effective mobile-based social engineering method.

CEH v13 defines a penetration tester as an authorized security professional whose responsibility is to identify, exploit, and report vulnerabilities within an organization’s systems, networks, applications, and processes. Unlike malicious hackers, penetration testers operate strictly within legal boundaries, under documented Rules of Engagement (RoE), and with explicit written permission from the organization. Their goal is not to harm systems but to simulate real-world cyberattacks to help organizations strengthen their defenses. CEH emphasizes the ethical responsibilities of penetration testers, including maintaining confidentiality, avoiding unauthorized data exposure, ensuring minimal operational impact, and providing actionable recommendations. Options B, C, and D describe malicious actors, malware authors, or unauthorized attackers—roles opposite to that of an ethical penetration tester. CEH makes a strong distinction between white-hat ethical hackers and black-hat attackers, with penetration testers firmly falling under the ethical, lawful category. Therefore, Option A accurately reflects CEH’s definition of a penetration tester.

The CEH v13 courseware states that insecure communication occurs when mobile applications transmit sensitive data over unencrypted or weakly encrypted channels, exposing information to interception. When an application uses plain HTTP or does not properly validate certificates, attackers can place themselves between the client and server using a man-in-the-middle (MitM) attack. This allows them to read session tokens, credentials, API keys, or personal user data as it travels across the network. CEH materials emphasize that MitM attacks are the primary exploitation technique for insecure data transmission because they exploit weaknesses in transport-layer security rather than weaknesses in backend code or authentication mechanisms. SQL injection and CSRF attacks target web application logic, not transport encryption. Brute-force attacks target authentication mechanisms and are unrelated to how data is transmitted. Therefore, the most effective exploitation method is intercepting traffic via MitM to capture or manipulate unencrypted communications.

The symptoms point directly to a Slowloris attack, which CEH materials classify as an application-layer denial-of-service technique that targets web servers by exhausting their available concurrent connection slots rather than saturating bandwidth. In a Slowloris attack, the attacker opens many HTTP or HTTPS connections to the server and then keeps them alive as long as possible by sending partial, incomplete HTTP requests or very slow header transmissions at timed intervals. Because the requests are never fully completed, the server keeps the connections open, waiting for the remainder of the request. Over time, the server’s maximum connection limit is consumed, and legitimate users cannot establish new sessions, even though overall network traffic may remain relatively low.

That exact pattern is described in the scenario: the server is “struggling to accept new connections,” the “maximum connection limit is nearly reached,” and there is “no significant spike in overall network traffic.” This is a classic indicator of low-and-slow DoS behavior, which can be harder to detect because it does not resemble a high-volume flood.

A SYN Flood attack can also exhaust connection resources, but it typically creates a large number of half-open TCP connections and is usually more apparent in network-level telemetry and SYN backlog behavior. A UDP Flood generally causes a noticeable traffic spike. “Peer-to-Peer Attack” describes a botnet architecture style, not the specific technique used here. Therefore, the attack being simulated is Slowloris.

The behavior described matches the countermeasure commonly referred to in CEH materials as escaping or encoding special characters, most notably the single quote character. SQL injection frequently relies on breaking out of a quoted string in the SQL statement using the single quote, then appending logical operators such as OR 1=1, comments, or additional clauses. When an application replaces special characters with escaped equivalents before the SQL statement is executed, it attempts to ensure the input is treated purely as data rather than executable SQL syntax. A classic example is transforming a single quote into an escaped form such as \ ' or doubling it to ' ' depending on the database and escaping rules. By doing so, the database parser interprets the quote as part of the literal string value, preventing the attacker from terminating the string and altering query logic.

Option B is therefore the best fit because it precisely describes encoding or escaping the single quote, which is the most commonly targeted delimiter in SQL injection payloads. Option A, user input validation, is broader and typically refers to allowlisting accepted characters and formats, but the question specifically emphasizes replacement with escaped equivalents rather than rejecting invalid input. Option D, parameterized queries or prepared statements, is the strongest modern control recommended in CEH guidance because it separates code from data at the API level, but it is different from character escaping and does not rely on rewriting input characters. Option C limits damage but does not prevent injection. The observed mechanism is clearly single-quote encoding.

Google Hacking, also known as Google Dorking, is a passive reconnaissance technique covered in CEH v13 Reconnaissance Techniques. It involves using advanced search operators to uncover sensitive information that has been inadvertently indexed by search engines.

CEH v13 explains that Google Hacking can reveal exposed files, directories, configuration files, backups, login portals, error messages, and sensitive documents. This information often resides on the Deep Web, meaning it is not easily accessible through normal browsing but is still indexed by search engines.

Option D correctly reflects this capability. Google Hacking does not analyze source code directly (Option A), map internal networks (Option C), or primarily detect phishing sites (Option B), although it may indirectly assist with those tasks.

Because Google Hacking relies solely on publicly available data and does not interact directly with target systems, it fits perfectly within passive footprinting, making it legally and ethically appropriate when authorized.

CEH v13 emphasizes Google Hacking as a powerful method to identify unintended data exposure. Therefore, Option D is the correct justification.

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

WPA2-PSK networks authenticate users using a pre-shared key derived from a passphrase. After capturing the 4-way handshake, CEH teaches that the standard and most effective method to recover the key is to perform an offline dictionary attack, where wordlist entries are hashed and compared against the captured handshake values. Offline cracking avoids detection and is significantly faster than brute-force attempts.

An Evil Twin access point is a malicious wireless access point that impersonates a legitimate Wi-Fi network by copying its SSID and often mimicking other observable characteristics such as security settings and signal behavior. In CEH-aligned wireless attack coverage, the goal is to trick users into connecting to the attacker-controlled AP instead of the real one. Once a victim device associates, the attacker can perform man in the middle interception, capture credentials, observe sensitive traffic, and potentially downgrade protections if the victim is not properly validating the network.

This scenario strongly matches an Evil Twin because the tablet connects to an access point “broadcasting a name and signal similar to the hospital’s secure Wi-Fi,” and Sarah finds an unauthorized device capturing sensitive traffic from connected systems. That combination indicates active impersonation and client deception, not merely an accidental device. A rogue AP is typically an unauthorized access point connected to the internal network, often deployed by employees for convenience, and may not be designed to impersonate the official SSID to lure clients. A misconfigured AP refers to an access point with weak settings or improper security controls, not an attacker-created clone. A honeypot AP is a deliberate decoy set up by defenders to attract attackers, which is the opposite of what is described.

Mitigations emphasized in CEH best practices include using WPA2 Enterprise or WPA3 Enterprise with certificate validation, enabling protected management frames where supported, deploying wireless intrusion detection and prevention to identify spoofed SSIDs and BSSID anomalies, disabling auto-join where possible, and training users to report suspicious network prompts or unexpected reconnect behavior.

Tautology-based SQL injection tests, such as using ' OR ' 1 ' = ' 1, are safe and effective methods to verify whether SQL queries are being manipulated by user input. CEH emphasizes avoiding destructive queries and using logical expressions that return all rows if injection is successful.

The correct answer is B. Testing String because the scenario describes a classic SQL injection detection approach where the tester submits special characters and malformed input strings—most notably single quotes ( ' )—to observe how the application processes them and whether it produces database error feedback. In SQL injection discovery, inserting a single quote (or multiple quotes) into a parameter commonly breaks the intended SQL syntax if the input is concatenated into a query without proper validation/escaping or parameterization. When this happens, the backend database often returns error messages that may disclose critical information such as the DBMS type (e.g., MySQL, Microsoft SQL Server, Oracle), query fragments, and sometimes references to table/column names. That is exactly what you observed: “system feedback that unexpectedly reveals the database type and internal query structure.”

This method is specifically called “testing strings” in CEH-style SQL injection identification: using quote characters, delimiters, comment markers, and other metacharacters to see whether the application is vulnerable and whether errors or abnormal behavior occur. The goal is not to fully exploit the injection immediately, but to confirm whether input is being interpreted as part of an SQL statement and to collect clues that help the tester model the backend query and proceed with safe, authorized validation steps.

Why the other options are less accurate: Function testing is a broader web-testing concept and is not the specific SQLi detection tactic shown. Dynamic testing generally refers to testing an application while it is running to observe behavior, but it does not name this specific SQLi discovery technique. Fuzz testing involves sending large volumes of random or semi-random unexpected inputs to trigger crashes or errors; while multiple quotes could be part of fuzzing, the described method is the targeted, well-known SQLi testing string approach used to elicit informative SQL errors.

Therefore, the method being employed is Testing String.

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.

CEH cloud modules explain that side-channel attacks exploit indirect information leakage based on hardware characteristics—such as CPU timing, power usage, cache access patterns, or electromagnetic emissions. In virtualized cloud environments, multiple tenants share the same physical hardware, creating opportunities for attackers to extract sensitive data from neighboring virtual machines. By placing a malicious VM on the same host as the victim, an attacker can measure minute differences in timing during cryptographic operations, allowing them to infer private keys or sensitive computations. This aligns precisely with CEH’s definition of a side-channel attack. Cryptojacking involves unauthorized cryptocurrency mining, CPDoS targets caching layers rather than key extraction, and metadata spoofing manipulates cloud metadata endpoints. Only side-channel analysis matches the described attack behavior.

The command that best matches “directly interact with the NTP daemon and query its internal state,” enabling monitoring and retrieval of statistics, is ntpdc. Option C is correct because ntpdc is designed as a control/query utility for NTP that communicates with the NTP daemon using control messages. It can be used to request internal variables, statistics, and status information and to perform certain monitoring-style checks related to NTP daemon operation.

The scenario also gives a strong exclusion clue: Bob’s goal is not primarily to list peers with delay, offset, and jitter values. That peer listing is most closely associated with ntpq -p (option A), which prints peer relationships and timing metrics. Similarly, ntptrace (option B) is used to trace the chain of NTP servers (who is syncing from whom), which is not what Bob is seeking. Option D (ntpq with -c command) can query certain runtime details, but the question emphasizes a diagnostic command focused on controlling/checking daemon operation and retrieving internal stats—this description aligns more closely with ntpdc in many NTP administration and diagnostic workflows.

In practice, an assessor might use ntpdc to query items like system status, clock variables, and monitoring statistics from the daemon, which can help diagnose synchronization irregularities and understand how the NTP service is behaving internally. That aligns with “query its internal state” and “retrieve statistics.”

Therefore, the correct command is C. ntpdc [-ilnps] [-c command] [host].

Time-based blind SQL injection is used when applications suppress error messages and do not display query results. According to CEH v13, attackers rely on response time delays to infer whether injected SQL statements are executed.

The BENCHMARK() function forces the database to perform a CPU-intensive operation repeatedly, causing a noticeable delay if the injected condition is executed successfully. Option D explicitly introduces such a delay and is a textbook time-based blind SQL injection payload.

Options A, B, and C are used for union-based or boolean-based SQL injection and rely on visible output or content changes, which are ineffective in blind scenarios.

CEH v13 clearly states that time-delay functions such as SLEEP(), WAITFOR DELAY, and BENCHMARK() are the primary indicators for time-based blind SQL injection testing. Hence, Option D is correct.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization ' s infrastructure.

The correct option is B because it uses vendor-based MAC spoofing, which is the most direct way to make traffic appear to come from a device manufactured by a specific, recognizable vendor (in this case, “Dell”). In MAC addressing, the first portion of the MAC address is the OUI (Organizationally Unique Identifier), which identifies the vendor/manufacturer. Many security and asset tools perform lightweight device profiling by correlating observed OUIs with known vendors, and MAC-based logs may record or flag devices based on whether their OUIs match expected corporate endpoints.

Nmap supports MAC spoofing in a way that allows specifying a vendor name so the resulting MAC address is generated with an OUI associated with that vendor. This matches the requirement in the scenario: the tester wants the scan traffic to “blend in with legitimate devices” by adopting a vendor-associated identifier rather than using a random or obviously unusual MAC prefix.

Why the other options are less appropriate:

A provides only a partial prefix-like value (not a full MAC), and it does not explicitly map to a vendor name, making it less aligned with “specific hardware vendor” blending.

C uses 0 (zero), which is commonly associated with generating a random MAC rather than selecting a specific vendor identity; randomization does not guarantee blending with a chosen vendor’s footprint.

D supplies a full explicit MAC address; while this can spoof a MAC, it does not inherently express the intent to “appear as a specific vendor” unless you already know that exact MAC’s OUI belongs to the desired vendor. The question emphasizes selecting a vendor-associated identifier directly, which is exactly what option B does.

So, the best match for vendor-based disguise is B.

SHA-256 is a cryptographic hash function, and CEH v13 clearly states that hash functions alone provide data integrity, but not authenticity or non-repudiation. If attackers can modify data and recompute the hash, integrity checks will still pass.

The issue arises because SHA-256 does not prove who created or modified the data. To address this weakness, CEH v13 recommends using digital signatures, which combine hashing with asymmetric cryptography. A digital signature ensures:

Integrity (data has not changed)

Authentication (data was signed by a known entity)

Non-repudiation (the signer cannot deny the action)

Digital signatures work by hashing the data and encrypting the hash with the sender’s private key. Any modification to the data invalidates the signature.

Encryption alone (Options A and C) protects confidentiality, not integrity or authenticity. SSL/TLS (Option B) secures data in transit but does not protect stored data from tampering.

CEH v13 explicitly identifies digital signatures as the correct cryptographic control when integrity mechanisms alone are insufficient. Therefore, Option D is correct.

The vulnerability described is characteristic of XML External Entity (XXE) Injection. In CEH web application security coverage, XXE occurs when an application parses XML input without properly disabling external entity resolution. If the XML parser is configured insecurely, an attacker can define a malicious external entity that references local files or internal system resources. When the parser processes the XML document, it resolves the external entity and may return the contents of sensitive files in the server’s response.

The scenario clearly states that the issue arises from “handling of external references in document parsing” and results in exposure of internal file paths and database connection strings. This aligns directly with XXE behavior, where attackers leverage external entity declarations to retrieve local files such as configuration files, environment settings, or system credentials. In some cases, XXE can also enable server-side request forgery by forcing the server to make internal network requests.

The other options do not match the described behavior. Identification and authentication failures relate to improper access controls, not document parsing. HTTP response splitting involves manipulating headers to inject malicious responses. Security logging and monitoring failures refer to detection gaps, not data exposure through parsing. CEH-recommended mitigation strategies include disabling DTD processing, turning off external entity resolution in XML parsers, validating input formats, implementing least privilege on file access, and using secure parsing libraries that prevent XXE exploitation.

CEH v13 explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit using obfuscation is far more likely to evade detection.

Metasploit payloads and rootkits are commonly flagged, and SMS phishing relies on user interaction. Therefore, custom obfuscated exploit code is the most stealthy and effective method.

Broken Access Control is the correct choice because the scenario describes a user being able to access and modify resources that should be restricted to other users or roles. In CEH-aligned web testing, access control flaws occur when an application fails to enforce authorization checks consistently on the server side. Manipulating session parameters and then retrieving “sensitive medical records not associated with their own account” is a classic indicator of an authorization bypass, often seen as insecure direct object references, parameter tampering, or horizontal and vertical privilege escalation. Horizontal escalation is when one user accesses another user’s data at the same privilege level, while vertical escalation is when a user performs actions reserved for higher-privileged roles. The prompt explicitly states users can perform actions beyond assigned roles, which is the definition of broken authorization enforcement.

The other options do not align with the described root cause. Cryptographic Failures focuses on weak or missing encryption and does not explain why authenticated users can reach unauthorized records. Insecure Deserialization involves unsafe deserialization leading to remote code execution or data tampering via serialized objects, which is not indicated here. Security Misconfiguration is broader and can contribute to exposure, but the scenario emphasizes role and resource permission bypass rather than mis-set server headers, default accounts, or exposed admin interfaces.

Mitigation in CEH best practices includes enforcing server-side authorization on every request, using deny-by-default policies, validating that the authenticated user is allowed to access the specific record identifier, implementing robust role-based access control, logging access denials, and adding automated tests to prevent IDOR and privilege escalation regressions.

CEH v13 clarifies that nbtstat is used only for NetBIOS name table enumeration, not for listing shared resources. Tags such as < 20 > indicate file server services, but share enumeration requires tools like net view or SMB enumeration utilities.

Thus, the inability to list shares is due to tool limitation, not service configuration. Option C is correct.

The correct answer is A. Passive attack because the activity described involves monitoring and capturing information without altering data, system resources, or communications. In CEH-aligned information security concepts, passive attacks are defined by the attacker’s goal of eavesdropping—observing traffic to collect intelligence such as usernames/passwords, session identifiers, network patterns, or sensitive content—while making minimal changes that would trigger detection. The scenario explicitly states that the actor is “silently capturing clear-text credentials” and “analyzing unencrypted traffic,” and that “no modifications have been made to the data.” These are signature indicators of passive attacks such as packet sniffing and traffic analysis.

On an internal Wi-Fi network, passive attacks are particularly effective when encryption is weak or absent, or when users access services that transmit credentials in clear text. An attacker can capture packets and reconstruct sensitive information, especially where legacy protocols or misconfigurations exist. Because passive attackers do not need to inject or modify packets, they often avoid generating anomalies such as retransmissions, spoofed responses, or unexpected routing changes—helping them remain undetected, consistent with the prompt.

Why the other options do not fit: Distribution attack is not the standard classification for this behavior and does not specifically describe silent observation of traffic. Close-in attack refers to attacks that depend on physical proximity (e.g., shoulder surfing, physical tapping, local interception near the target). While Wi-Fi sniffing can require proximity, the defining characteristic in the question is the non-invasive observation with no data modification—i.e., passive attack. Insider attack relates to the attacker’s identity/role (a trusted internal person), which is not established here; the scenario only describes behavior, not who the actor is.

Therefore, the described credential capture and traffic analysis without modification most clearly indicates a passive attack.