312-50v13 Certified Ethical Hacker Exam (CEHv13) Questions and Answers

A bootkit is the rootkit type that best matches the described behavior because it compromises the system boot process and executes before the operating system fully loads, often before many security controls, drivers, and monitoring services start. CEH materials describe bootkits as a highly persistent class of malware that targets components such as the Master Boot Record, Volume Boot Record, or bootloader. By gaining execution at boot time, a bootkit can load malicious code very early, then hook or tamper with OS loading routines, kernel initialization, or security mechanisms. This early execution is exactly what the scenario emphasizes: the payload runs “before any system-level drivers or services are active,” enabling covert control while evading traditional user-mode detection.

This also explains why administrators see suspicious network activity but forensics do not easily find malicious user-level artifacts. Bootkits can hide by manipulating what the OS and security tools can see after startup, including concealing files, processes, registry keys, or even redirecting reads so scanners receive “clean” data. Because the malicious component is anchored in the boot chain, it can survive reboots and remain present even if many OS-level indicators are cleaned.

A kernel-mode rootkit operates within the OS kernel but typically loads after the OS begins booting and drivers initialize. A hypervisor rootkit relies on virtualization to sit beneath the OS at runtime, but the scenario specifically highlights boot-time execution prior to drivers and services. Firmware rootkits persist in BIOS/UEFI or device firmware, which is possible, but the most direct match to “boot process compromise below the OS” in CEH terminology is a bootkit.

CEH v13 explains that packet fragmentation is a classic and effective IDS evasion technique. By breaking malicious payloads into smaller fragments, attackers attempt to prevent the IDS from reconstructing the full packet stream correctly, thereby avoiding signature detection.

Many IDS systems rely on packet reassembly and pattern matching. Fragmented packets can confuse or overload the reassembly process, especially if the IDS is poorly configured. CEH v13 specifically lists fragmentation, overlapping fragments, and out-of-order packets as evasion techniques used to bypass network defenses.

Option B describes malware propagation, not IDS evasion. Option C is a social engineering attack, unrelated to IDS detection. Option D is a denial-of-service attempt, not a stealth evasion method.

CEH v13 highlights that defending against fragmentation-based evasion requires proper normalization and reassembly configuration in IDS/IPS systems. Therefore, Option A is the correct answer.

Passive reconnaissance focuses on collecting intelligence without interacting with the target's systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.

According to CEH v13 Cloud Computing, backup integrity and resilience are critical components of cloud security. The 3-2-1 backup model is a widely recommended best practice to mitigate unauthorized access, data corruption, and ransomware-related incidents.

The 3-2-1 rule dictates that organizations should maintain:

3 copies of critical data

Stored on 2 different media types

With 1 copy stored offsite or offline

This approach ensures that even if one backup is compromised, altered, or deleted—as described in the scenario—clean and trusted versions of the data remain available for restoration. CEH v13 emphasizes that offline or immutable backups significantly reduce the impact of malicious modification.

Option A focuses on physical security, which does not protect cloud backups. Option B addresses availability, not integrity. Option C is relevant to web application security, not backup protection.

CEH v13 explicitly highlights backup segregation and redundancy as key countermeasures against cloud data compromise. Therefore, Option D is the most direct and effective mitigation strategy.

Client-side controls, such as JavaScript validation and CAPTCHA enforcement, are explicitly described in CEH v13 as inherently untrustworthy, since they run on the user’s device. The most effective way to bypass them is by intercepting and modifying HTTP requests after client-side validation but before server-side processing.

Using a proxy tool (such as Burp Suite) allows the tester to manipulate parameters invisibly, without disabling JavaScript or injecting code that could raise alarms. This makes Option B the most stealthy and effective method.

Disabling JavaScript (Option A) is noisy and easily detected. Injecting JavaScript (Option C) may trigger client-side protections. Reverse-engineering encryption (Option D) is complex and unnecessary.

CEH v13 emphasizes proxy-based manipulation as the preferred technique for bypassing client-side security mechanisms. Therefore, Option B is correct.

CEH v13 highlights that encrypting session data in transit is one of the strongest defenses against session hijacking. IPsec VPN encrypts the entire IP packet, preventing attackers from capturing usable session tokens.

IPS helps detection but not prevention. Physical security and awareness do not address technical hijacking.

Therefore, Option A is correct.

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

The capability described is Kubernetes self-healing, a core behavior emphasized in CEH cloud and container security coverage when discussing resilience, availability, and fault tolerance in containerized environments. Self-healing means Kubernetes continuously monitors the desired state of workloads and automatically acts when the current state deviates due to failures. If a node crashes, a container exits unexpectedly, or a pod becomes unhealthy, Kubernetes responds by restarting containers, recreating pods, and rescheduling workloads onto healthy nodes to maintain service continuity. This directly matches the scenario where containers are “automatically replaced and rescheduled” from failed nodes to keep payment services highly available.

While several Kubernetes components participate in achieving this outcome, the feature name most aligned with the described behavior is self-healing. Kubernetes uses controllers and the scheduler to implement it: deployments and replica sets ensure the correct number of pod replicas exist; liveness and readiness probes detect unhealthy containers; and when nodes become NotReady, pods are evicted and recreated elsewhere. This is exactly how Kubernetes supports uninterrupted operations for critical applications such as payment processing platforms.

Option B, kube-controller-manager, is a control-plane component that runs multiple controllers, and it contributes to enforcing desired state, but the question asks for the feature capability rather than the specific internal process that provides it. Option C, container orchestration, is broader and includes deployment, scaling, and management, but it is less precise than self-healing for the specific behavior of automatic replacement and rescheduling after failures. Option A is unrelated to availability behavior.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization's infrastructure.

CEH describes FIN scans as stealthy scans that send packets with the FIN flag without initiating a TCP handshake. According to TCP RFC behavior, closed ports respond with RST packets while open ports ignore the probe, producing no response. This allows enumeration of port states while evading IDS systems that typically monitor SYN-based scans.

This scenario is a classic vishing (voice phishing) attempt: the attacker calls employees, impersonates a vendor, and tries to persuade them to disclose sensitive payment information. The most direct, practical countermeasure that employees can apply in every interaction is verifying the requester’s identity before sharing any information. That means using a trusted verification method—such as calling back using an official number from an internal directory/vendor contract, confirming through a known manager or procurement channel, or following an established verification workflow—rather than trusting the caller ID, the caller’s confidence, or claimed affiliation.

Option B is the best answer because it directly breaks the social engineering tactic being used: pretexting (posing as a vendor) relies on getting the victim to accept identity and urgency without validation. If employees consistently verify identity through independent channels, the attacker’s pretext collapses and the request is denied or escalated. This is the most immediate control at the human decision point, where the data disclosure risk occurs.

Why the other choices are less direct:

Security awareness programs (A) are important, but the question asks for the practical step employees must apply in each interaction. Training supports the behavior; it is not the specific action that stops the call from succeeding.

Policies and procedures (C) provide governance and guidance, but the direct operational control during a phone call is still identity verification.

Two-factor authentication (D) protects login processes but does not prevent an employee from verbally disclosing payment details over the phone.

Therefore, the prioritized countermeasure is B. Employees must verify the identity of individuals requesting information.

CEH’s SQL Injection coverage distinguishes between classic (error-based), union-based, boolean-based blind, and time-based blind SQL injection. Time-based blind SQL injection is used when the application does not return database errors or query results to the attacker (no visible output), but the attacker can infer execution behavior by measuring response delays.

A time-based payload intentionally triggers a database delay function (for example, SLEEP(), WAITFOR DELAY, pg_sleep() depending on DBMS). If the injection is successful, the page response time increases predictably, confirming that attacker-controlled SQL is being executed.

Option C is the correct time-based blind probe because it uses conditional logic (IF(1=1, SLEEP(5), 0)) to cause a measurable delay only when the injected condition evaluates true. CEH teaches that this technique is particularly effective against hardened applications that suppress errors and sanitize outputs, because timing becomes the side-channel for confirmation.

Option A and Option D are UNION-based payload patterns intended to extract data via returned result sets, which time-based blind scenarios typically do not provide. Option B is a classic authentication-bypass/boolean test; it can indicate injection but does not specifically validate time-based blind behavior when output is not observable.

CEH mitigation guidance includes parameterized queries, strict input validation, least-privilege DB accounts, WAF tuning, and centralized logging to detect anomalous query timing patterns.

Social engineering attacks that target business processes are especially effective when they mimic legitimate workflows. CEH learning materials emphasize that attackers often exploit trust relationships and organizational procedures rather than attempting broad or generic phishing methods. In the context of HR operations, onboarding portals are highly trusted and frequently accessed by new employees who expect to enter personal information, submit documents, and receive initial network credentials. By creating a fake onboarding portal that closely resembles the organization’s internal system, an attacker can collect credentials without triggering suspicion because the action being requested appears normal and expected. This method leverages procedural familiarity, brand consistency, and the implied authority of HR communications, making it far more effective than generic phishing emails or unsolicited social media messages. Phone calls, while sometimes useful, involve real-time interaction and increase the chance of detection. The fake portal, however, seamlessly integrates into existing processes, making it the most effective and lowest-profile approach for acquiring network credentials.

The capabilities described match an enterprise Wireless Intrusion Prevention System (WIPS) tightly integrated with WLAN infrastructure: it uses access points as sensors (placing selected APs into passive scan/monitor mode), correlates and aggregates alarms from multiple controllers into a central engine for analysis and forensic retention, and can push automated countermeasures across the campus (such as coordinated channel scanning and remote configuration enforcement) when a device is classified as malicious. This is most consistent with Cisco Adaptive Wireless IPS.

Cisco’s adaptive WIPS model uses the existing Cisco wireless architecture (controllers and APs) to provide campus-wide monitoring and enforcement. The phrase “selected APs into a passive scan mode” is a strong indicator of adaptive sensor use—APs can be dedicated or time-sliced for scanning, and the system can coordinate coverage across channels. The centralized engine concept also aligns with enterprise WIPS deployments that collect events and alarms from multiple controllers for correlation and long-term storage, supporting incident investigation and compliance.

Why the other options are less fitting:

Fern WiFi Cracker (C) is an attack/assessment tool, not a production defensive platform, and it does not provide centralized alarm aggregation and automated enterprise countermeasures.

RFProtect (B) is a known wireless security/WIPS solution family, but the question’s feature set and wording (“adaptive,” APs used for passive scanning, controller-integrated countermeasures) most closely matches Cisco’s adaptive WIPS concept.

WatchGuard Wi-Fi Cloud WIPS (A) is a vendor-managed WIPS offering; while it can provide monitoring, the scenario stresses multi-controller aggregation into a central engine and coordinated campus countermeasures via WLAN infrastructure—again aligning best with Cisco’s controller/AP ecosystem.

Therefore, the best answer is D. Cisco Adaptive Wireless IPS.

The question focuses on passive reconnaissance using Google advanced search operators, a technique commonly referred to in CEH materials as Google hacking or Google dorking. This method leverages publicly indexed data without directly interacting with the target systems, making it a non-intrusive reconnaissance approach. The goal here is to locate potentially exposed administrative interfaces within .edu domains.

Option C, site:.edu inurl:admin, is the most effective query for this purpose. The site operator restricts results to the .edu top-level domain, ensuring that only educational institutions are searched. The inurl operator filters results to pages where the term “admin” appears in the URL itself. Administrative panels and backend management interfaces frequently include terms such as admin, administrator, or adminpanel directly in the URL path. Therefore, this search string increases the likelihood of discovering exposed login portals or backend directories.

Option A focuses on PDF files with “admin” in the title, which is unlikely to reveal active administrative interfaces. Option B searches for pages with “admin login” in the title, which may find login pages but is less precise than filtering by URL structure. Option D searches anchor text references, which does not directly identify actual admin pages.

In CEH methodology, properly constructed Google dorks such as inurl:admin combined with site-specific filtering are effective in identifying exposed resources while maintaining passive reconnaissance discipline.

This scenario strongly suggests a race condition attack in the application’s token validation logic, as described in CEH v13 Web Application Hacking. A race condition occurs when an application processes multiple requests simultaneously and fails to properly synchronize validation checks.

The presence of multiple failed attempts using expired tokens followed by successful access within a short time window indicates the attacker exploited a timing flaw. During this window, the system may have inconsistently validated token expiration, allowing an expired token to be accepted.

Option A is unlikely because the logs specifically reference expired tokens. Option B is incorrect because replaying expired tokens should fail unless a validation flaw exists. Option C is highly improbable due to token entropy.

CEH v13 highlights race conditions as advanced logic flaws that are difficult to detect and often missed during standard testing. They are commonly exploited in authentication, payment processing, and session management systems.

Therefore, Option D is the correct and CEH-aligned answer.

The tool described is most consistent with Bettercap. Bettercap is a lightweight, extensible framework commonly used in controlled security testing for man-in-the-middle (MITM) operations on local networks. It supports ARP spoofing/ARP poisoning to position the attacker between victims and gateways, enabling interception of traffic. It also supports DNS manipulation/spoofing (e.g., redirecting domain lookups to attacker-controlled destinations) and packet injection capabilities for modifying or inserting traffic. Importantly, it provides an interactive interface that allows real-time session visibility and control, which matches the scenario’s emphasis on interactive monitoring while intercepting internal web application traffic.

The objective described—capturing and manipulating session tokens in transit—is consistent with a MITM platform that can observe HTTP traffic (or influence traffic where TLS is not properly enforced or where testing includes trusted certificates in a lab). Bettercap’s design as an “all-in-one” local network attack and monitoring tool makes it a typical choice for demonstrating risks from weak network segmentation, insecure DNS, lack of HTTPS/HSTS, or insufficient endpoint protections against ARP spoofing.

Why the other options are less suitable:

Wireshark (A) is primarily a packet analyzer/sniffer; it does not inherently perform ARP spoofing, DNS manipulation, or injection as an active MITM tool.

Hetty (B) and Caido (C) are web-focused interception/testing tools (proxy-style workflows). They can intercept HTTP/S when configured as a proxy, but they do not natively specialize in LAN-layer ARP spoofing and DNS manipulation for transparent MITM in the same way as Bettercap.

Therefore, the most likely tool is D. Bettercap.

The correct answer is A. Switch(config)# ip dhcp snooping because the question asks for the global setting that must be enabled first, before applying more specific (granular) DHCP Snooping controls. In Cisco switching, DHCP Snooping is the primary Layer 2 security feature used to mitigate rogue DHCP server attacks. Once enabled, the switch can distinguish between trusted ports (where legitimate DHCP server responses are allowed, typically uplinks toward the authorized DHCP server) and untrusted ports (typically access ports to end-user devices), where DHCP server responses (DHCPOFFER/DHCPACK) are filtered to prevent a rogue server from handing out malicious network configuration (gateway/DNS) to clients.

The scenario’s defense goal—“reject DHCP responses from untrusted ports”—is exactly what DHCP Snooping enforces after it is enabled and ports are assigned trust states. Conceptually, the workflow is:

Enable DHCP Snooping globally (feature activation),

Enable it for the relevant VLAN(s), and

Mark the legitimate DHCP-facing interface(s) as trusted so only those ports can send DHCP server responses.

Options C and D are part of the later, granular steps:

C enables DHCP snooping for a specific VLAN, which is necessary but is not the global prerequisite the question highlights.

D is applied under an interface to designate a port as trusted; again, this is granular and only meaningful after DHCP snooping is activated.

Option B is a different feature (Dynamic ARP Inspection) and is used to mitigate ARP spoofing/poisoning rather than rogue DHCP.

Therefore, the global command Jason should recommend first is Switch(config)# ip dhcp snooping.

According to CEH v13, black box testing refers to a testing approach where the ethical hacker has no prior knowledge of the internal structure, source code, or configuration of the system.

The attacker simulates a real-world external attacker, relying solely on discovery and exploitation techniques.

White box testing = full knowledge

Gray box testing = partial knowledge

A polymorphic virus is specifically designed to change its code appearance while keeping the same underlying functionality, which aligns exactly with the scenario. In CEH terms, polymorphism allows malware to mutate its decryptor routine, instruction ordering, register usage, junk code insertion, and other syntactic elements every time it propagates or executes. This causes each instance to look different at the binary level, producing different hashes and signatures, even though the malicious payload and behavior remain the same. That is why the security team sees inconsistent antivirus detection and why “traditional hash-based comparison” fails. The key indicator is that static analysis shows the “underlying logic remains unchanged,” but “code patterns vary unpredictably,” which is the hallmark of polymorphism: behavior stays consistent, signature changes.

The other options do not fit as well. A cavity virus typically hides by inserting itself into unused spaces within legitimate executable files to avoid changing the overall file size, but it does not inherently generate unpredictable code variants per infection. A macro virus primarily targets macro-enabled documents and spreads through document templates and user actions, which is not suggested here. A stealth virus focuses on evading detection by intercepting system calls and hiding its presence, such as returning “clean” file reads, but it does not necessarily produce many structurally different binaries that break hash matching. Therefore, the most likely cause of the described outbreak is a polymorphic virus.

This scenario is a classic example of DLL hijacking (also called DLL search order hijacking). On Windows, when an application attempts to load a required DLL without using a fully qualified path, the operating system searches for that DLL in a defined search order (including, in many cases, the application directory and other locations that may be writable by a low-privileged user). If an attacker can place a malicious DLL with the same name as the expected library into a directory that is searched before the legitimate DLL’s location, Windows will load the attacker’s DLL first. When the trusted application starts, the malicious DLL is loaded into the process, causing the attacker’s code to execute in the context and privileges of that application.

The question’s clues align tightly with DLL hijacking:

A “non-privileged process loaded a malicious library instead of the intended library” indicates a library preloading/search-order issue rather than exploiting a kernel bug.

The attacker “placed the rogue file in a directory Windows searched before the legitimate location,” which directly describes search order manipulation.

“When the trusted application started, the attacker’s code executed with the application’s privileges” reflects how DLL hijacking can lead to privilege escalation when the target process runs with higher privileges (e.g., as admin or SYSTEM).

“No registry changes … were involved” helps rule out techniques like certain COM hijacks or registry-based persistence and also points away from UAC bypass methods that often rely on registry keys or auto-elevated behaviors.

Why the other options don’t fit:

Exploiting vulnerabilities (A) is too generic and would typically reference a software flaw (buffer overflow, kernel exploit, etc.).

Access token manipulation (C) involves stealing/impersonating tokens, not DLL search order behavior.

Bypassing UAC (D) targets elevation prompts and auto-elevation mechanisms, not DLL loading precedence.

Therefore, the technique is B. Privilege Escalation Using DLL Hijacking.

This scenario describes fileless malware using covert command-and-control (C2) channels over commonly allowed protocols such as HTTP and DNS, a technique heavily emphasized in CEH v13 Malware Threats. Such malware avoids writing files to disk and instead leverages memory, legitimate system tools, and trusted protocols to evade traditional defenses.

Signature-based antivirus updates (Option A) are ineffective against fileless malware because there are no static artifacts to match. Blocking known malware ports (Option C) is also ineffective, as the malware intentionally uses ports 80 and 53, which must remain open for normal business operations. Restricting plain HTTP (Option B) may reduce visibility but does not stop DNS tunneling or encrypted malicious traffic.

CEH v13 identifies behavioral analytics as the most effective countermeasure against advanced malware. Behavioral solutions establish a baseline of normal system and network activity, then detect anomalies such as:

Unusual outbound DNS query patterns

Abnormal HTTP beaconing intervals

Legitimate applications behaving suspiciously

PowerShell or system tools generating network traffic unexpectedly

By monitoring how systems behave rather than what files exist, behavioral analytics can identify stealthy C2 communications and disrupt them early. Therefore, Option D is the most effective and CEH-aligned response.

This task describes passive reconnaissance using advanced search operators, a technique covered in CEH as search engine reconnaissance or Google dorking. The objective is to find potentially exposed documents on hidden services while avoiding direct interaction with forums or services. The most important element in the query is restricting results to hidden service domains using the site:onion operator. Any option that does not include site:onion is less suitable because it will return results from the public web rather than from .onion resources.

Option A is the strongest fit because it combines three high-value filters: filetype:pdf to focus on document artifacts that are commonly leaked or shared, intitle:"admin access" to target titles suggesting privileged access or administrative information, and site:onion to restrict the scope to hidden services. In CEH reporting and threat intelligence workflows, targeting high-signal keywords such as admin access, credentials, password list, or vpn access in document metadata is a practical way to identify likely leak sources without active engagement.

Option B lacks site:onion, so it fails the hidden-service requirement. Option C includes site:onion but the phrase secure login is more generic and may return many benign pages, reducing precision. Option D includes site:onion and filetype targeting, but user accounts is broader and less indicative of immediate access data than admin access. Therefore, A best supports efficient passive discovery of high-risk documents relevant to credential exposure on hidden services.

IoT devices that transmit data without encryption expose all communication to interception. CEH explains that attackers can position themselves between the IoT device and cloud service to manipulate or capture traffic. A MitM attack enables interception of commands, credentials, and firmware data due to the absence of TLS protections.

CEH v13 explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit using obfuscation is far more likely to evade detection.

Metasploit payloads and rootkits are commonly flagged, and SMS phishing relies on user interaction. Therefore, custom obfuscated exploit code is the most stealthy and effective method.

The technique being used is Error Message Analysis, because the tester is intentionally supplying a special character payload and then interpreting the application’s returned database or SQL parsing error to infer the presence of an injection point. In CEH-aligned SQL injection methodology, one of the earliest indicators of SQL injection is when crafted input causes the application to generate a database error, such as syntax errors, unclosed quotation marks, type conversion failures, or context-related messages that reveal how the input is being embedded into a query. A long series of single quotes is a classic trigger: if user input is concatenated into a SQL statement without proper sanitization or parameterization, the quotes can break the query structure and force the database engine or ORM layer to throw an error that exposes the query context.

The scenario explicitly states the response is an error message indicating the application cannot handle the input “in the current SQL context.” That means the application is leaking information through error responses, which CEH highlights as both a detection opportunity for testers and a security weakness because detailed errors can guide attackers toward successful payload construction.

This is not primarily “Detecting SQL Modification,” which focuses on confirming changes in query logic or results, often using boolean-based techniques. It is not “Function Testing,” which validates application functions rather than probing input handling at the SQL layer. While the input resembles fuzzing, fuzz testing is broader and does not specifically depend on interpreting SQL error messages as the detection signal. Here, the decisive evidence is the SQL-context error returned, making Error Message Analysis the correct technique.

CEH v13 classifies state-sponsored hackers as highly skilled professionals who operate under government direction to conduct espionage, intelligence gathering, sabotage, or cyber warfare. These attackers often target foreign governments, critical infrastructure, and strategic industries.

The defining characteristics are:

Government backing

National or geopolitical objectives

Advanced resources and long-term campaigns

Options B, C, and D do not fit. Organized hackers are typically financially motivated cybercriminal groups. Gray hats operate without authorization but not for national interests. Hacktivists pursue ideological or political causes independently.

CEH v13 explicitly associates covert intelligence operations with state-sponsored actors, making Option A correct.

The method described—sending TCP packets with no flags set—is a NULL scan. In TCP header terminology, a NULL packet has all control flags cleared (no SYN, ACK, FIN, RST, PSH, URG). The scanner then interprets the target’s response behavior to infer port state. Traditionally, for many TCP/IP stacks, a closed port responds with RST, while an open port may respond with no reply (silence) because the packet does not correspond to any valid state in the TCP state machine. This behavior can vary by OS and filtering devices, but the defining characteristic is the “no flags” probe.

The scenario also highlights stealth: compared to a TCP connect scan, which completes a full three-way handshake and is easily logged, NULL scans can be less conspicuous because they avoid a normal connection setup. Some intrusion detection systems focus heavily on repeated SYN handshakes or completed connections; unusual flag scans may slip through weak detection, though modern IDS/IPS can still detect them.

Why the other options are incorrect:

TCP Connect Scan (A) uses the operating system’s connect() call to establish a full TCP connection; it is not a “no flags” technique and is generally noisier.

FIN Scan (B) sends packets with the FIN flag set; it is a different “stealth” scan type, but not “no flags.”

ACK Scan (D) sends packets with the ACK flag set and is typically used to map firewall rules (filtered vs unfiltered), not to determine open vs closed ports in the same way, and again it is not “no flags.”

Therefore, the scanning method is C. NULL Scan.

CEH v13 emphasizes that insecure deserialization is one of the most dangerous application vulnerabilities because it can lead to arbitrary code execution, bypassing authentication, authorization, and session protections entirely.

Even with MFA, encrypted cookies, and WAFs, deserialization flaws allow attackers to manipulate serialized objects used in session handling. When deserialized without validation, these objects may execute attacker-controlled code.

CSRF relies on authenticated users. Side jacking is mitigated by encryption. Session fixation is ineffective if session regeneration and MFA are implemented. Insecure deserialization, however, attacks the application logic itself, making it the most effective option.

Thus, Option D is correct.

The best choice is encrypting stored data with quantum-resistant algorithms because the scenario’s core risk is long-term confidentiality of data at rest in a cloud environment under a future where large-scale quantum computing could break widely used public-key schemes. In CEH cryptography coverage, the most direct way to protect confidentiality is to use strong encryption that remains secure against the expected attacker capabilities. “Harvest now, decrypt later” is a practical concern: adversaries can copy encrypted data today and wait until new capabilities make decryption feasible. Therefore, the control must be cryptographic and future-resistant, not merely procedural or architectural.

Option B aligns with post-quantum readiness by moving encryption and key-establishment mechanisms toward quantum-resistant primitives. This is especially important for protecting stored records over long retention periods. Even if symmetric encryption such as AES is generally more resilient to quantum attacks than classical public-key algorithms, organizations still must ensure appropriate key sizes, robust key management, and quantum-resistant approaches where public-key cryptography is used for key exchange, key wrapping, or digital signatures that support storage encryption workflows.

Option A, distributing fragments, can improve availability and limit exposure in some breach scenarios, but it does not replace encryption and does not guarantee confidentiality if fragments are obtained. Option C is not applicable because the problem is stored cloud data, not quantum communications. Option D is a good governance practice, but it is not itself a cryptographic control that ensures confidentiality. The priority, per CEH-aligned cryptographic defense principles, is quantum-resistant encryption and key management for data at rest.

CEH reconnaissance and enumeration modules explain that LDAP services often support anonymous binding by default unless explicitly disabled. Anonymous bind allows unauthenticated users to query certain directory attributes, which can lead to disclosure of usernames, organizational hierarchy, and email addresses—critical information for password attacks, phishing campaigns, and privilege escalation planning. In the scenario described, the tester obtained directory data without providing any credentials, demonstrating that anonymous bind permissions were enabled. LDAPS requires TLS encryption and authentication, which contradicts the observed access. Kerberos authentication mandates valid credentials. LDAP via RADIUS is used for authentication integration, not for information disclosure. Since the query was successful with no authentication and no access controls triggered, this aligns exactly with CEH’s description of anonymous LDAP binding.

The CEH SQL Injection module defines stacked (piggybacked) queries as attacks where an attacker appends an additional SQL statement using a statement delimiter such as a semicolon.

In this scenario, the attacker executed a second query (DROP TABLE users) after the original query, resulting in destructive behavior.

Option B is correct.

Option A retrieves data, not execute destructive commands.

Option C infers logic outcomes.

Option D relies on error messages for data extraction.

CEH classifies stacked queries as high-impact SQL injection attacks.

CEH v13 identifies encrypted communication channels as one of the most common and effective firewall evasion techniques. Firewalls that rely on packet inspection or signature-based filtering often cannot inspect encrypted payloads without SSL/TLS interception capabilities.

By encrypting malicious traffic—using HTTPS, VPN tunnels, or encrypted C2 channels—attackers can bypass firewall rules that inspect packet contents. CEH v13 emphasizes that this technique is widely used in malware communication, data exfiltration, and command-and-control operations.

IP spoofing (Option A) is limited by ingress and egress filtering and is less effective against modern firewalls. Open-source operating systems (Option B) do not inherently evade firewalls. Social engineering (Option D) targets users, not firewalls.

Therefore, Option C is the correct and CEH-aligned answer.

The scenario describes a wireless discovery method where the tester only listens to the airwaves and does not transmit probe requests or inject frames. In CEH terms, this is passive reconnaissance, commonly referred to as passive footprinting in the wireless context. Passive footprinting relies on capturing and analyzing existing 802.11 management traffic such as beacon frames (periodically broadcast by access points) and probe responses sent to other clients, allowing the tester to identify SSIDs, BSSIDs (MAC addresses of access points), channel numbers, supported data rates, and sometimes security capabilities, all without generating traffic that could alert administrators or trigger wireless intrusion detection systems.

Active footprinting, by contrast, involves transmitting frames—most notably probe requests—to solicit probe responses from access points, which increases detectability. The question explicitly says Ethan does not send probe requests and does not inject data packets, which rules out active methods. “Network Discovery Software” is too generic; tools can be used for either passive or active discovery, but the technique in use is defined by behavior on the wireless medium, not the presence of software. “Wash” is a specific tool/command associated with enumerating WPS-enabled access points; while it can be used during reconnaissance, the question is testing the broader technique rather than a specific utility, and the defining characteristic here is silent listening.

CEH defensive guidance notes that passive discovery is stealthier because it leverages normal beaconing behavior. Organizations mitigate reconnaissance by using wireless monitoring, rogue AP detection, strong encryption configurations, disabling unnecessary broadcasts where feasible, and maintaining continuous wireless security assessments.

CEH v13 defines a white hat hacker as a security professional with explicit authorization to perform penetration testing, vulnerability assessments, and exploitation attempts within legal and contractual boundaries. Their objective is to strengthen security, not compromise it. White hats follow structured methodologies, document findings, and provide remediation recommendations. A black hat (Option A) acts maliciously and without permission. A grey hat (Option B) operates without authorization but without harmful intent, which is not compliant with corporate penetration testing procedures. Script kiddies (Option C) rely on pre-built tools without deep knowledge and are not employed for legitimate engagements. Therefore, the individual described is a white hat, operating under legal and ethical guidelines with organizational consent.

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.

The best answer is Remediation because the workflow centers on fixing confirmed vulnerabilities through an organized, prioritized plan and coordinating corrective actions with operations teams. In CEH-aligned vulnerability management, the lifecycle typically moves from asset identification and risk context, to scanning and validation, to analysis and prioritization, and then into remediation where weaknesses are actually reduced or eliminated. The question explicitly states that after vulnerabilities are detected and validated, Priya’s team “develop a structured timeline to address the confirmed vulnerabilities” and prioritize “high-risk findings affecting mission-critical systems.” Creating the remediation plan, assigning owners, scheduling patch windows, implementing configuration hardening, disabling unnecessary services, updating vulnerable software, and applying compensating controls are all core remediation activities.

Although the final step mentions rescanning to confirm resolution and producing a compliance report, that verification step occurs after remediation work has been performed. Verification is an important follow-on phase, but it is not the main phase being executed throughout the described workflow. Vulnerability analysis refers more to interpreting scan results, validating false positives, mapping weaknesses to impact, and determining exploitability. Risk assessment focuses on evaluating business impact and likelihood to prioritize work. Here, those phases are present, but the primary emphasis is on coordinating and executing fixes and driving them to closure, which is remediation.

In short, Priya is in the remediation phase, with verification used afterward to confirm the remediation was effective.

CEH v13 highlights the Idle Scan as one of the stealthiest reconnaissance methods available, designed specifically to avoid detection by IDS and security monitoring tools. Idle scanning leverages a “zombie host”—a system with a predictable IPID sequence—to route all probe packets through it. Since no packets ever originate directly from the attacker’s IP, IDS systems are unable to attribute the port scan to the attacker. CEH emphasizes that this technique creates zero direct traffic between the attacker and the target, making it extremely evasive and ideal for highly monitored networks. FIN scans (Option A) are somewhat stealthy but still originate from the attacker and are detectable. TCP Connect scans (Option C) are the most detectable because they complete full connections. ICMP Echo scans (Option D) are easily logged and flagged by IDS. Idle scanning is uniquely suited for bypassing advanced detection systems while still identifying open ports and live hosts.

This scenario primarily simulates dumpster diving because the key action involves retrieving sensitive information from discarded materials and then using it to gain access. In CEH social engineering coverage, dumpster diving is a physical information-gathering technique where an attacker searches trash, recycling bins, unsecured disposal containers, or shredding waste to find documents and artifacts that can be exploited. Common targets include access codes, employee directories, printed emails, shipping labels, invoices, internal memos, and partially shredded documents—exactly what Priya finds in the unsecured maintenance container. The question even emphasizes “discarded packaging,” “shipping labels,” “shredded office material,” and a “crumpled document listing temporary access codes,” which are classic dumpster-diving indicators.

The later use of recovered access codes to enter the break room is the impact of the dumpster-diving phase, but the primary social engineering technique tested is how improper disposal leads to compromise. Tailgating would involve following an authorized person through a secure door without proper authentication. Eavesdropping refers to listening in on conversations or communications to capture sensitive information. Shoulder surfing involves visually observing someone’s screen or keyboard while they enter credentials or view confidential data. None of those describe the initial method of obtaining the access codes.

CEH-aligned mitigations include enforcing clean-desk and secure disposal policies, using locked disposal bins, shredding sensitive documents properly with secure destruction processes, training staff on handling printed data, and restricting access to loading docks and waste areas. Regular audits of disposal practices and physical security checks reduce the likelihood that attackers can harvest usable access details from trash.

The IT team’s requirement is automatic, real-time detection of abnormal session activity using predefined rules and traffic signatures. That description aligns most directly with an Intrusion Detection System (IDS), particularly a network IDS (NIDS) that monitors traffic, compares it to known patterns (signatures) and/or behavioral rules, and generates alerts when suspicious activity is detected. Session hijacking attempts often produce recognizable anomalies—unexpected packet sequences, suspicious flags, unusual injection patterns, resets, or protocol misuse—that IDS rules can be designed to detect across many hosts and segments without requiring an analyst to manually inspect each capture.

The scenario explicitly contrasts this desired capability with “manual analysis,” which rules out option B. Tools like packet sniffers are valuable for investigation and confirmation, but they do not provide organization-wide automated alerting by themselves. An IDS is built for continuous monitoring and alert generation, making it appropriate for detecting red-team-simulated packet injection and session manipulation attempts.

Why the other options are less suitable:

Checking for predictable session tokens (A) is an application-layer defensive review (and a good hardening practice), but it does not automatically detect packet injection behaviors occurring on the network in real time.

Monitoring for ACK storms (C) can be one specific indicator in some TCP manipulation or desynchronization scenarios, but it is too narrow and does not represent a general detection system. The requirement is broader: a monitoring system that flags suspicious session activity using rules and signatures—an IDS fits that role.

Manual packet analysis (B) is explicitly what they want to avoid.

Therefore, the correct answer is D. Use an Intrusion Detection System (IDS).

CEH defines passive reconnaissance as collecting information without directly engaging the target.

Option A is incorrect for passive reconnaissance because Nmap scanning actively probes systems, generating detectable traffic.

Options B, C, and D rely on publicly available information and are standard passive techniques.

CEH classifies Nmap scanning as active footprinting.

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

Covert channel communication is one of the most sophisticated evasion techniques described in CEH v13 Evasion Techniques. By embedding malicious data within unused or rarely inspected protocol fields (such as IP headers), attackers can bypass firewalls, IDS, and IPS systems entirely.

Unlike polymorphic malware (Option C), which can still be detected using behavior analysis, covert channels blend seamlessly into legitimate traffic. Packet fragmentation (Option D) is well-known and often mitigated. Honeypot spoofing (Option B) is rare and defensive in nature.

CEH v13 emphasizes that covert channels are difficult because:

They do not violate protocol specifications

They evade signature-based and stateful inspection

They appear as normal traffic

Detecting covert channels often requires deep protocol analysis and statistical traffic inspection, making them extremely challenging to mitigate.

Thus, Option A is the correct answer.

CEH cloud security modules highlight that Azure Managed Identities allow workloads such as functions, VMs, and automation tasks to authenticate to Azure resources without storing secrets. If an attacker obtains the token associated with a managed identity, they can impersonate that identity and access any Azure resources it is permitted to use. In this scenario, the captured access token is used to authenticate via Azure PowerShell and retrieve storage account keys, demonstrating unauthorized privilege usage by hijacking the managed identity. This aligns directly with managed identity abuse, where attackers leverage identity tokens instead of user credentials. NSG rule gathering and AzureGraph enumeration are reconnaissance activities, and Stormspotter is used for visualizing attack paths, not abusing identities. Therefore, this scenario clearly illustrates exploitation of managed identities.

An HTTP flood is an application-layer (Layer 7) DoS/DDoS technique that targets web application resources by sending large volumes of seemingly valid HTTP GET/POST requests. Because the traffic can look “legitimate” at the protocol level, controls that primarily focus on network/transport characteristics (such as basic firewalls) are often insufficient. The tool described in the scenario is explicitly inspecting and filtering malicious HTTP traffic while allowing legitimate customer requests—that behavior aligns most directly with a Web Application Firewall (WAF).

A WAF is designed to protect web applications by analyzing HTTP/S requests and responses, applying security rules that detect and block abnormal or malicious patterns. In an HTTP flood scenario, a WAF can enforce rate limiting, detect request anomalies (e.g., repeated requests to resource-intensive endpoints like checkout), identify bot-like behavior, and apply signatures/behavioral policies to mitigate attacks while continuing to permit valid users. The key clue is the focus on HTTP-level inspection and filtering to maintain service continuity—a classic WAF use case during Layer 7 attacks.

Why the other options are less suitable:

A Load Balancer (A) improves availability by distributing traffic across servers, but it does not inherently inspect and filter malicious HTTP requests. It can help absorb load, yet it’s not primarily a security inspection/filtering control.

An Intrusion Prevention System (C) can block malicious activity, but many IPS deployments are stronger at network/transport-layer patterns and may not provide the same depth of application-aware HTTP policy enforcement as a WAF for targeted web endpoints.

A traditional Firewall (D) mainly filters by IP/port/protocol and cannot reliably distinguish malicious vs legitimate HTTP GET/POST floods when they use allowed ports (80/443).

White-hat hackers perform security assessments with authorization. CEH defines ethical hacking as legal, structured testing of network defenses with the goal of improving security rather than causing harm.

The Certified Ethical Hacker (CEH) Cryptography and Quantum Computing section introduces the concept known as “Harvest Now, Decrypt Later”. This threat model describes adversaries capturing encrypted data today, even if they cannot decrypt it immediately, with the expectation that future quantum computers will be able to break currently secure public-key algorithms such as RSA and ECC.

Option A accurately reflects this concept.

Option B describes a method (Shor’s algorithm) but not the threat model itself.

Option C is unrelated to cryptographic attacks.

Option D refers to quantum communication attacks, not classical encrypted data harvesting.

CEH emphasizes post-quantum cryptography as a mitigation strategy.

CEH teaches that insufficient input validation on mobile applications enables code injection attacks. Injecting JavaScript or crafted payloads into fields validates whether the application improperly processes untrusted data. If executed, it confirms that the app is vulnerable to injection-based attacks.

This scenario represents a classic baiting attack, a social engineering technique explicitly described in CEH v13 Social Engineering. In baiting, attackers exploit human curiosity or greed by leaving behind a malicious physical device—most commonly a USB drive—with an enticing label. When the victim plugs the device into a system, malware is automatically executed, leading to compromise.

Option A precisely captures this behavior. The label “Employee Salary Info 2024” is intentionally designed to entice the victim into interacting with the device. CEH v13 highlights USB baiting as particularly dangerous because it bypasses technical controls and relies solely on human behavior.

Option B describes pretexting, which involves impersonation. Option C refers to dumpster diving. Option D describes tailgating, a physical access attack. None of these match the USB-based lure described.

CEH v13 emphasizes that baiting attacks are highly effective in corporate environments and recommends strong security awareness training and disabling USB autorun features as mitigation.

Padding oracle attacks exploit systems that reveal differences in error responses when incorrectly padded ciphertext is submitted. CEH explains that these variations allow attackers to iteratively determine valid padding bytes and ultimately decrypt or modify encrypted data without knowledge of the key.

CEH v13 highlights behavioral analytics as one of the most effective techniques for identifying ambiguous or stealthy threats such as data exfiltration, command-and-control traffic, and insider abuse. When interactions appear suspicious but not definitively malicious, behavioral profiling provides the most direct visibility.

Behavioral analytics tools establish a baseline of normal system and network behavior, including typical communication patterns, data transfer volumes, destinations, and timing. Deviations from this baseline trigger alerts, allowing analysts to detect previously unknown threats without relying on signatures.

Option C is the most appropriate because it both identifies anomalies and supports continuous mitigation. A full zero-trust shutdown (Option A) is disruptive. Forensics (Option B) is reactive and better suited after confirmation of compromise. Training (Option D) does not address system-level interactions.

CEH v13 emphasizes that modern attacks often blend into normal traffic, making behavioral analysis essential. Therefore, Option C is the correct answer.

Operational Technology and ICS environments often suffer from misconfigurations such as unchanged factory-default passwords. CEH identifies exploiting default credentials as a direct and effective method because ICS devices frequently lack strong authentication controls. Using these built-in credentials grants immediate unauthorized access to supervisory controls, enabling adversaries to manipulate configurations, disrupt processes, or escalate attacks across critical systems.

The described behavior is consistent with Shell Injection (OS Command Injection). The critical clues are that the application forwards user-supplied input to system-level functions and that crafted input can cause unexpected system commands to execute, resulting in unauthorized control of the underlying operating environment. That is the defining characteristic of command injection: the application constructs or passes command strings to the operating system (directly or indirectly), and inadequate input validation/escaping allows an attacker to alter command structure and execute arbitrary commands.

In an internal administration portal, this often occurs when developers integrate convenience features like “ping a host,” “lookup a file,” “run diagnostics,” “convert/export,” or “invoke a backend script,” and they pass user input into command interpreters or shell calls. If input is not strictly validated (allowlisting) and properly handled (parameterization, safe APIs, escaping), attackers can append operators or metacharacters to change execution flow, allowing system command execution under the application’s privileges.

The other options do not align with “system commands”:

LDAP Injection (B) targets directory queries by manipulating LDAP filter syntax to bypass authentication or extract directory data, not execute OS commands.

SQL Injection (C) manipulates database queries to read/modify database content; while severe, it is fundamentally a database-layer issue, not direct OS command execution as described.

XSS (D) executes script in a user’s browser context, impacting clients, sessions, and web content—not the server’s operating environment through system command execution.

Therefore, the vulnerability being demonstrated is A. Shell Injection.

Tailgating, as defined in CEH v13 Social Engineering, is a physical social engineering attack where an unauthorized individual gains access by following an authorized person into a restricted area.

The attacker exploits human courtesy rather than technical vulnerabilities. Options B, C, and D describe phishing, pretexting, and baiting respectively.

Thus, option A is the correct representation of tailgating.

The best answer is D. Insecure routing protocols because the scenario describes legacy neighbor-to-neighbor device communications that lack encryption and integrity validation, allowing operational routing data to be exchanged without verification. In CEH-aligned network hacking concepts, this is a classic weakness of older or improperly secured routing protocols (and related network control-plane exchanges) where routers trust updates from neighbors and do not cryptographically validate the authenticity and integrity of routing information.

When routing updates are accepted without strong verification, an attacker who can position themselves on the same segment (or spoof a trusted neighbor) may inject or manipulate routing information. This can enable attacks such as route injection, route poisoning, man-in-the-middle (MITM) traffic redirection, blackholing traffic, or causing instability/denial of service by continuously advertising bad routes. The mention of “neighboring systems” and “operational data” strongly maps to routing adjacencies where devices exchange reachability and topology information. The absence of integrity checks makes it feasible to alter routing messages in transit or forge them, and the absence of encryption can expose routing details that further assists reconnaissance and targeted manipulation.

Why the other options are less accurate:

Firewall vulnerabilities relate to filtering and policy enforcement, but the core issue here is the trust model and protection of routing/control messages, not firewall rule flaws.

Lack of password protection is too generic and typically refers to weak/no credentials on management access, not unauthenticated routing exchanges.

Lack of authentication is conceptually related, but the question asks for the type of vulnerability most clearly present given “legacy communication mechanisms” between neighbors carrying operational data—this is most specifically categorized in CEH terms as insecure routing protocols (i.e., routing updates lacking authentication/integrity and sometimes encryption).

In practice, organizations mitigate this by enabling routing protocol authentication (where supported), using cryptographic integrity protections, restricting routing adjacencies, and segmenting or filtering routing/control-plane traffic to trusted peers only.

The scenario clearly describes baiting, a physical social engineering technique covered in CEH under human-based attacks. Baiting involves enticing a victim with something appealing or intriguing, such as free software, confidential documents, or valuable information, in order to trick them into compromising security. In this case, the USB drive is deliberately labeled “Confidential 2025 Budget Plans,” which is designed to trigger curiosity and urgency. The attacker relies on human psychology, specifically curiosity and perceived importance, to motivate the target to plug the device into a company system.

Unlike phishing, which typically occurs through email or electronic communication, baiting often involves physical media such as USB drives left in public areas like parking lots or lobbies. CEH materials highlight that attackers may preload such devices with malware that executes automatically when inserted, granting access to the internal network. Even though this experiment uses a harmless tracking script, the methodology mirrors real-world attacks where malicious payloads could establish backdoors, exfiltrate data, or deploy ransomware.

Hoaxes spread false warnings to create panic but do not necessarily require interaction with physical devices. Pretexting involves fabricating a scenario or identity to elicit information directly from a target through conversation or interaction. The use of a strategically placed USB labeled with enticing information fits the definition of baiting precisely. This test reinforces the importance of policies prohibiting unknown removable media usage and promoting employee awareness training.

NFS Enumeration is the correct choice because the scenario is centered on TCP port 2049 and the use of a standard utility to list exported remote file systems. In CEH-aligned reconnaissance and enumeration, port 2049 is the primary service port for Network File System NFS. When a tester identifies 2049 as open on a Linux or UNIX-like host, a common next step is to enumerate NFS exports to learn which directories are shared and what access rules apply. The “standard utility” described is consistent with tools such as showmount, which queries the target to retrieve a list of exported file systems and, in some cases, the clients allowed to mount them. This directly supports the stated objective of “requesting a list of remote file systems shared across the network” to map accessible resources.

The distractor checks mentioned in the scenario reinforce why the answer is NFS. Telnet enumeration would relate to TCP 23 and interactive plaintext terminal access, not file-share exports. NTP enumeration aligns to UDP 123 and focuses on time synchronization information and server behavior, not shared directories. SNMP enumeration typically involves UDP 161 and extracts device and system details via community strings and management information bases. NetBIOS enumeration is associated with Windows networking services such as UDP 137 and TCP 139, which are unrelated to NFS on 2049.

Therefore, the active enumeration method demonstrated is NFS enumeration through export listing on TCP port 2049.

CEH v13 defines the five phases of ethical hacking as a structured methodology that mirrors real-world attack progression:

Reconnaissance – Information gathering

Scanning – Identifying live hosts, ports, and vulnerabilities

Gaining Access – Exploiting vulnerabilities

Maintaining Access – Establishing persistence

Covering Tracks – Removing evidence

Option C matches this exact sequence. CEH v13 emphasizes that understanding this order is critical for both attackers and defenders, as it enables systematic testing and effective mitigation strategies.

All other options misplace phases and contradict the CEH methodology.

The described evasion relies on preventing the IDS from correctly reassembling packets, which points directly to packet fragmentation. In fragmentation-based evasion, the attacker breaks the probe payload into multiple IP fragments. Some IDS sensors—especially if misconfigured, overloaded, or using limited reassembly logic—may fail to fully reconstruct the original packet stream, causing the malicious or suspicious content to evade signature matching and detection. Meanwhile, the target host (or a downstream device) may correctly reassemble the fragments and process the probe normally. This mismatch between what the IDS “sees” and what the target ultimately receives is the core concept behind fragmentation evasion.

The scenario explicitly says “IDS devices are unable to reassemble the packets correctly,” which is essentially the textbook rationale for fragmentation as an IDS evasion method. Attackers may vary fragment size, overlap fragments, or manipulate offsets to stress or confuse reassembly engines. Even when modern IDS systems support reassembly, fragmentation can still be used to reduce detection reliability if sensors are under resource pressure or if traffic normalization is not enforced.

Why the other options don’t match:

Source routing (B) attempts to influence the path packets take through the network; it does not inherently prevent IDS reassembly.

Decoy scanning (C) floods the target/IDS with scans from multiple spoofed addresses to obscure the true scanner source. This is about attribution noise, not packet reassembly failure.

IP spoofing (D) for scanning can disguise origin, but it does not inherently cause IDS reassembly problems.

Therefore, Maria is applying A. Packet Fragmentation.

The correct answer is A. ms-sql-m because TCP/1434 is commonly associated with Microsoft SQL Server Monitor / SQL Server Browser–related services, which are used to help clients discover SQL Server instances and their connection details. In standardized service naming, ms-sql-m corresponds to Microsoft SQL “monitor” functionality tied to instance discovery and related metadata exposure. When this port is reachable from networks where it is not needed, it can increase attack surface by exposing information that helps attackers identify database instances, target the correct ports, and focus exploitation attempts.

In the context of a legacy server that is “not listed in the company’s active inventory,” an open 1434 is a red flag because it suggests an unnecessary or unmanaged database discovery component may be running. Attackers often use exposed database-related ports for reconnaissance (identifying instance names, versions, and listening endpoints) and then pivot to authentication attacks or exploitation of known weaknesses. Even when the core SQL service port is controlled, discovery services can still leak useful environment details that lower the cost of an attack.

Why the other options are incorrect:

ms-sql-s typically refers to the primary Microsoft SQL Server service, most commonly associated with TCP/1433 (the default SQL Server port), not 1434.

sql*net is associated with Oracle SQL*Net/Net8 traffic, typically using Oracle listener ports such as 1521, not 1434.

sqlsrv is not the standardized assignment for 1434 in the way ms-sql-m/ms-sql-s are used for Microsoft SQL-related services.

Therefore, based on standardized port associations and the database discovery/monitoring role of this service, the exposure most likely indicates ms-sql-m on TCP/1434, and it warrants further review and potential restriction if not required.

Priya is performing Verification because the team has already completed the remediation work (patches and fixes), and is now conducting follow-up scans and attack-surface review to confirm that the applied changes actually resolved the identified vulnerabilities. In a standard vulnerability-management lifecycle, remediation is the phase where vulnerabilities are addressed through actions such as patching, configuration hardening, compensating controls, or removing vulnerable services. Verification comes immediately after remediation to ensure fixes are effective, nothing was missed, and no new issues were introduced.

The scenario’s sequencing is the strongest clue: “already applied patches and fixes” means remediation is done; “run follow-up scans…to confirm” indicates validation of remediation outcomes; and “only after this step will she prepare a compliance report” reflects that organizations typically require evidence that remediation is effective before reporting status to leadership or auditors. Verification often includes rescanning the affected assets, checking configuration baselines, validating that vulnerable versions are no longer present, ensuring services are running as intended, and confirming that the original finding cannot be reproduced.

Why the other options do not match:

Remediation (D) would be the patching/fixing activity itself, which has already occurred.

Risk Assessment (C) is the prioritization and impact evaluation stage, typically performed before remediation to decide what to fix first and how urgently.

Monitoring (A) is ongoing observation and continuous assessment (tracking exposure, trends, new vulnerabilities), but Priya’s specific task is a post-fix confirmation step, which is verification.

Therefore, the correct phase is B. Verification.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

This scenario is a textbook example of a Whaling Attack, a highly targeted phishing technique described in the CEH v13 Social Engineering module. Whaling specifically targets senior executives or high-ranking individuals, exploiting their authority, access privileges, and decision-making roles.

In the given case, the attacker crafts a personalized email, impersonates the CEO, and uses legitimate corporate branding to build trust. The malicious PDF attachment delivers a backdoor, aligning with CEH v13 descriptions of advanced spear-phishing techniques used against executives.

CEH v13 differentiates whaling from other phishing types:

Broad phishing targets large groups indiscriminately.

Pharming redirects users via DNS manipulation.

Email clone attacks copy legitimate emails but typically target peers, not executives.

Whaling attacks are particularly dangerous because executives often bypass security scrutiny and possess elevated system access. CEH v13 emphasizes executive awareness training as a key mitigation strategy.

Therefore, the correct answer is Whaling attack aimed at high-ranking personnel.

This scenario best illustrates impersonation, which is a core social engineering technique emphasized in CEH under pretexting and physical security testing. Impersonation occurs when an attacker assumes a believable identity, such as an IT technician, vendor, maintenance worker, or delivery person, to gain trust and bypass access controls. In the prompt, the red team member adopts a third-party IT technician role and is granted entry because the receptionist assumes the visit is legitimate and does not verify credentials. That is the defining moment of impersonation: exploiting human trust and procedural gaps to obtain unauthorized physical access.

While the attacker later observes open terminals, unattended printouts, and sticky notes, those observations are opportunistic data collection that becomes possible only after successful impersonation. Shoulder surfing is specifically observing a user entering credentials or viewing a screen while standing nearby, typically during active use. Eavesdropping focuses on capturing spoken or transmitted information, such as listening to conversations or intercepting communications. Dumpster diving involves retrieving sensitive information from trash or discarded materials in waste bins, not simply seeing sticky notes left on desks.

CEH guidance highlights that impersonation often succeeds when organizations lack visitor verification, badge enforcement, escort policies, and security awareness training. Controls include validating work orders, requiring government-issued ID, issuing visitor badges, escorting visitors, enforcing clean desk practices, locking workstations, and secure printing to prevent exposure of credentials and sensitive data.

Time-based blind SQL injection is used when applications suppress error messages and do not display query results. According to CEH v13, attackers rely on response time delays to infer whether injected SQL statements are executed.

The BENCHMARK() function forces the database to perform a CPU-intensive operation repeatedly, causing a noticeable delay if the injected condition is executed successfully. Option D explicitly introduces such a delay and is a textbook time-based blind SQL injection payload.

Options A, B, and C are used for union-based or boolean-based SQL injection and rely on visible output or content changes, which are ineffective in blind scenarios.

CEH v13 clearly states that time-delay functions such as SLEEP(), WAITFOR DELAY, and BENCHMARK() are the primary indicators for time-based blind SQL injection testing. Hence, Option D is correct.

CEH teaches that ARP-based attacks vary in sophistication from basic poisoning to more specialized techniques such as switch port stealing. In environments where ARP poisoning defenses or inspection tools limit traditional attacks, attackers may exploit timing vulnerabilities in ARP reply behavior. Switch port stealing works by sending spoofed ARP replies at precisely the right moment—before the legitimate ARP response from the target host—causing the switch’s CAM table to update temporarily and associate the target’s IP address with the attacker’s MAC address. CEH emphasizes that switches trust the latest ARP update, so even brief timing windows enable partial packet interception. This is different from fully persistent ARP poisoning, which continuously overwrites ARP tables, and from passive sniffing, which cannot capture unicast traffic on a switched network. This attack is particularly useful when ARP spoofing is mitigated because it relies on opportunistic timing rather than full table poisoning. The intermittent nature of intercepted packets matches CEH’s description of switch port stealing behavior.

CEH v13 highlights the importance of route tracing during internal reconnaissance to identify key infrastructure devices such as distribution switches, firewalls, and core routers. When a single IP address consistently appears as the penultimate hop across multiple network paths, this typically indicates that the device serves as a core router responsible for inter-VLAN or inter-subnet routing. Core routers aggregate traffic from various segments before forwarding to endpoint subnets, explaining why it appears before diverse destinations. CEH emphasizes recognizing core infrastructure because compromising such devices provides attackers with significant visibility and potential control over network-wide communications. DNS poisoning would affect name resolution, not hop patterns. Loopback misconfigurations would affect single hosts, not multiple segments. A transparent proxy would appear only for traffic routed through application-layer inspection, not all traceroute tests. The consistency across subnets strongly points to a centralized routing device.

The correct answer is A. Measured service because the scenario describes a core cloud characteristic where resource usage is metered, monitored, controlled, and reported, enabling pay-as-you-go billing and supporting accountability and auditability. In CEH cloud computing coverage (aligned with standard cloud definitions), measured service refers to the cloud provider’s ability to automatically track and quantify consumption of resources such as CPU/compute time, storage capacity, memory, and network bandwidth. This metering is fundamental to cloud economics: customers pay based on actual usage rather than fixed, up-front infrastructure costs.

In the Black Friday context, demand is bursty and unpredictable. Measured service allows the organization to scale resources up during peak shopping hours and scale down afterward, while billing remains tied to what was truly consumed. This is especially important for cost control in e-commerce environments where overprovisioning for peak loads on-premises would be expensive and inefficient. Additionally, because the provider records usage in detail, the organization can perform chargeback/showback internally, validate invoices, and maintain evidence for audits and compliance reviews—all of which depend on accurate, granular measurement.

Why the other options are not the best fit: Broad network access describes availability over networks and access via standard mechanisms (not usage tracking). On-demand self-service refers to users provisioning resources automatically without human interaction from the provider (not billing metering). Resource pooling refers to multi-tenant pooling of provider resources dynamically assigned and reassigned according to demand (again, not the billing/audit measurement function).

Therefore, the feature of detailed tracking of compute hours, storage usage, and bandwidth consumption that supports pay-per-use and auditing is best explained by measured service.

CEH v13 distinguishes between vertical and horizontal privilege escalation. Vertical escalation occurs when an attacker moves upward in the hierarchy of privileges—such as from a regular user to an administrator or root—by exploiting vulnerabilities, misconfigurations, or insecure privilege boundaries. This allows the attacker to perform tasks that were previously restricted, such as modifying system settings, accessing sensitive data, installing malware, or controlling the entire environment. Horizontal escalation, on the other hand, involves accessing another user’s resources at the same privilege level, which the other options describe. Exploiting unquoted service paths or weak access controls may facilitate privilege abuse, but they do not inherently elevate the user to a higher privilege tier unless they specifically lead to administrative execution. The scenario that aligns perfectly with the CEH definition of vertical privilege escalation is the escalation from regular user to administrator.

Colasoft Packet Builder is specifically designed for creating and editing custom packets, making it the best match for a scenario where the tester “crafts custom network packets” and “carefully designs their headers” to test or evade firewall filtering. In CEH methodology, packet crafting is a common technique used to validate how filtering devices respond to unusual or borderline traffic patterns, including altered TCP flags, manipulated fragmentation behavior, spoofed fields, and protocol edge cases. A packet builder tool enables precise control over Layer 2 through Layer 4 fields and, in many cases, supports building application payloads as well. This supports testing for weaknesses such as overly permissive rules, inconsistent state handling, improper reassembly, and inadequate normalization that could allow malicious traffic to pass.

Metasploit is primarily an exploitation framework used to deliver payloads and run modules after targets and weaknesses are identified. While it can generate traffic, it is not the most direct tool for low-level, manual header crafting as described. Nmap is mainly used for host discovery, port scanning, service detection, and scripting-based enumeration; it can manipulate some packet characteristics, but its core purpose is not interactive custom packet construction. Traffic IQ Professional is typically associated with network analysis and traffic monitoring rather than crafting bespoke packets to probe firewall rule behavior.

Therefore, the tool most aligned with CEH-style custom packet creation for firewall evasion testing is Colasoft Packet Builder.

CEH training emphasizes that highly tailored social engineering attacks—those exploiting trust in internal workflows and perceived technical authority—are far more effective than generic or mass-distributed phishing attempts. A fake IT support portal that mirrors internal systems leverages procedural familiarity: IT departments commonly instruct employees to log into support portals for troubleshooting, credential verification, or ticket updates. When the attacker enhances the pretext with insider terminology and references to real internal systems, employees are more likely to trust the portal and enter credentials. CEH highlights that successful social engineering attacks mimic legitimate processes to avoid suspicion. Phone calls posing as executives often introduce risk due to real-time interaction and scrutiny. Generic phishing lacks personalization and is easily detected. Physical impersonation introduces operational risk and may not yield credentials. Therefore, a fake IT support portal aligned with IT workflows is the optimal method.

This scenario describes Living-off-the-Land (LotL) malware techniques, where attackers modify or abuse legitimate system binaries and services to evade detection. CEH v13 identifies this as a highly stealthy persistence mechanism commonly used in advanced persistent threats (APTs).

The most effective countermeasure is file integrity monitoring (FIM), specifically by tracking cryptographic hashes of critical system executables. CEH v13 emphasizes that monitoring file hashes enables early detection of unauthorized modifications to binaries such as PowerShell, cmd.exe, or Windows services.

Backups (Option A) aid recovery but do not prevent or detect compromise. Antivirus updates (Option C) often fail against modified legitimate tools. Firewall hardening (Option D) reduces attack surface but does not detect tampering of trusted binaries.

CEH v13 explicitly recommends hash-based integrity verification as a core defense against stealthy persistence mechanisms. Therefore, option B is correct.

Cloud-based DDoS mitigation services provide upstream traffic scrubbing, detecting and filtering high-volume attacks such as DNS amplification and HTTP floods before the traffic reaches the victim’s network. These services use distributed infrastructures capable of handling multi-vector attacks that surpass the capacity of traditional on-premises firewalls and IDS. Traffic scrubbing centers distinguish legitimate traffic from malicious traffic, allowing normal operations to continue without service disruption.

Whaling is the correct answer because the scenario describes a highly targeted phishing attempt aimed at a “big fish”—a senior executive (the CEO). In CEH terminology, whaling is a specialized form of phishing that focuses on high-profile, high-authority individuals (e.g., CEOs, CFOs, directors) to maximize impact. These targets often have access to sensitive data, financial approvals, privileged systems, and strategic communications, making their credentials significantly more valuable than those of typical employees.

The attacker (Clara) uses classic social engineering drivers emphasized in CEH training: authority (impersonating the legal department), urgency/fear (a “pending lawsuit”), and trust in internal processes (a link to a supposed internal portal). This combination is designed to short-circuit normal verification behavior and prompt quick compliance. The inclusion of a credential-harvesting link aligns with common phishing goals: capturing usernames/passwords, enabling account takeover, and potentially facilitating broader compromise (e.g., email access for business email compromise, lateral movement, or privileged escalation).

Why the other options are less accurate: Spear phishing is also targeted, but it is a broader category aimed at specific individuals or groups at any level. The defining clue here is the executive-level target, which elevates it to whaling. Clone phishing involves copying a legitimate email previously received and swapping a malicious link or attachment—this detail is not present. Consent phishing typically abuses legitimate OAuth/app consent flows rather than a fake portal requesting credentials.

CEH v13 details the standard penetration testing workflow, where confirmed critical vulnerabilities—especially those affecting core systems like database servers—should be prioritized for exploitation only after verification and when explicitly permitted by the rules of engagement. Exploiting a known vulnerability using vetted tools (e.g., Metasploit, CVE-specific exploits) provides evidence of real-world risk and validates the severity rating. Brute-forcing logins (Option B) is inefficient and often outside scope. Ignoring a critical vulnerability (Option C) violates CEH’s prioritization guidelines. A DoS attack (Option D) is never appropriate unless the engagement explicitly authorizes destructive testing, which is rare. CEH stresses that high-impact vulnerabilities should be exploited to demonstrate business risk, privilege escalation potential, data exposure, or lateral movement possibilities—making Option A fully aligned with CEH methodology.

The most likely tool/command is dig @server axfr, which attempts a DNS zone transfer (AXFR) from a specified DNS server. In CEH-aligned reconnaissance and enumeration methodology, DNS is a high-value target because it reveals how an organization’s names map to systems. A successful zone transfer can expose an entire DNS zone database, often including hostnames (subdomains), mail exchanger (MX) records, canonical name (CNAME) aliases, and sometimes internal-facing entries if the zone is misconfigured. The scenario’s outcome—receiving “a full list of subdomains, MX records, and aliases”—matches exactly what an AXFR zone transfer can disclose when a DNS server is improperly configured to allow transfers to unauthorized hosts.

The clue about a “secondary server” is also significant. In DNS architecture, organizations frequently deploy primary (master) and secondary (slave) DNS servers. Secondary servers legitimately request zone transfers from the master to stay synchronized. If the secondary server is misconfigured (for example, allowing AXFR to any requester or to a broader range than intended), an attacker can exploit this and retrieve the zone file. This results in detailed visibility into the organization’s naming scheme and infrastructure layout—information that can be used to identify high-value targets (mail servers, VPN portals, admin hosts), locate staging points, and plan follow-on attacks such as credential harvesting, targeted exploitation, or social engineering.

Why the other options do not fit: smtp-user-enum.pl is used for enumerating valid users on SMTP servers, not DNS records. ldapsearch enumerates directory information from LDAP services, not DNS zones. nbtstat -A queries NetBIOS name tables for Windows hosts, which may reveal local names and shares but not DNS-wide subdomains and MX/CNAME records. Therefore, the enumeration described is most consistent with a DNS zone transfer using dig with AXFR.

The observed characteristics point most strongly to WPA2 because the scenario explicitly identifies CCMP-like headers and AES-based encryption, along with replay protection using a packet number (PN) and the familiar four-way handshake. WPA2 (based on IEEE 802.11i) replaced older approaches that relied on RC4 and TKIP, introducing AES-CCMP as the standard data confidentiality and integrity mechanism for Wi-Fi protected networks. CCMP uses AES in a mode designed for wireless frames and includes a per-packet number to prevent replay attacks.

The mention that these features were “introduced to replace older TKIP/RC4 approaches” is a major clue. Original WPA was designed as a transitional upgrade over WEP and commonly used TKIP with RC4, whereas WPA2 standardized the stronger AES-CCMP mechanism. The four-way handshake is used to derive and install fresh session keys (pairwise transient keys) between the client and access point, and the packet number increases with each encrypted frame to provide replay protection and maintain encryption correctness.

Why the other options don’t fit as well:

WEP (D) uses RC4 with weak IV handling and lacks the robust key management and handshake properties described.

WPA (B) typically centers on TKIP/RC4 rather than AES-CCMP as the defining feature set, especially in CEH-style distinctions.

WPA3 (C) introduces improvements such as SAE (Simultaneous Authentication of Equals) replacing the legacy PSK handshake method in WPA2-Personal, and enhanced protections (e.g., stronger password-based authentication). While WPA3 can still use AES-based encryption, the scenario’s emphasis is on CCMP/AES replacing TKIP/RC4—most directly the WPA2 shift.

Therefore, the access point is most likely using A. WPA2.

The CEH Web Application Hacking module identifies Session Fixation as a powerful session management attack that can bypass advanced authentication controls, including MFA.

In session fixation, the attacker forces the victim to authenticate using a session ID already known to the attacker. Once authentication completes, the attacker hijacks the valid session without needing credentials.

Option A directly targets session management logic.

Option B exploits authorization logic, not session handling.

Option C is unrelated to session management.

Option D is mitigated by encrypted cookies and HTTPS.

CEH explicitly warns that applications must regenerate session IDs after authentication.

In CEH v13 Mobile, IoT, and OT Hacking, firmware-level attacks on Programmable Logic Controllers (PLCs) are categorized as high-impact and stealth-oriented threats, often designed to evade traditional network-based defenses. Malicious firmware compromises the integrity of the device itself, allowing attackers persistent and covert control over industrial processes.

The first and most critical step is to verify the integrity of the firmware and software running on the PLCs. CEH v13 emphasizes that before containment or mitigation actions are applied, accurate identification and confirmation of compromise must occur. Firmware inspection enables analysts to detect unauthorized code injections, modified logic blocks, altered checksums, or tampered boot loaders—hallmarks of OT malware such as Stuxnet-like attacks.

Immediate isolation (Option A) may be necessary later, but premature isolation can disrupt industrial operations and destroy volatile forensic evidence. IDS enhancements (Option C) focus on traffic patterns and are ineffective against firmware-resident malware. Restricting remote access (Option D) is preventative but does not validate or remove an existing firmware compromise.

CEH v13 stresses that OT environments require forensic verification at the device level, especially when abnormal behavior originates from controllers themselves. Firmware validation using vendor-approved tools and hash verification is the correct first step to confirm compromise and plan remediation without risking operational safety.

Email headers typically contain multiple time-related fields, but they do not all carry the same evidentiary value for tracing message handling. In CEH-aligned reconnaissance and email analysis, the most reliable way to determine when an email was processed by the sender’s infrastructure is to examine the earliest “Received” header entry—specifically, the timestamp showing when the message was accepted by the sender’s originating mail server (the first mail transfer agent in the chain). This aligns with option C: the date and time received by the originator’s email servers.

The “Date” header (option A) is set by the sender’s mail client and can be manipulated or misconfigured, making it less trustworthy for forensic timing. Option B (sender’s mail server) is useful for identifying infrastructure and routing, but it does not directly provide the exact processing moment unless paired with the correct “Received” timestamp. Option D (authentication system such as SPF/DKIM/DMARC results) helps validate whether a message is authorized for a domain and detect spoofing, but it does not pinpoint when the sender’s system processed the email.

CEH guidance emphasizes that analysts should correlate multiple “Received” lines from bottom to top (earliest to latest), validate time zones, and look for inconsistencies such as impossible hops, private IP anomalies, or missing hops that indicate header forgery. However, for the specific “moment processed by the sender’s system,” the first acceptance timestamp at the origin mail server is the key artifact.

The CEH Mobile Platform Security module explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit with obfuscation is far more likely to bypass detection.

CEH explicitly teaches that:

Zero-day or unpatched vulnerabilities

Custom, obfuscated payloads

Minimal use of known frameworks

are the most effective for bypassing endpoint defenses during controlled testing.

Option A is correct.

Options B and C are easily detected.

Option D is social engineering, not a technical exploit.

This scenario describes Differential Cryptanalysis, a powerful cryptanalytic technique covered in CEH v13 Cryptography. Differential cryptanalysis focuses on analyzing how small changes in plaintext input affect the resulting ciphertext output, with the goal of uncovering patterns related to the secret encryption key.

CEH v13 explains that symmetric algorithms rely on complex transformations—such as substitution and permutation—to obscure relationships between plaintext and ciphertext. However, in some algorithms, predictable differences may propagate through encryption rounds in a way that reveals statistical biases. By carefully selecting pairs of plaintext inputs with controlled differences and comparing the resulting ciphertexts, attackers can infer information about intermediate states and eventually the encryption key.

This method does not attempt every possible key (brute force), nor does it rely on execution timing or system performance metrics (timing attacks). It also differs from chosen-ciphertext attacks, which involve submitting chosen ciphertexts for decryption rather than observing encryption behavior.

Differential cryptanalysis was instrumental in breaking early block ciphers and is a key reason why modern algorithms like AES are designed with resistance to differential attacks. CEH v13 emphasizes that understanding this attack is critical for evaluating the strength of symmetric encryption algorithms and their internal structure.

Therefore, Option A accurately describes the technique being employed.

The described bypass is most consistent with using an in-line comment technique. Many simplistic SQL injection filters look for specific “blocked” keywords such as SELECT, UNION, OR, or DROP as contiguous strings. If the tester breaks a keyword apart by inserting tokens the database will ignore—most commonly comment delimiters—the filter may fail to match the forbidden keyword, while the SQL parser still reconstructs the intended meaning. For example, inserting comment markers inside a keyword can cause the application-layer filter to miss the pattern, yet the database can still process the statement depending on the DBMS and parsing rules. This is why comment-based obfuscation is a common SQLi evasion approach against weak signature filters.

The scenario’s wording “broken apart with unexpected symbols” maps well to comment markers such as /**/ (or other DBMS-specific comment forms). These characters look “unexpected” to a naïve filter, but to the SQL engine they are treated as comments/whitespace and effectively ignored during parsing, allowing the attacker’s intended keyword to be interpreted correctly.

Why the other options are less aligned:

String concatenation (A) is an obfuscation approach where attackers build keywords/strings using concatenation operators or functions (DBMS-specific). The scenario emphasizes splitting keywords with symbols that the DB interprets correctly as separators/ignored content, which more directly matches comment insertion.

Hex encoding (B) encodes parts of a payload (strings, sometimes function names) in hexadecimal form. That is a different technique than splitting keywords with inserted symbols.

Null byte (D) is historically used to terminate strings in certain contexts (more common in older file/path handling bugs) and is not the primary technique for bypassing keyword filters in modern SQL parsing.

Therefore, the SQL injection evasion technique is C. In-line Comment.

According to CEH v13 Mobile, IoT, and OT Hacking, Advanced Persistent Threat (APT) groups prioritize stealth, persistence, and long-term control. In IoT environments, the most attractive and effective entry point is firmware-level zero-day vulnerabilities.

IoT devices often:

Run outdated or proprietary firmware

Lack regular patching mechanisms

Operate with high privileges

Have minimal monitoring

Exploiting a zero-day vulnerability in firmware allows attackers to gain deep, persistent access that survives reboots and avoids traditional security controls. This aligns directly with APT objectives.

Credential theft (Option B) is common but less reliable for IoT systems. Encrypted MitM (Option C) is complex and less persistent. DDoS (Option D) disrupts services but does not provide control.

CEH v13 explicitly identifies firmware exploitation as the primary APT vector in IoT and OT environments. Therefore, Option A is correct.

Bluesnarfing is a Bluetooth attack described in CEH v13 Wireless Network Hacking, where attackers exploit misconfigured Bluetooth devices to access sensitive data such as contacts, messages, and files—often without user interaction.

One of the most critical enablers of Bluesnarfing is Bluetooth discoverable mode. When devices are discoverable, attackers can easily identify them and attempt unauthorized connections or exploit vulnerabilities in Bluetooth services.

Disabling discoverable mode significantly reduces the attack surface by preventing unauthorized devices from locating Bluetooth-enabled systems. CEH v13 explicitly recommends setting Bluetooth devices to non-discoverable mode when not pairing.

While firmware updates (Option B) are important, they do not immediately prevent discoverability-based attacks. Stronger PINs (Option C) help against pairing attacks but do not stop unauthorized queries. Network-level encryption (Option D) is inherent in Bluetooth protocols and does not mitigate discovery abuse.

CEH v13 highlights that visibility control is the most immediate and effective defense against Bluesnarfing. Therefore, Option A is the correct answer.

This scenario clearly indicates a SYN Flood attack, a classic Denial-of-Service technique discussed in CEH v13 Network and Perimeter Hacking. In a normal TCP three-way handshake, a client sends a SYN, the server responds with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, attackers send a massive number of SYN packets but never complete the handshake.

As described in CEH v13, the server allocates memory and resources for each half-open connection, placing them in the SYN_RECEIVED state. When these connections are not finalized, the server’s connection table becomes saturated, preventing legitimate users from establishing new sessions.

Other options are incorrect:

Smurf attacks rely on ICMP amplification, not TCP handshakes.

Ping of Death uses malformed ICMP packets.

UDP Floods overwhelm ports using UDP, not TCP session states.

CEH v13 emphasizes SYN floods as one of the most common Layer 4 DoS attacks due to their simplicity and effectiveness.

The Certified Ethical Hacker (CEH) Web Application Hacking and DoS/DDoS module identifies Slowloris as an application-layer denial-of-service attack that targets web servers by maintaining a large number of half-open HTTP connections.

Slowloris works by sending partial HTTP requests very slowly, preventing the server from closing the connections. CEH documentation highlights that this attack does not rely on high bandwidth, making it difficult to detect using traditional network-based defenses.

Option C accurately matches the described symptoms and CEH’s definition.

Options A and B are network-layer flooding attacks, which were explicitly ruled out.

Option D is a packet fragmentation attack, not an application-layer DoS technique.

CEH stresses tuning connection timeouts and using reverse proxies as mitigations.

This scenario represents a Tautology-Based SQL Injection, a fundamental SQL injection technique covered under the Web Application Hacking module in the CEH v13 curriculum. The defining characteristic of this attack is the injection of a condition that always evaluates to TRUE, thereby bypassing authentication or authorization controls.

In the given example, the injected input 1 OR 'T'='T'; -- manipulates the logical condition of the SQL query. A typical vulnerable login query may resemble:

SELECT * FROM users WHERE user_id = 1 AND password = 'input';

When the attacker submits the injected payload, the resulting SQL statement becomes:

SELECT * FROM users WHERE user_id = 1 OR 'T'='T'; --';

The expression 'T'='T' is a tautology, meaning it always evaluates to TRUE regardless of context. As a result, the database returns records without properly validating the user’s credentials, granting unauthorized access.

According to EC-Council CEH v13, tautology-based SQL injection is classified as a Boolean-based injection technique where attackers exploit improper input validation to alter the logical flow of SQL queries. This attack does not depend on database error messages (as in Error-Based SQL Injection), does not extract data using UNION statements (Union-Based SQL Injection), and does not rely on response delays (Time-Based Blind SQL Injection).

CEH v13 emphasizes that such attacks are especially effective against login forms and authentication mechanisms when developers fail to implement input sanitization, parameterized queries, or prepared statements. This attack is one of the most common and exam-tested SQL injection types because it clearly demonstrates how flawed logic can compromise application security without advanced techniques.

Understanding tautology-based SQL injection is critical for ethical hackers, as it forms the foundation for identifying and mitigating more complex SQL injection variants.

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.

CEH explains that hash functions alone, such as SHA-256, only provide integrity checks and do not verify authenticity or non-repudiation. Attackers can modify data and recompute the hash.

Digital signatures combine hashing with asymmetric cryptography, ensuring:

Integrity

Authentication

Non-repudiation

Option D is correct.

Options A and B provide confidentiality, not integrity assurance.

Option C secures communication channels, not standalone data integrity.

CEH explicitly recommends digital signatures for protecting data integrity against tampering.

The command that best matches Bob’s goal is ntpq -p. In CEH-aligned coverage of network services and operational troubleshooting, NTP is highlighted as a critical dependency because inaccurate time can break authentication, distort logs, and cause incorrect transaction ordering. When investigating suspected time drift, the most useful first step is to view the active NTP associations and their quality metrics. The ntpq utility queries an NTP daemon and reports peer status and performance data. Specifically, ntpq -p displays a peer table that includes each configured or discovered time source along with fields such as delay, offset, and jitter. These values help determine whether the server is locked to a stable source or being influenced by a poor or rogue time server. Offset indicates how far the local clock differs from the peer, delay reflects network latency to the peer, and jitter shows the variability in timing measurements, all of which are directly mentioned in the question.

Option A, ntptrace, is used to trace the chain of NTP servers back to a reference clock and is useful for understanding hierarchy, but it does not provide the detailed delay, offset, and jitter peer metrics in the same way. Option C, ntpdc, is an older monitoring tool that can query NTP, but CEH references more commonly emphasize ntpq for peer statistics and associations. Option D is a generic ntpq invocation with interactive command support, but the -p option is the explicit mode that outputs the peer list with the required metrics.

CEH v13 emphasizes that well-secured applications use HTTPS, secure cookies, and session regeneration to defend against common session hijacking techniques. In such hardened environments, traditional attacks like session fixation or simple XSS-based token theft often fail because session IDs change at login and secure flags prevent exposure. The remaining viable approach is session token prediction, an advanced attack that analyzes statistical patterns, entropy weaknesses, or timing issues in session ID generation algorithms. CEH discusses that weak pseudorandom number generators (PRNGs) or predictable sequences can allow attackers to compute a valid session ID without intercepting traffic. This method bypasses cookie security and does not rely on manipulating user input, making it suitable for environments with strong defenses. MITM attacks (Option A) require certificate compromise, which is impractical. Session fixation (Option B) fails because the application regenerates tokens. XSS (Option D) is ineffective when secure flags prevent JavaScript access to cookies. Thus, token prediction is the correct answer.

Security awareness and training is the most effective primary countermeasure against social engineering because these attacks exploit human trust, curiosity, urgency, and lack of familiarity with deception tactics rather than purely technical weaknesses. In CEH guidance, phishing, vishing, and baiting succeed when users fail to recognize red flags such as unexpected requests, pressure to act quickly, suspicious links or attachments, caller spoofing, or offers that seem too good to be true. A structured awareness program directly reduces the chance of disclosure by teaching employees how to identify common pretexts, verify unusual requests, and follow safe reporting procedures.

While identity verification (option B) is an important practice, employees typically perform it correctly only when they have been trained on verification steps, escalation paths, and what “good verification” looks like under pressure. Two-factor authentication (option C) helps protect accounts even if credentials are stolen, but it does not prevent employees from sharing sensitive information such as customer data, internal documents, OTP codes, or approving fraudulent requests—many social engineering campaigns aim beyond passwords. Policies and procedures (option D) are necessary, but policies alone are often ignored or misunderstood without ongoing training, reinforcement, and real-world simulations.

CEH-aligned best practice is a layered approach: start with awareness training, reinforce it with clear handling policies, require verification for sensitive requests, conduct phishing simulations, and ensure employees know how to report suspicious emails/calls immediately. This combination reduces both successful compromise and the impact of attempts, but training is the foundational priority because it directly targets the human element being attacked.

Side-channel attacks, as explained in CEH v13 OT and SCADA Security, extract sensitive information by observing physical characteristics of a system rather than exploiting software flaws directly. These characteristics may include power consumption, electromagnetic emissions, timing variations, or thermal output.

In SCADA environments, side-channel attacks are especially dangerous because they bypass traditional network defenses. The most reliable way to confirm such an attack is by analyzing hardware-level anomalies—such as unexpected power usage spikes or irregular signal emissions during normal device operations.

Option B directly aligns with CEH v13 guidance.

Options A, C, and D focus on software, cryptography, or network behavior, which are not primary indicators of side-channel exploitation.

Therefore, Option B is correct.

The weakness described is that a device can reboot and still execute tampered firmware or pre-boot code “without any integrity check before the operating system loads.” The secure development practice that most directly prevents this is Secure Boot. Secure boot establishes a chain of trust starting at power-on, where each stage of the boot process verifies the integrity and authenticity of the next stage (bootloader, kernel, firmware components) before execution. If the verification fails (because firmware was modified, unsigned, or improperly signed), the device can halt, fall back to a known-good image, or enter a recovery mode—preventing malicious pre-OS code from running as if it were legitimate.

This matters especially for IoT devices such as smart climate control units, where attackers may attempt to persist by modifying firmware so that malware survives reboots. Without pre-boot integrity verification, a compromised device can continually load attacker-controlled instructions, making detection and remediation difficult.

Why the other options are less direct:

Code signing (A) is important, but by itself it does not guarantee the device will verify signatures at boot time. Secure boot is the enforcement mechanism that validates signed boot components before they run.

Secure firmware/software updates (B) reduce the chance of malicious updates being installed (e.g., signed OTA updates, authenticated update channels), but they do not necessarily prevent execution of already-tampered firmware at startup if boot-time verification is missing.

Secure communication protocols (C) protect data in transit and device communications, but they do not address firmware integrity during the boot process.

Therefore, the most direct preventive practice for this pre-OS integrity gap is D. Ensure secure boot.

CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests—an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.

The behavior described most closely matches an insider attack, because the actor is a temporary contractor who has physical proximity and implicit access to internal areas where employees work and handle sensitive information. In CEH guidance, an “insider” is not limited to permanent employees; it includes contractors, vendors, interns, and any trusted or semi-trusted individuals who can enter facilities or access internal environments. The attack combines two common insider-facilitated techniques: shoulder surfing and dumpster diving. Recording employees entering passwords is a form of shoulder surfing, where credentials are harvested by observing or capturing authentication entry through direct viewing or recording devices. Finding sensitive documents in a trash bin indicates dumpster diving, where attackers recover confidential information from improperly disposed materials.

These actions are typically feasible because the attacker is already inside the perimeter and can exploit weak operational security practices, such as lack of clean-desk enforcement, inadequate shredding policies, and insufficient physical monitoring of visitor or contractor activity. CEH materials emphasize that insider threats are particularly dangerous because they bypass many external perimeter controls and can blend into normal workplace behavior.

The other options do not fit. A distribution attack generally refers to compromise introduced through supply chain or third-party distribution channels, not on-site observation and trash retrieval. A passive attack is too generic and does not capture the key element of an authorized or trusted presence enabling the compromise. “Cisco-in attack” is not a standard CEH attack category for this scenario. Therefore, the most accurate classification is an insider attack.

This scenario demonstrates a classic case of Session Fixation, a session hijacking technique explicitly covered under the CEH v13 Web Application Hacking module. Session fixation occurs when an attacker sets or predicts a valid session identifier and forces a victim to authenticate using that same session ID.

In the given question, two critical vulnerabilities are highlighted:

The session ID is embedded in the URL

The application does not regenerate the session ID after login

According to CEH v13, secure applications must regenerate session identifiers after successful authentication to prevent fixation attacks. If this does not occur, an attacker can craft a URL containing a known session ID and trick the victim into clicking it. Once the victim logs in, the attacker reuses the same session ID to gain unauthorized access.

CEH documentation states that session fixation is particularly effective when:

Session IDs are passed via URL parameters

Sessions persist across authentication

Secure cookie attributes are not enforced

Other options are incorrect because:

XSS-based cookie theft requires client-side script injection.

DNS cache poisoning is unrelated to session management.

CSRF exploits user trust but does not directly hijack sessions.

Thus, Session Fixation by pre-setting the token in a URL is the most effective attack in this case.

The behavior described matches the countermeasure commonly referred to in CEH materials as escaping or encoding special characters, most notably the single quote character. SQL injection frequently relies on breaking out of a quoted string in the SQL statement using the single quote, then appending logical operators such as OR 1=1, comments, or additional clauses. When an application replaces special characters with escaped equivalents before the SQL statement is executed, it attempts to ensure the input is treated purely as data rather than executable SQL syntax. A classic example is transforming a single quote into an escaped form such as \' or doubling it to '' depending on the database and escaping rules. By doing so, the database parser interprets the quote as part of the literal string value, preventing the attacker from terminating the string and altering query logic.

Option B is therefore the best fit because it precisely describes encoding or escaping the single quote, which is the most commonly targeted delimiter in SQL injection payloads. Option A, user input validation, is broader and typically refers to allowlisting accepted characters and formats, but the question specifically emphasizes replacement with escaped equivalents rather than rejecting invalid input. Option D, parameterized queries or prepared statements, is the strongest modern control recommended in CEH guidance because it separates code from data at the API level, but it is different from character escaping and does not rely on rewriting input characters. Option C limits damage but does not prevent injection. The observed mechanism is clearly single-quote encoding.

Zero-day exploits are considered the most dangerous mobile attack vector in CEH v13 Mobile Platform Hacking. These exploits abuse previously unknown vulnerabilities, meaning no patches, signatures, or defenses exist at the time of attack.

In healthcare environments, mobile devices access sensitive EHR systems and operate under strict compliance requirements. Zero-day exploits can bypass mobile OS security, sandboxing, and antivirus controls entirely.

App spoofing and Bluejacking are easier to detect and mitigate through user awareness and Bluetooth controls. Side-channel attacks are highly specialized and rare in enterprise mobile environments.

CEH v13 stresses that zero-day attacks pose the greatest risk due to lack of detection mechanisms, making Option A correct.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

The described behavior strongly matches HTTP Response Splitting. This vulnerability occurs when an application includes unsanitized user input in HTTP response headers. By injecting carriage return and line feed characters (CRLF), an attacker can “split” the server’s response into multiple parts—causing additional headers to appear or injecting unintended body content. The scenario explicitly says Raj’s payloads cause “additional headers to appear” and “inject unintended content into the output,” which is the classic outcome of response splitting.

Why this matters: response splitting can enable attacks such as web cache poisoning, cookie manipulation, redirection, and cross-site scripting-like impacts through header/body injection. For example, if an attacker can inject a Set-Cookie header, they may set or overwrite cookies in the victim’s browser. If they can inject a Location header, they may force redirects. If they inject content into the body, they may deliver malicious scripts or alter page behavior—especially when combined with caching intermediaries. The vulnerability typically arises in features that reflect user input into headers such as Location, Set-Cookie, Content-Disposition, or custom headers.

The other options do not match the symptoms:

XML Poisoning (B) and XXE (C) relate to XML parsing and entity resolution; they do not directly cause added HTTP headers in responses.

SSRF (D) involves forcing the server to make outbound requests to internal/external resources; it may expose data but does not primarily manifest as injected response headers and altered response structure.

Therefore, Raj is most likely exploiting A. HTTP Response Splitting.

This scenario describes a worm infection, as defined in CEH v13 Malware Threats. Worms are self-replicating malware that spread autonomously across networks without user interaction. Their propagation often results in excessive network traffic, system crashes, and resource exhaustion, which aligns with the symptoms described.

CEH v13 differentiates worms from other malware:

Ransomware encrypts data but does not self-propagate aggressively.

Trojans require user execution.

Rootkits focus on stealth and persistence rather than replication.

The appropriate response prioritizes containment and eradication. Quarantining affected systems prevents further spread. A network-wide antivirus sweep with updated signatures removes known worm variants. Updating operating systems closes vulnerabilities that worms exploit for propagation.

CEH v13 stresses rapid isolation and patching as critical measures to control worm outbreaks and restore network stability. Therefore, Option A is correct.

The behavior described—manipulating request parameters so the application retrieves and exposes files from the server’s local directories—is characteristic of Local File Inclusion (LFI). LFI occurs when an application uses user-controllable input to construct a file path (often for templates, language files, includes, or uploads) and fails to properly validate or constrain it. An attacker can then supply values such as relative path traversal sequences to force the application to access unintended local resources, leading to disclosure of sensitive files (configuration files, credentials, keys, environment files) and sometimes further impact depending on context.

In the scenario, Sophia is testing a “template upload feature,” then “modifying the input parameters in an upload request” to “trick the application into retrieving sensitive files from the server’s local directories,” allowing her to view internal configuration files. That is a textbook LFI outcome: unauthorized read access to local files through a web interface, caused by improper input validation and insecure file path handling.

Why the other options are less accurate:

Insecure deserialization (A) involves unsafe processing of serialized objects, often leading to remote code execution; it is not about retrieving local files via path manipulation.

Cookie poisoning (B) is tampering with cookie values to escalate privileges or alter application behavior; it does not inherently explain local file retrieval.

File injection (C) is a broader term and can refer to multiple file-related abuses, but the specific pattern of including or reading local files via parameters is most precisely labeled Local File Inclusion.

Therefore, the correct answer is D. Local File Inclusion.

CEH teaches that certain advanced intrusion evasion techniques rely on understanding how firewalls differentiate between new connections and established traffic. Most perimeter firewalls scrutinize SYN packets and initial HTTP requests but allow ACK packets from established sessions to pass with minimal filtering. ACK tunneling leverages this behavior by embedding malicious payloads inside ACK packets, which appear to be part of a legitimate, pre-established session. Because ACK packets are often considered "safe," they bypass deep inspection engines, intrusion detection systems, and application-layer gateways. This method allows attackers to move data or commands covertly between compromised internal systems and external hosts. CEH references such evasion strategies when discussing bypassing stateful firewalls and making malicious traffic appear legitimate. Port knocking and SYN scans would initiate new connections—precisely what the firewall is heavily inspecting. ICMP flooding is noisy and easily detected. ACK tunneling is specifically designed for stealth and is aligned with red team tradecraft for avoiding packet-level inspection mechanisms.

The correct answer is B. NetBIOS Enumeration because the ports and services described map directly to NetBIOS over TCP/IP (NBT) and the actions align with querying NetBIOS name table and session services. In Windows networking (especially older systems), NetBIOS provides naming and session-layer services that can reveal valuable host and user information. Specifically, UDP 137 is used for the NetBIOS Name Service (NBNS), UDP 138 for NetBIOS Datagram Service, and TCP 139 for NetBIOS Session Service. Observing activity on UDP 137/138 and an open TCP 139 strongly indicates that NetBIOS services are reachable and can be interrogated.

The scenario states Jake “uses a utility to query the name table and session services,” which is a hallmark of NetBIOS enumeration. NetBIOS name table queries can disclose machine names, domain/workgroup names, and sometimes logged-in usernames (depending on configuration and what names are registered). Session/service enumeration can reveal information about active sessions and available resources. The fact that Jake obtains machine names, usernames, and shared folders without authentication is consistent with weakly configured legacy Windows networking where NetBIOS/SMB information disclosure is possible through null/unauthenticated queries.

Why not the other options: NFS enumeration targets UNIX/Linux file sharing and is unrelated to ports 137–139. SNMP enumeration uses UDP 161/162 and relies on SNMP communities, not NetBIOS naming/session queries. SMB enumeration is closely related and often overlaps operationally, but the question emphasizes “query the name table and session services” and explicitly references the classic NetBIOS port set (137/138/139), making NetBIOS enumeration the most precise classification for this behavior.

In practice, defenders mitigate this exposure by disabling NetBIOS where unnecessary, restricting these ports at network boundaries, enforcing SMB hardening, and limiting anonymous/null session information disclosure.

The indicators described align most strongly with the Search and Exfiltration phase of the APT lifecycle. In CEH-aligned APT models, attackers typically progress from initial access to establishing footholds, expanding access through internal reconnaissance and lateral movement, then locating valuable data and exfiltrating it. While spear-phishing is a common Initial Intrusion technique, the scenario explicitly includes multiple signals that the attackers are already deep inside the environment and actively handling sensitive information.

The key evidence is the “unusually large data transfers during non-business hours” tied to the R&D department and “unexpected outbound traffic to unfamiliar IP addresses.” Those are classic signs of staging and exfiltration, where collected data is aggregated internally and then sent out to attacker-controlled infrastructure, often at times chosen to reduce detection. The observation that attackers have “intimate knowledge of the organization’s internal data structure” further supports that they have already performed internal discovery and are now targeting specific high-value repositories.

Unauthorized firmware on printers and routers suggests the attackers may have created durable internal collection points or covert channels, but that activity supports and enables the data-theft mission rather than being the primary phase indicated by the full pattern of events. Therefore, the combination of targeted access to R&D resources, anomalous outbound connections, and large off-hours transfers most closely matches the Search and Exfiltration phase in CEH APT lifecycle coverage.

The Certified Ethical Hacker (CEH) Social Engineering module defines tailgating as a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area.

Option C precisely matches CEH’s definition.

Option A is pretexting.

Option B is baiting.

Option D is phishing.

CEH stresses physical security awareness as critical as cyber defenses.

CEH courseware categorizes hackers based on intent, authorization, and affiliation. State-sponsored hackers are defined as individuals or teams who conduct cyber operations on behalf of a government to advance national interests. These operations often include espionage, cyber warfare, intelligence gathering, and covert offensive actions. Unlike organized hackers or cybercriminal groups, whose motivations may include financial gain or ideological activism, state-sponsored units follow strategic directives issued by government agencies. CEH materials explain that such groups operate with access to advanced tools, long-term funding, and classified intelligence, enabling them to execute highly sophisticated and covert operations targeting foreign governments, corporations, or critical infrastructure. Hacktivists pursue political or social causes, while gray-hat hackers operate without explicit permission but without malicious intent. Only state-sponsored hackers match the scenario where cyber experts are formally trained, resourced, and authorized by a national government to conduct operations that remain undetected. Therefore, the correct classification is state-sponsored hackers.

The CEH Network Scanning module explains that ICMP Echo Requests are often filtered or blocked by firewalls, routers, or host-based security controls as a defensive measure to reduce reconnaissance exposure.

When systems fail to respond to ICMP Echo Requests but continue to function normally for other services, CEH indicates that this behavior typically means ICMP traffic is being blocked, not that the host is offline or compromised.

Option B is correct.

Option A would affect all services.

Option C lacks supporting indicators.

Option D is speculative and unreliable.

CEH emphasizes that ICMP filtering is common in hardened networks.

An HTTP GET POST attack is the most likely answer because the key indicator in the scenario is the measurement unit and behavior: 398 million requests per second. In CEH-aligned DoS and DDoS coverage, volumetric network-layer attacks like SYN floods are typically discussed in packets per second or bits per second, and they primarily exhaust connection tables or bandwidth at Layer 3 and Layer 4. By contrast, an HTTP flood targets Layer 7 and is commonly measured in requests per second because the attacker is sending large volumes of seemingly valid web requests. This overwhelms web servers, application stacks, and upstream components such as reverse proxies, load balancers, and API gateways, leading to degraded performance and dropped sessions, exactly as described when “active connections drop unexpectedly.”

The mention of “customer-facing platforms” and “numerous compromised devices” also matches typical botnet-driven application-layer flooding, where many distributed sources generate massive HTTP request rates to evade simple IP-based blocking. A TCP SACK panic attack is a vulnerability-triggered crash condition related to TCP handling, not a request-rate spike scenario. An RST attack involves sending TCP reset packets to tear down sessions, which would not normally present as an extreme requests-per-second event in server logs.

Therefore, the evidence most strongly supports an application-layer DDoS: an HTTP GET POST flood designed to exhaust server and application resources and cause intermittent service disruption.

CEH identifies brute-force cryptanalysis as a method in which an attacker systematically tests every possible key, password, or passphrase until the correct one is found. When an attacker obtains initial bytes from an encrypted container—often referred to as known plaintext—they can use this to validate attempts as the tool iterates through candidate keys. Automated brute-force tools compare decrypted results with known header patterns, file signatures, or expected byte structures to determine when the correct key is reached. This process aligns precisely with brute-force password testing described in CEH cryptography modules. Quantum solving is not part of CEH scope, digest comparison relates to collision attacks, and analyzing output length pertains to padding oracle detection. The correct classification is automated brute-force cryptanalysis.

The CEH Footprinting and Reconnaissance module describes DNS interrogation as a valuable technique for extracting publicly available infrastructure information such as A records, MX records, NS records, and subdomains.

DNS can reveal:

Subdomains (via zone transfers, brute forcing, or enumeration)

Mail server IP addresses (MX records)

Server locations inferred from IP geolocation

However, DNS does not store authentication credentials. Usernames and passwords are protected within authentication systems and directories, not DNS records.

Therefore, option A is correct.

CEH clearly states that DNS reconnaissance is limited to infrastructure metadata, not sensitive user credentials.

Spear-phishing is a targeted form of phishing that uses personalized and context-rich information to increase credibility. CEH emphasizes that referencing specific internal projects, financial data, or organizational events significantly raises the success rate when attacking high-value targets such as executives. This tailored approach avoids suspicion and exploits trust more effectively than broad or generic phishing attempts.

CEH v13 explains that WPA2-PSK security relies on the strength of the pre-shared key. Once the 4-way handshake is captured, the attacker must attempt offline cracking. CEH emphasizes that the dictionary attack is the most efficient and commonly used cracking method because it tests structured wordlists, human-derived passwords, and hybrid permutations, dramatically reducing time compared to full brute force. Brute forcing (Option B) is computationally heavy and often impractical unless the password is extremely short. XSS (Option A) and SQL injection (Option D) have no relevance to WPA2 authentication, which occurs at the wireless protocol level, not the router’s web interface. The dictionary attack is highlighted in CEH as the principal technique used with tools like aircrack-ng, hashcat, and pyrit, allowing rapid key testing using optimized GPU or CPU cracking. Thus, Option C is the most effective and CEH-aligned method.

Creating scheduled tasks is the most likely persistence technique because it can be configured to execute automatically at system startup or on reboot without requiring a user to log in or manually launch anything. In CEH-aligned post-exploitation and persistence concepts, attackers commonly use operating system native mechanisms that blend into normal administrative activity. A scheduled task fits this goal well because it can be named to look legitimate, set to run under a specific account, and triggered by events such as system boot, user logon, or a timed schedule. The scenario explicitly states the payload launches on every reboot without user interaction, which aligns with a boot-triggered scheduled task.

Injecting into the startup folder usually triggers execution when a user logs on, not strictly on system reboot, and it depends on an interactive user session. That contradicts the requirement of no user interaction. Modifying file attributes, such as setting hidden or system attributes, improves stealth and makes a file less noticeable, but it does not create an automatic execution mechanism by itself. Installing a keylogger is a capability for capturing keystrokes, not a persistence method, and it does not inherently guarantee execution after reboot unless paired with an auto-start mechanism.

Therefore, the action that directly ensures the binary runs after each reboot in a controlled and reliable way is creating scheduled tasks, which is a classic persistence method emphasized in ethical hacking workflows for demonstrating real-world attacker behavior and improving defensive detection and hardening.

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

The CEH Enumeration module explains that SMTP supports commands such as VRFY, EXPN, and RCPT TO, which can be abused to enumerate valid email users if not properly restricted.

In this scenario, the smtp-enum-users Nmap script successfully uses EXPN and RCPT, indicating that the server responds differently to valid and invalid usernames.

Option C is correct because unrestricted SMTP user verification allows attackers to harvest usernames for further attacks such as phishing or brute force.

Option A involves authentication, not enumeration.

Option B affects confidentiality, not user discovery.

Option D is unrelated to SMTP enumeration.

CEH strongly recommends disabling or restricting these SMTP commands.

According to CEH v13 Security Operations and Incident Response, zero-day vulnerabilities pose one of the highest operational risks because exploits exist before official remediation is available. When active exploitation is observed and no vendor patch exists, immediate compensating controls must be deployed.

The first and most effective action is implementing virtual patching, typically through a Web Application Firewall (WAF) or Intrusion Prevention System (IPS). CEH v13 defines virtual patching as a security measure that blocks exploitation attempts at the network or application layer without modifying the vulnerable software. This approach allows organizations to maintain service availability while reducing exposure.

Shutting down the server (Option A) may prevent exploitation but introduces unacceptable business disruption and is not recommended as a first response. Backups and incident response planning (Option C) are critical but do not actively prevent exploitation. Passive monitoring (Option D) allows attackers to continue exploiting the vulnerability unchecked.

CEH v13 emphasizes that virtual patching is the preferred first response for zero-day threats, especially when systems are mission-critical. It provides immediate risk reduction while allowing time for vendor patch development and controlled deployment.

The CEH v13 content explains that stealth scanning involves modifying scan timing parameters to reduce packet frequency, randomize intervals, and avoid recognizable patterns typically flagged by intrusion detection systems. Slow, randomized timing—often achieved with Nmap’s T0 or T1 timing templates—prevents bursts of traffic and allows scans to blend into normal network noise. IDS/IPS systems tuned for high-volume events may fail to detect such gradual reconnaissance. Fast SYN scans generate distinctive patterns easily identified by security monitoring tools. UDP scans, especially across all ports, produce high traffic volume and are extremely noisy. Xmas scans, although sometimes used for stealth against stateless filters, are still signature-detectable and inappropriate when stealth over time is required. Therefore, applying slow, randomized timing options aligns with CEH-approved reconnaissance techniques for evading detection while enumerating open ports.

SQL injection testing commonly involves using tautology-based payloads such as 1 OR 1=1, which force SQL queries to evaluate as true. CEH explains that this confirms improper input sanitization and exposes whether user-supplied fields directly influence database queries. The result often returns all records, indicating successful injection.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes worms as standalone malicious programs capable of self-replication without requiring user assistance. Unlike viruses, which need a host file and are triggered typically by user actions, worms propagate autonomously by scanning networks, exploiting vulnerabilities, or copying themselves to accessible machines. Worms are known for causing rapid, widespread damage by consuming bandwidth, degrading system performance, and creating backdoors for attackers. Classic examples such as Conficker, WannaCry, and SQL Slammer reinforce the destructive potential of automated propagation. CEH stresses that worms often use network shares, open ports, or unpatched vulnerabilities to move laterally. In contrast, keyloggers harvest keystrokes, ransomware encrypts data and demands payment, and viruses require user involvement to spread. The behavior in the scenario—automatic replication across the network—is the defining characteristic of worm activity according to CEH’s malware taxonomy.

In CEH’s web application and mobile security modules, improper session management is defined as a failure to enforce session expiration, token invalidation, or secure session lifecycle controls. When an application does not invalidate a session token after logout, attackers can exploit this by performing a replay attack: reusing previously captured session identifiers to impersonate the user and gain unauthorized access. CEH teaches that replaying a live token is the simplest and most direct exploitation method because it does not require guessing or stealing new tokens—the attacker simply reuses a valid one that should have been invalidated. CSRF relies on exploiting a user’s active session and is not required when the attacker already possesses a reusable token. Brute-forcing session tokens is computationally expensive and unnecessary. SQL injection is unrelated to session lifecycle flaws unless token storage is directly exposed. Therefore, a replay attack is the correct exploitation method.

CEH cloud modules explain that side-channel attacks exploit indirect information leakage based on hardware characteristics—such as CPU timing, power usage, cache access patterns, or electromagnetic emissions. In virtualized cloud environments, multiple tenants share the same physical hardware, creating opportunities for attackers to extract sensitive data from neighboring virtual machines. By placing a malicious VM on the same host as the victim, an attacker can measure minute differences in timing during cryptographic operations, allowing them to infer private keys or sensitive computations. This aligns precisely with CEH’s definition of a side-channel attack. Cryptojacking involves unauthorized cryptocurrency mining, CPDoS targets caching layers rather than key extraction, and metadata spoofing manipulates cloud metadata endpoints. Only side-channel analysis matches the described attack behavior.

CEH v13 identifies automated patch management as the most secure and scalable approach. Automated tools ensure timely deployment, validation, rollback capability, and compliance reporting.

Manual patching increases human error. Applying patches from unknown sources introduces malware risk. Limiting patches contradicts best practices.

Therefore, Option B is correct.

The system described is a Network-Based Intrusion Detection System because it is positioned near the perimeter firewall and inspects traffic flowing across the network segment rather than activity on a single endpoint. In CEH-aligned coverage, a NIDS is deployed at strategic network points such as behind a firewall, on core switches, or on SPAN or TAP links to monitor inbound and outbound packets. Its purpose is to detect suspicious patterns, signatures, protocol anomalies, and indicators of scanning or exploitation attempts across multiple hosts and an entire subnet. The question explicitly says it “analyzes incoming and outgoing traffic” and looks for patterns “across the entire subnet,” which matches NIDS scope and placement.

A Host-Based IDS, by contrast, runs on individual servers or workstations and monitors local events such as system calls, logs, file integrity, registry changes, and local network connections for that specific host. That does not match the perimeter-positioned, subnet-wide traffic analysis described. Host-based firewalls also operate per endpoint, enforcing rules for that machine only, and do not provide centralized subnet-wide packet inspection from a perimeter vantage point. A network-based firewall primarily enforces allow or deny policy and may perform stateful filtering, but it is not primarily described as a detection tool analyzing suspicious patterns; IDS is the detection-focused control.

Therefore, Olivia is attempting to bypass a Network-Based Intrusion Detection System to demonstrate how malicious traffic might evade monitoring controls placed near the firewall and to help the security team strengthen detection coverage and alerting.

According to CEH v13 Social Engineering, social engineering attacks manipulate human trust rather than technical vulnerabilities. Option A describes a classic pretexting attack, where the attacker impersonates IT staff and fabricates a false issue to trick a victim into revealing credentials.

This scenario aligns perfectly with CEH definitions because:

The attacker relies on authority impersonation

The victim is socially manipulated

No technical exploitation is required

Option B is a legitimate security activity.

Option C is accidental malware introduction, not social engineering.

Option D is physical negligence exploitation, not direct social engineering interaction.

CEH v13 stresses that pretexting attacks are extremely effective against new employees who lack familiarity with procedures. Therefore, Option A is correct.

The correct answer is A. Firmware update attack because the scenario describes an attacker delivering an unauthenticated, non-cryptographically verified update/package to a controller and successfully altering its operational logic. In IoT/OT environments, controllers (PLCs, RTUs, PACs, and embedded industrial devices) often support updating firmware or logic over the network for maintenance. If the device does not verify the source, integrity, and authenticity of update packages—typically through signed firmware, certificates, and secure update channels—an attacker can replace legitimate code with a maliciously modified version.

Sameer’s demonstration maps directly to a firmware/logic update compromise: he uploads “altered instructions” and changes how the controller processes commands during operations. This is exactly the type of risk highlighted in OT security: unauthorized modification of controller logic can cause unsafe states, disrupt production, damage equipment, or create stealthy manipulation that is difficult to detect. The explicit mention of “without checking the origin or cryptographic validity” indicates missing controls like digital signatures, hash verification, and trusted update mechanisms, which are central to firmware update security.

Why the other options are less accurate: Forged malicious device usually refers to introducing a rogue or cloned device into the environment to impersonate legitimate equipment. Remote access using backdoor implies an existing hidden access mechanism rather than abuse of the update mechanism itself. Exploit kits are typically collections of exploits used to compromise systems, commonly discussed more in endpoint/web contexts; they don’t specifically describe the act of pushing an altered firmware/logic package that the controller accepts due to missing validation.

Therefore, the technique is best categorized as a firmware update attack, leveraging weak or absent authenticity/integrity checks on update packages to modify OT controller behavior.

An HTTP Flood attack is an Application Layer (Layer 7) DDoS attack, as defined in CEH v13. In this attack, the adversary sends a massive number of seemingly legitimate HTTP GET or POST requests to exhaust server resources such as CPU, memory, and application threads.

CEH v13 emphasizes that HTTP floods are difficult to detect because they mimic normal user behavior and often bypass traditional network-layer defenses.

Other attacks operate at lower layers:

ICMP, UDP, and SYN floods target network and transport layers.

The most critical benefit in this scenario is scalability. CEH-aligned guidance on modern ethical hacking emphasizes that large, distributed enterprise environments create a fundamental operational challenge: the number of assets, configurations, cloud services, and remote endpoints is too large for purely manual assessment methods to maintain consistent coverage within acceptable timelines. The question highlights exactly this constraint by stating “highly complex and distributed” infrastructure and the “sheer scale of the environment.” An AI-driven platform that “automatically scans the entire network” and continuously flags anomalies is primarily valuable because it can expand assessment coverage across many systems simultaneously, helping the red team evaluate more of the attack surface efficiently.

While predictive analysis is a real AI capability, the scenario’s success requirement is not forecasting future attacks; it is executing assessment activities at enterprise scale and keeping pace as conditions change. Simulation and testing is what red teams do regardless of AI, but AI’s differentiator here is the ability to perform continuous, large-scale discovery and prioritization across cloud, servers, and endpoints without proportional increases in human effort. Enhanced reporting helps communicate results, but it is not the primary operational limiter described.

Additionally, the prompt mentions adapting detection models as new behaviors appear. That supports continuous operation, but the deciding factor is still the ability to operate across a massive environment and maintain broad visibility. Therefore, scalability is the key benefit most critical to success in this scenario.

WPA2-Enterprise networks authenticate clients through 802.1X using a RADIUS server. A common attack method described in CEH training is to create an evil-twin access point broadcasting the same SSID as the legitimate one. Combined with de-authentication frames, clients are forced off the real AP and automatically reconnect to the stronger rogue AP. This allows the attacker to capture authentication exchanges for later misuse, including credential harvesting or EAP-based downgrade attacks.

CEH v13 explains that when traditional enumeration techniques—such as SMB null sessions—are disabled, attackers often pivot to misconfigured LDAP services that still allow anonymous binding. LDAP anonymous bind, when not properly restricted, exposes directory information such as usernames, organizational units, group memberships, and other metadata. This aligns directly with the scenario, where the tester must avoid triggering alarms while still gathering internal data. LDAP queries generate minimal noise, often blending with normal authentication-related traffic, making them ideal for covert enumeration. Options A and C would require authentication or violate access restrictions, and DNS zone transfers (Option D) rarely succeed because modern DNS servers disable AXFR requests from unauthorized clients. CEH repeatedly stresses the importance of detecting and securing LDAP anonymous bind due to its potential for silent information leakage—making Option B the correct choice.

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

The Certified Ethical Hacker (CEH) Social Engineering module defines whaling as a highly targeted phishing attack aimed specifically at senior executives or high-ranking personnel.

This scenario exhibits all whaling characteristics: personalization, impersonation of leadership, business-themed content, and tailored malware delivery.

Option D is correct.

Option A involves copying legitimate emails, but does not necessarily target executives.

Option B lacks targeting.

Option C is unrelated to email-based attacks.

CEH stresses executive awareness training to counter whaling attacks.

UDP scanning produces reliable "closed" results only when an ICMP Port Unreachable is returned. Silent responses indicate either open ports (no reply expected) or filtered ports (blocks dropping packets). CEH emphasizes that non-responses require retransmission or alternate verification techniques.

The described behavior matches DNS Zone Transfer Enumeration. In CEH reconnaissance, DNS enumeration aims to discover hosts and services by querying DNS records. A zone transfer is a special DNS operation intended for legitimate replication between an authoritative primary DNS server and its secondary DNS servers. When misconfigured, a DNS server may allow an unauthorized requester to perform a zone transfer, returning the entire DNS zone database. This can reveal extensive internal naming information such as subdomains, hostnames, mail exchangers, service records, and aliases, exactly like the “full list of internal mappings, including subdomains, mail hosts, and system aliases” described in the question. The clue “secondary system responds unusually” is especially telling, because secondary DNS servers are commonly the ones configured for replication and may be mistakenly left open to transfers from any host.

The other options do not fit the output. LDAP enumeration targets directory services and would not yield DNS-style mappings unless you already had directory access and queries. NTP enumeration relates to time synchronization services and can reveal time/server details, not comprehensive host/subdomain lists. NetBIOS enumeration focuses on Windows networking (names, shares, workgroups) typically on internal networks and would not produce a DNS zone’s record set.

CEH-recommended mitigations include restricting zone transfers to authorized secondary server IPs only, using TSIG keys for authenticated transfers, minimizing publicly exposed DNS data, splitting internal and external DNS (split-horizon), and continuously auditing DNS configurations to prevent inadvertent information leakage.

This activity clearly indicates a TCP SYN scan, also known as a half-open scan, which is a commonly used stealth scanning technique discussed in CEH v13 Reconnaissance and Network Scanning. In a SYN scan, the attacker sends TCP SYN packets to target ports and observes the responses without completing the TCP three-way handshake.

If the port is open, the target responds with a SYN/ACK packet. The scanner then immediately sends a RST packet instead of the final ACK, leaving the connection half-open. This behavior allows attackers to identify open ports while minimizing log entries and reducing detection by security monitoring tools.

The absence of ACK packets in logs supports this explanation, as the handshake is never completed.

Other options are incorrect because:

XMAS scans send packets with multiple flags set.

SYN/ACK scans are primarily used for firewall rule discovery.

TCP Connect scans complete the full handshake and generate ACKs.

CEH v13 emphasizes that SYN scans are widely used because they balance accuracy and stealth, making them a preferred reconnaissance method for attackers.

The described activity most directly matches a firmware update attack. In CEH coverage of IoT and OT threats, firmware represents the low-level code that runs on embedded devices and industrial controllers, and compromising it is one of the most impactful persistence methods because it survives reboots and often persists through normal configuration resets. The scenario states that Sameer “replaces one of the system’s firmware components with a custom payload” and that the payload “maintains access across reboots.” Those are signature characteristics of a firmware-level compromise, typically achieved through insecure firmware update mechanisms, weak signing or verification controls, exposed update interfaces, or inadequate access controls on management ports.

A firmware update attack can occur when devices accept unsigned firmware, use weak integrity checks, allow downgrade to vulnerable versions, or expose update services without strong authentication. Once malicious firmware is installed, it can covertly execute commands, manipulate device behavior, hide its presence from higher-level monitoring, and create a durable foothold in OT environments where patching and reimaging are difficult. CEH emphasizes that OT devices such as programmable controllers and substation automation equipment are especially sensitive because firmware tampering can affect availability and safety, not just confidentiality.

Remote access using a backdoor is a broader concept and could be the payload’s function, but the primary technique here is achieving persistence by modifying firmware. Forged malicious device refers to introducing rogue hardware, and exploit kits are typically used for automated exploitation on endpoints, not controller firmware replacement.

The capability described—administrators instantly provisioning servers, storage, and compute through a web portal without needing the provider to manually intervene—is the NIST cloud characteristic called on-demand self-service. In NIST’s cloud computing model, on-demand self-service means a consumer can unilaterally provision computing capabilities (such as server time and network storage) as needed automatically, without requiring human interaction with each service provider.

The scenario explicitly highlights that the admins can scale resources “instantly” through a dashboard and that there is “no manual involvement from the cloud provider.” That is exactly what on-demand self-service captures: rapid provisioning driven by the customer through automated orchestration and APIs/portals.

Why the other options are not the best match:

Broad network access (D) means cloud capabilities are available over the network and accessed through standard mechanisms by heterogeneous platforms (mobile, laptops, workstations). While the dashboard is accessed over the network, broad access is about reachability and standard access mechanisms, not the self-provisioning behavior.

Resource pooling (C) refers to the provider’s multi-tenant model where physical/virtual resources are pooled and dynamically assigned; it explains how the provider can offer elasticity, but the user-facing “provision it yourself” aspect is on-demand self-service.

Measured service (B) refers to metering and monitoring resource usage for billing/optimization; it doesn’t explain instant self-provisioning.

Therefore, the characteristic is A. On-demand self-service.

According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources.

An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:

Mimic normal user behavior

Are difficult to distinguish from legitimate traffic

Bypass traditional network-layer defenses

Option A is correct.

Options B, C, and D operate primarily at the network or transport layers, not the application layer.

CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.

CEH v13 defines a penetration tester as an authorized security professional whose responsibility is to identify, exploit, and report vulnerabilities within an organization’s systems, networks, applications, and processes. Unlike malicious hackers, penetration testers operate strictly within legal boundaries, under documented Rules of Engagement (RoE), and with explicit written permission from the organization. Their goal is not to harm systems but to simulate real-world cyberattacks to help organizations strengthen their defenses. CEH emphasizes the ethical responsibilities of penetration testers, including maintaining confidentiality, avoiding unauthorized data exposure, ensuring minimal operational impact, and providing actionable recommendations. Options B, C, and D describe malicious actors, malware authors, or unauthorized attackers—roles opposite to that of an ethical penetration tester. CEH makes a strong distinction between white-hat ethical hackers and black-hat attackers, with penetration testers firmly falling under the ethical, lawful category. Therefore, Option A accurately reflects CEH’s definition of a penetration tester.

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

A Directory Traversal attack, also known as path traversal, exploits weaknesses in how a web server or web application processes user-supplied file and directory paths through URLs or parameters. In CEH-aligned terminology, the attacker crafts requests that use traversal sequences such as dot-dot-slash patterns or encoded equivalents to escape the intended web root or permitted directory and reach sensitive locations on the underlying file system. The question states Sofia “manipulates resource paths” and successfully accesses “restricted system files,” revealing “sensitive configuration data.” This is the defining outcome of directory traversal: unauthorized access to files that should never be directly retrievable via the web interface, including application configuration files, server configuration, environment files, or other OS-level resources.

The prompt also eliminates other options by describing what the issue is not. It is not header manipulation, which would be more consistent with HTTP response splitting or header injection behaviors. It is not cached content tampering, which points to web cache poisoning. It is not credential compromise, which would indicate password cracking. Instead, the root cause is explicitly “failure to validate input paths,” matching CEH emphasis on inadequate input validation and improper path normalization or canonicalization before file access. Defensive guidance typically focuses on strict allowlisting of accessible resources, canonicalizing paths and enforcing a fixed base directory, blocking traversal tokens and their encoded forms, using indirect references instead of raw file paths, and applying least-privilege permissions to reduce impact if traversal is attempted.

In CEH v13 Reconnaissance and Enumeration, NetBIOS name suffixes are used to identify the role of systems within a Windows network. The <1B> NetBIOS suffix is particularly significant because it uniquely identifies the Domain Master Browser, which in modern Windows environments corresponds to the Primary Domain Controller (PDC).

When an nbtscan is performed, multiple systems may respond with NetBIOS names, but only one system per domain will register the <1B> suffix. This is because the PDC is responsible for maintaining the master browse list and coordinating authentication services across the domain.

Option C is correct because the <1B> entry is explicitly defined in CEH documentation as belonging to the domain controller.

Option A is incorrect because the local system does not advertise <1B>.

Option B is incorrect because DHCP servers use different identifiers and do not register <1B>.

Option D is incorrect because NetBIOS must be enabled for <1B> to appear at all.

CEH v13 highlights identifying <1B> during enumeration as a high-value discovery, since domain controllers are prime targets during privilege escalation and lateral movement phases.

The correct option is B because it uses vendor-based MAC spoofing, which is the most direct way to make traffic appear to come from a device manufactured by a specific, recognizable vendor (in this case, “Dell”). In MAC addressing, the first portion of the MAC address is the OUI (Organizationally Unique Identifier), which identifies the vendor/manufacturer. Many security and asset tools perform lightweight device profiling by correlating observed OUIs with known vendors, and MAC-based logs may record or flag devices based on whether their OUIs match expected corporate endpoints.

Nmap supports MAC spoofing in a way that allows specifying a vendor name so the resulting MAC address is generated with an OUI associated with that vendor. This matches the requirement in the scenario: the tester wants the scan traffic to “blend in with legitimate devices” by adopting a vendor-associated identifier rather than using a random or obviously unusual MAC prefix.

Why the other options are less appropriate:

A provides only a partial prefix-like value (not a full MAC), and it does not explicitly map to a vendor name, making it less aligned with “specific hardware vendor” blending.

C uses 0 (zero), which is commonly associated with generating a random MAC rather than selecting a specific vendor identity; randomization does not guarantee blending with a chosen vendor’s footprint.

D supplies a full explicit MAC address; while this can spoof a MAC, it does not inherently express the intent to “appear as a specific vendor” unless you already know that exact MAC’s OUI belongs to the desired vendor. The question emphasizes selecting a vendor-associated identifier directly, which is exactly what option B does.

So, the best match for vendor-based disguise is B.

CEH v13 explains that a keylogger is a type of spyware designed to capture user input covertly, often storing or transmitting captured data—such as passwords, emails, chat messages, and financial information—to an attacker. Keyloggers can be implemented as software, firmware, or hardware, and they operate silently in the background without affecting system performance, making them ideal for credential theft. CEH categorizes keyloggers under spying and monitoring malware frequently used in the System Hacking phase to escalate privileges or move laterally once credentials are harvested. Unlike rootkits, which hide processes, or ransomware, which encrypts files, a keylogger’s main purpose is passive surveillance. CEH emphasizes how attackers deploy keyloggers post-compromise or use phishing/social engineering to trick victims into installing them. Their covert nature and ability to bypass traditional AV solutions by masquerading as legitimate processes make identifying them crucial during forensics and incident response activities.

When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.

The correct answer is A. Passive attack because the activity described involves monitoring and capturing information without altering data, system resources, or communications. In CEH-aligned information security concepts, passive attacks are defined by the attacker’s goal of eavesdropping—observing traffic to collect intelligence such as usernames/passwords, session identifiers, network patterns, or sensitive content—while making minimal changes that would trigger detection. The scenario explicitly states that the actor is “silently capturing clear-text credentials” and “analyzing unencrypted traffic,” and that “no modifications have been made to the data.” These are signature indicators of passive attacks such as packet sniffing and traffic analysis.

On an internal Wi-Fi network, passive attacks are particularly effective when encryption is weak or absent, or when users access services that transmit credentials in clear text. An attacker can capture packets and reconstruct sensitive information, especially where legacy protocols or misconfigurations exist. Because passive attackers do not need to inject or modify packets, they often avoid generating anomalies such as retransmissions, spoofed responses, or unexpected routing changes—helping them remain undetected, consistent with the prompt.

Why the other options do not fit: Distribution attack is not the standard classification for this behavior and does not specifically describe silent observation of traffic. Close-in attack refers to attacks that depend on physical proximity (e.g., shoulder surfing, physical tapping, local interception near the target). While Wi-Fi sniffing can require proximity, the defining characteristic in the question is the non-invasive observation with no data modification—i.e., passive attack. Insider attack relates to the attacker’s identity/role (a trusted internal person), which is not established here; the scenario only describes behavior, not who the actor is.

Therefore, the described credential capture and traffic analysis without modification most clearly indicates a passive attack.

CEH teaches that unrestricted file upload vulnerabilities are among the most dangerous in web applications because they allow attackers to bypass extension checks and upload malicious executable files. When the server fails to validate MIME types, file extensions, or execution permissions, an attacker can upload a web shell disguised as a harmless file, such as “image.php.jpg,” which may pass superficial validation and still be executed by the server’s interpreter. Once executed, the shell provides the attacker with command execution capabilities, allowing full control over the system. CEH emphasizes that web shells can enable privilege escalation, database compromise, lateral movement, or full server takeover. Unlike SQL injection or XSS, file upload exploitation directly affects server-side execution, making it significantly more severe. Unrestricted upload flaws are commonly tested in CEH labs with tools like Burp Suite to alter content-type headers or bypass client-side filters. This is a high-impact vulnerability requiring strict validation and sandboxing controls.

The scenario describes the reuse of stolen Kerberos tickets to authenticate to other domain systems without cracking anything and without needing the user’s plaintext password. That behavior aligns directly with a Pass-the-Ticket (PtT) attack. In Kerberos-based environments (such as Active Directory domains), authentication relies on tickets (for example, Ticket Granting Tickets and service tickets). If an attacker can obtain valid ticket material from a compromised host—commonly from memory, credential caches, or ticket stores—they can present (“pass”) the ticket to access services as that user, as long as the ticket is still valid and accepted by the target service.

The key clues are: (1) Devon “intercepts Kerberos authentication material,” (2) “instead of cracking the data, he reuses the stolen tickets,” and (3) he authenticates “directly to other systems within the domain” to access resources. This is the essential advantage of PtT: it bypasses password guessing or hash cracking by leveraging the fact that possession of a valid ticket can be enough to authenticate to services (file shares, application servers, and other Kerberos-protected resources).

The question also rules out common alternatives:

Kerberoasting (C) involves requesting service tickets for SPNs and then offline cracking the encrypted portion to recover service account passwords. Devon is explicitly not cracking anything.

Pass-the-Hash (D) is an NTLM-based technique that reuses NTLM hashes to authenticate. The scenario explicitly states “No NTLM hashes.”

LLMNR/NBT-NS Poisoning (A) is a name-resolution poisoning technique used to capture/relay credentials on a local network. The scenario states no broadcast poisoning was involved and focuses instead on Kerberos ticket reuse.

Therefore, Devon most likely performed B. Pass-the-Ticket Attack.

CEH v13 identifies covert channels in legacy industrial protocols as among the hardest sniffing techniques to detect. Modbus, widely used in OT and ICS environments, lacks authentication and encryption, making it ideal for covert communication.

Attackers can manipulate function codes and payload timing to exfiltrate data without triggering traditional IDS signatures. CEH v13 highlights that OT protocols often bypass deep inspection tools, making covert channels extremely stealthy.

Other options are less realistic or less persistent in modern enterprise environments.

TCP port 389 is the default port for LDAP (Lightweight Directory Access Protocol). The tester’s actions—performing an anonymous bind and querying directory contents with structured search filters to extract usernames and organizational information—are definitive indicators of LDAP enumeration. LDAP is commonly used for centralized directory services (including environments integrated with Active Directory via LDAP interfaces). If misconfigured to allow anonymous binds or overly permissive searches, an attacker can retrieve valuable identity and structure data.

The scenario describes obtaining usernames, departmental details, and organizational units (OUs). Those are typical LDAP directory attributes and containers. Enumerating them can directly support follow-on attack paths: building targeted password-spraying lists, crafting spear-phishing that references accurate internal roles, identifying privileged groups, and mapping the organization’s structure to prioritize high-value targets. Even without direct credential compromise, directory disclosure increases attacker effectiveness.

Why the other options are incorrect:

SMTP enumeration (A) focuses on email systems (e.g., VRFY/EXPN/RCPT TO behaviors) and typically uses TCP/25 or related mail ports, not 389.

DNS enumeration (B) involves querying DNS records (A/AAAA, MX, NS, TXT, zone transfers) and does not involve directory binds or LDAP filters.

NTP enumeration (D) relates to time services (UDP/123) and provides timing/monlist-style information, not user/OU directory attributes.

Because the service is on TCP/389 and the technique involves binds and directory searches, the correct classification is C. LDAP Enumeration.

The correct answer is B. Known-plaintext attack because the scenario explicitly provides paired samples of plaintext and ciphertext for the same underlying data. In a known-plaintext attack, the analyst possesses one or more examples where the original message (plaintext) is known and the corresponding encrypted output (ciphertext) is also available. These pairs can be used to analyze the cipher’s behavior, validate hypotheses about modes/parameters, and—depending on the algorithm, implementation weaknesses, and key management—attempt to recover the encryption key or decrypt other ciphertexts encrypted under the same key.

Here, Evelyn has “original template records (standard headers and form fields)” and their “encrypted counterparts” in the stolen backup set. Medical record formats commonly contain predictable structures (fixed headers, repeated field names, standardized forms), which increases the likelihood of having accurate known plaintext segments. With enough known plaintext/ciphertext pairs, an attacker may identify patterns caused by weak encryption choices, reused keys, reused IVs/nonces, insecure modes (e.g., ECB revealing structure), or flawed custom crypto. Even when strong algorithms are used, known-plaintext material can still be valuable for confirming the encryption scheme and detecting implementation errors.

Why the other options are not correct: Ciphertext-only assumes the attacker has only encrypted data and no plaintext examples—contradicted by the templates. Chosen-plaintext requires the ability to submit arbitrary plaintexts to an encryption oracle and receive ciphertexts, which the scenario does not indicate. Chosen-ciphertext requires the ability to submit ciphertexts to a decryption oracle and observe outputs, also not described.

Because Evelyn has real, matching plaintext-ciphertext pairs from the same dataset, the most appropriate cryptanalytic approach is a known-plaintext attack.

In CEH network security concepts, a common way to verify whether a host is running a sniffer is to test for promiscuous-mode behavior using an active stimulus and then observing whether the suspected machine reacts to traffic it should normally discard. The “ping method” is a classic approach: the tester sends ICMP Echo Request traffic crafted so the Ethernet frame uses an incorrect destination MAC address, while the IP layer still targets the suspected host’s IP. Under normal NIC operation, frames with a destination MAC that does not match the interface (and is not broadcast/multicast) are dropped at the data-link layer and never reach the IP stack, so the host will not respond.

If the interface is in promiscuous mode, the NIC passes more frames up to the operating system for processing. In some configurations, this can allow the IP stack to see and respond to the ICMP request even though the frame’s MAC destination was wrong. That unexpected reply is used as an indicator that the host may be capturing traffic promiscuously, consistent with sniffer presence.

The other options are less aligned with the “classic active verification” described. Reverse DNS monitoring is an indirect heuristic and not a reliable confirmation of promiscuous mode. An NSE script is tool-specific rather than the classic foundational technique the question emphasizes. ARP-based methods exist for sniffer detection, but the option presented is less directly tied to the well-known ICMP incorrect-MAC confirmation described in CEH materials.

Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking. Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior, rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

Thus, Option B is the most effective and CEH-aligned IDS configuration.

This question relates to Malware Analysis, specifically PDF-based malware, as covered in the CEH v13 Malware Threats module. The presence of /JavaScript and /OpenAction keywords identified by pdfid strongly indicates potentially malicious behavior triggered when the PDF is opened.

CEH v13 recommends static analysis of PDF stream objects as the next step to understand embedded malicious logic. Tools such as PDFStreamDumper allow analysts to extract, decompress, and inspect object streams within a PDF file, revealing obfuscated JavaScript code or exploit payloads.

The /OpenAction keyword indicates that the embedded JavaScript executes automatically when the document is opened, a common technique used in PDF-based attacks to exploit reader vulnerabilities or download secondary payloads.

Other options are insufficient:

VirusTotal provides detection results but not behavioral insight.

PE Explorer is irrelevant because PDFs are not Portable Executable files.

Hashing only helps identify known malware, not analyze behavior.

CEH v13 emphasizes manual inspection of embedded scripts to determine intent, making PDFStreamDumper the correct next step.