CEH teaches that ARP-based attacks vary in sophistication from basic poisoning to more specialized techniques such as switch port stealing. In environments where ARP poisoning defenses or inspection tools limit traditional attacks, attackers may exploit timing vulnerabilities in ARP reply behavior. Switch port stealing works by sending spoofed ARP replies at precisely the right moment—before the legitimate ARP response from the target host—causing the switch’s CAM table to update temporarily and associate the target’s IP address with the attacker’s MAC address. CEH emphasizes that switches trust the latest ARP update, so even brief timing windows enable partial packet interception. This is different from fully persistent ARP poisoning, which continuously overwrites ARP tables, and from passive sniffing, which cannot capture unicast traffic on a switched network. This attack is particularly useful when ARP spoofing is mitigated because it relies on opportunistic timing rather than full table poisoning. The intermittent nature of intercepted packets matches CEH’s description of switch port stealing behavior.

This question describes a classic example of Tautology-Based SQL Injection, a subcategory of SQL Injection attacks which fall under Web Application Hacking in the CEH curriculum.

In a tautology-based SQL injection, the attacker injects a SQL fragment that always evaluates to true, thus bypassing the authentication mechanism. The string ' C ' ll-T; — is a malformed variant, possibly meant to represent ' OR ' 1 ' = ' 1 ' ; --, which is one of the most basic and widely recognized tautology-based injection payloads. When injected into a vulnerable SQL query, this kind of input manipulates the WHERE clause of the query so that it always evaluates to true, regardless of the original conditions.

Here’s how it works:

If the SQL query is:

SELECT * FROM users WHERE username = ' $username ' AND password = ' $password ' ;

And the attacker inputs:

' OR ' 1 ' = ' 1 ' ; --

The query becomes:

SELECT * FROM users WHERE username = ' ' OR ' 1 ' = ' 1 ' ; -- ' AND password = ' ' ;

This results in the execution of:

SELECT * FROM users WHERE ' 1 ' = ' 1 ' ;

Which always evaluates to true, thereby bypassing authentication and allowing unauthorized access.

This method does not rely on error messages (Error-Based), timing delays (Time-Based Blind), or UNION statements (Union-Based). Its goal is to exploit logic within the query structure itself using boolean-based manipulation.

According to EC-Council ' s CEH v13 Module: Web Application Hacking, understanding tautology-based injection is critical because it ' s one of the most common ways attackers bypass login forms on poorly secured web applications.

The strongest indicator in this scenario is that multiple compromised hosts are “behaving like zombies,” communicating outbound to a single unfamiliar external IP over high ports, and “silently accept remote instructions” while performing “coordinated background tasks.” In CEH-aligned malware terminology, these are hallmark characteristics of a botnet: a collection of infected endpoints (bots/zombies) under centralized or semi-centralized command-and-control. Worm-like propagation explains how the compromise rapidly expanded across the internal network—using shared folders and stolen credentials for lateral spread—while the “backdoor component” provides persistent remote control functionality once a system is infected. The observed coordination across many hosts strongly suggests the attacker’s goal is not merely individual surveillance of a single machine, but scalable remote control of many machines at once.

Option A, data exfiltration, is plausible in many intrusions, but the question emphasizes orchestration and remote tasking across many endpoints rather than targeted theft from specific repositories. Option B is inconsistent because there is no mention of encryption, ransom notes, or disruption-focused behavior. Option D, a RAT, typically describes remote control of a host, but the scenario’s defining feature is the creation of many “zombies” with coordinated behavior—this aligns more precisely with building a botnet for command and control, which can later be used for data theft, DDoS, spam, or further intrusion operations.

CEH defensive guidance includes monitoring egress traffic anomalies, detecting C2 patterns, segmenting networks to limit worm spread, disabling unnecessary shares, enforcing strong credential hygiene, and using EDR to identify backdoors and lateral movement behaviors.

Once initial access is obtained—especially through weak or default credentials—the CEH system hacking methodology directs the tester to proceed to privilege escalation. The objective is to elevate user-level access to administrative or system-level privileges so the attacker can perform unrestricted actions such as installing tools, modifying configurations, accessing protected files, and pivoting laterally. CEH materials emphasize using privilege escalation vulnerabilities, such as misconfigured services, kernel exploits, unpatched local privilege escalation flaws, weak file permissions, and token impersonation. A denial-of-service attack is counterproductive and does not support post-exploitation goals. XSS is a web application attack vector and unrelated to operating system privilege manipulation. Brute-forcing the root password is noisy, slow, and unnecessary when authenticated access is already established. Therefore, exploiting a known local privilege escalation vulnerability is the appropriate CEH-aligned next step.

When partial root access exists, preventing further privilege abuse is the immediate priority. CEH v13 explains that Mobile Application Management (MAM) enforces granular access control, application isolation, and permission enforcement—even on compromised devices.

Secure coding (Option A) and testing (Option C) are preventative measures but do not contain an active compromise. Certificate pinning (Option B) protects communications, not application control.

MAM solutions allow administrators to revoke access, enforce policies, and isolate apps, limiting attacker capabilities post-compromise. Therefore, Option D is correct.

CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request—usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user’s active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.

The correct answer is Credentialed Scanning. CEH vulnerability assessment guidance explains that credentialed scans use authorized login access on the target system so the scanner can inspect the machine from the inside with a much higher level of accuracy and detail. That is why credentialed scanning can identify installed updates, local policy settings, configuration inconsistencies, file permissions, registry issues, and patch gaps that are not always visible from an external network perspective. The question specifically mentions granular host-level findings that required direct system-level inspection, which is a strong indicator that valid credentials were used to query the target systems. Non-credentialed scanning, by contrast, relies on remote observation and network-visible characteristics, so it generally cannot provide the same depth of internal host information. Automated scanning is too broad a label, and application scanning is limited to application-layer targets rather than host operating-system posture. CEH materials consistently note that credentialed scans produce more accurate vulnerability results and reduce false positives because the scanner can verify software versions, patch states, and security settings directly on the target machine rather than merely inferring them from banners or exposed services.

According to CEH v13 Mobile, IoT, and OT Hacking, Advanced Persistent Threat (APT) groups prioritize stealth, persistence, and long-term control. In IoT environments, the most attractive and effective entry point is firmware-level zero-day vulnerabilities.

IoT devices often:

Run outdated or proprietary firmware

Lack regular patching mechanisms

Operate with high privileges

Have minimal monitoring

Exploiting a zero-day vulnerability in firmware allows attackers to gain deep, persistent access that survives reboots and avoids traditional security controls. This aligns directly with APT objectives.

Credential theft (Option B) is common but less reliable for IoT systems. Encrypted MitM (Option C) is complex and less persistent. DDoS (Option D) disrupts services but does not provide control.

CEH v13 explicitly identifies firmware exploitation as the primary APT vector in IoT and OT environments. Therefore, Option A is correct.

CEH v13 defines passive reconnaissance as information gathering without interacting directly with the target or alerting them. The goal is to remain undetected while collecting intelligence from publicly available sources.

Directly interacting with a threat actor on forums—even under a pseudonym—constitutes active engagement. CEH v13 warns that such interaction risks exposure, attribution, and legal complications. It can alert the adversary, cause them to alter behavior, or even retaliate.

WHOIS lookups, DNS queries, archived web content, and anonymous browsing are all passive techniques endorsed in CEH v13. These methods do not notify the target and leave minimal trace.

Thus, Option A should be avoided to maintain a low profile.

This scenario clearly describes the need for Time-Based Blind SQL Injection, an advanced SQL injection technique covered in the CEH v13 Web Application Hacking module. Blind SQL injection is used when an application does not return database errors or visible output, making traditional techniques ineffective.

According to CEH v13, Time-Based Blind SQL Injection is particularly useful when:

The backend database type is unknown

Error messages are suppressed

UNION queries fail

No direct data is returned in responses

In this technique, attackers inject SQL statements that deliberately introduce time delays using database-specific functions such as SLEEP(), WAITFOR DELAY, or BENCHMARK(). The ethical hacker then observes the application’s response time to determine whether the injected condition is true or false.

For example:

' OR IF(1=1, SLEEP(5), 0) --

If the application response is delayed, it confirms that the injected SQL statement was executed successfully. CEH v13 categorizes this method as behavioral-based inference, where the attacker extracts information one bit at a time by analyzing timing differences.

Other options are incorrect because:

Content-Based Blind SQL Injection relies on visible differences in responses, which the question states are unavailable.

Union-Based SQL Injection requires knowing column count and data types.

Error-Based SQL Injection depends on database error messages being displayed.

CEH v13 emphasizes Time-Based Blind SQL Injection as a last-resort yet highly effective technique when dealing with hardened applications that suppress output, making it a frequent exam-tested concept.

The persistence described—“automatically launch every time the system is restarted” with no user interaction—most commonly aligns with Registry Run keys on Windows. Run keys are a classic persistence mechanism where an attacker adds a value referencing their executable to locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run (per-user) or HKLM\Software\Microsoft\Windows\CurrentVersion\Run (system-wide). When Windows starts (and/or when a user logs in, depending on the key), the operating system processes these entries and launches the referenced program automatically. This provides reliable persistence across reboots and is frequently used because it is simple, effective, and blends with legitimate startup entries.

The scenario indicates Meera placed a binary in a hidden directory and configured it to auto-launch after restarts. Registry-based autoruns fit that exact pattern: the binary can reside anywhere (including a hidden folder), while the registry entry points to it. The persistence survives reboot and does not require the attacker to be present.

Why the other options are less likely given the phrasing:

Startup Folder (C) can also auto-launch programs, but it commonly implies a shortcut or executable placed in the user’s startup directory and is generally tied to user logon behavior. The question emphasizes “every time the system is restarted” and is most often tested in CEH contexts as registry autorun persistence.

Scheduled Tasks (A) can run at startup or on triggers and is a valid persistence technique, but the scenario does not mention task scheduling, triggers, or task configuration.

Creating a new service (B) would typically imply installing a Windows service, often requiring elevated privileges and presenting as a managed service; the scenario frames it as a lightweight binary planted and configured to auto-launch, which aligns more naturally with Run keys.

Therefore, the most likely persistence technique is D. Registry run keys.

DNS interrogation is a core passive and semi-active reconnaissance technique described in CEH v13 Reconnaissance Techniques. It allows ethical hackers to gather publicly available information about a target’s domain infrastructure.

Through DNS queries, testers can retrieve:

Subdomains (via zone transfers, brute force, or DNS records)

Mail server IP addresses (via MX records)

Server IP addresses, which can then be mapped to approximate geographic locations

However, DNS does not store authentication credentials such as usernames and passwords. That information resides in authentication systems like Active Directory, LDAP, or application databases, not DNS.

Therefore, Option A is the only choice that cannot be obtained via DNS interrogation. CEH v13 clearly distinguishes between naming infrastructure data and credential-based information, reinforcing why DNS enumeration cannot reveal user credentials.

Thus, Option A is correct.

This technique is known as Boolean-Based Blind SQL Injection, as defined in CEH v13 Web Application Hacking. When applications suppress database errors and return generic responses, attackers use conditional statements to infer database behavior.

By comparing responses to true (1=1) and false (1=2) conditions, the attacker deduces whether injected SQL is being executed successfully.

CEH v13 distinguishes this from:

Error-based SQLi (visible DB errors)

UNION-based SQLi (data extraction)

Time-based SQLi (response delays)

Boolean-based blind SQL injection relies solely on content differences, making option C correct.

Broken Access Control is the correct choice because the scenario describes a user being able to access and modify resources that should be restricted to other users or roles. In CEH-aligned web testing, access control flaws occur when an application fails to enforce authorization checks consistently on the server side. Manipulating session parameters and then retrieving “sensitive medical records not associated with their own account” is a classic indicator of an authorization bypass, often seen as insecure direct object references, parameter tampering, or horizontal and vertical privilege escalation. Horizontal escalation is when one user accesses another user’s data at the same privilege level, while vertical escalation is when a user performs actions reserved for higher-privileged roles. The prompt explicitly states users can perform actions beyond assigned roles, which is the definition of broken authorization enforcement.

The other options do not align with the described root cause. Cryptographic Failures focuses on weak or missing encryption and does not explain why authenticated users can reach unauthorized records. Insecure Deserialization involves unsafe deserialization leading to remote code execution or data tampering via serialized objects, which is not indicated here. Security Misconfiguration is broader and can contribute to exposure, but the scenario emphasizes role and resource permission bypass rather than mis-set server headers, default accounts, or exposed admin interfaces.

Mitigation in CEH best practices includes enforcing server-side authorization on every request, using deny-by-default policies, validating that the authenticated user is allowed to access the specific record identifier, implementing robust role-based access control, logging access denials, and adding automated tests to prevent IDOR and privilege escalation regressions.

The correct classification is Potentially Unwanted Applications (PUAs). In CEH malware taxonomy, PUAs refer to software that is not strictly malicious in the traditional sense but exhibits undesirable behavior such as displaying intrusive advertisements, modifying browser settings, collecting user data, degrading system performance, or bundling with other freeware without clear user awareness. In this scenario, the toolbar and optimization tool were bundled with a legitimate utility installer and presented with vague descriptions—an extremely common PUA distribution method known as software bundling.

The symptoms described—pop-up ads, homepage modification, sluggish performance, and background data transfers—are consistent with adware or browser hijackers, which fall under the broader PUA classification. Importantly, the question specifies there is no immediate file encryption (which would suggest ransomware) and no self-replication (which would suggest a worm). Botnet agents typically establish command-and-control communication and are designed for coordinated malicious activity such as DDoS or spam campaigns; while unexplained traffic may raise suspicion, the described behavior aligns more closely with adware-style monetization rather than structured botnet activity. Logic bombs are dormant code triggered by specific conditions, which is not indicated here.

From a defensive perspective, CEH recommends secure software acquisition policies, user awareness training, disabling unnecessary bundled installations, implementing endpoint protection with PUA detection enabled, and enforcing application allowlisting to prevent unauthorized or bundled software from executing within the enterprise environment.