The correct answer is A. Measured service because the scenario describes a core cloud characteristic where resource usage is metered, monitored, controlled, and reported, enabling pay-as-you-go billing and supporting accountability and auditability. In CEH cloud computing coverage (aligned with standard cloud definitions), measured service refers to the cloud provider’s ability to automatically track and quantify consumption of resources such as CPU/compute time, storage capacity, memory, and network bandwidth. This metering is fundamental to cloud economics: customers pay based on actual usage rather than fixed, up-front infrastructure costs.

In the Black Friday context, demand is bursty and unpredictable. Measured service allows the organization to scale resources up during peak shopping hours and scale down afterward, while billing remains tied to what was truly consumed. This is especially important for cost control in e-commerce environments where overprovisioning for peak loads on-premises would be expensive and inefficient. Additionally, because the provider records usage in detail, the organization can perform chargeback/showback internally, validate invoices, and maintain evidence for audits and compliance reviews—all of which depend on accurate, granular measurement.

Why the other options are not the best fit: Broad network access describes availability over networks and access via standard mechanisms (not usage tracking). On-demand self-service refers to users provisioning resources automatically without human interaction from the provider (not billing metering). Resource pooling refers to multi-tenant pooling of provider resources dynamically assigned and reassigned according to demand (again, not the billing/audit measurement function).

Therefore, the feature of detailed tracking of compute hours, storage usage, and bandwidth consumption that supports pay-per-use and auditing is best explained by measured service.

The technique described is RST hijacking because the attacker sends spoofed TCP packets with the RST (reset) flag to forcibly terminate established TCP sessions. In TCP, an RST packet is used to immediately abort a connection. If an attacker can craft packets that appear to belong to an existing session (matching the 4-tuple and using plausible sequence/acknowledgment values), the receiving endpoint may accept the reset and tear down the connection. This creates disruption—sessions drop, users are disconnected, and applications experience errors—without the attacker needing to fully take over the session or inject meaningful application data.

The scenario matches this exactly: “spoofed TCP packets carrying the reset flag,” followed by “active sessions…abruptly terminated.” That is the hallmark outcome of RST-based session disruption. It is often used as a demonstration of how fragile sessions can be when attackers can spoof traffic within a path (or on the same network segment) and when defensive controls do not validate or protect sessions adequately.

Why the other options are incorrect:

UDP hijacking (A) doesn’t apply because UDP is connectionless and has no RST flag or session teardown mechanism like TCP.

Blind hijacking (C) refers to injecting traffic without seeing responses (guessing sequence numbers), but the specific mechanism asked here is the reset-flag termination; “blind” could be a property of how it’s done, not the named technique.

TCP/IP hijacking (D) is a broader category that includes multiple methods of taking over or manipulating TCP sessions. The question is specifically about using RST packets to kill sessions, which is most precisely called RST hijacking.

Therefore, the correct answer is B. RST Hijacking.

CEH describes FIN scans as stealthy scans that send packets with the FIN flag without initiating a TCP handshake. According to TCP RFC behavior, closed ports respond with RST packets while open ports ignore the probe, producing no response. This allows enumeration of port states while evading IDS systems that typically monitor SYN-based scans.

The capability described is Kubernetes self-healing, a core behavior emphasized in CEH cloud and container security coverage when discussing resilience, availability, and fault tolerance in containerized environments. Self-healing means Kubernetes continuously monitors the desired state of workloads and automatically acts when the current state deviates due to failures. If a node crashes, a container exits unexpectedly, or a pod becomes unhealthy, Kubernetes responds by restarting containers, recreating pods, and rescheduling workloads onto healthy nodes to maintain service continuity. This directly matches the scenario where containers are “automatically replaced and rescheduled” from failed nodes to keep payment services highly available.

While several Kubernetes components participate in achieving this outcome, the feature name most aligned with the described behavior is self-healing. Kubernetes uses controllers and the scheduler to implement it: deployments and replica sets ensure the correct number of pod replicas exist; liveness and readiness probes detect unhealthy containers; and when nodes become NotReady, pods are evicted and recreated elsewhere. This is exactly how Kubernetes supports uninterrupted operations for critical applications such as payment processing platforms.

Option B, kube-controller-manager, is a control-plane component that runs multiple controllers, and it contributes to enforcing desired state, but the question asks for the feature capability rather than the specific internal process that provides it. Option C, container orchestration, is broader and includes deployment, scaling, and management, but it is less precise than self-healing for the specific behavior of automatic replacement and rescheduling after failures. Option A is unrelated to availability behavior.

The behavior described most closely matches an insider attack, because the actor is a temporary contractor who has physical proximity and implicit access to internal areas where employees work and handle sensitive information. In CEH guidance, an “insider” is not limited to permanent employees; it includes contractors, vendors, interns, and any trusted or semi-trusted individuals who can enter facilities or access internal environments. The attack combines two common insider-facilitated techniques: shoulder surfing and dumpster diving. Recording employees entering passwords is a form of shoulder surfing, where credentials are harvested by observing or capturing authentication entry through direct viewing or recording devices. Finding sensitive documents in a trash bin indicates dumpster diving, where attackers recover confidential information from improperly disposed materials.

These actions are typically feasible because the attacker is already inside the perimeter and can exploit weak operational security practices, such as lack of clean-desk enforcement, inadequate shredding policies, and insufficient physical monitoring of visitor or contractor activity. CEH materials emphasize that insider threats are particularly dangerous because they bypass many external perimeter controls and can blend into normal workplace behavior.

The other options do not fit. A distribution attack generally refers to compromise introduced through supply chain or third-party distribution channels, not on-site observation and trash retrieval. A passive attack is too generic and does not capture the key element of an authorized or trusted presence enabling the compromise. “Cisco-in attack” is not a standard CEH attack category for this scenario. Therefore, the most accurate classification is an insider attack.

The correct answer is B. hashdump because the output described—“a long list of alphanumeric strings representing LM and NTLM values”—matches the Windows password hash formats typically extracted from the local Security Account Manager (SAM) database (with supporting data from the SYSTEM hive). In CEH-aligned post-exploitation and credential access concepts, attackers frequently target LM/NTLM hashes rather than plaintext passwords. Hashes can be taken offline for password recovery attempts (e.g., dictionary/brute-force and rule-based cracking), which aligns with the scenario where the values are transferred to a cracking rig.

Within a Meterpreter context, hashdump is the command commonly associated with dumping local account password hashes from a compromised Windows host. The hashes are useful for simulating credential compromise across an environment because recovered passwords may be reused on other systems, and even without recovery, hashes can sometimes be leveraged in authentication abuse scenarios depending on controls in place.

Why the other options are incorrect:

keyscan_start initiates keystroke logging in Meterpreter; it would not output LM/NTLM hash strings.

getsystem attempts privilege escalation to SYSTEM-level (or equivalent). While higher privileges may be required before successfully dumping hashes, getsystem itself does not produce a list of hashes; it changes/attempts to change the privilege context.

screenshot captures the user’s screen and has no relationship to credential hash extraction.

The “post-exploitation phase” detail is important: credential dumping is a classic activity after gaining a foothold, used to expand access (pivoting/lateral movement) and assess the impact of poor password hygiene. From a defensive perspective, this highlights the need for least privilege, credential protection controls, restricted local admin, strong password policies, and monitoring for suspicious credential-access behaviors.

CEH v13 identifies kernel-level rootkits as among the most dangerous malware types. Because they operate at the lowest OS level, they can hide processes, files, and system calls.

CEH v13 states that the only guaranteed remediation is a complete system wipe and clean OS reinstallation from a trusted source. Attempting removal risks incomplete eradication.

Powering down alone does not remove the rootkit. Honeypots are for detection, not remediation. Tailored removal tools may fail at kernel depth.

Thus, Option C is correct.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

In CEH v13 Mobile, IoT, and OT Hacking, Bluetooth Low Energy (BLE) attacks often involve capturing pairing exchanges. If the Long-Term Key (LTK) is not captured, decryption is not immediately possible.

CEH v13 explains that in such cases, attackers may attempt Btlejacking, which hijacks an existing BLE connection rather than decrypting it. This allows command injection and data manipulation without needing the LTK.

Options A and B are incorrect because decryption is not the only attack path. hcitool is for discovery, not exploitation. Therefore, Option D is correct.

The command that best matches “directly interact with the NTP daemon and query its internal state,” enabling monitoring and retrieval of statistics, is ntpdc. Option C is correct because ntpdc is designed as a control/query utility for NTP that communicates with the NTP daemon using control messages. It can be used to request internal variables, statistics, and status information and to perform certain monitoring-style checks related to NTP daemon operation.

The scenario also gives a strong exclusion clue: Bob’s goal is not primarily to list peers with delay, offset, and jitter values. That peer listing is most closely associated with ntpq -p (option A), which prints peer relationships and timing metrics. Similarly, ntptrace (option B) is used to trace the chain of NTP servers (who is syncing from whom), which is not what Bob is seeking. Option D (ntpq with -c command) can query certain runtime details, but the question emphasizes a diagnostic command focused on controlling/checking daemon operation and retrieving internal stats—this description aligns more closely with ntpdc in many NTP administration and diagnostic workflows.

In practice, an assessor might use ntpdc to query items like system status, clock variables, and monitoring statistics from the daemon, which can help diagnose synchronization irregularities and understand how the NTP service is behaving internally. That aligns with “query its internal state” and “retrieve statistics.”

Therefore, the correct command is C. ntpdc [-ilnps] [-c command] [host].

CEH v13 highlights the importance of route tracing during internal reconnaissance to identify key infrastructure devices such as distribution switches, firewalls, and core routers. When a single IP address consistently appears as the penultimate hop across multiple network paths, this typically indicates that the device serves as a core router responsible for inter-VLAN or inter-subnet routing. Core routers aggregate traffic from various segments before forwarding to endpoint subnets, explaining why it appears before diverse destinations. CEH emphasizes recognizing core infrastructure because compromising such devices provides attackers with significant visibility and potential control over network-wide communications. DNS poisoning would affect name resolution, not hop patterns. Loopback misconfigurations would affect single hosts, not multiple segments. A transparent proxy would appear only for traffic routed through application-layer inspection, not all traceroute tests. The consistency across subnets strongly points to a centralized routing device.

The Certified Ethical Hacker (CEH) Web Application Security module emphasizes that client-side controls cannot be trusted.

Disabling JavaScript allows attackers to bypass:

Password complexity enforcement

CAPTCHA validation

Input validation logic

Option B is the simplest and most effective CEH-approved method.

Option A is unnecessary and noisy.

Option C risks detection.

Option D is effective but more complex and detectable.

CEH explicitly teaches testers to disable JavaScript to evaluate server-side enforcement.

CEH v13 emphasizes that after identifying vulnerabilities during scanning, testers must validate findings to determine real impact and eliminate false positives. This requires safe, controlled exploitation using approved tools such as Metasploit, Nikto, or custom proof-of-concept scripts. Misconfigurations labeled as medium-risk may still provide privilege escalation, data exposure, or footholds for further attacks. CEH methodology reinforces that exploitation should always follow the scope and rules of engagement and should avoid disruptive activities like brute-forcing or DoS attacks unless explicitly authorized. Ignoring the vulnerabilities is never acceptable in a professional assessment. Verifying the issue helps the organization prioritize remediation using evidence-based results. Therefore, the correct next step is to verify the vulnerability through controlled exploitation.

A Rogue DHCP Server attack best fits the symptoms because it directly explains unexpected gateway changes, IP conflicts, and traffic redirection to deceptive portals. In CEH network attack coverage, DHCP is a foundational service that automatically provides clients with IP configuration such as IP address, subnet mask, default gateway, and DNS servers. If an attacker introduces a rogue DHCP server on the same broadcast domain, clients may accept leases from the rogue server—especially if it responds faster than the legitimate DHCP infrastructure. Once that happens, the attacker can push a malicious default gateway or DNS server to victims. This allows redirection of traffic, man-in-the-middle positioning, and phishing-style interception, which matches the “unfamiliar gateway settings” and “misleading login portals” described.

The mention of “temporary IP address conflicts” also aligns: a rogue server can hand out addresses that overlap with legitimate allocations, causing intermittent connectivity issues and failed connection attempts. While a DHCP starvation attack can create disruption by exhausting the DHCP pool, the key difference is outcome: starvation primarily denies service until a rogue server takes over. Here, the defining observable behavior is not just outage—it is misconfiguration and redirection, which points to the presence of a rogue DHCP server actively issuing malicious leases.

Packet sniffing alone would not change gateway settings, and MAC flooding is aimed at forcing switches to behave like hubs, not issuing IP configuration. Defensive controls include DHCP snooping, port security, network segmentation, and monitoring for unauthorized DHCP offers and anomalous lease patterns.

Local File Inclusion vulnerabilities arise when a web application incorporates user-supplied input into file-handling functions without proper sanitization. CEH courseware emphasizes that attackers can leverage directory traversal sequences (such as ../../) to escape the intended directory structure and access sensitive local files. An LFI payload commonly targets system files like /etc/passwd on Linux to extract user information or escalate the attack further.