The correct answer is D. Application Keylogger because the scenario describes keystroke capture from desktop applications on a Windows workstation without installing kernel drivers and without requiring physical access or browser-level script injection. In CEH-aligned keylogger classifications, an application (user-mode) keylogger operates at the application layer by using user-space techniques such as hooking common Windows APIs (for example, keyboard input functions and message-handling routines) to intercept keystrokes as they are processed by applications. This enables logging of credentials typed into local programs, draft emails written in desktop clients, and sensitive text entered into business tools—exactly the outcome Tyler observed.

The question provides two strong eliminators. First, it states no kernel drivers were installed, which rules out kernel keyloggers that capture input at the kernel level (often requiring driver installation and deeper OS integration). Second, it states the attack did not require browser injection, which rules out a JavaScript keylogger (typically implemented by injecting script into a web page/application to capture form inputs within a browser session). It also explicitly notes that there was no physical device access, which rules out a hardware keylogger (a physical device placed between keyboard and computer or embedded in a keyboard) that requires in-person installation.

Application keyloggers are frequently used in post-exploitation because they can be deployed quickly with standard user-level privileges (though higher privileges may expand coverage), can target a broad range of applications, and can run covertly. From a defense perspective, monitoring for suspicious API hooking behavior, unusual process injection, abnormal input-capture patterns, and endpoint controls that detect credential access techniques are common countermeasures.

Therefore, given the constraints and the observed logging of desktop application input, the most likely keylogger type is an application keylogger.

The correct answer is B. NTP Enumeration because the indicators and the data obtained match enumeration of the Network Time Protocol (NTP) service, which commonly runs on UDP port 123. In CEH-aligned reconnaissance and enumeration concepts, attackers often enumerate exposed services to learn configuration and internal details that can assist with follow-on attacks. When NTP is reachable from untrusted networks and is misconfigured (or supports certain query modes), it can leak information about the time server’s peers, synchronization status, and operational metrics such as offset and delay—exactly the attributes described in the scenario.

The prompt also notes that Joe can gather internal hostnames and client IP addresses connected to the time server. This aligns with how NTP can reveal associated systems and relationships: time servers often have multiple internal clients, upstream peers, or configured associations. Queries that expose peer/association information can unintentionally disclose internal naming conventions, IP address ranges, and network structure—valuable intelligence for an attacker conducting mapping and target selection. In addition, time infrastructure is frequently centralized, so enumerating it can provide a hub-like view of the environment.

Why the other options are incorrect: DNS zone transfer enumeration is associated with DNS AXFR and typically yields DNS records such as subdomains and MX/CNAME entries—not NTP peers/offsets/delays and not UDP 123. VoIP enumeration targets telephony protocols and services (e.g., SIP) on different ports and would not center on time synchronization metrics. NetBIOS enumeration involves ports 137–139 and returns NetBIOS name and session information, not NTP operational data.

Therefore, the technique used to obtain peer, offset, delay, and connected client details from a UDP/123 time server is NTP enumeration.

Security awareness and training is the most effective primary countermeasure against social engineering because these attacks exploit human trust, curiosity, urgency, and lack of familiarity with deception tactics rather than purely technical weaknesses. In CEH guidance, phishing, vishing, and baiting succeed when users fail to recognize red flags such as unexpected requests, pressure to act quickly, suspicious links or attachments, caller spoofing, or offers that seem too good to be true. A structured awareness program directly reduces the chance of disclosure by teaching employees how to identify common pretexts, verify unusual requests, and follow safe reporting procedures.

While identity verification (option B) is an important practice, employees typically perform it correctly only when they have been trained on verification steps, escalation paths, and what “good verification” looks like under pressure. Two-factor authentication (option C) helps protect accounts even if credentials are stolen, but it does not prevent employees from sharing sensitive information such as customer data, internal documents, OTP codes, or approving fraudulent requests—many social engineering campaigns aim beyond passwords. Policies and procedures (option D) are necessary, but policies alone are often ignored or misunderstood without ongoing training, reinforcement, and real-world simulations.

CEH-aligned best practice is a layered approach: start with awareness training, reinforce it with clear handling policies, require verification for sensitive requests, conduct phishing simulations, and ensure employees know how to report suspicious emails/calls immediately. This combination reduces both successful compromise and the impact of attempts, but training is the foundational priority because it directly targets the human element being attacked.

According to CEH v13 Social Engineering, social engineering attacks manipulate human trust rather than technical vulnerabilities. Option A describes a classic pretexting attack, where the attacker impersonates IT staff and fabricates a false issue to trick a victim into revealing credentials.

This scenario aligns perfectly with CEH definitions because:

The attacker relies on authority impersonation

The victim is socially manipulated

No technical exploitation is required

Option B is a legitimate security activity.

Option C is accidental malware introduction, not social engineering.

Option D is physical negligence exploitation, not direct social engineering interaction.

CEH v13 stresses that pretexting attacks are extremely effective against new employees who lack familiarity with procedures. Therefore, Option A is correct.

In CEH v13 Cloud Computing, serverless architectures introduce unique security challenges, particularly around Function-as-a-Service (FaaS) permissions. When a serverless function is compromised through an insecure third-party API, the damage depends largely on what the function is allowed to do.

Implementing function-level permission models and enforcing the principle of least privilege ensures that even if a function is exploited, its ability to execute malicious actions is strictly limited. CEH v13 strongly emphasizes granular IAM controls in serverless environments.

While cloud-native security platforms (Option A) and CASBs (Option C) provide visibility and governance, they do not directly prevent excessive permissions. Regular patching (Option D) is important but does not mitigate permission abuse.

CEH v13 identifies least privilege as the single most critical control in preventing serverless abuse and privilege escalation. Therefore, Option B is the correct answer.

The described bypass is most consistent with using an in-line comment technique. Many simplistic SQL injection filters look for specific “blocked” keywords such as SELECT, UNION, OR, or DROP as contiguous strings. If the tester breaks a keyword apart by inserting tokens the database will ignore—most commonly comment delimiters—the filter may fail to match the forbidden keyword, while the SQL parser still reconstructs the intended meaning. For example, inserting comment markers inside a keyword can cause the application-layer filter to miss the pattern, yet the database can still process the statement depending on the DBMS and parsing rules. This is why comment-based obfuscation is a common SQLi evasion approach against weak signature filters.

The scenario’s wording “broken apart with unexpected symbols” maps well to comment markers such as /**/ (or other DBMS-specific comment forms). These characters look “unexpected” to a naïve filter, but to the SQL engine they are treated as comments/whitespace and effectively ignored during parsing, allowing the attacker’s intended keyword to be interpreted correctly.

Why the other options are less aligned:

String concatenation (A) is an obfuscation approach where attackers build keywords/strings using concatenation operators or functions (DBMS-specific). The scenario emphasizes splitting keywords with symbols that the DB interprets correctly as separators/ignored content, which more directly matches comment insertion.

Hex encoding (B) encodes parts of a payload (strings, sometimes function names) in hexadecimal form. That is a different technique than splitting keywords with inserted symbols.

Null byte (D) is historically used to terminate strings in certain contexts (more common in older file/path handling bugs) and is not the primary technique for bypassing keyword filters in modern SQL parsing.

Therefore, the SQL injection evasion technique is C. In-line Comment.

This scenario aligns with a Golden SAML attack because the attacker is not stealing a user password or bypassing MFA directly; instead, the attacker compromises the identity trust mechanism itself and forges valid authentication assertions. In federated cloud environments, the identity provider issues signed assertions that cloud services trust. Once the signing material is obtained, an attacker can create forged SAML tokens that appear fully legitimate to the relying cloud applications. That is why the access in logs appears normal and why no credential replay or multifactor prompt is required. This distinguishes the technique from Man-in-the-Cloud, which commonly abuses synchronization tokens, and from Cloud Hopper, which is associated with service-provider pivoting and long-term intrusion campaigns. CEH cloud coverage emphasizes that cloud trust relationships, identity infrastructure, and the mechanisms used to broker access are critical attack surfaces because compromise at that layer can grant broad service access with little visible anomaly. In practical defensive terms, protecting token- signing infrastructure is as important as protecting privileged user credentials in a cloud identity architecture.

CEH training outlines the standard methodology for attacking WPA2-PSK networks: capture the 4-way handshake and then attempt offline cracking of the pre-shared key. The most reliable way to force handshake generation is to perform a de-authentication attack using tools like Aireplay-ng. This attack momentarily disconnects a wireless client, forcing it to reauthenticate with the access point. During this reauthentication, the AP and client exchange the 4-way handshake packets necessary for offline cracking. CEH emphasizes that WPA2 encryption itself cannot be brute-forced directly; attackers must obtain the handshake and then apply dictionary or brute-force attacks offline. Attempting XSS or router spoofing does not capture the handshake and is unrelated to WPA2 key extraction. The deauth attack is also a classic wireless attack vector described extensively in CEH because it is effective, does not require interaction with the encryption algorithm, and works regardless of the strength of the AP’s passphrase. Once the handshake is captured, tools such as Hashcat are used to attempt key recovery.

The correct answer is LLMNR/NBT-NS Poisoning. CEH system hacking coverage explains that when a Windows host cannot resolve a name through normal DNS, it may fall back to Link-Local Multicast Name Resolution or NetBIOS Name Service. An attacker on the local network can answer those broadcasts and falsely claim to be the requested resource. If the victim then attempts authentication, NTLM or NTLMv2 challenge-response data can be captured and later cracked offline. That is exactly what this question describes: a non-existent host lookup, a quick malicious response, capture of NTLMv2 hashes, and later credential cracking. Kerberoasting targets service tickets in Active Directory, not broadcast name resolution. Pass-the-Ticket involves Kerberos tickets, and Internal Monologue abuse is a different authentication abuse pattern. CEH materials specifically connect LLMNR/NBT-NS poisoning with tools such as Responder and highlight that these protocols can be abused to collect hashes for lateral movement or privilege escalation. The scenario’s sequence of name-resolution spoofing followed by hash capture is the defining signature of an LLMNR/NBT-NS poisoning attack.

The symptoms point to a rogue DHCP scenario, which CEH materials commonly describe as a method attackers use to disrupt networks or perform man-in-the-middle attacks. If an unauthorized device begins answering DHCP requests faster than the legitimate DHCP server, endpoints may receive incorrect IP settings such as a fake default gateway or DNS server. This causes loss of connectivity to internal applications like a CRM system and can silently redirect traffic through an attacker-controlled host. The question explicitly mentions “irregular IP assignment attempts” tied to an unfamiliar device, which aligns strongly with rogue DHCP behavior rather than ARP-only manipulation or simple MAC-limit violations.

DHCP snooping is a Layer 2 security feature on Cisco switches that filters untrusted DHCP messages and allows only authorized DHCP servers on trusted ports. When enabled for the affected VLAN, the switch will drop DHCP offers and acknowledgments arriving on untrusted access ports, stopping the rogue device from leasing addresses. Option A, ip dhcp snooping vlan 10, is the command that applies DHCP snooping protection to the specific VLAN experiencing the issue, which matches the “subnet logs” and the localized impact described.

Option B, Dynamic ARP Inspection, primarily mitigates ARP spoofing and relies on DHCP snooping bindings, but it does not directly stop rogue DHCP leasing. Option D, port security, can limit MAC addresses but does not specifically block DHCP server behavior. Option C enables the feature globally but does not target the VLAN; the VLAN-specific activation in A best matches the scenario and the immediate restoration of correct addressing and connectivity.

The question focuses on passive reconnaissance using Google advanced search operators, a technique commonly referred to in CEH materials as Google hacking or Google dorking. This method leverages publicly indexed data without directly interacting with the target systems, making it a non-intrusive reconnaissance approach. The goal here is to locate potentially exposed administrative interfaces within .edu domains.

Option C, site:.edu inurl:admin, is the most effective query for this purpose. The site operator restricts results to the .edu top-level domain, ensuring that only educational institutions are searched. The inurl operator filters results to pages where the term “admin” appears in the URL itself. Administrative panels and backend management interfaces frequently include terms such as admin, administrator, or adminpanel directly in the URL path. Therefore, this search string increases the likelihood of discovering exposed login portals or backend directories.

Option A focuses on PDF files with “admin” in the title, which is unlikely to reveal active administrative interfaces. Option B searches for pages with “admin login” in the title, which may find login pages but is less precise than filtering by URL structure. Option D searches anchor text references, which does not directly identify actual admin pages.

In CEH methodology, properly constructed Google dorks such as inurl:admin combined with site-specific filtering are effective in identifying exposed resources while maintaining passive reconnaissance discipline.

CEH training emphasizes that highly tailored social engineering attacks—those exploiting trust in internal workflows and perceived technical authority—are far more effective than generic or mass-distributed phishing attempts. A fake IT support portal that mirrors internal systems leverages procedural familiarity: IT departments commonly instruct employees to log into support portals for troubleshooting, credential verification, or ticket updates. When the attacker enhances the pretext with insider terminology and references to real internal systems, employees are more likely to trust the portal and enter credentials. CEH highlights that successful social engineering attacks mimic legitimate processes to avoid suspicion. Phone calls posing as executives often introduce risk due to real-time interaction and scrutiny. Generic phishing lacks personalization and is easily detected. Physical impersonation introduces operational risk and may not yield credentials. Therefore, a fake IT support portal aligned with IT workflows is the optimal method.

In CEH v13 Information Security and Ethical Hacking Overview, a penetration tester is defined as a trusted, authorized security professional hired to simulate real-world attacks in order to identify and exploit vulnerabilities with explicit permission.

The primary objectives of a penetration tester are:

Identify weaknesses in systems, networks, and applications

Demonstrate real-world impact of vulnerabilities

Help organizations improve their security posture

Unlike malicious hackers (Option A) or malware authors (Options B and D), penetration testers operate under strict legal and ethical guidelines, following scopes of engagement and reporting findings responsibly.

CEH v13 emphasizes that penetration testing is proactive defense, not crime. Therefore, Option C accurately defines the role.

This scenario is a textbook example of a Whaling Attack, a highly targeted phishing technique described in the CEH v13 Social Engineering module. Whaling specifically targets senior executives or high-ranking individuals, exploiting their authority, access privileges, and decision-making roles.

In the given case, the attacker crafts a personalized email, impersonates the CEO, and uses legitimate corporate branding to build trust. The malicious PDF attachment delivers a backdoor, aligning with CEH v13 descriptions of advanced spear-phishing techniques used against executives.

CEH v13 differentiates whaling from other phishing types:

Broad phishing targets large groups indiscriminately.

Pharming redirects users via DNS manipulation.

Email clone attacks copy legitimate emails but typically target peers, not executives.

Whaling attacks are particularly dangerous because executives often bypass security scrutiny and possess elevated system access. CEH v13 emphasizes executive awareness training as a key mitigation strategy.

Therefore, the correct answer is Whaling attack aimed at high-ranking personnel.