The algorithm described most accurately matches RSA. CEH cryptography coverage explains that RSA is a widely used public-key cryptosystem that supports both encryption and digital signatures. In a typical RSA-based signature process, the sender generates a hash of the message and applies their private key using modular exponentiation to create a digital signature. The recipient then uses the sender’s public key to verify the signature, also through modular exponentiation operations involving large prime numbers and a modulus. The scenario specifically references modular exponentiation for generating digital signatures, which is a defining mathematical operation in RSA.

Diffie-Hellman is primarily a key exchange algorithm and does not provide digital signatures by itself. It enables two parties to establish a shared secret over an insecure channel but does not authenticate messages directly through signing. ElGamal does support encryption and can be adapted for signatures, but in standard CEH-oriented contexts, RSA is the most commonly referenced algorithm for public-key encryption and digital signatures in payment systems. DSA is strictly a digital signature algorithm and does not provide encryption functionality; the prompt describes a broader public-key cryptosystem used for authenticity of payment confirmations, which aligns more directly with RSA’s dual capability.

Additionally, RSA’s reliance on key pairs stored and retrieved from directories fits the description of public-key verification in enterprise payment infrastructures. Therefore, RSA is the correct identification.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

Passive reconnaissance focuses on collecting information without directly touching or interacting with the target’s systems. CEH materials stress that any action that sends network traffic to the target—such as scanning, probing, fingerprinting, or enumeration—creates logs and increases the risk of detection. Email headers, however, are considered an excellent source of passive intelligence because they reveal internal IP structures, routing paths, mail server hostnames, internal domain formats, and technology stacks without requiring interaction with the target environment. Since these headers are already in the possession of the ethical hacker through legitimate communication records, examining them does not generate traffic or trigger monitoring systems. SSL certificates and WHOIS data provide valuable external information, but they rarely disclose internal addressing schemes. Active scanning tools, such as Nmap, would immediately violate the requirement to avoid detection. Therefore, analyzing previously received email headers is the most effective and covert method for extracting internal network details during the reconnaissance phase.

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

CEH v13 explains that Side-Channel Attacks exploit physical characteristics of cryptographic devices—such as power consumption, timing variations, electromagnetic leakage, or acoustic emissions—to infer confidential data like encryption keys. These attacks do not break the cryptographic algorithm itself but instead analyze unintended signals produced during computation. The scenario describes a classic power analysis and timing analysis attack, where the attacker monitors fluctuations during encryption operations on a smart card. CEH details how Differential Power Analysis (DPA) and Simple Power Analysis (SPA) allow attackers to extract secret keys by statistically correlating measured power traces to cryptographic operations. This type of attack is extremely dangerous because it bypasses mathematical strength and targets hardware implementation flaws. Options A, C, and D do not relate to side-channel exploitation. CEH specifically categorizes this method as observing hardware emissions to deduce secrets, making Option B the most accurate match.

The CEH Web Application Security module explains that race conditions occur when systems improperly handle simultaneous requests, leading to unexpected behavior. In token-based authentication systems, poor synchronization between token expiration checks and validation logic can allow attackers to exploit timing gaps.

The observed pattern—failed attempts with expired tokens followed by successful access—suggests the attacker exploited a race condition where the application inconsistently validated token state.

Option C is correct.

Option A would not involve expired tokens.

Option B is highly impractical given secure token entropy.

Option D typically succeeds without repeated failures.

CEH highlights race conditions as subtle but dangerous logic flaws.

The correct choice is OS command injection in nginxWebUI because the question describes untrusted input being passed into backend processing in a way that affects system-level operations. CEH web application material classifies command injection as an injection flaw that occurs when a vulnerable application allows attacker-controlled input to be interpreted by the operating system or shell environment. The key clue is that the tester manipulates parameters associated with uploaded content, and those altered values influence commands executed in the server-side web service context. That is the hallmark of command injection rather than SSRF, which would involve the server making unintended outbound requests, or certificate validation issues, which relate to TLS trust decisions. The mention of no direct shell access is also consistent with command injection, because the attacker does not need an interactive shell if malicious input can still alter system commands behind the application. CEH guidance repeatedly stresses that unvalidated input in web applications can lead to injection attacks, including command injection, when user-controlled values reach backend interpreters without strict sanitization, parameter control, or allow-list validation.

The behavior described—manipulating request parameters so the application retrieves and exposes files from the server’s local directories—is characteristic of Local File Inclusion (LFI). LFI occurs when an application uses user-controllable input to construct a file path (often for templates, language files, includes, or uploads) and fails to properly validate or constrain it. An attacker can then supply values such as relative path traversal sequences to force the application to access unintended local resources, leading to disclosure of sensitive files (configuration files, credentials, keys, environment files) and sometimes further impact depending on context.

In the scenario, Sophia is testing a “template upload feature,” then “modifying the input parameters in an upload request” to “trick the application into retrieving sensitive files from the server’s local directories,” allowing her to view internal configuration files. That is a textbook LFI outcome: unauthorized read access to local files through a web interface, caused by improper input validation and insecure file path handling.

Why the other options are less accurate:

Insecure deserialization (A) involves unsafe processing of serialized objects, often leading to remote code execution; it is not about retrieving local files via path manipulation.

Cookie poisoning (B) is tampering with cookie values to escalate privileges or alter application behavior; it does not inherently explain local file retrieval.

File injection (C) is a broader term and can refer to multiple file-related abuses, but the specific pattern of including or reading local files via parameters is most precisely labeled Local File Inclusion.

Therefore, the correct answer is D. Local File Inclusion.

To determine which specific system on the sender’s side processed the message, the most relevant email-header detail is the sender’s mail server, typically revealed in the chain of Received: headers. Each mail transfer agent (MTA) that handles the message adds a Received line indicating the system that passed the message along and the system that received it. By reviewing these headers from bottom to top (earliest hop upward), analysts can identify the originating outbound infrastructure used by the sender—such as the initial submission server, outbound relay, or gateway that first accepted the email for delivery.

The scenario’s goal is to “map the sender’s outbound email infrastructure” and identify “which specific system on the sender’s side processed the message.” That maps more directly to identifying the mail server hostnames involved (the MTAs), because those are the processing systems that relayed the email. While an IP address can help locate a host, the question emphasizes the “specific system” responsible for processing, which is typically expressed as the mail server identity (hostname/domain) shown in header traces. In practice, investigators correlate the sender mail server information with IPs, TLS details, and authentication results, but the primary header clue for the processing system is the server identified in Received lines.

Why the other options are less suitable:

Date and time (A) helps with timeline analysis, not identification of the processing system.

Sender’s IP address (C) can indicate a source network, but the message may traverse NAT, relays, or cloud email services; it doesn’t always name the processing system.

Authentication system used (D) (e.g., SPF/DKIM/DMARC results) indicates validation outcomes, not which server processed the message.

Therefore, the correct choice is B. Sender’s mail server.

The best answer is Block all unnecessary ports, ICMP traffic, and unnecessary protocols such as NetBIOS and SMB. CEH web server hardening guidance emphasizes reducing the attack surface of internet-facing servers by disabling or filtering unnecessary services and protocols that are not required for web operation. In the scenario, Apache was compromised through an outdated vulnerability, but the answer options ask for the best hardening strategy among the listed choices. Option C reflects standard server-hardening practice by minimizing exposed network services and blocking protocols that are irrelevant or risky on a web server. A dedicated machine can support separation of roles, but it does not directly address service exposure. A risk assessment is useful for prioritization, not as the immediate control itself. Eliminating unnecessary files within jar files is not a standard Apache-specific hardening measure. CEH materials consistently recommend hardening web servers by closing unnecessary ports, disabling superfluous protocols, limiting reachable services, and reducing the overall attack surface in addition to patching. Among the available options, blocking unnecessary ports and protocols is the most appropriate security recommendation.

CEH v13 states that the only viable way to attack WPA2-PSK is by capturing the four-way handshake. De-authentication forces clients to reconnect, allowing the handshake to be captured and later cracked offline.

MITM, jamming, and rogue AP attacks do not directly expose the PSK.

In CEH network security concepts, a common way to verify whether a host is running a sniffer is to test for promiscuous-mode behavior using an active stimulus and then observing whether the suspected machine reacts to traffic it should normally discard. The “ping method” is a classic approach: the tester sends ICMP Echo Request traffic crafted so the Ethernet frame uses an incorrect destination MAC address, while the IP layer still targets the suspected host’s IP. Under normal NIC operation, frames with a destination MAC that does not match the interface (and is not broadcast/multicast) are dropped at the data-link layer and never reach the IP stack, so the host will not respond.

If the interface is in promiscuous mode, the NIC passes more frames up to the operating system for processing. In some configurations, this can allow the IP stack to see and respond to the ICMP request even though the frame’s MAC destination was wrong. That unexpected reply is used as an indicator that the host may be capturing traffic promiscuously, consistent with sniffer presence.

The other options are less aligned with the “classic active verification” described. Reverse DNS monitoring is an indirect heuristic and not a reliable confirmation of promiscuous mode. An NSE script is tool-specific rather than the classic foundational technique the question emphasizes. ARP-based methods exist for sniffer detection, but the option presented is less directly tied to the well-known ICMP incorrect-MAC confirmation described in CEH materials.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR ' 1 ' = ' 1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR ' 1 ' = ' 1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

CEH v13 classifies state-sponsored hackers as highly skilled professionals who operate under government direction to conduct espionage, intelligence gathering, sabotage, or cyber warfare. These attackers often target foreign governments, critical infrastructure, and strategic industries.

The defining characteristics are:

Government backing

National or geopolitical objectives

Advanced resources and long-term campaigns

Options B, C, and D do not fit. Organized hackers are typically financially motivated cybercriminal groups. Gray hats operate without authorization but not for national interests. Hacktivists pursue ideological or political causes independently.

CEH v13 explicitly associates covert intelligence operations with state-sponsored actors, making Option A correct.

CEH v13 identifies Slowloris as a low-bandwidth yet highly effective application-layer DoS technique that works by opening many HTTP connections and sending headers very slowly, never completing the request. Because the server must maintain these half-open HTTP sessions, its connection pool becomes saturated, preventing it from servicing legitimate users. Slowloris is particularly dangerous because it does not rely on malformed packets, high traffic volume, or protocol abuses; instead, it mimics legitimate HTTP behavior, making it difficult for firewalls or IDS systems to distinguish malicious traffic. This aligns exactly with the described scenario, where thousands of legitimate-looking HTTP connections are gradually consuming server resources. Fragmentation attacks (Option B) target packet reconstruction, UDP floods (Option C) generate high-bandwidth noise, and SYN floods (Option D) impact the TCP handshake layer, not the HTTP header behavior. Slowloris’ unique use of slow HTTP headers directly matches the symptoms described.