CEH v13 follows the Incident Response Lifecycle, which prioritizes identification and analysis before containment, unless there is immediate risk of catastrophic damage. In this scenario, the attacker has escalated privileges, but the organization still needs to understand what actions are being taken, what systems are affected, and whether lateral movement is occurring.

Option C aligns with CEH v13 best practices. Real-time monitoring and documentation allow analysts to:

Identify attacker techniques and tools

Preserve volatile evidence

Understand scope and impact

Implement targeted containment

Immediately powering down the server (Option B) may destroy volatile forensic evidence and disrupt services unnecessarily. Engaging forensic teams (Option A) is important but premature without initial analysis. Running vulnerability scans (Option D) does not address the active threat.

CEH v13 stresses that informed containment is more effective than reactive shutdowns. Therefore, Option C is correct.

The vulnerability described is characteristic of XML External Entity (XXE) Injection. In CEH web application security coverage, XXE occurs when an application parses XML input without properly disabling external entity resolution. If the XML parser is configured insecurely, an attacker can define a malicious external entity that references local files or internal system resources. When the parser processes the XML document, it resolves the external entity and may return the contents of sensitive files in the server’s response.

The scenario clearly states that the issue arises from “handling of external references in document parsing” and results in exposure of internal file paths and database connection strings. This aligns directly with XXE behavior, where attackers leverage external entity declarations to retrieve local files such as configuration files, environment settings, or system credentials. In some cases, XXE can also enable server-side request forgery by forcing the server to make internal network requests.

The other options do not match the described behavior. Identification and authentication failures relate to improper access controls, not document parsing. HTTP response splitting involves manipulating headers to inject malicious responses. Security logging and monitoring failures refer to detection gaps, not data exposure through parsing. CEH-recommended mitigation strategies include disabling DTD processing, turning off external entity resolution in XML parsers, validating input formats, implementing least privilege on file access, and using secure parsing libraries that prevent XXE exploitation.

The correct answer is Risk Assessment. CEH vulnerability assessment guidance distinguishes between identifying vulnerabilities and evaluating their business or operational impact. Findings are the raw or organized results showing what weaknesses were discovered. Risk assessment goes a step further by scoping the impact of those weaknesses, ranking them by severity, and highlighting which assets face the greatest exposure. The scenario specifically says the report grouped weaknesses into severity tiers and emphasized relative impact and prioritization across systems. That language aligns directly with risk assessment rather than with a simple findings section. Recommendations would focus on remediation steps, while an assessment overview would summarize the engagement at a higher level. CEH documentation on the vulnerability assessment life cycle explains that after vulnerabilities are identified, risk assessment is used to interpret their significance for the organization so remediation efforts can be prioritized correctly. That is why executives and decision-makers depend on this section: it translates technical weaknesses into exposure levels and response urgency. Because the emphasis here is on impact, prioritization, and severity-based grouping, the report component is best classified as Risk Assessment.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.

According to the CEH attack methodology, once an attacker obtains initial access—whether through exploitation, misconfiguration, or credential compromise—the next critical phase is privilege escalation. Gaining system-level or administrative control is essential for maintaining persistence, accessing protected data, modifying system configurations, and pivoting further into the network. Privilege escalation exploits target kernel flaws, misconfigured services, improper permission settings, or vulnerable drivers. CEH emphasizes that performing a DoS attack disrupts the engagement and provides no strategic advantage. Similarly, CSRF targets web applications rather than operating systems, and brute-force password attempts are inefficient, noisy, and often ineffective once local access has already been established. By leveraging privilege escalation techniques, the tester converts limited user access into full system control, enabling comprehensive post-exploitation activities aligned with CEH system hacking procedures.

Spear-phishing is a targeted form of phishing that uses personalized and context-rich information to increase credibility. CEH emphasizes that referencing specific internal projects, financial data, or organizational events significantly raises the success rate when attacking high-value targets such as executives. This tailored approach avoids suspicion and exploits trust more effectively than broad or generic phishing attempts.

CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim’s knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits—which hide processes and files—or worms that self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.

The correct answer is B. Predictive analysis because the client’s primary objective is to anticipate future attack patterns before they occur, and the described AI-enabled platform is explicitly being used to forecast potential attack vectors based on historical breaches and anomaly data. In CEH-aligned coverage of modern security capabilities, AI-driven approaches add value by learning from large datasets (logs, alerts, incidents, threat intelligence, and observed attacker behaviors) to identify trends, detect weak signals, and predict the most likely next steps an adversary may take. This directly supports proactive defense planning rather than purely reactive response.

In this scenario, the platform ingests “previous breaches and anomaly data” and produces forward-looking insights. That is the essence of predictive analysis: applying machine learning/analytics to estimate where attacks may emerge (for example, which assets are most at risk, which tactics are trending, what misconfigurations correlate with compromise, or which sequences of events often precede an intrusion). This helps defenders prioritize controls, patching, monitoring, and hardening to disrupt the projected attack paths ahead of time. It also aligns with the retail client’s desire to know whether their defenses can “anticipate” attacks, not merely document them after the fact.

Why the other options are less correct: Scalability is a benefit of AI (automating large-scale analysis), but it does not specifically address forecasting future attack vectors. Enhanced reporting improves how findings are communicated, but it is not the key capability described. Simulation and testing refers to running scenarios or automated testing in environments to measure resilience; that can be AI-assisted, but the prompt focuses on analyzing historical and anomaly data to predict likely attacks, which maps most directly to predictive analysis.

Therefore, the most critical benefit of AI-driven ethical hacking in this case is predictive analysis.

CEH IoT security modules describe insecure network services as vulnerabilities arising when IoT devices communicate over unencrypted channels, use unauthenticated update mechanisms, or expose services that fail to validate data integrity. When operational commands and firmware updates are transmitted over HTTP without cryptographic safeguards, attackers can intercept, replay, or modify the data stream. Firmware integrity verification is a critical component of secure device lifecycle management. Without it, adversaries can perform firmware injection, allowing them remote control, persistent compromise, or sabotage of device functionality. This aligns directly with insecure network services, which CEH defines as improperly protected communication mechanisms and service interactions within IoT ecosystems. Insecure ecosystem interfaces generally relate to cloud APIs and web dashboards, insecure default settings involve weak credentials or factory configurations, and insufficient privacy protection relates to data confidentiality rather than command manipulation. The described scenario most clearly fits insecure network services.

CEH v13 highlights that encrypting session data in transit is one of the strongest defenses against session hijacking. IPsec VPN encrypts the entire IP packet, preventing attackers from capturing usable session tokens.

IPS helps detection but not prevention. Physical security and awareness do not address technical hijacking.

Therefore, Option A is correct.

CEH v13 identifies Man-in-the-Browser (MitB) attacks as one of the most dangerous and difficult-to-detect session hijacking techniques, especially in online banking environments. In MitB attacks, malware operates inside the user’s browser, intercepting and manipulating transactions in real time.

Unlike XSS or session fixation attacks, MitB bypasses server-side security controls entirely. Even strong encryption, multi-factor authentication, and secure cookies are ineffective because the attack occurs after authentication, within a trusted session.

Passive sniffing is limited by encryption, and session fixation relies on poor session management. Covert XSS requires injection points and is more easily mitigated.

CEH v13 emphasizes that MitB attacks can modify transaction details without user awareness, making detection extremely difficult. Therefore, Option B is correct.

The CEH v13 content explains that stealth scanning involves modifying scan timing parameters to reduce packet frequency, randomize intervals, and avoid recognizable patterns typically flagged by intrusion detection systems. Slow, randomized timing—often achieved with Nmap’s T0 or T1 timing templates—prevents bursts of traffic and allows scans to blend into normal network noise. IDS/IPS systems tuned for high-volume events may fail to detect such gradual reconnaissance. Fast SYN scans generate distinctive patterns easily identified by security monitoring tools. UDP scans, especially across all ports, produce high traffic volume and are extremely noisy. Xmas scans, although sometimes used for stealth against stateless filters, are still signature-detectable and inappropriate when stealth over time is required. Therefore, applying slow, randomized timing options aligns with CEH-approved reconnaissance techniques for evading detection while enumerating open ports.

According to the CEH Cryptography module, strong symmetric encryption algorithms are essential for protecting data confidentiality and obscuring traffic content.

AES (Advanced Encryption Standard) is the industry-standard symmetric encryption algorithm approved by NIST and recommended by CEH for encrypting data in transit and at rest. AES provides strong resistance against cryptanalysis and prevents attackers from deriving meaningful information from encrypted traffic.

Option D is correct because AES is efficient, secure, and widely implemented.

Option A (HMAC) provides integrity and authentication, not encryption.

Option B (RSA) is computationally expensive and not suitable for bulk traffic encryption.

Option C (DES) is deprecated due to weak key length.

CEH materials clearly recommend AES over legacy algorithms.

CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A < IP > retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles—all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses, indicating ARP table manipulation.

This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.