When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.

The issue described is verbose error messages, where an application reveals excessive technical details when handling invalid input. The scenario states that the platform returns “detailed system information, including database query strings and directory paths” instead of a generic error. Exposing internal paths and query strings is a common symptom of verbose error handling: stack traces, SQL statements, file system locations, framework versions, and configuration hints can appear in responses when exception handling is misconfigured or when debug settings are enabled in production.

These details are valuable to attackers because they reduce guesswork. Directory paths can reveal the operating system, deployment layout, and sensitive file locations; database query strings can reveal table/column names and query structure, enabling more effective SQL injection payloads or targeted data extraction. Verbose errors can also leak usernames, internal hostnames, API endpoints, and even secrets if mishandled. Even if the initial invalid request does not compromise the system, the leaked information can significantly improve the attacker’s ability to craft subsequent attacks with higher precision.

Why the other options are less accurate:

Improper error handling (A) is a broader category and could include verbose errors, but the question’s best match is the specific symptom: detailed internal information disclosure.

Directory traversal (B) involves manipulating path input to access unauthorized files; here, the application is revealing paths due to errors, not being coerced into reading arbitrary files.

CORS misconfiguration (D) relates to cross-origin browser access controls and is unrelated to leaking stack traces or database queries.

Therefore, the correct answer is C. Verbose Error Messages.

Insufficient logging and monitoring is the most direct threat highlighted by the scenario. In CEH-aligned cloud security concepts, visibility is foundational: without adequate telemetry, security teams cannot detect, investigate, or respond to malicious activity in time. The question explicitly states attackers “remained undetected” because the organization lacked mechanisms to track function-level activity and capture anomalous events. In a serverless architecture, this visibility gap can be especially damaging because there are no traditional servers for defenders to log into, and many security signals must be collected from cloud-native sources such as function invocation logs, API gateway logs, identity events, and centralized monitoring pipelines.

While privilege escalation is a common cloud threat, the question’s root cause is not described as excessive permissions or role abuse; it is the lack of detection capability. Loss of governance refers to weak policies, mismanaged accounts, and lack of control over cloud resources, which may contribute indirectly but is not the immediate failure described. Side-channel attacks are specialized and do not match the evidence of missed alerts and absent operational telemetry.

CEH guidance emphasizes implementing centralized logging, continuous monitoring, alerting, and anomaly detection as core controls. For serverless, this includes capturing detailed function execution logs, tracing, identity and access events, and integrating them into a SIEM/SOAR workflow. Effective monitoring enables rapid detection of abnormal invocation patterns, suspicious API calls, unusual data access, and persistence attempts—reducing dwell time and preventing small compromises from becoming major outages.

The correct answer is WPA2. CEH wireless security material explains that WPA2 uses AES-based encryption together with CCMP, which provides confidentiality and message integrity protection. The scenario also mentions a structured four-message key negotiation process before protected traffic begins, which aligns with the well-known four-way handshake used in WPA and WPA2 environments. The deciding factor is the encryption and integrity combination: AES with CCMP is strongly associated with WPA2 in CEH guidance. WEP is far weaker and based on RC4, while WPA originally relied on TKIP as its hallmark improvement over WEP. WPA3 introduces newer protections and a different exam emphasis, but the classic CEH mapping for four-way handshake plus AES/CCMP is WPA2. CEH references also note that WPA2 was designed to improve enterprise-grade wireless security and that CCMP addresses integrity concerns more effectively than earlier approaches. Because the packet capture shows AES-based counter mode encryption with integrated integrity checks after the handshake sequence, the observed standard is best identified as WPA2.

According to the Certified Ethical Hacker (CEH) attack methodology, once reconnaissance, footprinting, and website mirroring have been completed, the attacker proceeds cautiously to exploitation while maintaining stealth. CEH documentation emphasizes that low-noise, application-layer attacks are preferable when the objective is to minimize detection.

Option B, attempting SQL Injection, aligns directly with CEH’s Web Application Hacking module. SQL Injection is a server-side attack that can often be executed through normal-looking HTTP requests, making it less likely to trigger intrusion detection systems (IDS) or security alerts. CEH materials highlight SQL injection as a common and effective technique for extracting sensitive data such as usernames, passwords, and business-critical information without disrupting server operations.

Option A is incorrect because immediately modifying server configuration files after session hijacking significantly increases the risk of detection. CEH guidelines stress post-exploitation restraint, especially during red team operations.

Option C is not ideal at this stage because automated vulnerability scanners generate substantial traffic and are highly detectable. CEH explicitly notes that vulnerability scanning is noisy and often logged.

Option D is the least stealthy option. Brute-force attacks generate numerous failed authentication attempts, triggering security alerts and account lockouts. CEH classifies brute-force attacks as high-risk and easily detectable.

Therefore, SQL Injection represents the most effective and stealthy next step in accordance with CEH’s structured attack lifecycle.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

NFS Enumeration is the correct choice because the scenario is centered on TCP port 2049 and the use of a standard utility to list exported remote file systems. In CEH-aligned reconnaissance and enumeration, port 2049 is the primary service port for Network File System NFS. When a tester identifies 2049 as open on a Linux or UNIX-like host, a common next step is to enumerate NFS exports to learn which directories are shared and what access rules apply. The “standard utility” described is consistent with tools such as showmount, which queries the target to retrieve a list of exported file systems and, in some cases, the clients allowed to mount them. This directly supports the stated objective of “requesting a list of remote file systems shared across the network” to map accessible resources.

The distractor checks mentioned in the scenario reinforce why the answer is NFS. Telnet enumeration would relate to TCP 23 and interactive plaintext terminal access, not file-share exports. NTP enumeration aligns to UDP 123 and focuses on time synchronization information and server behavior, not shared directories. SNMP enumeration typically involves UDP 161 and extracts device and system details via community strings and management information bases. NetBIOS enumeration is associated with Windows networking services such as UDP 137 and TCP 139, which are unrelated to NFS on 2049.

Therefore, the active enumeration method demonstrated is NFS enumeration through export listing on TCP port 2049.

The correct answer is B. Rogue AP because the scenario describes an unauthorized access point that has been physically connected to the internal wired network and is providing network access on the corporate VLAN without approval or inventory records. In CEH-aligned wireless security concepts, a rogue access point is any AP that is installed on an organization’s network without authorization, creating an unmanaged entry point that bypasses standard security controls. The key indicators here are: it is “previously unknown,” “neither provisioned by IT nor listed in the asset inventory,” and it is “physically connected to the hospital’s internal switch.”

The fact that the device is issuing IP addresses suggests it may be running a DHCP service or bridging into the internal network in a way that places clients directly onto the corporate VLAN. This can allow attackers to gain internal access from nearby wireless range and can also cause network instability if its DHCP responses conflict with the legitimate DHCP infrastructure. Additionally, the device “relaying internal traffic and providing remote connectivity back to an external host” points to an attacker using it as a covert foothold—effectively an unauthorized wireless bridge into the internal network and a channel for command-and-control or remote access.

Why not the other options: a misconfigured AP implies a legitimate AP deployed by IT but configured insecurely (weak encryption, default credentials, poor segmentation). A honeypot AP is typically deployed deliberately (often by defenders) to attract attackers for detection and research, not stealthy backhaul to an external host. An evil twin AP is a spoofed wireless AP that impersonates a legitimate SSID to lure victims; it does not necessarily require being physically plugged into the internal switch, and the defining trait is impersonation of a real AP/SSID. The defining trait here is unauthorized installation on the wired network, which is most directly a rogue access point.

CEH methodology emphasizes validating and researching identified vulnerabilities to determine exploitability, patch status, and business impact. Even medium-risk findings require investigation to assess their real severity.

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

The activity described is passive wireless packet capture in monitor mode—specifically collecting management frames (such as beacon frames and probe responses) and observing client/AP interactions (including authentication-related frames) while not injecting or transmitting anything. In the Aircrack-ng suite, the tool designed for exactly this reconnaissance-and-capture purpose is Airodump-ng.

Airodump-ng is the component that listens on the air interface once the card is placed into monitor mode, then captures 802.11 frames and displays useful reconnaissance data such as BSSID, channel, encryption type, signal strength, and associated clients (stations). Critically, it can write captured traffic to files (e.g., .cap) for offline analysis—which matches the scenario’s “record into a capture file for later offline analysis.” This is a common CEH workflow: reconnaissance → capture → analyze, keeping the initial step non-intrusive.

By contrast:

Aireplay-ng (A) is primarily used for active attacks / packet injection (e.g., deauthentication, replay) and would typically involve transmitting frames.

Aircrack-ng (B) is used mainly for key cracking (WEP/WPA/WPA2 handshakes) after capture, not for passive collection itself.

Airbase-ng (C) focuses on creating a rogue AP / MITM-style setups, which is also an active transmission role.

So, for silent monitoring + capturing beacons/probes/auth frames to a file, the best match is D. Airodump-ng.

CEH’s approach to suspected compromise aligns with an incident-handling mindset: containment first, then analysis and remediation. In IoT and OT-adjacent environments (smart city infrastructure, SCADA-like components, embedded controllers), CEH emphasizes that suspicious external communications and unexplained open ports may indicate compromise, misconfiguration, exposed management services, or implanted malware/backdoors. Because IoT endpoints often have limited logging and are difficult to reimage safely, the safest next step is to isolate the suspected device to prevent further data exfiltration, command-and-control activity, or lateral movement to other city systems.

Option A best matches CEH guidance: isolate the device and investigate its firmware, services, and configuration, including checking for unauthorized binaries, altered firmware images, insecure default services, and hardcoded credentials. This also preserves evidence and reduces the blast radius.

Option C (blocking the external IP) can be helpful, but it’s a partial control: attackers can rotate infrastructure, and the device could still be compromised internally. Option B (full network pen test) is too broad and delays containment when a specific high-risk indicator is already present. Option D (attempting a reverse connection) crosses into active exploitation behavior and is not an appropriate “next step” in a defensive investigation; CEH methodology stresses authorized, controlled testing and prioritizes risk reduction over interacting with suspicious external hosts.

Thus, CEH-aligned best practice is immediate isolation and firmware-level investigation.

The scenario describes an on-device, app-based rooting approach that does not rely on a PC connection, USB debugging, or a bootloader unlock workflow. In CEH mobile platform coverage, this aligns with “one-click” rooting tools that package exploits to elevate privileges directly from user space to root on the device. These tools typically target known vulnerabilities in the Android OS, vendor kernels, or system services to obtain root privileges and then install a management component to maintain elevated access.

KingoRoot is commonly cited in ethical hacking training contexts as a popular one-click rooting solution that can run as an Android application and attempt to root a device without a computer, depending on the device model, Android version, and patch level. This directly matches the prompt: Sofia installs a mobile application, it “exploits a system vulnerability,” and it achieves root “without requiring a PC.” The constraints given, USB debugging disabled and OEM unlock restrictions, make PC-assisted ADB workflows or bootloader-based rooting less feasible, which further supports an exploit-driven, on-device rooting tool.

Magisk Manager is primarily a root management and systemless modification framework and typically assumes the device is already rooted or that the user can patch the boot image and flash it, often requiring bootloader unlock steps that OEM restrictions would block. “One Click Root” is a generic label rather than a specific tool in many CEH-style question banks. RootMaster is another one-click tool, but KingoRoot is the most widely recognized and frequently referenced for direct APK-based rooting in this context.

The described technique is HTTP tunneling because Ethan is encapsulating his traffic inside standard web requests on port 80 to blend with normal browsing activity and bypass perimeter defenses that only perform basic port/protocol filtering. HTTP tunneling leverages the fact that many organizations allow outbound (and sometimes inbound) HTTP/HTTPS traffic through firewalls for business needs. If a firewall is not doing deep inspection (such as application-layer proxying, WAF inspection, or strict egress controls), encapsulated traffic can traverse allowed ports while carrying non-HTTP payloads inside the HTTP structure.

The scenario’s core clues are: (1) “encapsulates his traffic inside standard web requests,” (2) uses port 80, and (3) success depends on the firewall “not performing deep application inspection.” These are exactly the conditions where HTTP tunneling is effective: the traffic appears as ordinary HTTP sessions, so the firewall treats it as permitted web traffic even though the content is being used as a carrier for another protocol or command channel.

Why the other options don’t fit:

DNS tunneling (D) also encapsulates traffic, but it uses DNS queries/responses (typically UDP/TCP 53), not HTTP requests on port 80.

Tiny fragments (C) is an evasion method that breaks packets into very small fragments to confuse filtering/IDS reassembly; the scenario is about encapsulation in web requests, not fragmentation.

Source routing (B) attempts to influence packet path using IP options; it is not described here and is commonly blocked/ignored in modern networks.

Therefore, the firewall evasion technique is A. HTTP Tunneling.

CEH v13 explains that the Deep Web contains content not indexed by search engines, including exposed databases, misconfigured portals, leaked credentials, and internal documents.

This makes it a critical area to assess unintended data exposure. The Deep Web is not primarily for attacker profiling or insider detection.

Thus, Option D is correct.