312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim’s knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits—which hide processes and files—or worms that self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.

The correct answer is A. Service Version Discovery because the objective is to identify the software release/version running on internet-facing services by analyzing network responses and application output—without authenticating or establishing full sessions. In CEH-aligned reconnaissance methodology, service/version discovery (often called version detection or banner grabbing) focuses on determining what service is running (e.g., HTTP server, SSH daemon, SMTP server) and which version/build it is (e.g., Apache/Nginx version, OpenSSH version, application framework release). This information directly supports “prioritizing patch baselines” because patch urgency depends heavily on exact product versions: knowing the version helps map exposure to known vulnerabilities and identify outdated builds.

The prompt’s wording “analyze network-level responses and capture application output” is consistent with techniques such as banner grabbing, protocol negotiation, and response fingerprinting. Many services disclose identifying strings in headers, greetings, error pages, TLS certificates, or protocol handshakes. Even when banners are minimized, subtle differences in responses can still indicate versions or at least narrow the product family. This is typically done externally and does not require credentials, matching the constraint “without logging in or establishing full sessions.”

Why the other options are less accurate: Port scanning identifies which ports are open and which services may be present, but it does not necessarily determine precise software releases. OS discovery (OS fingerprinting) aims to infer the operating system and sometimes kernel family from packet characteristics; it is helpful but the task emphasizes “software release” and “application output,” which aligns more with service version detection than OS detection. Vulnerability scanning goes further by testing for known weaknesses and misconfigurations; while it may include version detection, the question asks for the technique that best fits the stated objective—determining the underlying service/software release from network/application responses—making service version discovery the most direct match.

Therefore, the technique is Service Version Discovery.

CEH IoT security modules describe insecure network services as vulnerabilities arising when IoT devices communicate over unencrypted channels, use unauthenticated update mechanisms, or expose services that fail to validate data integrity. When operational commands and firmware updates are transmitted over HTTP without cryptographic safeguards, attackers can intercept, replay, or modify the data stream. Firmware integrity verification is a critical component of secure device lifecycle management. Without it, adversaries can perform firmware injection, allowing them remote control, persistent compromise, or sabotage of device functionality. This aligns directly with insecure network services, which CEH defines as improperly protected communication mechanisms and service interactions within IoT ecosystems. Insecure ecosystem interfaces generally relate to cloud APIs and web dashboards, insecure default settings involve weak credentials or factory configurations, and insufficient privacy protection relates to data confidentiality rather than command manipulation. The described scenario most clearly fits insecure network services.

Wireshark is the primary packet-sniffing tool covered in CEH v13 Network Sniffing. It captures and analyzes live traffic, allowing analysts to view plaintext HTTP packets.

Nessus is a vulnerability scanner, Nmap is for scanning, Netcat is a networking utility. None provide protocol-level inspection like Wireshark.

Thus, Option D is correct.

This question describes a classic example of Tautology-Based SQL Injection, a subcategory of SQL Injection attacks which fall under Web Application Hacking in the CEH curriculum.

In a tautology-based SQL injection, the attacker injects a SQL fragment that always evaluates to true, thus bypassing the authentication mechanism. The string ' C ' ll-T; — is a malformed variant, possibly meant to represent ' OR ' 1 ' = ' 1 ' ; --, which is one of the most basic and widely recognized tautology-based injection payloads. When injected into a vulnerable SQL query, this kind of input manipulates the WHERE clause of the query so that it always evaluates to true, regardless of the original conditions.

Here’s how it works:

If the SQL query is:

SELECT * FROM users WHERE username = ' $username ' AND password = ' $password ' ;

And the attacker inputs:

' OR ' 1 ' = ' 1 ' ; --

The query becomes:

SELECT * FROM users WHERE username = ' ' OR ' 1 ' = ' 1 ' ; -- ' AND password = ' ' ;

This results in the execution of:

SELECT * FROM users WHERE ' 1 ' = ' 1 ' ;

Which always evaluates to true, thereby bypassing authentication and allowing unauthorized access.

This method does not rely on error messages (Error-Based), timing delays (Time-Based Blind), or UNION statements (Union-Based). Its goal is to exploit logic within the query structure itself using boolean-based manipulation.

According to EC-Council ' s CEH v13 Module: Web Application Hacking, understanding tautology-based injection is critical because it ' s one of the most common ways attackers bypass login forms on poorly secured web applications.

The correct answer is B. Known-plaintext attack because the scenario explicitly provides paired samples of plaintext and ciphertext for the same underlying data. In a known-plaintext attack, the analyst possesses one or more examples where the original message (plaintext) is known and the corresponding encrypted output (ciphertext) is also available. These pairs can be used to analyze the cipher’s behavior, validate hypotheses about modes/parameters, and—depending on the algorithm, implementation weaknesses, and key management—attempt to recover the encryption key or decrypt other ciphertexts encrypted under the same key.

Here, Evelyn has “original template records (standard headers and form fields)” and their “encrypted counterparts” in the stolen backup set. Medical record formats commonly contain predictable structures (fixed headers, repeated field names, standardized forms), which increases the likelihood of having accurate known plaintext segments. With enough known plaintext/ciphertext pairs, an attacker may identify patterns caused by weak encryption choices, reused keys, reused IVs/nonces, insecure modes (e.g., ECB revealing structure), or flawed custom crypto. Even when strong algorithms are used, known-plaintext material can still be valuable for confirming the encryption scheme and detecting implementation errors.

Why the other options are not correct: Ciphertext-only assumes the attacker has only encrypted data and no plaintext examples—contradicted by the templates. Chosen-plaintext requires the ability to submit arbitrary plaintexts to an encryption oracle and receive ciphertexts, which the scenario does not indicate. Chosen-ciphertext requires the ability to submit ciphertexts to a decryption oracle and observe outputs, also not described.

Because Evelyn has real, matching plaintext-ciphertext pairs from the same dataset, the most appropriate cryptanalytic approach is a known-plaintext attack.

The correct answer is B. Testing String because the scenario describes a classic SQL injection detection approach where the tester submits special characters and malformed input strings—most notably single quotes ( ' )—to observe how the application processes them and whether it produces database error feedback. In SQL injection discovery, inserting a single quote (or multiple quotes) into a parameter commonly breaks the intended SQL syntax if the input is concatenated into a query without proper validation/escaping or parameterization. When this happens, the backend database often returns error messages that may disclose critical information such as the DBMS type (e.g., MySQL, Microsoft SQL Server, Oracle), query fragments, and sometimes references to table/column names. That is exactly what you observed: “system feedback that unexpectedly reveals the database type and internal query structure.”

This method is specifically called “testing strings” in CEH-style SQL injection identification: using quote characters, delimiters, comment markers, and other metacharacters to see whether the application is vulnerable and whether errors or abnormal behavior occur. The goal is not to fully exploit the injection immediately, but to confirm whether input is being interpreted as part of an SQL statement and to collect clues that help the tester model the backend query and proceed with safe, authorized validation steps.

Why the other options are less accurate: Function testing is a broader web-testing concept and is not the specific SQLi detection tactic shown. Dynamic testing generally refers to testing an application while it is running to observe behavior, but it does not name this specific SQLi discovery technique. Fuzz testing involves sending large volumes of random or semi-random unexpected inputs to trigger crashes or errors; while multiple quotes could be part of fuzzing, the described method is the targeted, well-known SQLi testing string approach used to elicit informative SQL errors.

Therefore, the method being employed is Testing String.

The CEH IDS/IPS Evasion module describes packet fragmentation as a common evasion technique used to bypass signature-based detection.

Option B is correct.

Other options represent different attack categories.

CEH highlights reassembly normalization as a countermeasure.

The most accurate classification is Design Flaws. CEH web application guidance explains that some vulnerabilities exist not because of a coding typo or a missing patch, but because the underlying workflow, trust model, or business process is architected insecurely. In this scenario, the application relies on sequential client-driven steps for identity verification, yet the server does not independently enforce that each stage is truly completed before granting access. That means the weakness lies in the way the authentication flow was designed, specifically in trusting the client-side sequence more than it should. Poor patch management would relate to unpatched software components. Misconfigurations or weak configurations usually involve deployment or server settings. Application flaws is broader, but the question asks for the best classification, and the bypass of a security workflow due to inadequate stage enforcement is best understood as a design-level weakness. CEH references often connect such issues with business logic flaws, where attackers tamper with parameters or transaction flow to violate expected process integrity. Because the core problem is the insecure design of the multi-step validation sequence, Design Flaws is the best answer.

The capability described is Kubernetes self-healing, a core behavior emphasized in CEH cloud and container security coverage when discussing resilience, availability, and fault tolerance in containerized environments. Self-healing means Kubernetes continuously monitors the desired state of workloads and automatically acts when the current state deviates due to failures. If a node crashes, a container exits unexpectedly, or a pod becomes unhealthy, Kubernetes responds by restarting containers, recreating pods, and rescheduling workloads onto healthy nodes to maintain service continuity. This directly matches the scenario where containers are “automatically replaced and rescheduled” from failed nodes to keep payment services highly available.

While several Kubernetes components participate in achieving this outcome, the feature name most aligned with the described behavior is self-healing. Kubernetes uses controllers and the scheduler to implement it: deployments and replica sets ensure the correct number of pod replicas exist; liveness and readiness probes detect unhealthy containers; and when nodes become NotReady, pods are evicted and recreated elsewhere. This is exactly how Kubernetes supports uninterrupted operations for critical applications such as payment processing platforms.

Option B, kube-controller-manager, is a control-plane component that runs multiple controllers, and it contributes to enforcing desired state, but the question asks for the feature capability rather than the specific internal process that provides it. Option C, container orchestration, is broader and includes deployment, scaling, and management, but it is less precise than self-healing for the specific behavior of automatic replacement and rescheduling after failures. Option A is unrelated to availability behavior.

Rachel is using the Ping method for sniffer detection. The distinguishing behavior in the scenario is that she sends ICMP echo requests (pings) crafted so that the Layer 2 MAC address is incorrect/mismatched, while the Layer 3 IP destination is correct. Under normal circumstances, a host’s network interface card (NIC) should drop frames not addressed to its MAC address. However, when a NIC is set to promiscuous mode (as sniffers often require), it can accept frames regardless of destination MAC and pass them up the stack. If the operating system then processes the encapsulated IP packet and responds (e.g., sends an ICMP echo reply), that response suggests the host is accepting frames it normally would ignore—an indicator consistent with promiscuous mode sniffing.

This technique is used as a heuristic: by intentionally violating normal Ethernet delivery rules and observing whether the target still responds, you can infer that the interface may be capturing traffic not explicitly addressed to it. It’s not perfect—modern drivers, switches, VLAN configurations, and host firewall behavior can affect results—but the scenario’s “mismatched MAC but correct IP” plus “the suspected machine responds” is the classic signature of the ping-based promiscuous-mode test.

Why the other options are less suitable:

ARP method (B) typically involves ARP-based tricks (non-broadcast ARP requests or crafted ARP traffic) to test how the target responds; the scenario explicitly describes ICMP behavior.

DNS method (C) relates to DNS queries/resolution behavior and does not match the ICMP/MAC mismatch test.

Nmap sniffer-detect (NSE) (D) is a specific scripted approach, but the question asks for the underlying technique being used; the described action matches the Ping method.

Therefore, the correct answer is A. Ping Method.

The Certified Ethical Hacker (CEH) Malware Threats module explains that modern malware increasingly uses fileless techniques and living-off-the-land strategies, communicating over legitimate protocols like HTTP and DNS to evade detection.

Because this traffic blends with normal activity, port-based blocking and signature-based antivirus are often ineffective. CEH highlights behavioral analytics and network traffic analysis as the most reliable detection mechanisms for identifying anomalies such as:

Unusual outbound DNS queries

Abnormal HTTP beaconing patterns

Suspicious process behavior

Option C is correct because it focuses on detecting behavioral anomalies, which CEH identifies as essential for combating advanced malware and command-and-control (C2) channels.

Option D may disrupt business operations and does not address DNS-based C2.

Option A is outdated.

Option B cannot detect unknown or fileless malware.

CEH strongly recommends anomaly detection and behavioral monitoring for advanced threats.

The observed characteristics point most strongly to WPA2 because the scenario explicitly identifies CCMP-like headers and AES-based encryption, along with replay protection using a packet number (PN) and the familiar four-way handshake. WPA2 (based on IEEE 802.11i) replaced older approaches that relied on RC4 and TKIP, introducing AES-CCMP as the standard data confidentiality and integrity mechanism for Wi-Fi protected networks. CCMP uses AES in a mode designed for wireless frames and includes a per-packet number to prevent replay attacks.

The mention that these features were “introduced to replace older TKIP/RC4 approaches” is a major clue. Original WPA was designed as a transitional upgrade over WEP and commonly used TKIP with RC4, whereas WPA2 standardized the stronger AES-CCMP mechanism. The four-way handshake is used to derive and install fresh session keys (pairwise transient keys) between the client and access point, and the packet number increases with each encrypted frame to provide replay protection and maintain encryption correctness.

Why the other options don’t fit as well:

WEP (D) uses RC4 with weak IV handling and lacks the robust key management and handshake properties described.

WPA (B) typically centers on TKIP/RC4 rather than AES-CCMP as the defining feature set, especially in CEH-style distinctions.

WPA3 (C) introduces improvements such as SAE (Simultaneous Authentication of Equals) replacing the legacy PSK handshake method in WPA2-Personal, and enhanced protections (e.g., stronger password-based authentication). While WPA3 can still use AES-based encryption, the scenario’s emphasis is on CCMP/AES replacing TKIP/RC4—most directly the WPA2 shift.

Therefore, the access point is most likely using A. WPA2.

Padding oracle attacks exploit systems that reveal differences in error responses when incorrectly padded ciphertext is submitted. CEH explains that these variations allow attackers to iteratively determine valid padding bytes and ultimately decrypt or modify encrypted data without knowledge of the key.

CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user’s session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

The Certified Ethical Hacker (CEH) Social Engineering module defines tailgating as a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area.

Option C precisely matches CEH’s definition.

Option A is pretexting.

Option B is baiting.

Option D is phishing.

CEH stresses physical security awareness as critical as cyber defenses.

IoT devices often suffer from weak or missing encryption protocols, creating opportunities for attackers to intercept sensitive information. CEH courseware highlights that when device-to-app communication occurs in plaintext, a man-in-the-middle attack becomes one of the most effective exploitation methods. By positioning themselves between the device and the mobile application, the attacker can observe all transmitted data, including configuration updates, authentication tokens, and personal information. Tools such as Wireshark, mitmproxy, and specialized IoT interception frameworks allow testers to capture packets, decode protocols, and reconstruct application logic. The CEH curriculum stresses the importance of evaluating IoT device communication channels, because many rely on unsecured HTTP or proprietary plaintext protocols. Brute-force attempts, SQL injection, or dictionary attacks do not directly target the device–app communication pathway and would not exploit the fundamental weakness present here: lack of encryption. A MitM attack directly takes advantage of this flaw and provides comprehensive visibility into all transmitted data, making it the most effective and CEH-aligned method of exploitation.

CEH defines passive reconnaissance as collecting information without directly engaging the target.

Option A is incorrect for passive reconnaissance because Nmap scanning actively probes systems, generating detectable traffic.

Options B, C, and D rely on publicly available information and are standard passive techniques.

CEH classifies Nmap scanning as active footprinting.

CEH v13 classifies this malware as fileless malware, which resides in memory and abuses legitimate system tools (Living-off-the-Land techniques). Traditional antivirus solutions are often ineffective.

CEH v13 recommends:

Script control (PowerShell Constrained Language Mode)

Application whitelisting

Monitoring parent-child process relationships

These measures directly target the malware’s execution method. Reboots and folder cleanup do not address in-memory persistence.

Insufficient logging and monitoring is the most direct threat highlighted by the scenario. In CEH-aligned cloud security concepts, visibility is foundational: without adequate telemetry, security teams cannot detect, investigate, or respond to malicious activity in time. The question explicitly states attackers “remained undetected” because the organization lacked mechanisms to track function-level activity and capture anomalous events. In a serverless architecture, this visibility gap can be especially damaging because there are no traditional servers for defenders to log into, and many security signals must be collected from cloud-native sources such as function invocation logs, API gateway logs, identity events, and centralized monitoring pipelines.

While privilege escalation is a common cloud threat, the question’s root cause is not described as excessive permissions or role abuse; it is the lack of detection capability. Loss of governance refers to weak policies, mismanaged accounts, and lack of control over cloud resources, which may contribute indirectly but is not the immediate failure described. Side-channel attacks are specialized and do not match the evidence of missed alerts and absent operational telemetry.

CEH guidance emphasizes implementing centralized logging, continuous monitoring, alerting, and anomaly detection as core controls. For serverless, this includes capturing detailed function execution logs, tracing, identity and access events, and integrating them into a SIEM/SOAR workflow. Effective monitoring enables rapid detection of abnormal invocation patterns, suspicious API calls, unusual data access, and persistence attempts—reducing dwell time and preventing small compromises from becoming major outages.

CEH explains that MAC flooding overwhelms a switch’s CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

Fingerprinting the running service is the most appropriate technique because the strongest indicator in the scenario is inconsistent protocol behavior and error responses that do not match a legitimate production database service. In CEH reconnaissance guidance, honeypots and decoy systems often emulate common services but may implement only partial protocol stacks or simplified responses. This can lead to anomalies such as incorrect banner strings, malformed or generic error messages, unsupported command handling, unusual protocol negotiation, or responses that do not align with the claimed software version. By fingerprinting, Mia compares observed behavior against expected behavior for the genuine service, including version-specific quirks, command sets, response codes, and timing patterns for particular requests.

In practice, service fingerprinting involves interacting with the service using legitimate and edge-case requests, validating banners and headers, and correlating results with known signatures from real implementations. If the server claims to be a specific database or application service but reacts in ways that real deployments would not, it suggests emulation, instrumentation, or deception typical of honeypots designed to log attacker activity.

Analyzing response time can help, because some honeypots respond too quickly or with uniform timing, but timing alone is less definitive than protocol inconsistencies. MAC address analysis is not reliable for identifying honeypots and is often not visible beyond the local segment. Analyzing system configuration and metadata usually requires deeper access than reconnaissance and is not the primary method when the clue is protocol-level mismatch. Therefore, fingerprinting the running service best fits the observed symptoms.

QUBB ESTION NO: 25 [Mobile Platform and IoT Hacking]

Javier Ruiz from CyberFortress Solutions is tasked with auditing the mobile security practices of Apex Financial Services, a financial firm in Houston, Texas. During a covert penetration test, Javier targets employees ' personal smartphones used to access corporate financial systems. He exploits a vulnerability by installing a malicious app that bypasses access controls, granting him unauthorized entry to sensitive financial data because the devices lack a specific security measure to restrict app access. Based on this vulnerability, which BYOD security guideline is most likely missing in Apex Financial Services ' policy?

A. Review permissions requested by apps before installing them

B. Set passwords for apps to restrict others from accessing them

C. Enforce automatic device locking or implement biometric authentication

D. Use encryption mechanisms to store data

Answer: A

The most likely missing BYOD guideline is reviewing application permissions before installation. In CEH mobile security guidance, a major risk in BYOD environments is the introduction of untrusted or malicious applications that abuse the mobile permission model to access corporate data, intercept authentication tokens, read storage, capture keystrokes via accessibility services, or communicate externally. When users install apps without scrutinizing requested permissions, they may unknowingly grant excessive privileges that enable data theft or access-control bypass, especially if the app leverages OS weaknesses or misconfigurations.

The scenario states Javier “installs a malicious app that bypasses access controls” and gains access to sensitive financial data because devices “lack a specific security measure to restrict app access.” This maps directly to a policy gap around controlling and validating apps and their permission requests. CEH emphasizes that organizations should reduce attack surface by limiting app privileges, avoiding sideloading from untrusted sources, and enforcing least privilege through user awareness and enterprise controls such as MDM application allowlisting and permission governance. Reviewing permissions is the user-facing guideline that prevents employees from granting dangerous access (for example, SMS, storage, contacts, accessibility, device admin, or VPN configuration permissions) that can enable credential theft or unauthorized data access.

Option B adds an extra layer for local access but does not stop a malicious app with granted permissions from accessing corporate data. Option C helps if a device is physically stolen, but it does not prevent malicious apps already running under the user context. Option D protects data at rest, yet a malicious app can still exfiltrate data once it is decrypted and accessed by the user session. Therefore, permission review is the most directly relevant missing BYOD guideline.

CEH cloud security modules highlight that Azure Managed Identities allow workloads such as functions, VMs, and automation tasks to authenticate to Azure resources without storing secrets. If an attacker obtains the token associated with a managed identity, they can impersonate that identity and access any Azure resources it is permitted to use. In this scenario, the captured access token is used to authenticate via Azure PowerShell and retrieve storage account keys, demonstrating unauthorized privilege usage by hijacking the managed identity. This aligns directly with managed identity abuse, where attackers leverage identity tokens instead of user credentials. NSG rule gathering and AzureGraph enumeration are reconnaissance activities, and Stormspotter is used for visualizing attack paths, not abusing identities. Therefore, this scenario clearly illustrates exploitation of managed identities.

According to the Certified Ethical Hacker (CEH) attack methodology, once reconnaissance, footprinting, and website mirroring have been completed, the attacker proceeds cautiously to exploitation while maintaining stealth. CEH documentation emphasizes that low-noise, application-layer attacks are preferable when the objective is to minimize detection.

Option B, attempting SQL Injection, aligns directly with CEH’s Web Application Hacking module. SQL Injection is a server-side attack that can often be executed through normal-looking HTTP requests, making it less likely to trigger intrusion detection systems (IDS) or security alerts. CEH materials highlight SQL injection as a common and effective technique for extracting sensitive data such as usernames, passwords, and business-critical information without disrupting server operations.

Option A is incorrect because immediately modifying server configuration files after session hijacking significantly increases the risk of detection. CEH guidelines stress post-exploitation restraint, especially during red team operations.

Option C is not ideal at this stage because automated vulnerability scanners generate substantial traffic and are highly detectable. CEH explicitly notes that vulnerability scanning is noisy and often logged.

Option D is the least stealthy option. Brute-force attacks generate numerous failed authentication attempts, triggering security alerts and account lockouts. CEH classifies brute-force attacks as high-risk and easily detectable.

Therefore, SQL Injection represents the most effective and stealthy next step in accordance with CEH’s structured attack lifecycle.

The scenario describes an on-device, app-based rooting approach that does not rely on a PC connection, USB debugging, or a bootloader unlock workflow. In CEH mobile platform coverage, this aligns with “one-click” rooting tools that package exploits to elevate privileges directly from user space to root on the device. These tools typically target known vulnerabilities in the Android OS, vendor kernels, or system services to obtain root privileges and then install a management component to maintain elevated access.

KingoRoot is commonly cited in ethical hacking training contexts as a popular one-click rooting solution that can run as an Android application and attempt to root a device without a computer, depending on the device model, Android version, and patch level. This directly matches the prompt: Sofia installs a mobile application, it “exploits a system vulnerability,” and it achieves root “without requiring a PC.” The constraints given, USB debugging disabled and OEM unlock restrictions, make PC-assisted ADB workflows or bootloader-based rooting less feasible, which further supports an exploit-driven, on-device rooting tool.

Magisk Manager is primarily a root management and systemless modification framework and typically assumes the device is already rooted or that the user can patch the boot image and flash it, often requiring bootloader unlock steps that OEM restrictions would block. “One Click Root” is a generic label rather than a specific tool in many CEH-style question banks. RootMaster is another one-click tool, but KingoRoot is the most widely recognized and frequently referenced for direct APK-based rooting in this context.

The CEH Enumeration module explains that SMTP supports commands such as VRFY, EXPN, and RCPT TO, which can be abused to enumerate valid email users if not properly restricted.

In this scenario, the smtp-enum-users Nmap script successfully uses EXPN and RCPT, indicating that the server responds differently to valid and invalid usernames.

Option C is correct because unrestricted SMTP user verification allows attackers to harvest usernames for further attacks such as phishing or brute force.

Option A involves authentication, not enumeration.

Option B affects confidentiality, not user discovery.

Option D is unrelated to SMTP enumeration.

CEH strongly recommends disabling or restricting these SMTP commands.

CEH v13 states that vulnerabilities with a CVSS score ≥ 9.0 are critical and require immediate containment. When remote code execution is possible, the system may already be compromised.

The recommended response is to isolate the affected system, preventing lateral movement, then perform a forensic audit before applying patches. Immediate patching without isolation may alert attackers or destroy evidence.

Thus, option D aligns with CEH incident response best practices.

This scenario demonstrates a classic case of Session Fixation, a session hijacking technique explicitly covered under the CEH v13 Web Application Hacking module. Session fixation occurs when an attacker sets or predicts a valid session identifier and forces a victim to authenticate using that same session ID.

In the given question, two critical vulnerabilities are highlighted:

The session ID is embedded in the URL

The application does not regenerate the session ID after login

According to CEH v13, secure applications must regenerate session identifiers after successful authentication to prevent fixation attacks. If this does not occur, an attacker can craft a URL containing a known session ID and trick the victim into clicking it. Once the victim logs in, the attacker reuses the same session ID to gain unauthorized access.

CEH documentation states that session fixation is particularly effective when:

Session IDs are passed via URL parameters

Sessions persist across authentication

Secure cookie attributes are not enforced

Other options are incorrect because:

XSS-based cookie theft requires client-side script injection.

DNS cache poisoning is unrelated to session management.

CSRF exploits user trust but does not directly hijack sessions.

Thus, Session Fixation by pre-setting the token in a URL is the most effective attack in this case.

CEH materials explain that modern web applications deploy multiple layers of security—HTTPS, secure cookies, HttpOnly flags, and strict session regeneration—to defend against standard hijacking methods such as token theft through XSS or fixation. When these protections are properly implemented, attackers must compromise the underlying trust relationship between the client and server to successfully intercept or manipulate session tokens. One of the most advanced techniques described in CEH is compromising a trusted certificate authority or injecting a forged certificate into the victim’s trust store. This enables the attacker to perform a transparent MITM attack despite HTTPS protections. Because the victim’s browser trusts the forged certificate, encrypted traffic—including session tokens—is exposed to the attacker without generating browser warnings or IDS alerts. Timing side-channel attacks are not considered session hijacking methods; XSS is mitigated by secure flags; and session fixation is ineffective when session regeneration occurs. Therefore, compromising a trusted certificate authority to enable an undetectable MITM attack is the most viable method.