Ace Your 312-50v13 CEH v13 Exam

CEH clearly distinguishes between active and passive reconnaissance. Passive methods involve gathering publicly available data without directly interacting with the target’s infrastructure, thus avoiding detection. Tools such as Netcraft, DNSdumpster, VirusTotal, Certificate Transparency logs, and search engine indexing are recommended by CEH for discovering subdomains through public metadata, cached DNS records, WHOIS data, SSL certificate entries, and third-party enumeration databases. These platforms provide insights into externally accessible assets without sending packets or queries to the target organization. Brute-force enumeration is active and violates the rules of engagement. Attempting credential guessing or requesting internal DNS data are unauthorized and clearly active reconnaissance activities. Passive OSINT-based subdomain enumeration is a core CEH technique used to uncover hidden infrastructure safely and legally. It is especially crucial in red team operations where stealth is a priority.

CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request—usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user’s active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.

A bootkit is the rootkit type that best matches the described behavior because it compromises the system boot process and executes before the operating system fully loads, often before many security controls, drivers, and monitoring services start. CEH materials describe bootkits as a highly persistent class of malware that targets components such as the Master Boot Record, Volume Boot Record, or bootloader. By gaining execution at boot time, a bootkit can load malicious code very early, then hook or tamper with OS loading routines, kernel initialization, or security mechanisms. This early execution is exactly what the scenario emphasizes: the payload runs “before any system-level drivers or services are active,” enabling covert control while evading traditional user-mode detection.

This also explains why administrators see suspicious network activity but forensics do not easily find malicious user-level artifacts. Bootkits can hide by manipulating what the OS and security tools can see after startup, including concealing files, processes, registry keys, or even redirecting reads so scanners receive “clean” data. Because the malicious component is anchored in the boot chain, it can survive reboots and remain present even if many OS-level indicators are cleaned.

A kernel-mode rootkit operates within the OS kernel but typically loads after the OS begins booting and drivers initialize. A hypervisor rootkit relies on virtualization to sit beneath the OS at runtime, but the scenario specifically highlights boot-time execution prior to drivers and services. Firmware rootkits persist in BIOS/UEFI or device firmware, which is possible, but the most direct match to “boot process compromise below the OS” in CEH terminology is a bootkit.

The correct answer is A. Creepy because the task is specifically about extracting and analyzing geolocation information (geotags) from publicly shared media and mapping that data to real-world locations to infer employee movement patterns. In CEH-aligned reconnaissance/OSINT workflows, geolocation intelligence is a common element of footprinting because it can reveal sensitive operational details such as office locations, travel routines, meeting venues, home addresses, and patterns of presence/absence. Tools designed for geolocation OSINT help testers identify whether staff are unintentionally exposing location metadata through social media posts, uploaded photos, or other public sources.

Creepy is purpose-built for geolocation reconnaissance: it collects location metadata associated with content and presents results in a way that supports mapping and timeline-style analysis, helping analysts correlate people, posts, and coordinates. This directly supports the goal of evaluating whether employees are disclosing sensitive information about office routines by publishing geotagged images. When used in an authorized assessment, such tooling helps demonstrate risk in a measurable way—for example, showing clusters of posts around a specific building, repeated visits at predictable times, or regular travel routes that could support surveillance, targeted social engineering, or physical intrusion planning.

Why the other options are less suitable: Social Searcher is primarily used for monitoring and searching social media content by keywords, usernames, hashtags, and mentions; it is useful for broad OSINT collection but is not specifically focused on geotag extraction and movement mapping. Sherlock is designed to find a username across many platforms, helping link identities, but it does not specialize in geolocation mapping. Maltego is a powerful link-analysis platform that can correlate entities (people, domains, emails, social profiles) and can support OSINT investigations, but for the narrow requirement of extracting and mapping geotagged location data from media, Creepy is the most direct and purpose-specific tool.

Therefore, the best tool for this geotagged image movement analysis task is Creepy.