Download Latest 312-50v13 Questions

The technique described is RST hijacking because the attacker sends spoofed TCP packets with the RST (reset) flag to forcibly terminate established TCP sessions. In TCP, an RST packet is used to immediately abort a connection. If an attacker can craft packets that appear to belong to an existing session (matching the 4-tuple and using plausible sequence/acknowledgment values), the receiving endpoint may accept the reset and tear down the connection. This creates disruption—sessions drop, users are disconnected, and applications experience errors—without the attacker needing to fully take over the session or inject meaningful application data.

The scenario matches this exactly: “spoofed TCP packets carrying the reset flag,” followed by “active sessions…abruptly terminated.” That is the hallmark outcome of RST-based session disruption. It is often used as a demonstration of how fragile sessions can be when attackers can spoof traffic within a path (or on the same network segment) and when defensive controls do not validate or protect sessions adequately.

Why the other options are incorrect:

UDP hijacking (A) doesn’t apply because UDP is connectionless and has no RST flag or session teardown mechanism like TCP.

Blind hijacking (C) refers to injecting traffic without seeing responses (guessing sequence numbers), but the specific mechanism asked here is the reset-flag termination; “blind” could be a property of how it’s done, not the named technique.

TCP/IP hijacking (D) is a broader category that includes multiple methods of taking over or manipulating TCP sessions. The question is specifically about using RST packets to kill sessions, which is most precisely called RST hijacking.

Therefore, the correct answer is B. RST Hijacking.

The issue described is excessive or inappropriate application permission granting in a BYOD environment. Employees install apps that request access to sensitive device resources—contacts, camera, messaging—despite those permissions not being necessary for the app’s stated purpose. This creates a risk of data harvesting and corporate information leakage if a malicious or overly intrusive app is installed. The most direct guideline to prevent this behavior is to review the permissions requested by apps before installing them.

Mobile operating systems rely heavily on permission models to control access to sensitive data and device capabilities. When users approve broad permissions without scrutiny, they effectively authorize the app to collect and transmit sensitive information. Enforcing a culture and policy of checking permissions (and denying or uninstalling apps that request unnecessary access) directly addresses the root cause in the scenario: user consent enabling excessive privilege at the app level. In a corporate BYOD program, this guideline is often paired with mobile security controls such as enterprise app stores, allowlists/denylists, MDM/MAM policies, and user awareness training, but the question asks for the most direct preventive guideline.

Why the other options are less direct:

Encryption at rest (A) helps protect stored data if the device is lost or compromised, but it does not stop an authorized app from accessing data via granted permissions.

Automatic locking/biometrics (B) reduces unauthorized physical access, but it does not constrain what a permitted app can access while the device is in use.

App passwords (D) can help restrict casual access to an app, but they do not solve the problem of an app legitimately being granted invasive permissions.

Therefore, the best answer is C. Review permissions requested by apps before installing them.

In CEH’s web application and mobile security modules, improper session management is defined as a failure to enforce session expiration, token invalidation, or secure session lifecycle controls. When an application does not invalidate a session token after logout, attackers can exploit this by performing a replay attack: reusing previously captured session identifiers to impersonate the user and gain unauthorized access. CEH teaches that replaying a live token is the simplest and most direct exploitation method because it does not require guessing or stealing new tokens—the attacker simply reuses a valid one that should have been invalidated. CSRF relies on exploiting a user’s active session and is not required when the attacker already possesses a reusable token. Brute-forcing session tokens is computationally expensive and unnecessary. SQL injection is unrelated to session lifecycle flaws unless token storage is directly exposed. Therefore, a replay attack is the correct exploitation method.

The correct answer is D. Detect.

The activity described is the continuous review of enterprise operational data to identify irregular patterns that may indicate malicious activity. This is a detection function.

CEH-aligned IDS material explains that intrusion detection systems monitor packets and attempt to discover whether an attacker is trying to break into a system or cause a denial-of-service condition. It also describes anomaly detection as measuring a baseline of activity, such as CPU utilization, disk activity, user logins, and file activity, so that abnormal behavior can be identified .

Option A. Predict is incorrect because prediction focuses on anticipating risks and likely threats before they occur.

Option B. Protect is incorrect because protection focuses on safeguards and controls that reduce the likelihood or impact of attacks.

Option C. Respond is incorrect because response occurs after an event or incident is detected.

Option D. Detect is correct because the team is monitoring data to identify suspicious or abnormal behavior.

Therefore, the best answer is D. Detect.