Pearson 312-50v13 New Attempt

Passive reconnaissance involves gathering information without directly interacting with the target. WHOIS, search engines, and social media are all passive techniques highlighted in CEH v13 Reconnaissance.

Nmap scanning, however, actively probes target systems and generates traffic that can be logged and detected. This makes it an active reconnaissance technique.

Therefore, Option D is least useful in a passive phase.

The described activity is most consistent with a Remote Access Trojan (RAT). A RAT is designed to provide an attacker with remote, covert, and persistent control over a compromised system. The scenario explicitly states that after the attachment is opened, the attacker gains “full access to the workstation” and then monitors emails, keystrokes, and local files over an extended period without alerting the user. That combination—remote control plus long-term stealthy monitoring—fits a RAT’s typical capabilities, which often include keylogging, file browsing/exfiltration, screen capture, command execution, and maintaining persistence.

Although spyware can also monitor keystrokes and user activity, spyware is typically described as focusing on surveillance and data collection rather than providing broad interactive remote administration. The scenario emphasizes “full access” and ongoing control, which is more characteristic of a RAT than spyware alone. In many real-world cases, RATs include spyware-like features; however, when the question asks which malware type best matches full remote control and stealth monitoring, RAT is the strongest match.

Why the other options are less suitable:

Botnet (B) refers to a network of infected systems (bots) controlled as a group, often for DDoS, spam, or distributed operations. The scenario focuses on a single workstation being remotely controlled and monitored.

Adware (C) focuses on delivering advertisements and tracking for marketing purposes; it does not align with covert full access and credential monitoring.

Spyware (D) overlaps on surveillance, but it does not inherently imply comprehensive remote administration and control the way a RAT does.

Therefore, the most likely malware type is A. Remote Access Trojan (RAT).

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.