Pearson 312-50v13 New Attempt

The correct answer is B. Pharming.

The scenario describes users being directed to a fraudulent website that closely resembles the legitimate portal and then being prompted to submit credentials. Among the available options, this best aligns with pharming because the key behavior is redirection or misdirection of users’ web traffic to a fake website designed to harvest credentials.

CEH-aligned social engineering material describes pharming as a phishing-related variant involving redirection of a user’s web traffic and refers to it as “phishing without a lure.” The same reference distinguishes spimming as spam over instant messaging and whaling as a phishing attack targeting high-level executives . CEH web attack material also explains that attackers may use fake websites that look legitimate to extract login details from victims .

Option A. Whaling is incorrect because whaling targets senior executives or high-value individuals.

Option C. Spear Phishing is incorrect because spear phishing is a targeted phishing message sent to a specific individual or small group, usually through email.

Option D. Spimming is incorrect because spimming involves spam messages sent over instant messaging platforms.

Option B. Pharming is the best answer because the attack directs users to a fake portal where credentials are harvested.

Therefore, the best answer is B. Pharming.

The correct answer is D, Split DNS. Split DNS, also called split-horizon DNS, uses separate DNS views or servers for internal and external name resolution. In this configuration, the DNS server in the DMZ provides public-facing records for external users, while the internal DNS server provides private records for internal hosts and services. This prevents sensitive internal hostnames, IP addresses, and infrastructure details from being exposed to the public. CEH networking topics describe DNS as the system that translates hostnames to IP addresses and vice versa, making DNS records valuable during footprinting and enumeration. CEH perimeter-security material also explains that a DMZ is a buffer area between the internal private network and the external public network, used for services that must be reachable externally. DNSSEC is used to protect DNS integrity cryptographically, DynDNS maps changing IP addresses to names, and “DNS Scheme” is not the standard term. Therefore, this configuration is Split DNS.

The command that best matches Bob’s goal is ntpq -p. In CEH-aligned coverage of network services and operational troubleshooting, NTP is highlighted as a critical dependency because inaccurate time can break authentication, distort logs, and cause incorrect transaction ordering. When investigating suspected time drift, the most useful first step is to view the active NTP associations and their quality metrics. The ntpq utility queries an NTP daemon and reports peer status and performance data. Specifically, ntpq -p displays a peer table that includes each configured or discovered time source along with fields such as delay, offset, and jitter. These values help determine whether the server is locked to a stable source or being influenced by a poor or rogue time server. Offset indicates how far the local clock differs from the peer, delay reflects network latency to the peer, and jitter shows the variability in timing measurements, all of which are directly mentioned in the question.

Option A, ntptrace, is used to trace the chain of NTP servers back to a reference clock and is useful for understanding hierarchy, but it does not provide the detailed delay, offset, and jitter peer metrics in the same way. Option C, ntpdc, is an older monitoring tool that can query NTP, but CEH references more commonly emphasize ntpq for peer statistics and associations. Option D is a generic ntpq invocation with interactive command support, but the -p option is the explicit mode that outputs the peer list with the required metrics.

The scenario describes a program that appears legitimate (a software update installer that “functions normally”) while secretly placing additional malicious components onto the system, which later execute to establish remote access. That is the defining behavior of a dropper. A dropper’s primary role is to deliver (drop) malware payloads onto a host—writing files to disk or unpacking embedded components—often while disguising itself as a benign application. The malicious components may then be executed immediately or staged for later activation to reduce suspicion and increase persistence.

This differs from a downloader, which typically contains minimal payload and focuses on contacting a remote server to fetch malware after initial execution. In this case, the description emphasizes that “additional malware components are silently placed on the system,” implying the payload is being installed/deposited locally by the initial program rather than primarily downloaded. An injector focuses on injecting code into another running process (process injection) to evade detection or run under another process context; it does not inherently describe the act of placing additional components as separate hidden files. A wrapper is a technique where a malicious program is bound or “wrapped” with a legitimate one so that both run; while wrappers can be used in trojanized installers, the question emphasizes the behind-the-scenes placement of additional components for later activation, which is the classic dropper behavior.

The key indicators are: (1) user executes an installer that appears normal, (2) hidden malware components are deposited without the user’s knowledge, and (3) those components later activate for remote access. That chain matches a dropper’s purpose: stealthy malware delivery and staging.

Therefore, the correct answer is D. Dropper.