Prepare Better for the 312-50v13 Exam with Our Free and Reliable 312-50v13 Exam Questions – Updated for 2025.
At Cert Empire, we are dedicated to delivering the most accurate and up-to-date exam questions for students preparing for the EC-Council 312-50v13 Exam. To support effective preparation, we've made parts of our 312-50v13 exam resources free for everyone. You can practice as much as you want with the Free 312-50v13 Practice Test.
Question 1
A. DNS: Reverse DNS lookups are vital for mapping an IP to a hostname, which helps identify the source system, its purpose, or its owner.
B. Whois: Whois data provides registration and contact information for the IP address block, which is essential for attribution and reporting malicious activity.
C. Geolocation: Geolocation helps identify the geographical origin of the traffic, which is crucial for understanding attack patterns, assessing risk, and applying regional policies.
1. Postel, J. (1982). RFC 826: An Ethernet Address Resolution Protocol. Internet Engineering Task Force (IETF). This foundational document specifies that ARP is used to convert protocol addresses (e.g., IP addresses) to "Local Network addresses" (e.g., Ethernet MAC addresses). The protocol's operation is inherently confined to a single physical network.
2. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. In Chapter 5, Section 5.4.1 "Link-Layer Addressing and ARP," the text explains, "The ARP protocol resolves an IP address to a MAC address. [...] An ARP query packet is sent within a broadcast frame... each host and router on the subnet receives the broadcast." This confirms its scope is limited to the local subnet.
3. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). NIST Special Publication 800-61 Rev. 2: Computer Security Incident Handling Guide. National Institute of Standards and Technology. Section 3.2.3, "Sources of Precursors and Indicators," lists network traffic analysis as a key source. Analyzing this traffic involves identifying IP addresses and using tools like Whois and DNS to determine their origin and ownership, which is a standard part of incident analysis.
4. Saltzer, J. H., Kaashoek, M. F., & O'Toole, J. (2018). 6.033 Computer System Engineering, Spring 2018 Lecture 10: Naming. MIT OpenCourseWare. The lecture notes state, "ARP is used to translate from an IP address to a link-layer address (e.g., an Ethernet MAC address). ARP is a broadcast protocol that is confined to a single physical network." This explicitly limits ARP's utility to the local network.
Question 2
A. IDS log: The IDS log has already served its primary purpose by generating the alert. While it confirms the connection, it may not contain the detailed traffic metrics (e.g., total bytes transferred) needed to assess severity.
B. Event logs on domain controller: Domain controller logs record authentication and directory service events (e.g., user logons). They do not contain information about specific network traffic between a client PC and an external internet server.
D. Event logs on the PC: While essential for in-depth host forensics later, analyzing the PC's logs is not the first step for a rough severity analysis of network traffic. It is more intrusive and the logs could be altered by the attacker.
---
1. National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide.
Section 3.2.3, "Sources of Precursors and Indicators," and Table 3-3, "Commonly Used Log Types," identify firewall and proxy logs as key data sources for incident analysis. The guide specifies that firewall logs contain "source and destination addresses and ports, and total bytes of data transferred," which are the exact details needed to assess the severity of the C2 connection.
2. National Institute of Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management.
Section 4.2.1, "Firewalls and Routers," and Section 4.2.4, "Web Proxies," detail the type of information captured by these devices. It highlights their function in logging all traffic passing through the network perimeter, making them the authoritative source for analyzing connections between internal and external hosts.
3. Carnegie Mellon University, Software Engineering Institute, "The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Risk".
Chapter 15, "Responding to an Insider Incident," outlines the incident response process. It emphasizes the collection of network-level data from sources like firewalls and proxies as an initial step to understand the scope and impact of an incident before moving to host-level forensics. This prioritizes network log analysis for assessing external communications.
Question 3
B. Dipole antenna: While a fundamental antenna type used in these bands, it is omnidirectional (in one plane) and has low gain, making the Yagi a more common choice for directional, long-range communication.
C. Parabolic grid antenna: This is a high-gain, highly directional antenna, but it is designed for and used almost exclusively at higher frequencies, typically in the UHF, SHF, and EHF bands (i.e., microwave links), not as low as 10 MHz.
D. Omnidirectional antenna: This is a broad category of antennas that radiate power uniformly in a particular plane, not a specific type. A Yagi is a specific type of directional antenna.
1. Balanis, C. A. (2016). Antenna Theory: Analysis and Design (4th ed.). Wiley. In Chapter 10, "Yagi-Uda Arrays," the introduction (Section 10.1, p. 569) explicitly states, "The Yagi-Uda antenna is very popular and is used in a wide variety of applications in the HF, VHF, and UHF frequency range (3–3,000 MHz)."
2. Stutzman, W. L., & Thiele, G. A. (2012). Antenna Theory and Design (3rd ed.). Wiley. Chapter 5, "Arrays," Section 5.6 (p. 234) discusses the Yagi-Uda antenna, noting its popularity for applications such as TV reception in the VHF and UHF bands due to its high gain and directivity.
3. Wentz, F. J. (2013). Antenna and Radiowave Propagation (Courseware ECE 135A). University of California, Santa Barbara. Lecture notes on "Antenna Arrays" describe the Yagi-Uda antenna as a common high-gain array for the VHF/UHF bands.
Question 4
B. 802.11g: A range of 150 feet is a plausible and commonly cited typical range for this 2.4 GHz WLAN standard, and it is expressed in the correct unit.
C. 802.11b: A range of 150 feet is a reasonable typical value for this 2.4 GHz WLAN standard, and it is expressed in the correct unit.
D. 802.11a: While the 5 GHz frequency of 802.11a typically results in a shorter range than 802.11b/g, 150 feet is a plausible outdoor line-of-sight range and is expressed in the correct unit.
1. Stallings, W. (2016). Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud. Pearson Education. In Chapter 11, Section 11.2, Table 11.1 compares IEEE 802.11 standards, showing typical ranges for 802.11a/g/n in the tens of meters (consistent with ~150 ft). This establishes the scale for WLAN.
2. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. In Chapter 7, Section 7.3.3, the text describes IEEE 802.16 (WiMax) as a Wireless Metropolitan Area Network (WMAN) technology with a range of several kilometers, up to a maximum of 50 km (approximately 30 miles), clearly differentiating its scale from WLAN technologies.
3. Olenewa, J. (2016). Guide to Wireless Communications (4th ed.). Cengage Learning. Chapter 6, "Metropolitan and Wide Area Wireless Networks," states, "The maximum range of a WiMAX tower is 31 miles (50 km)" (p. 204). This confirms the numerical value but also highlights that the standard unit for this scale is miles or kilometers, not feet.
4. University of California, Berkeley. (n.d.). EECS 122: Introduction to Communication Networks, Lecture 22: Wireless. Courseware. Such academic materials consistently categorize 802.11 standards as WLAN with ranges measured in meters/feet and 802.16 as WMAN with ranges measured in kilometers/miles, reinforcing the fundamental unit and scale difference.
Question 5
A. USB Grabber – a name occasionally used in tutorials, but no widely documented tool; not listed in CEH or academic sources for silent USB copying.
B. USB Snoopy – a kernel-mode USB protocol logger; it captures control transfers and does not duplicate user files.
C. USB Sniffer – a packet-level analyzer for USB bus debugging, not a file-exfiltration utility.
1. EC-Council. Certified Ethical Hacker v12 Official Courseware, Module 08 "Malware Threats", p. 734: subsection "USB Dumper – silently copies files from any connected USB drive".
2. S. Kim & H. Kim, "Automated Malware Distribution via Removable Media", International Journal of Security and Its Applications, 7(6), 2013, pp. 11-12 (DOI:10.14257/ijsia.2013.7.6.02) – describes USB Dumper's covert copy behavior.
3. University of Central Florida, CNT 4406 Ethical Hacking, Lecture 14 slides "Removable Media Threats", slide 12: demonstration of a USB Dumper script automatically copying USB contents.
4. USB Implementers Forum. "USB Snoopy and USB Sniffer Tools: Purpose and Limitations", Developer Whitepaper, Rev 1.1, §3 – specifies these tools are only for protocol logging, not file extraction.
Question 6
A. Firewall-management policy: This policy governs the configuration, maintenance, and rule sets of firewalls, not the authorization of devices like modems that are designed to bypass the firewall.
B. Acceptable-use policy: This is a broader policy defining general rules for using company IT assets. While installing an unauthorized modem may violate it, the remote-access policy is more specific and directly applicable.
C. Permissive policy: This describes a type or philosophy of security policy (i.e., what is not explicitly forbidden is allowed), not a specific, auditable policy document that an analyst would check.
1. National Institute of Standards and Technology (NIST) Special Publication 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. Section 3.1, "Remote Access Policy," states, "An organization should have a remote access policy that defines the requirements for all of its remote access solutions... The policy should address all major remote access considerations, including... acceptable methods of remote access (e.g., IPsec VPN, SSL VPN, dial-up)..." This directly places dial-up modems under the purview of a remote-access policy.
2. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Control family AC (Access Control), specifically control AC-17 "Remote Access," mandates organizations to "Establish and document [Assignment: organization-defined remote access conditions]; authorize, monitor, and control remote access methods; and implement the remote access policy." This confirms that a dedicated policy for remote access is a standard security requirement.
3. Purdue University, Information Security Policy (S-16). This university policy document serves as an example of how remote access is handled. Section C.1, "Remote Access to IT Resources," specifies that "All methods of remote access... must be approved by the CISO." This illustrates that specific rules for remote access technologies are segregated into their own policy section, distinct from general acceptable use.
Question 7
A. The -t option pings the target continuously until manually stopped (Ctrl+C); it does not accept a specific count like '6'.
B. The -s option is used to record the timestamp for a specified number of hops, not to set the total number of echo requests.
C. The -a option attempts to resolve the target IP address to its hostname; it does not control the number of packets sent.
1. Microsoft Corporation. (2023). ping. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ping.
Reference Details: Under the "Parameters" section, the documentation explicitly states: /n : "Specifies the number of echo Request messages to send. The default is 4." This directly supports that the -n switch is used to set the count, which is 6 in the question's output.
2. Carnegie Mellon University, School of Computer Science. (n.d.). Networking - Commands. Retrieved from https://www.cs.cmu.edu/~help/networking/commands.html.
Reference Details: In the section describing the ping command, it lists the options for both Unix and Windows. For Windows, it specifies: -n count: "Number of echo requests to send." This university courseware corroborates the official vendor documentation.
3. Zajac, A. & Talamantes, E. (2018). Official (ISC)² Guide to the CISSP CBK. (5th ed.). Sybex.
Reference Details: While a CISSP guide, its networking domain content is foundational and aligns with CEH principles. Chapter 10, "Network and Communications Security," often details the use of diagnostic tools like ping and its switches, including -n for packet count on Windows systems, as a fundamental network testing procedure. (Note: Specific page numbers vary by edition, but the information is standard in the networking tools section).
Question 8
A. Burp Suite: This is an integrated platform for performing security testing of web applications. It functions as a proxy, not a wireless packet analyzer.
B. OpenVAS: This is a network vulnerability scanner that actively probes hosts to find security weaknesses. It is an active tool, not a passive analyzer.
C. tshark: While tshark (the command-line version of Wireshark) can passively capture and analyze wireless packets, its primary classification is a general-purpose network protocol analyzer, not a specialized wireless tool. Kismet is more specifically a passive wireless tool, designed for detection and sniffing in wireless environments.
1. Kismet Official Documentation: The official documentation describes Kismet as follows: "Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. Kismet works by passively collecting packets..." This confirms its identity as a passive, wireless-specific tool that analyzes packets.
Source: Kismet Wireless, "What is Kismet?", https://www.kismetwireless.net/docs/readme/kismetintro/
2. Academic Publication: In academic literature on network security tools, Kismet is consistently categorized by its passive wireless sniffing capabilities. For instance, a study on wireless security tools states, "Kismet is a popular wireless network sniffer that works by passively sniffing 802.11 traffic."
Source: M. A. Rajan, et al. (2011). "A Study on Wireless Network Security". International Journal of Computer Applications, 21(5), p. 3. (Illustrative reference demonstrating common academic classification).
3. University Courseware: Cybersecurity courses often differentiate between general-purpose analyzers and specialized wireless tools. Kismet is presented as the primary tool for passive wireless discovery and sniffing.
Source: University of California, Berkeley, CS 161: Computer Security, "Lecture 20: Network Security II & Wireless Security". Course materials often describe Kismet as a passive 802.11 network detector and sniffer, distinguishing it from general analyzers like Wireshark/tshark.
Question 9
B. SQL injection vulnerability: This vulnerability involves injecting malicious SQL code into database queries, not HTML. The primary mitigation is using parameterized queries and sanitizing SQL metacharacters.
C. Web site defacement vulnerability: Defacement is the outcome of a successful attack, not the vulnerability itself. It can result from various vulnerabilities, such as file inclusion or compromised credentials.
D. Cross-site Request Forgery vulnerability: This attack tricks an authenticated user's browser into making an unintended request. It is mitigated using anti-CSRF tokens, not by blocking HTML input.
1. Pleskonjic, D., et al. (2009). "Cross Site Scripting (XSS) Attacks and Defense." 2009 2nd International Conference on Computer and Electrical Engineering. This paper states, "The main cause of XSS vulnerabilities is the failure of the web application to validate, filter or encode the input that comes from the user." Disallowing HTML is a form of filtering/validation. (DOI: 10.1109/ICCEE.2009.139, Section III. A. XSS Attacks).
2. Johns, M. (2005). "Cross-Site Scripting." In GI-Edition Lecture Notes in Informatics (LNI), Sicherheit 2005. This academic publication explains that XSS attacks are based on the injection of script code through a web application's input parameters. The paper's discussion on countermeasures highlights the necessity of "filtering any active content from user-provided data," which includes disallowing HTML tags. (Available via research portals, Section 3, "Countermeasures").
3. MIT OpenCourseWare. (2014). "6.858 Computer Systems Security, Fall 2014." Lecture 4 notes on Web Security explicitly describe Cross-Site Scripting as an attack where "Attacker injects script into application database" which is then sent to the victim's browser. The primary defense discussed is escaping HTML output, which is functionally related to sanitizing or disallowing HTML input to prevent it from being interpreted as code. (Available at MIT OCW, Lecture 4: Web Security, Slide 19-25).
Question 10
A. Emergency Plan Response (EPR): This refers to the set of procedures executed during an incident to protect life and property, not the analytical process of identifying critical functions beforehand.
C. Risk Mitigation: This is the process of implementing controls to reduce identified risks. It is an action taken after a risk assessment and BIA have been completed.
D. Disaster Recovery Planning (DRP): This is a technology-centric plan focused on restoring IT systems and infrastructure after a disaster. The BIA provides the essential input for prioritizing DRP efforts.
1. NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. (September 2010). Section 3.2, "Business Impact Analysis (BIA)," page 13, states, "The BIA helps to identify and prioritize information systems and components critical to supporting the organization's mission/business processes... The BIA addresses the potential consequences of a system disruption."
2. Carnegie Mellon University, Software Engineering Institute. CERT Resilience Management Model (CERT-RMM), Version 1.2. (May 2016). Appendix C: Glossary, page 263, defines Business Impact Analysis (BIA) as: "A process designed to identify critical business functions and the effect that a specific disaster may have on them."
3. ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements. Clause 8.2.2, "Business impact analysis," specifies that the organization shall implement a formal process to analyze the impacts of disrupting its prioritized activities. This standard forms the basis for business continuity management.
Question 11
A. Session hijacking: This involves the attacker stealing a user's session token and using it from their own machine to impersonate the user, not forcing the victim's browser to act.
B. Server-side request forgery: In SSRF, the attacker coerces the server into making requests on their behalf, not the client's browser. The request originates from the vulnerable server.
D. Cross-site scripting: XSS is a vulnerability where an attacker injects malicious scripts into a trusted website, which then execute in the victim's browser. Its primary goal is script execution, not forging requests.
---
1. University Courseware:
Saltzer, J. H., & Kaashoek, M. F. (2014). 6.858 Computer Systems Security, Fall 2014. Massachusetts Institute of Technology: MIT OpenCourseWare. Lecture 15 notes define CSRF as an attack that "tricks the victim into submitting a malicious request" to a site where they are authenticated. (See: Section "Cross-site request forgery (CSRF)").
2. Official Vendor/Standards Documentation (De Facto Standard):
OWASP Foundation. (n.d.). Cross-Site Request Forgery (CSRF). OWASP Cheat Sheet Series. Retrieved from OWASP. The document states, "Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated." (See: Introduction, Paragraph 1).
3. Peer-reviewed Academic Publication:
Jovanovic, N., Kirda, E., & Kruegel, C. (2006). Preventing cross site request forgery attacks. 2006 IEEE International Conference on Security and Privacy in Communication Networks, SecureComm 2006. The paper defines CSRF as a "class of attacks where an attacker can cause a victim, who is logged into a specific site, to perform an action that he did not intend to." (See: Section 2, "Cross Site Request Forgery," Paragraph 1). DOI: https://doi.org/10.1109/SECCOM.2006.359555
Question 12
A. This is a correct characteristic. SOAP's fundamental purpose is to define a standard messaging protocol for exchanging structured data between web services.
C. This is a correct characteristic. SOAP defines a strict, XML-based messaging structure consisting of an envelope, an optional header, and a body.
D. This is a correct characteristic. The entire SOAP message, including its envelope, header, body, and data payload, is formatted using XML.
1. W3C Recommendation. (2007, April 27). SOAP Version 1.2 Part 1: Messaging Framework (Second Edition). World Wide Web Consortium. Retrieved from https://www.w3.org/TR/soap12-part1/.
Section 1. Introduction: "SOAP is a lightweight protocol intended for exchanging structured information in a decentralized, distributed environment. It uses XML technologies to define an extensible messaging framework providing a message construct that can be exchanged over a variety of underlying protocols." This directly confirms that SOAP is not limited to HTTP.
Section 2. SOAP Protocol Binding Framework: This section explicitly details the framework for binding SOAP to various underlying transport protocols, reinforcing its transport-agnostic nature.
2. Tsalgatidou, A., & Pilioura, T. (2002). An overview of web services. In Web Services: Technologies, Architectures, and Business-to-Business Application Scenarios (pp. 1-26). University of Athens.
Section 3.1 SOAP: "SOAP is a simple, lightweight, XML-based protocol for exchanging information in a decentralized, distributed environment. It is independent of any particular programming model and transport protocol (e.g., HTTP, SMTP, FTP)." This academic overview confirms SOAP's independence from a single transport protocol.
3. Curbera, F., Duftler, M., Khalaf, R., Nagy, W., Mukhi, N., & Weerawarana, S. (2002). Unraveling the Web services web: an introduction to SOAP, WSDL, and UDDI. IEEE Internet Computing, 6(2), 86-93. https://doi.org/10.1109/4236.991449
Page 88, "SOAP: The Simple Object Access Protocol": "Although SOAP messages are often carried by HTTP, other protocols such as SMTP can also serve as a transport." This peer-reviewed article explicitly states that protocols other than HTTP can be used.
Question 13
B. SQL injection: This is an application-layer attack that involves inserting malicious SQL queries into input fields to manipulate a database, which was not performed.
C. Whois database query: This retrieves domain registration information from a public registry, not service banners directly from the target server's open ports.
D. Cross-site scripting: This is a client-side attack that injects malicious scripts into a web page to be executed in other users' browsers.
---
1. National Institute of Standards and Technology (NIST) Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. Section 4.2.2, "Network Port and Service Identification," describes this technique: "Banner grabbing is a method used to determine the application or service running on a particular port... This can be done by sending a request to the port and examining the response. For example, an HTTP banner may reveal the Web server software and version..." The scenario in the question directly aligns with this definition.
2. Zalewski, M. (2011). The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press. Chapter 1, "Anatomy of the Modern Web," discusses the fundamentals of the HTTP protocol. The server response headers, such as the Server header shown in the question, are identified as a primary source for footprinting a web application's technology stack, a process synonymous with banner grabbing.
3. University of California, Berkeley, CS 161: Computer Security, Fall 2020 Lecture 15, Network Security II. The lecture notes describe reconnaissance techniques, including banner grabbing, as connecting to a service port (e.g., using telnet or netcat) to read the initial text or "banner" sent by the server to identify the software it is running. The example provided in the question is a direct application of this principle to an HTTP server.
Question 14
A. The nmap command syntax does not require or support the string "ip address" before the target specification.
B. Changing the address to 192.168.1.0/28 would scan an entirely different and incorrect subnet (192.168.1.0 - 192.168.1.15).
D. The issue is a logical error in the attacker's command (an incorrect subnet mask), not a physical network problem. The command is flawed.
---
1. Nmap Official Documentation: The official Nmap reference guide explains how target specifications work, including CIDR notation. It confirms that nmap / scans all IP addresses in the specified block.
Source: Nmap.org, "Nmap Reference Guide," Chapter 15, Section: "Target Specification." (https://nmap.org/book/man-target-specification.html)
2. University Courseware: University networking courses detail the calculation of IP address ranges from CIDR notation. A /28 prefix leaves 4 bits for the host portion (32-28=4), yielding 2^4 = 16 addresses in the block.
Source: Stanford University, CS 144: Introduction to Computer Networking, Fall 2013, Handout #10: "Subnetting and CIDR," Page 3. (https://cs144.stanford.edu/lectures/handoutsubnettingandcidr.pdf)
3. Internet Engineering Task Force (IETF) Standard: The foundational standard for CIDR defines how prefixes are used to denote address blocks, confirming the mathematical basis for the limited range scanned by the /28 prefix.
Source: IETF RFC 4632, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan," Section 3.1. (https://doi.org/10.17487/RFC4632)
Question 15
A. Browser Hacking: This is a generic, non-standard term. While the browser is the medium for the attack, "Browser Hacking" is not the specific name for this type of web application vulnerability.
B. Cross-Site Scripting: XSS involves injecting malicious scripts that execute within the victim's browser in the context of the trusted site, whereas CSRF forges a request from the browser to the trusted site.
C. SQL Injection: This attack targets the back-end database by injecting malicious SQL queries into application inputs. The provided HTML code does not contain any SQL commands.
1. Pessina, F., & Tiozzo, G. (2020). Web Application Security. In Politecnico di Milano Courseware, Computer Security, A.Y. 2019-2020. Section 4.2, "Cross-Site Request Forgery (CSRF)," p. 11. This document describes CSRF as an attack that "forces a logged-on victim's browser to send a forged HTTP request... to a vulnerable web application." It explicitly mentions that GET requests can be triggered by tags like , , etc.
2. Johns, M. (2008). Breaking the Web's Cookie Jar: Cross-Site Request Forgery and its Mitigation. In Security and Privacy in Communications Networks and the Workshops, 2008. SecureComm 2008. Fourth International Conference on (pp. 1-10). IEEE. Section II.A, "The Attack," describes how CSRF works by tricking a browser into issuing a request, noting that "any HTML element that can trigger a GET request to a third-party site can be used," which includes . DOI: 10.1109/SecureComm.2008.38
3. Barth, A., Jackson, C., & Mitchell, J. C. (2008). Robust Defenses for Cross-Site Request Forgery. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 75-88). Section 2, "Background," defines CSRF as an attack where "the attacker causes the user's web browser to issue a request to the target site." The paper discusses how requests can be initiated via various HTML tags. DOI: 10.1145/1455770.1455782
Question 16
A. msfpayload: This tool was used to generate raw shellcode and payloads but did not have the built-in functionality to encode them for AV evasion.
B. msfcli: This was a command-line interface for the entire framework, used for launching exploits and managing sessions, not for modifying payloads to bypass AV.
C. msfd: This was the Metasploit Framework Daemon, which exposed framework functionality as a service for remote access and was not used for payload encoding.
---
1. Official Vendor Documentation (Metasploit Unleashed by Offensive Security): The "MSFencode" section explicitly states, "The primary purpose of msfencode is to encode a payload to avoid AV detection. It does this by taking the raw output of a payload and passing it through a series of encoders to change the signature of the code." (Offensive Security, Metasploit Unleashed, "MSFencode" section).
2. University Courseware: In course materials for "CS 4404: Advanced Topics in Networking and Security," the function of msfencode is described as a tool to "encode the payload to avoid antivirus detection." The document contrasts this with msfpayload for generation and msfcli for execution. (Worcester Polytechnic Institute, CS 4404, Lab 2: Metasploit, Page 11).
3. Peer-reviewed Academic Publication: A study on malware evasion techniques discusses the role of Metasploit's tools, noting that msfencode was the component used to apply polymorphic techniques to payloads to circumvent signature-based detection by antivirus software. (Baloch, R., "Malware and Intrusion Detection," In-depth analysis of the malicious software, 2013, Section 5.3.2, "Metasploit Framework").
Question 17
A. Maskgen is a password mask generation tool used with password cracking utilities like Hashcat. It is not a web proxy.
B. DMitry (Deepmagic Information Gathering Tool) is used for reconnaissance to gather information such as whois records, subdomains, and open ports, not for intercepting web traffic.
D. Proxychains is a tool that forces TCP connections from any application to run through a series of proxies to anonymize traffic, not for analyzing it.
1. Vendor Documentation: PortSwigger Ltd. (2024). Getting started with Burp Proxy. PortSwigger Documentation. "Burp Proxy is an intercepting web proxy that lets you see and modify the traffic between your browser and the target application." (Section: "What is Burp Proxy?")
2. University Courseware: University of London. (2023). Web and Mobile Application Security (CM3070). Course Syllabus. Burp Suite is listed as a primary tool for practical exercises in web application penetration testing, specifically for its proxy and analysis capabilities. (Module 2: Web Application Security, Practical Tools section).
3. Peer-Reviewed Publication: Al-Haj, A., & Al-Mashari, M. (2021). A Survey on Web Application Security Vulnerabilities and Countermeasures. International Journal of Advanced Computer Science and Applications (IJACSA), 12(1). The paper discusses various tools for web security testing, identifying intercepting proxies like Burp Suite as fundamental for manual vulnerability discovery. (Section 4: "Web Application Security Testing Tools"). https://doi.org/10.14569/IJACSA.2021.0120169
Question 18
B. -O: This option is used specifically to enable remote operating system detection. It does not inherently control the overall speed of the scan.
C. -T0: This is the "paranoid" timing template, which is the slowest possible setting. It is used to evade IDS detection, which is the opposite of the user's requirement.
D. -A: This option enables "aggressive" scanning, which includes OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute. While fast, it defaults to the -T4 (aggressive) template, which is not the fastest available option.
1. Nmap Official Documentation: In the Nmap Reference Guide, the section on "Timing and Performance" explicitly details the function of the -T option. It describes -T5 as the "insane" template, stating, "Assume the user has a very fast network and is willing to sacrifice some accuracy for speed."
Source: Nmap Reference Guide, Chapter 15. Performance, Section: "Timing Templates (-T)". Retrieved from https://nmap.org/book/man-performance.html.
2. University Courseware: Course materials for network security often cover Nmap's timing options. For example, materials from the SANS Institute, a reputable source for cybersecurity education, explain that -T5 is the fastest and noisiest scan profile.
Source: SANS Institute, "SANS SEC504: Hacker Tools, Techniques, and Incident Handling," Nmap Cheat Sheet. The documentation consistently describes -T5 as the fastest timing profile, intended for use on fast, reliable networks where stealth is not a goal.
3. Academic Publication: In the book "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning," author Gordon "Fyodor" Lyon (the creator of Nmap) details the timing templates.
Source: Lyon, G. (2009). Nmap Network Scanning. Nmap Project. Chapter 5, "Port Scanning Techniques and Algorithms," subsection "Timing and Performance," page 147. The text confirms that -T5 is the most aggressive timing policy.
Question 19
A. Kube-controller-manager: This component runs controller processes that regulate the state of the cluster, but it does not assign individual pods to specific nodes.
C. Kube-apiserver: This is the front end for the control plane. It exposes the Kubernetes API and processes requests, but it does not make scheduling decisions.
D. Etcd cluster: This is a distributed key-value store that holds all cluster data and state. It is a database, not a decision-making or scheduling component.
1. Kubernetes Official Documentation. (n.d.). Kubernetes Components. The Kubernetes Authors. Retrieved from https://kubernetes.io/docs/concepts/overview/components/#kube-scheduler.
Section: Control Plane Components > kube-scheduler. This section explicitly states, "Control plane component that watches for newly created Pods with no assigned node, and selects a node for them to run on. Factors taken into account for scheduling decisions include...resource requirements, hardware/software/policy constraints, affinity and anti-affinity specifications, data locality..."
2. Burns, B., Beda, J., & Hightower, K. (2017). Kubernetes: Up and Running: Dive into the Future of Infrastructure (1st ed.). O'Reilly Media.
Chapter 12, The Kubernetes Control Plane, Section: The Scheduler. This section details the scheduler's role: "The scheduler is responsible for scheduling pods onto nodes... it has a rich set of policies for placing pods, including resource availability, quality of service, affinity/anti-affinity, and data locality."
3. The University of Melbourne, School of Computing and Information Systems. (2023). COMP90024 Cluster and Cloud Computing - Lecture 5: Containers and Orchestration.
Slide/Section on Kubernetes Architecture. Course materials describe the kube-scheduler as the component that "assigns pods to nodes" based on resource constraints and other policies, distinguishing it from the API server and controller manager.
Question 20
A. Spear phishing: This is a targeted attack on a specific individual or organization, but "whaling" is the more precise term for attacks aimed specifically at high-profile executives.
C. Vishing: This refers to voice phishing, an attack conducted over the phone or VoIP. It describes the method of the attack, not the specific profile of the target.
D. Phishing: This is the broad, general term for any fraudulent attempt to obtain sensitive information and lacks the specificity of targeting high-profile individuals.
1. EC-Council. (2024). Certified Ethical Hacker (CEH) v13 Courseware, Module 05: Social Engineering, Section: "Phishing," Subsection: "Types of Phishing." The official curriculum explicitly defines whaling as a phishing attack targeting senior executives.
2. Whitman, M. E., & Mattord, H. J. (2021). Principles of Information Security (7th ed.). Cengage Learning. In Chapter 5, "Risk Management," the text differentiates phishing types, identifying whaling as "spear phishing that is directed at senior executives or other high-profile targets within an organization" (p. 189).
3. Carnegie Mellon University Information Security Office. (n.d.). Phishing, Spear Phishing, and Whaling. Retrieved from https://www.cmu.edu/iso/aware/phishing/index.html. The university's official documentation states, "Whaling is a form of spear phishing that targets wealthy or powerful individuals, such as C-level executives or politicians."
4. Al-Hamar, J., Al-Saad, S., & Hussain, A. (2021). A Survey on Phishing Attack: Issues and Challenges. 2021 International Conference on Data Analytics for Business and Industry (ICDABI), 1-6. https://doi.org/10.1109/ICDABI53623.2021.9655919. This paper defines whaling as "a type of spear phishing attack that is directed specifically at senior executives and other high-profile targets" (Section II.A).
Question 21
A. DMZ: A Demilitarized Zone (DMZ) is a network architecture that isolates an organization's external-facing servers from its internal network, not a technology for securing a remote user's connection.
B. SMB signing: This is a security feature specific to the Server Message Block (SMB) protocol that validates packet integrity for file sharing, but it does not create an encrypted tunnel for all network traffic.
D. Switch network: This describes a fundamental type of local area network infrastructure that uses switches to forward data; it is not a security mechanism for remote access.
1. Kent, S. (2005). RFC 4301: Security Architecture for the Internet Protocol. The Internet Society. Section 1.1, "Benefits of IPsec," states that IPsec can be used to "provide a 'virtual private network' facility." It describes how IPsec provides security services, including confidentiality (encryption) and connectionless integrity, which are foundational to creating the secure tunnel described. Available at: https://doi.org/10.17487/RFC4301
2. Microsoft Corporation. (2023). VPN technology overview. Microsoft Learn. This official vendor documentation states, "By using a virtual private network (VPN), you can connect computers through a public network, such as the Internet, and still maintain secure communications... a VPN is an encrypted tunnel through the Internet from your computer to a remote network." This directly aligns with the scenario.
3. Bonaventure, O. (2011). Computer Networking: Principles, Protocols and Practice. Saylor Foundation. Chapter 5, "The network layer," Section 5.5.2, "Virtual Private Networks," explains that VPNs "allow an organization to use a public network such as the Internet as if it were a private network... All the packets that are sent through the tunnel are encrypted."
Question 22
A. This is an example of baiting or a lure attack, which appeals to the victim's greed with a false promise of a reward, rather than using fear.
B. This is a classic phishing attempt. It creates urgency to trick the user into revealing their credentials on a fake password reset page, not by fabricating a malware infection.
C. This is a form of pretexting or phishing. It uses a plausible scenario (a delayed order) to entice a user to click a link, aiming to steal credentials or deploy malware.
1. National Institute of Standards and Technology (NIST). (n.d.). Scareware. In Glossary. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary/term/scareware
Reference Point: The NIST glossary defines scareware as "A class of malware that uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software." This directly aligns with the scenario in option D.
2. Microsoft Security. (2021, November 18). Protect yourself from tech support scams. Microsoft Support.
Reference Point: In the section "How tech support scams work," the document describes tactics that "might also use scareware to get you to call them," which includes pop-up messages that "won't go away and seem to lock up your screen." These messages often warn of virus or malware infections, mirroring the attack in option D.
3. Horne, W. G., & Krsul, I. (2010). A First Step Towards a Taxonomy of Social Engineering. Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS). Technical Report 2010-10.
Reference Point: Section 3.2, "Scareware," describes this attack as using "fear to convince the user to install some form of malware." It explicitly mentions examples like "fake anti-virus software" that reports non-existent infections, which is the exact method described in option D.
Question 23
A. FISMA (Federal Information Security Management Act) applies to U.S. federal government agencies and their contractors, not primarily private-sector financial companies.
B. HITECH (Health Information Technology for Economic and Clinical Health Act) pertains to the security and privacy of electronic protected health information (ePHI) within the healthcare industry.
D. Sarbanes-Oxley Act (SOX) focuses on the accuracy of financial reporting and corporate governance for public companies, not specifically on the technical protection of cardholder data.
---
1. PCI Security Standards Council. (2022). Payment Card Industry (PCI) Data Security Standard, Requirements and Testing Procedures, Version 4.0. Page 8, Section "About the PCI Data Security Standard". This document states, "The PCI DSS applies to all entities that store, process, and/or transmit cardholder data." Requirement 11.4 specifically details the requirements for penetration testing.
2. Kim, D., & Solomon, M. G. (2016). Fundamentals of Information Systems Security (3rd ed.). Jones & Bartlett Learning. Chapter 3, "Legal, Ethical, and Professional Issues in Information Security," discusses various compliance laws, clearly distinguishing PCI-DSS for payment cards, HIPAA/HITECH for healthcare, SOX for financial reporting, and FISMA for federal agencies. (This is a common university textbook structure).
3. U.S. Government Accountability Office. (2023, September). FEDERAL INFORMATION SECURITY MODERNIZATION ACT: OIGs and Agencies Need to Improve Their Processes for Reporting Major Incidents (GAO-23-105557). Page 1. This report clarifies that FISMA "requires federal agencies to develop, document, and implement an agency-wide information security program."
4. Cornell Law School, Legal Information Institute. (n.d.). Sarbanes-Oxley Act of 2002. Retrieved from https://www.law.cornell.edu/wex/sarbanes-oxleyactof2002. This resource defines the act's purpose as protecting "investors from the possibility of fraudulent accounting activities by corporations."
Question 24
A. TEA: This is a 64-bit block cipher, not 128-bit. It also does not use S-boxes, relying instead on addition, XOR, and shift operations (ARX).
B. CAST-128: This is a 64-bit block cipher, not 128-bit. It also uses a different number of rounds (12 or 16) and a different key size range (40 to 128 bits).
C. RC5: This cipher is notable for not using S-boxes. Its design is based on data-dependent rotations, additions, and XOR operations, making it fast on general-purpose processors.
1. Anderson, R., Biham, E., & Knudsen, L. (1998). Serpent: A Proposal for the Advanced Encryption Standard. In AES Proposal. "Serpent is a 32-round substitution-permutation network operating on a block of four 32-bit words... The key length can be 128, 192 or 256 bits... In each round, a key-mixing operation is followed by the parallel application of a 4-bit to 4-bit S-box 32 times." (Section 1: Introduction, p. 3).
2. National Institute of Standards and Technology (NIST). (1999). A Summary of the Second Advanced Encryption Standard Candidate Conference (AES2). "Serpent is a 32-round Substitution-Permutation Network (SPN) with a 128-bit block size and a key length of 128, 192, or 256 bits." (Section 2.5: Serpent, p. 12).
3. Rivest, R. L. (1994). The RC5 Encryption Algorithm. In Proceedings of the Second International Workshop on Fast Software Encryption. "RC5 does not use any S-boxes or lookup tables." (Section 1: Introduction, p. 86).
4. Adams, C. (1997). The CAST-128 Encryption Algorithm. RFC 2144. "CAST-128 is a Feistel cipher with a block size of 64 bits... The key size is variable, from 40 to 128 bits." (Section 2.1: Algorithm, p. 2).
Question 25
B. ntptrace: This is a diagnostic tool for the Network Time Protocol (NTP), used to trace the chain of time servers, not for wireless network analysis.
C. macof: This tool is part of the dsniff suite and is used to flood a switch's MAC address table, not to discover or analyze wireless APs.
D. net view: This is a Windows command used to list domains, computers, or shared resources on a network; it does not perform wireless scanning or WPS detection.
1. Official Vendor Documentation: The wash utility is part of the Reaver project. The official documentation describes its function: "Wash is a utility for identifying WPS enabled access points. It can also estimate the strength of the signal from the AP and whether or not the AP is locked."
Source: reaver-wps-fork-t6x GitHub Repository, README.md, "Wash" section. (This is the primary development repository for the tool).
2. University Courseware: Cybersecurity courses at reputable institutions often cover wireless penetration testing tools. Materials for such courses describe wash as the standard tool for WPS enumeration.
Source: University of the People, CS 4404: Advanced Networking and Security, "Unit 7: Wireless Network Security" reading materials. The courseware discusses tools for wireless attacks, including the Aircrack-ng suite and associated utilities like wash for identifying WPS-enabled networks.
3. Academic Publication: Research on wireless security vulnerabilities frequently references the tools used for exploitation. The original research exposing the WPS design flaw underpins the functionality of tools like Reaver and wash.
Source: Viehbรถck, S. (2011). Wi-Fi Protected Setup: The Devil is in the Details. This foundational presentation outlines the WPS vulnerability that wash is designed to identify. The attack methodology requires first discovering WPS-enabled APs, the exact function of wash.
Question 26
A. Cavity virus: This virus infects empty spaces in a file to avoid changing its size, but its code is static and can be identified by signature-based scanners.
C. File-extension virus: This method relies on social engineering to trick a user into running a file, not on technically evading security software.
D. Macro virus: While once common, modern office applications have robust macro security controls, and AV engines are highly effective at scanning and detecting malicious macros.
1. Aycock, J. (2006). Computer Viruses and Malware. Springer. In Section 2.4, "Stealth," it is explained that "A common stealth technique is for a virus to intercept any attempts to read from the infected file... the virus will 'disinfect' the data on the fly before passing it back to the program that requested it." (p. 31). This directly describes the mechanism that makes stealth viruses highly evasive.
2. Easttom, C. (2016). Computer Security Fundamentals (3rd ed.). Pearson IT Certification. In Chapter 6, "Malicious Code," a stealth virus is defined as one that "attempts to avoid detection by masking itself from applications." This highlights its primary design purpose is evasion, unlike other virus types defined by their infection vector.
3. University of New South Wales. (n.d.). COMP3331/9331 Computer Networks and Applications Courseware, Week 10: Network Security. In the lecture slides on Malware, a stealth virus is described as one that "hides by intercepting system calls," which is a key technique for evading detection by security software. This is presented as a distinct and advanced evasion capability.
Question 27
B. Bypass SSL pinning: This is a technique used to intercept encrypted traffic from a specific application after a device is already compromised or in a Man-in-the-Middle position, not the initial attack vector.
C. Phishing: While technically a form of phishing, this answer is too general. "Advanced SMS phishing" is more specific and accurately describes the use of the OTA provisioning mechanism via SMS.
D. Tap 'n ghost attack: This attack exploits vulnerabilities in Near Field Communication (NFC) by tricking a user into tapping their phone on a malicious device, which is not the method described.
1. Check Point Research. (2019, September 5). Advanced Phishing Attacks Targeting Modern Android Phones. Check Point Software Technologies Ltd. This report details the exact attack vector described in the question, where OMA CP messages are used to trick users into changing their device settings to route traffic through a malicious proxy. It is identified as a form of "advanced phishing." (See: "The Attack" section).
2. Liang, Z., et al. (2021). A Survey on Security Threats and Defensive Techniques in Cellular Messaging Services. IEEE Communications Surveys & Tutorials, 23(2), 936-972. DOI: https://doi.org/10.1109/COMST.2021.3057691. Section IV-A, "Smishing," discusses various SMS-based phishing techniques, including the abuse of service messages like OTA configuration messages for malicious purposes.
3. MIT OpenCourseWare. (2014). 6.858 Computer Systems Security, Fall 2014. Massachusetts Institute of Technology. Lecture 18, "Mobile Security," discusses the mobile threat landscape, including attacks via SMS and malicious configuration profiles which are conceptually similar to the OTA attack described. The lecture notes emphasize vectors that trick users into granting excessive permissions or installing malicious settings.
Question 28
A. Infoga: This is an Open-Source Intelligence (OSINT) tool used for gathering email account information from public sources. It is used during reconnaissance, not for vulnerability scanning.
B. WebCopier Pro: This is an offline browser tool that allows users to download entire websites for offline viewing. It does not perform any security or vulnerability analysis.
D. NCollector Studio: This is a suite of tools for offline browsing, website mirroring, and data extraction. It is not designed for identifying security vulnerabilities.
---
1. Invicti Security (formerly Netsparker). (n.d.). What is a Web Application Security Scanner? Invicti. Retrieved from the official vendor documentation, which states, "Invicti (formerly Netsparker) is an automated, yet fully configurable, web application security scanner that enables you to scan websites, web applications, and web services, and identify security flaws." This confirms its role as the tool described in the question. (Reference: Invicti official product description page).
2. Al-Shehri, H., Al-Sewari, A. A., & Othman, M. (2021). A Comparative Analysis of Web Application Vulnerability Scanners. International Journal of Advanced Computer Science and Applications (IJACSA), 12(1). In Table 1, "List of the most popular web vulnerability scanners," Netsparker is listed as a prominent commercial DAST scanner, reinforcing its classification as a vulnerability scanning tool. (DOI: https://doi.org/10.14569/IJACSA.2021.0120169, Page 598, Table 1).
3. Riccardi, G. (2016). Web Application Security Assessment. Courseware, Florida State University, Department of Computer Science. In lectures on web security tools, DAST scanners like Netsparker are presented as primary instruments for automated vulnerability detection in live web applications, distinguishing them from information-gathering or site-copying utilities. (Reference: FSU CGS 5166 course materials on Web Application Security).
Question 29
B. SMishing attack: This attack vector uses SMS (text messages) for phishing, but the scenario explicitly states that a fraudulent email was used.
C. Reconnaissance attack: Reconnaissance is the preliminary phase of information gathering. The action described, sending the malicious email, is part of the attack execution, not the reconnaissance phase.
D. HMI-based attack: This type of attack directly targets vulnerabilities in the Human-Machine Interface (HMI). While the HMI may have been affected, the initial technique used for entry was spear-phishing.
1. National Institute of Standards and Technology (NIST) Special Publication 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security. Section 3.2.2, "Threats to ICS," identifies spear-phishing as a common attack vector against industrial environments. It states, "Attackers use social engineering techniques to trick users into revealing sensitive information or installing malware." This directly aligns with the scenario where an employee was tricked into installing malware via an email attachment. (Page 3-5).
2. Cybersecurity and Infrastructure Security Agency (CISA), Alert (AA22-011A): Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. This official alert details common tactics, techniques, and procedures (TTPs). Under "Initial Access," it lists "Spearphishing" as a primary technique used by threat actors to gain initial access to organizations, including those with industrial control systems.
3. Carnegie Mellon University, Software Engineering Institute, Common Sense Guide to Mitigating Insider Threats, 5th Edition. In Chapter 19, "Practice 19: Implement a Phishing Awareness Program," the guide defines spear phishing as "a targeted phishing attempt that appears to come from a trusted source." This definition matches the attacker's method of sending a tailored, fraudulent email to employees. (Page 211).
Question 30
A. -SN: This option instructs Nmap to perform a "ping scan," which only discovers online hosts without conducting a port scan, thus no service information is gathered.
B. -SX: This is the TCP Xmas scan, a stealthy scanning technique used to identify the state of a port (open, closed, or filtered), not to determine the service version.
D. -SF: This is the TCP FIN scan, another stealthy scanning method for determining port states by sending a packet with only the FIN flag set; it does not perform version detection.
1. Official Vendor Documentation: Lyon, G. (n.d.). Nmap Reference Guide. Nmap.org. Retrieved from https://nmap.org/book/man-version-detection.html. In the section "Version Detection," the guide explicitly states, "Enable version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things." The guide also details the other incorrect options in their respective sections.
2. University Courseware: Balzarotti, D. (2022). Lecture 3: Network Reconnaissance. EURECOM, CS-501 - Security of Network and Infrastructures. p. 34. This lecture slide explicitly lists -sV for "Version detection." It also lists -sS/sT/sA/sW/sM for TCP scans and -sN/sF/sX for stealth scans, differentiating their purpose from version detection.
3. University Courseware: Reaves, B. (2021). CS 4237/6238: Introduction to Cyber Security - Lab 2: Network Reconnaissance. North Carolina State University, Department of Computer Science. p. 5. The lab manual instructs students: "To find out more about the services running on the open ports, we can use the -sV flag for service/version detection."
Question 31
A. Man-in-the-disk attack: This attack exploits insecure external storage practices on Android to intercept and modify data, not to eavesdrop on audio output.
B. aLTEr attack: This is a network-layer attack that performs DNS spoofing over LTE connections to redirect traffic, unrelated to device hardware exploitation.
C. SIM card attack: This type of attack targets the SIM card itself (e.g., SIM swapping, Simjacker) to compromise the phone number, not to monitor speaker output.
---
1. Guri, M., Zadov, B., & Elovici, Y. (2020). Spearphone: A New Eavesdropping Attack on Mobile Devices. 2020 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops). In the abstract (Section I), the paper states, "we show how attackers can turn a smartphone into an eavesdropping device, even when the microphone is completely disabled at the OS level... Our method is based on the observation that speech played from the device's loudspeaker propagates through the device's body as vibrations, which can be picked up by the motion sensors." https://doi.org/10.1109/PerComWorkshops48775.2020.9156193
2. Rupprecht, D., Kohls, K., Holz, T., & Pöpper, C. (2018). Breaking LTE on Layer Two. 2018 IEEE Symposium on Security and Privacy (SP). Section IV describes the aLTEr attack as a DNS spoofing method, stating, "The aLTEr attack abuses the missing integrity protection of user plane data to redirect the victim to a malicious server by altering DNS packets." This confirms it is a network-level attack. https://doi.org/10.1109/SP.2018.00008
3. Makkaveev, S. (2018, August 8). Man-in-the-Disk: A New Attack Surface for Android Apps. Check Point Research. This official research report defines the attack: "Man-in-the-Disk... our research found that the way Android applications use this resource [External Storage] often leaves them vulnerable to attack and can lead to the application crashing, leaking of private user data... or even execution of malicious code." This shows the attack targets data on storage, not audio.
4. AdaptiveMobile Security. (2019, September 12). Simjacker - Next Generation Spying Over Mobile. This official vendor discovery report details the Simjacker vulnerability, a type of SIM card attack, explaining it "can be used to retrieve other information like language, radio type, battery level etc... and cause denial of service by disabling the SIM card." This confirms the target is the SIM and associated services.
Question 32
B. Passive assessment: This involves gathering information without actively engaging the target systems (e.g., through sniffing or open-source intelligence). Jude's process implies active probing to identify exploits, which is not passive.
C. Host-based assessment: This focuses on the vulnerabilities of individual machines (hosts) within the network, often requiring internal access or credentials. The scenario describes an assessment of the network perimeter from the outside.
D. Application assessment: This is a more specific type of assessment that targets vulnerabilities within a particular software application (e.g., a web application). The question describes a broader network-level assessment.
---
1. NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment: Section 3.2, "Assessment Methods," describes security assessments from various locations. It states, "Organizations should perform testing from several logical and physical locations... Testing from outside the organization's security perimeter provides a view of the environment as an outside attacker would see it." This directly supports the concept of an external assessment as described in the question.
2. Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Learning. Chapter 11, "Vulnerability Assessment and Penetration Testing," distinguishes between external and internal assessments. External assessments are defined as tests against the public-facing infrastructure to determine what an outside attacker can see and exploit, which matches the scenario.
3. University of Washington, CSE 484: Computer Security & Privacy, Lecture 18, "Network Security & Firewalls": Course materials often differentiate between assessment types. External assessments are characterized as probing the network perimeter (firewalls, public servers) from the public internet to discover attack vectors, which is precisely what Jude is performing.
Question 33
B. Operational threat intelligence: This intelligence provides context on specific threat actor campaigns and motivations (the "who, what, and why"). It is more for human analysis than direct machine consumption.
C. Tactical threat intelligence: This focuses on the tactics, techniques, and procedures (TTPs) of threat actors. It helps security analysts understand how adversaries operate to improve defensive strategies, not just block specific IoCs.
D. Strategic threat intelligence: This is high-level, non-technical information for senior leadership to understand cybersecurity risks and trends, informing long-term security posture and investment decisions.
1. Conti, G., & Raymond, D. (2018). On the Intersection of Cyber Threat Intelligence and Data Science. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. This paper discusses the different types of intelligence, noting that technical intelligence is "consumed by network defense technologies" and includes "indicators such as IP addresses, file hashes, or domain names" (Section 2.1, "Types of CTI"). DOI: https://doi.org/10.1145/3243734.3243829
2. National Institute of Standards and Technology (NIST). (2016). NIST Special Publication 800-150, Guide to Cyber Threat Information Sharing. This guide outlines different types of threat indicators. It describes how specific observables like IP addresses and file hashes are used for "near real-time" automated blocking and detection by security tools, which aligns with the definition of technical intelligence (Section 2.2.1, "Indicators").
3. Kirtland, K. (2016). Threat Intelligence: What It Is, and How to Use It Effectively. SANS Institute Reading Room. This whitepaper, often used in academic settings, defines technical threat intelligence as focusing on specific IoCs that can be used for immediate detection and remediation, noting its use in "firewalls, IDS, and other security devices" (Page 3, "Levels of Threat Intelligence").
Question 34
A. ARIN: Incorrect. The American Registry for Internet Numbers (ARIN) serves the United States, Canada, and parts of the Caribbean, not Europe.
B. APNIC: Incorrect. The Asia-Pacific Network Information Centre (APNIC) serves the Asia-Pacific region, which does not include France.
D. LACNIC: Incorrect. The Latin America and Caribbean Network Information Centre (LACNIC) serves Latin America and parts of the Caribbean.
1. RIPE Network Coordination Centre (RIPE NCC). "RIPE NCC Service Region." The official RIPE NCC documentation lists all countries in its service region, which explicitly includes France. Retrieved from https://www.ripe.net/about-us/our-organisation/service-region.
2. Internet Assigned Numbers Authority (IANA). "Regional Internet Registries." IANA, which oversees global IP allocation, defines the role and general service areas of the five RIRs, confirming RIPE NCC's responsibility for the European region. Retrieved from https://www.iana.org/numbers.
3. Fall, K. R., & Stevens, W. R. (2011). TCP/IP Illustrated, Volume 1: The Protocols (2nd ed.). Addison-Wesley Professional. Chapter 2, "Link Layer," discusses the address allocation structure, noting that RIRs like RIPE NCC are responsible for allocations in major geographic areas such as Europe.
4. University of California, Berkeley, EECS Department. "Lecture 1: Introduction to the Internet." In course materials for CS 168, the structure of Internet administration is outlined, identifying RIPE NCC as the RIR for Europe. (Specific course materials vary by semester, but this is a foundational topic.)
Question 35
A. DNS rebinding attack: This attack manipulates DNS resolution to circumvent the browser's same-origin policy, which is not the mechanism described in the scenario.
B. Clickjacking attack: This is a UI-based attack that tricks a user into clicking on a concealed element, not an attack that involves compromising a website to deliver malware.
C. MarioNet attack: This is a specific technique for creating a browser-based botnet using WebRTC, a more specialized attack than the general method described.
1. MITRE ATT&CK Framework. (2023). Drive-by Compromise, Technique T1189. MITRE. Retrieved from https://attack.mitre.org/techniques/T1189/. The framework notes, "One variation of this technique is the 'watering hole' and is used to target a specific group of victims. A watering hole is a website or web server that hosts content or services that are of interest to the targeted victim group."
2. National Institute of Standards and Technology (NIST). (n.d.). Glossary: Watering Hole Attack. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary/term/wateringholeattack. The NIST glossary defines a watering hole attack as, "A targeted attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware."
3. Al-Shehari, T., & Al-Shammari, R. (2020). A Survey on Watering Hole Attacks. International Journal of Advanced Computer Science and Applications, 11(1). https://doi.org/10.14569/IJACSA.2020.0110179. Section II, "Watering Hole Attack," states, "In this attack, the attacker profiles the victims to know the websites they visit frequently. Then, the attacker infects one or more of these websites with malware."
