The payload that would have the most significant impact in the case of a successful SQL injection attack is OR 'a'='a; DROP TABLE members; --. This payload combines the manipulation of the WHERE clause with a destructive action, causing data loss. This payload works as follows:
The OR 'a'='a part of the payload is a logical expression that is always true, regardless of the input or the condition of the SQL statement. This part of the payload allows the attacker to bypass any authentication or authorization checks that may be implemented in the SQL statement, such as a login form or a search query.
The ; part of the payload is a statement terminator that marks the end of the current SQL statement and allows the attacker to inject another SQL statement after it. This part of the payload enables the attacker to execute multiple SQL statements in a single query, which is also known as stacked queries or batched queries.
The DROP TABLE members part of the payload is a destructive SQL statement that deletes the entire table named members from the database. This part of the payload causes data loss and may compromise the functionality and integrity of the application that relies on the table. The table name may vary depending on the target database, but the attacker can use other techniques, such as error-based or union-based SQL injection, to discover the table names before executing the drop statement.
The - part of the payload is a comment symbol that tells the SQL engine to ignore the rest of the query. This part of the payload helps the attacker to avoid any syntax errors or unwanted results that may arise from the original query.
The other options are not as impactful as option C for the following reasons:
A). 'OR 'T="1: This payload manipulates the WHERE clause of an SQL statement, allowing the attacker to view unauthorized data. This payload is a common and basic SQL injection technique that injects a logical expression that is always true, such as 'OR 'T="1 or 'OR 1=1, to bypass the authentication or authorization checks of the SQL statement. This payload can allow the attacker to view data that they are not supposed to, such as user credentials, personal information, or financial records. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.
B). 'OR username LIKE '%: This payload uses the LIKE operator to search for a specific pattern in a column.
This payload is a variation of the previous payload that injects a logical expression that is always true, such as
'OR username LIKE '% or 'OR 1 LIKE '%, to bypass the authentication or authorization checks of the SQL statement. The LIKE operator is used to compare a value with a pattern that may contain wildcard characters, such as % or _, which match any string or character. This payload can allow the attacker to view data that matches the pattern, such as usernames that start with a certain letter or contain a certain substring. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.
D). UNION SELECT NULL, NULL, NULL - : This payload manipulates the UNION SQL operator, enabling the attacker to retrieve data from different database tables. This payload is an advanced SQL injection technique that injects the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, which is then returned as part of the HTTP response. The UNION operator can be used to join the results from different tables that have the same number and type of columns. The NULL values are used to match the column types and avoid any errors. This payload can allow the attacker to retrieve data from tables that are not intended to be accessed by the application, such as system tables, configuration tables, or backup tables. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.
References:
1: SQL Injection - OWASP Foundation
2: SQL Injection Payloads: How SQLi exploits work - Bright Security
3: SQL Injection - HackTricks

A Stealth or Tunneling Virus is designed specifically to evade detection by antivirus software and system monitoring tools. These viruses work by intercepting and modifying the operating system's service call interrupts (such as INT 13h and INT 21h in DOS systems), which are used to access files or system services.
By hooking into these interrupts, the virus can return clean or forged data to antivirus scanners, thus hiding its malicious presence from detection tools.
Tunneling viruses may also operate at a lower level to evade even more advanced antivirus detection methods, making them particularly dangerous and hard to detect.
Reference - CEH v13 Official Study Guide:
Module 6: Malware Threats
Section: Types of Viruses
Quote:
"Tunneling viruses attempt to avoid detection by antivirus programs by installing themselves in the interrupt handler chain. These viruses intercept operating system calls to conceal their activities." Incorrect Options Explained:
A). Macro viruses target applications like Microsoft Word/Excel and use embedded macros, but do not alter service call interrupts.
C). Cavity viruses insert code into empty spaces in files without changing the file size but do not modify interrupts.
D). Polymorphic viruses mutate their code to avoid signature-based detection but do not typically interfere with system interrupts directly.

Comprehensive and Detailed Explanation:
The Snort rule syntax:
alert tcp any any # 192.168.1.0/24 111
This means: Alert on TCP traffic from any IP and any port, going to any host in the 192.168.1.0/24 subnet on destination port 111.
The content "|00 01 86 a5|" identifies a mountd access signature pattern.
Port 111 is used by SunRPC (commonly associated with mountd in UNIX environments).
From CEH v13 Courseware:
Module 13: IDS, Firewalls and Honeypots # Understanding Snort Rules
Reference:Snort User Manual - Rule Syntax and Interpretation

Passive reconnaissance is emphasized throughout CEH as an essential method for gathering intelligence without alerting monitoring systems. When the tester cannot interact with the live site, they must rely entirely on third-party archives or cached content stored by search engines or internet archival services. Google's cache function provides previously stored versions of web pages exactly for this purpose. CEH explains that attackers frequently use cached content to retrieve outdated login portals, administrative pages, exposed directories, or other sensitive elements that may no longer appear on the live web server. Unlike operators such as intext or intitle, which query live indexed metadata, the cache operator retrieves historical snapshots without accessing the target website. The link operator identifies backlinks but does not provide historical page content. Only the cache operator directly supports viewing previous versions of pages passively, aligning perfectly with the requirement to avoid detection while gathering intelligence on legacy web content.

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities-including phishing and email scams.
From CEH v13 Official Courseware:
* Module 1: Introduction to Ethical Hacking
* Topic: U.S. Laws Related to Cybercrime
CEH v13 Study Guide states:
"Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems." Incorrect Options:
* B: Relates to credit cards and access devices.
* C: Covers interference with government communication systems.
* D: Covers illegal wiretapping and eavesdropping.
Reference:United States Code - Title 18, Section 1030 (Computer Fraud and Abuse Act)