The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.
Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.
FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

The CEH Web Application Attacks module explains tautology-based SQL injection as an attack where input alters a conditional statement to always evaluate as TRUE (e.g., ' OR '1'='1').
Submitting a single quote often breaks query logic and allows attackers to manipulate authentication conditions.
Option D is correct.
Option A extracts data.
Option B relies on error messages.
Option C uses timing delays.
CEH identifies tautology attacks as one of the earliest and most common SQL injection techniques.

WPA with TKIP suffers from vulnerabilities inherited from WEP, particularly the use of weak Initialization Vectors (IVs). CEH v13 explains that these weaknesses allow attackers to perform packet injection and partial decryption attacks.
Although WPA improved upon WEP, TKIP was designed as a temporary solution and still relies on predictable IV behavior. This makes Option C correct.
Lack of AES (Option A) explains why WPA is weaker than WPA2 but does not directly describe the exploit mechanism. Weak passwords (Option D) affect authentication, not packet injection. GTK predictability (Option B) is relevant but not the primary cause here.
CEH v13 explicitly states that IV reuse and predictability in TKIP enable practical attacks. Therefore, Option C is correct.

CEH v13 describes Cross-Site Request Forgery (CSRF) as a technique that forces authenticated users to unknowingly execute actions within a web application without their intent. Unlike session hijacking methods that require stealing or replaying session cookies, CSRF exploits the trust relationship that the server has with a user's browser. Even with HTTPS, secure cookies, and MFA, once a user is authenticated, the browser automatically sends session cookies with each request. If the attacker convinces the victim to load a maliciously crafted webpage or URL, the browser sends a forged request to the target application, executing actions under the user's authenticated session. CEH notes that secure cookies and MFA do not stop CSRF because no credentials are stolen-only forced actions occur. This technique is sophisticated because it leaves minimal traces, avoids direct cookie manipulation, bypasses robust authentication mechanisms, and leverages design weaknesses rather than technical misconfigurations. Protection typically requires anti-CSRF tokens and proper origin validation.

This scenario demonstrates a classic case of Session Fixation, a session hijacking technique explicitly covered under the CEH v13 Web Application Hacking module. Session fixation occurs when an attacker sets or predicts a valid session identifier and forces a victim to authenticate using that same session ID.
In the given question, two critical vulnerabilities are highlighted:
* The session ID is embedded in the URL
* The application does not regenerate the session ID after login
According to CEH v13, secure applications must regenerate session identifiers after successful authentication to prevent fixation attacks. If this does not occur, an attacker can craft a URL containing a known session ID and trick the victim into clicking it. Once the victim logs in, the attacker reuses the same session ID to gain unauthorized access.
CEH documentation states that session fixation is particularly effective when:
* Session IDs are passed via URL parameters
* Sessions persist across authentication
* Secure cookie attributes are not enforced
Other options are incorrect because:
* XSS-based cookie theft requires client-side script injection.
* DNS cache poisoning is unrelated to session management.
* CSRF exploits user trust but does not directly hijack sessions.
Thus, Session Fixation by pre-setting the token in a URL is the most effective attack in this case.