Covert channel communication is one of the most sophisticated evasion techniques described in CEH v13 Evasion Techniques. By embedding malicious data within unused or rarely inspected protocol fields (such as IP headers), attackers can bypass firewalls, IDS, and IPS systems entirely.
Unlike polymorphic malware (Option C), which can still be detected using behavior analysis, covert channels blend seamlessly into legitimate traffic. Packet fragmentation (Option D) is well-known and often mitigated.
Honeypot spoofing (Option B) is rare and defensive in nature.
CEH v13 emphasizes that covert channels are difficult because:
* They do not violate protocol specifications
* They evade signature-based and stateful inspection
* They appear as normal traffic
Detecting covert channels often requires deep protocol analysis and statistical traffic inspection, making them extremely challenging to mitigate.
Thus, Option A is the correct answer.

According to the Certified Ethical Hacker (CEH) attack methodology, once reconnaissance, footprinting, and website mirroring have been completed, the attacker proceeds cautiously to exploitation while maintaining stealth. CEH documentation emphasizes that low-noise, application-layer attacks are preferable when the objective is to minimize detection.
Option B, attempting SQL Injection, aligns directly with CEH's Web Application Hacking module. SQL Injection is a server-side attack that can often be executed through normal-looking HTTP requests, making it less likely to trigger intrusion detection systems (IDS) or security alerts. CEH materials highlight SQL injection as a common and effective technique for extracting sensitive data such as usernames, passwords, and business-critical information without disrupting server operations.
Option A is incorrect because immediately modifying server configuration files after session hijacking significantly increases the risk of detection. CEH guidelines stress post-exploitation restraint, especially during red team operations.
Option C is not ideal at this stage because automated vulnerability scanners generate substantial traffic and are highly detectable. CEH explicitly notes that vulnerability scanning is noisy and often logged.
Option D is the least stealthy option. Brute-force attacks generate numerous failed authentication attempts, triggering security alerts and account lockouts. CEH classifies brute-force attacks as high-risk and easily detectable.
Therefore, SQL Injection represents the most effective and stealthy next step in accordance with CEH's structured attack lifecycle.

The correct answer is Information warfare. CEH introductory security coverage explains that information warfare involves coordinated use of information systems, influence operations, disruption, deception, and attacks on digital infrastructure to affect perception, decision-making, and institutional stability. The question includes manipulation of digital media, disruption of communications, and degradation of critical systems, all aimed at weakening a target without traditional military confrontation. That broad strategic combination goes beyond cyber espionage, which focuses on covert intelligence collection, and beyond hacktivism, which is typically ideologically motivated digital protest or disruption. Cyberterrorism can involve fear and critical infrastructure attacks, but the scenario is framed more comprehensively around coordinated influence and infrastructure effects as part of a broader conflict model. CEH materials use information warfare to describe conflict conducted through control, corruption, disruption, or weaponization of information and information systems. Because the activities target both perception and operational capability at a national scale, the most accurate classification is Information Warfare.

According to CEH v13 Web Application and Server Security, regular patching and updates are the most effective way to reduce server attack surfaces. Vulnerabilities in web servers, proxies, and supporting services are frequently exploited if patches are delayed.
While architectural choices and directory placement influence organization, they do not mitigate known vulnerabilities. Changing IP addresses does not prevent exploitation, and moving directories does not address underlying software flaws.
CEH v13 consistently emphasizes patch management as a primary defensive control. Therefore, Option C is correct.

The correct answer is Nikto. CEH web server security coverage identifies Nikto as a specialized open-source web server vulnerability scanner designed to assess HTTP and HTTPS services for dangerous files, insecure default content, outdated server versions, and version-specific problems. The scenario mentions examination of server headers, detection of installed web server software, checks for outdated components, identification of dangerous files and misconfigurations, SSL support, and exportable reporting. Those characteristics align closely with Nikto's typical use in CEH-style web server assessments. OpenVAS, Nessus, and Qualys VM are broad vulnerability management platforms with much wider enterprise coverage, but the question describes a focused HTTP-server scanner rather than a full-spectrum infrastructure scanner. CEH materials frequently present Nikto in the context of web server enumeration and vulnerability discovery after the tester has identified the target web platform. It is especially useful for quickly checking internet-facing servers for known risky files, weak configurations, and outdated software. Because the assessment is centered on the specific exposure of web servers and matches the recognized feature set of Nikto, option D is the best answer.