CEH v13 states that DNS server hijacking occurs when attackers compromise the authoritative DNS infrastructure and alter DNS zone records to redirect all legitimate queries to malicious destinations. Unlike DNS cache poisoning, which affects specific resolvers temporarily, server hijacking manipulates the core DNS authority controlling the domain. This results in a complete redirect for all users, regardless of geographic location or device configuration. CEH emphasizes that such attacks can lead to large-scale credential theft, phishing, financial fraud, and session compromise because the attacker presents an identical clone site while retaining full control of DNS routing. DNS tunneling is used for covert data exfiltration and does not redirect traffic. DNS rebinding targets browser policies, not global DNS redirection. DNS amplification is a volumetric DDoS technique unrelated to zone manipulation. The scenario matches DNS server hijacking exactly.

The CEH Web Application Hacking module identifies Session Fixation as a powerful session management attack that can bypass advanced authentication controls, including MFA.
In session fixation, the attacker forces the victim to authenticate using a session ID already known to the attacker. Once authentication completes, the attacker hijacks the valid session without needing credentials.
Option A directly targets session management logic.
Option B exploits authorization logic, not session handling.
Option C is unrelated to session management.
Option D is mitigated by encrypted cookies and HTTPS.
CEH explicitly warns that applications must regenerate session IDs after authentication.

CEH identifies insecure data transfer as a critical IoT weakness. Outdated encryption protocols such as SSLv2 fail to protect confidentiality or integrity. Without strong encryption and authentication, attackers can intercept, decrypt, and manipulate video feeds.

The correct answer is Semi-Untethered Jailbreaking. CEH mobile platform material distinguishes jailbreak persistence based on what happens after a reboot. In this scenario, the iPhone restarts normally and remains usable for ordinary functions, but the jailbreak-specific capabilities are inactive until the user manually runs a jailbreak application on the device. No computer is needed for that reactivation. That is the defining behavior of semi-untethered jailbreaking. Tethered jailbreaking would require connection to a computer during reboot.
Untethered jailbreaking would remain fully active across restarts with no manual reactivation step. Semi- tethered wording is sometimes used in older materials to describe normal boot without an immediate computer dependency, but in CEH-style modern exam phrasing, the specific indicator that an on-device app must be launched to reapply the jailbreak points to semi-untethered. CEH mobile security guidance uses these distinctions to help analysts recognize persistence, forensic artifacts, and operational risk on compromised iOS devices. Because the system boots normally, loses jailbreak functionality after restart, and regains it only when the local jailbreak app is executed, the most accurate classification is Semi-Untethered Jailbreaking.

The technique described is decoy scanning. In CEH network scanning methodology, decoy scanning is used to make IDS and logging systems attribute scan traffic to multiple apparent sources instead of the attacker's true IP address. The attacker configures the scanner to generate additional probe packets that appear to originate from several spoofed decoy IP addresses, mixed with the real attacker's probes. This creates ambiguity for defenders because IDS alerts and firewall logs show many potential "scanners," complicating attribution and response actions such as blocking a single source.
A key detail in the prompt is that Lily "includes multiple spoofed IP addresses alongside her own" and still
"receives accurate results." That matches how decoy scanning works in tools like Nmap: the attacker's real IP must remain in the mix so that replies from the target return to the attacker, enabling accurate interpretation of port states. The decoys mainly exist to confuse monitoring and incident response teams by polluting the log trail.
Option C, IP spoofing, is too general and, by itself, typically prevents the attacker from receiving responses because return traffic goes to the spoofed address. Decoy scanning is a specific, structured use of spoofing combined with the real source to preserve results. Option A refers to stealth flag scans, which reduce handshake visibility but do not involve multiple spoofed sources. Option B, source routing, attempts to control packet paths and is not the described behavior. Therefore, the correct answer is Decoy Scanning.