Multiple failed login attempts using expired tokens are followed by successful access with a valid token. What is the most likely attack scenario?
Correct Answer: D
This scenario strongly suggests a race condition attack in the application's token validation logic, as described in CEH v13 Web Application Hacking. A race condition occurs when an application processes multiple requests simultaneously and fails to properly synchronize validation checks. The presence of multiple failed attempts using expired tokens followed by successful access within a short time window indicates the attacker exploited a timing flaw. During this window, the system may have inconsistently validated token expiration, allowing an expired token to be accepted. Option A is unlikely because the logs specifically reference expired tokens. Option B is incorrect because replaying expired tokens should fail unless a validation flaw exists. Option C is highly improbable due to token entropy. CEH v13 highlights race conditions as advanced logic flaws that are difficult to detect and often missed during standard testing. They are commonly exploited in authentication, payment processing, and session management systems. Therefore, Option D is the correct and CEH-aligned answer.
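The timing detail in the explanation above is what a detection engineer would key on: a handful of expired-token failures packed into a fraction of a second and immediately followed by a success looks different from a single stale token that a client refreshes a minute later. The following is an added example (not code from the original page or from any CEH material) that parses constructed log lines in a hypothetical format and flags exactly that pattern; the line format, field names, IP addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from the original page):
#   "<ISO timestamp> auth src=<ip> result=<success|failure> reason=<code>"
# First source: a tight burst of expired-token failures followed by success (flag).
# Second source: one expired token, refreshed 32 s later (normal, do not flag).
# Third source: a burst of wrong passwords (brute force, but not the expired-token pattern).
SAMPLE_LOG = """\
2025-02-03T10:15:02.100 auth src=198.51.100.7 result=failure reason=token_expired
2025-02-03T10:15:02.180 auth src=198.51.100.7 result=failure reason=token_expired
2025-02-03T10:15:02.250 auth src=198.51.100.7 result=failure reason=token_expired
2025-02-03T10:15:02.310 auth src=198.51.100.7 result=failure reason=token_expired
2025-02-03T10:15:02.520 auth src=198.51.100.7 result=success reason=token_ok
2025-02-03T10:16:40.000 auth src=203.0.113.5 result=failure reason=token_expired
2025-02-03T10:17:12.000 auth src=203.0.113.5 result=success reason=token_ok
2025-02-03T10:18:00.000 auth src=192.0.2.9 result=failure reason=bad_password
2025-02-03T10:18:00.200 auth src=192.0.2.9 result=failure reason=bad_password
2025-02-03T10:18:00.400 auth src=192.0.2.9 result=failure reason=bad_password
2025-02-03T10:18:00.600 auth src=192.0.2.9 result=success reason=token_ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) result=(?P<result>\w+) reason=(?P<reason>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, src, result, reason) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["result"], m["reason"]))
    return events


def detect_expired_burst_then_success(events, window=timedelta(seconds=2), min_failures=3):
    """
    Flag a source that produced at least `min_failures` 'token_expired' failures within
    `window` before a successful authentication. A lone expired token refreshed seconds
    or minutes later is ordinary client behaviour; a sub-second burst immediately
    followed by success is the pattern the scenario describes.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, (ts, _, result, _) in enumerate(evs):
            if result != "success":
                continue
            burst = [
                f for f in evs[:i]
                if f[2] == "failure" and f[3] == "token_expired" and ts - f[0] <= window
            ]
            if len(burst) >= min_failures:
                alerts.append({
                    "src": src,
                    "success_at": ts,
                    "expired_failures": len(burst),
                    "burst_span_s": (burst[-1][0] - burst[0][0]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_expired_burst_then_success(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is it reports only 198.51.100.7: four expired-token failures spanning about 0.2 s, then a success 0.4 s after the first failure. The password-guessing burst from 192.0.2.9 is deliberately not matched, since it is a different attack and would be handled by a separate brute-force rule.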
312-50v13 Exam Question 207
You are Noah Kim, an ethical hacker at Quantum Cyber Solutions, hired to test the mobile device security of TechTrend Innovations, a tech firm in Austin, Texas. During a covert assessment, your objective is to simulate an attacker attempting to gain privileged access to an iPhone 12 running iOS 14.5 used for proprietary app development. You apply a jailbreaking technique that allows the device to fully restart without requiring a computer, maintaining a patched kernel and enabling access to sensitive app data in the file system. Based on this method, which iOS jailbreaking technique are you using?
Correct Answer: B
Untethered jailbreaking is the only option that matches every characteristic described: the device can reboot normally without a computer, and the jailbreak remains active after the restart with its kernel patches still in effect. In CEH-aligned mobile security concepts, the main difference among jailbreak types is what happens after a reboot. A tethered jailbreak requires a computer to boot the device at all; if the phone restarts while disconnected, it will not complete the boot process. That contradicts the scenario, which explicitly says the device can fully restart without a computer. A semi-tethered jailbreak lets the phone reboot without a computer, but it boots into a non-jailbroken state; kernel patching and elevated privileges are unavailable until the jailbreak is re-applied with a computer-based tool. A semi-untethered jailbreak likewise boots normally without a computer and likewise loses the jailbreak on reboot, but it can be re-activated from an app on the device itself rather than from a computer, so privileged access still has to be regained after every restart. The scenario states that the restart occurs while still "maintaining a patched kernel" and continuing access to protected filesystem data, which indicates persistence across reboots. That persistence is the defining feature of an untethered jailbreak. From a defensive and assessment perspective it is the highest-risk variant, because it provides continuous post-reboot privileged access, widening the window for data access, tampering, and persistence mechanisms compared with jailbreak states that a reboot resets.
312-50v13 Exam Question 208
During a red team assessment at New England Insurance in Boston, ethical hacker Daniel sends a series of spoofed TCP packets carrying the reset flag to a server hosting client applications. As a result, several active sessions between employees and the server are abruptly terminated, causing temporary disruption of legitimate work. Daniel uses this demonstration to highlight how attackers can forcibly tear down sessions without completing a full hijack. Which type of network-level session hijacking technique is Daniel simulating?
Correct Answer: B
The technique described is RST hijacking because the attacker sends spoofed TCP packets with the RST (reset) flag to forcibly terminate established TCP sessions. In TCP, an RST segment immediately aborts a connection. If an attacker can craft packets that appear to belong to an existing session (matching the 4-tuple of source and destination addresses and ports, and carrying a sequence number the receiving stack will accept), the receiving endpoint tears down the connection. This creates disruption, with sessions dropping, users being disconnected, and applications reporting errors, without the attacker needing to fully take over the session or inject meaningful application data. The scenario matches this exactly: "spoofed TCP packets carrying the reset flag," followed by "active sessions...abruptly terminated." That is the hallmark outcome of RST-based session disruption. It is often used as a demonstration of how fragile sessions can be when an attacker can spoof traffic from an on-path position (or from the same network segment, where sequence numbers can be read off the wire) and when defensive controls do not validate or protect sessions adequately. Why the other options are incorrect: UDP hijacking (A) does not apply because UDP is connectionless and has no RST flag or session teardown mechanism like TCP's. Blind hijacking (C) refers to injecting traffic without seeing responses (guessing sequence numbers); the specific mechanism asked about here is reset-flag termination, and "blind" describes how an attack may be carried out, not the named technique. TCP/IP hijacking (D) is a broader category that includes multiple methods of taking over or manipulating TCP sessions. The question is specifically about using RST packets to kill sessions, which is most precisely called RST hijacking. Therefore, the correct answer is B. RST Hijacking.
312-50v13 Exam Question 209
An attacker uses many plaintext-ciphertext pairs and applies statistical analysis to XOR combinations of specific bits. Which technique is being used?
Correct Answer: C
This scenario describes Linear Cryptanalysis, a technique detailed in CEH v13 Cryptography. Linear cryptanalysis involves finding linear approximations that relate plaintext bits, ciphertext bits, and key bits using XOR operations. By analyzing a large number of known plaintext-ciphertext pairs, attackers can identify statistical biases that reveal information about the secret key. CEH v13 explains that linear cryptanalysis differs from differential cryptanalysis in its approach. While differential cryptanalysis studies how differences in plaintext affect differences in ciphertext, linear cryptanalysis focuses on linear relationships and probability distributions. The mention of XOR combinations and statistical analysis of plaintext-ciphertext pairs directly aligns with linear cryptanalysis. Brute-force attacks attempt all keys without analysis. Differential cryptanalysis focuses on input differences, not linear equations. Side-channel attacks exploit physical characteristics such as power consumption or timing. Modern block ciphers like AES are designed to resist linear cryptanalysis by ensuring that linear approximations occur with probabilities close to random. CEH v13 highlights linear cryptanalysis as a foundational attack method used to evaluate cipher strength. Therefore, Option C is correct.
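The statistical step the explanation refers to is concrete enough to run on a toy cipher. The following added example (not code from the original page or from CEH material) builds the linear approximation table of a 4-bit S-box, picks the approximation with the largest bias, and then applies Matsui's Algorithm 1 to known plaintext/ciphertext pairs of the one-round toy cipher C = S(P xor K0) xor K1 to recover one bit of key information, the parity a.K0 xor b.K1. The S-box is the one from Heys' well-known cryptanalysis tutorial; the toy cipher, the key values and the function names are assumptions made for the example.

```python
# Toy 4-bit S-box (Heys' tutorial S-box) used to illustrate linear cryptanalysis.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x):
    """XOR of all bits of x (a.x for masks is parity(a & x))."""
    return bin(x).count("1") & 1


def linear_approximation_table(sbox):
    """LAT[a][b] = #{x : a.x xor b.S(x) = 0} - N/2.

    Each entry is the scaled bias of the linear approximation a.X xor b.S(X) = 0;
    an entry of 0 means the relation holds exactly half the time (no information).
    """
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            holds = sum(1 for x in range(n) if parity(a & x) ^ parity(b & sbox[x]) == 0)
            table[a][b] = holds - n // 2
    return table


def best_approximation(table):
    """Return the nontrivial (input_mask, output_mask, bias) with the largest |bias|."""
    best = (0, 0, 0)
    for a in range(1, len(table)):
        for b in range(1, len(table)):
            if abs(table[a][b]) > abs(best[2]):
                best = (a, b, table[a][b])
    return best


def encrypt(p, k0, k1):
    """Toy one-round cipher (assumption for the example): C = S(P xor K0) xor K1."""
    return SBOX[p ^ k0] ^ k1


def recover_key_parity(pairs, a, b, bias):
    """Matsui's Algorithm 1.

    With X = P xor K0 and Y = C xor K1 the approximation's bias carries over to
    the pairs:  a.P xor b.C = (a.X xor b.Y) xor (a.K0 xor b.K1).
    So a.P xor b.C = 0 is observed with probability 1/2 + bias when the key
    parity is 0, and 1/2 - bias when it is 1. Counting over enough pairs reveals
    that parity bit.
    """
    zeros = sum(1 for p, c in pairs if parity(a & p) ^ parity(b & c) == 0)
    majority_zero = zeros > len(pairs) / 2
    return 0 if majority_zero == (bias > 0) else 1


def attack(k0, k1):
    """Collect all 16 known plaintext/ciphertext pairs under a key the attacker does
    not see and recover a.K0 xor b.K1. Returns (a, b, bias, recovered, actual)."""
    a, b, bias = best_approximation(linear_approximation_table(SBOX))
    pairs = [(p, encrypt(p, k0, k1)) for p in range(16)]
    recovered = recover_key_parity(pairs, a, b, bias)
    actual = parity(a & k0) ^ parity(b & k1)
    return a, b, bias, recovered, actual


if __name__ == "__main__":
    a, b, bias, recovered, actual = attack(0xB, 0x5)  # constructed key
    print(f"best approximation: in-mask {a:04b}, out-mask {b:04b}, bias {bias}/16")
    print(f"recovered key parity {recovered}, actual {actual}")
```

With a 4-bit S-box all 16 plaintexts can be used, so the count is exact and the parity bit is always recovered; on a real block cipher the same counting is done over a large random sample of pairs, and the number needed grows as the inverse square of the bias, which is why AES-class S-boxes are chosen to keep every LAT entry small.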
312-50v13 Exam Question 210
An ethical hacker needs to gather detailed information about a company's internal network without initiating any direct interaction that could be logged or raise suspicion. Which approach should be used to obtain this information covertly?
Correct Answer: B
Passive reconnaissance focuses on collecting information without directly touching or interacting with the target's systems. CEH materials stress that any action that sends network traffic to the target, such as scanning, probing, fingerprinting, or enumeration, creates logs and increases the risk of detection. Email headers, by contrast, are an excellent source of passive intelligence: the chain of Received: headers and client-added headers can reveal internal IP addressing, routing paths, mail server hostnames, internal domain naming conventions, and the software in use, without any interaction with the target environment. Since these headers are already in the ethical hacker's possession through legitimate communication records, examining them generates no traffic and triggers no monitoring systems. SSL certificates and WHOIS data provide valuable external information, but they rarely disclose internal addressing schemes. Active scanning tools, such as Nmap, would immediately violate the requirement to avoid detection. Therefore, analyzing previously received email headers is the most effective and covert method for extracting internal network details during the reconnaissance phase.
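A quick way to see what the explanation above means in practice is to walk the Received: chain of a message and pull out the hop hosts and any RFC 1918 addresses they expose. The following added example (not code from the original page) does that over a constructed message; the hostnames, addresses, domains and mailer string are all invented for the example, and the ".local"-style suffix list used to mark a host as internal is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message (hypothetical hosts and addresses, not from the original page).
# The bottom-most Received: header is the first hop, added closest to the sender.
RAW_MESSAGE = """\
Received: from mx-edge.example.com (mx-edge.example.com [203.0.113.10])
\tby mail.consultant.example (Postfix) with ESMTPS id 1A2B3C
\tfor <noah@consultant.example>; Mon, 3 Feb 2025 10:15:02 +0000
Received: from EXCH01.corp.techtrend.local (10.20.30.40)
\tby mx-edge.example.com (Postfix) with ESMTP id 4D5E6F;
\tMon, 3 Feb 2025 10:14:58 +0000
Received: from [192.168.5.77] (DESKTOP-7QX.corp.techtrend.local [192.168.5.77])
\tby EXCH01.corp.techtrend.local with Microsoft SMTP Server id 15.2.1118.20;
\tMon, 3 Feb 2025 10:14:55 +0000
X-Mailer: Microsoft Outlook 16.0
From: Alice Example <alice@techtrend.example>
To: noah@consultant.example
Subject: Re: onboarding

Hello Noah,
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted names whose last label starts with a letter (skips version numbers like 15.2.1118.20).
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z][A-Za-z0-9-]*)\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed suffixes that mark a hostname as internal naming rather than a public domain.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".intranet", ".corp")


def is_rfc1918(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def analyse_received_headers(raw):
    """Walk the Received: chain sender-first and collect hosts, internal hosts,
    RFC 1918 addresses and the client software advertised in X-Mailer."""
    msg = message_from_string(raw)
    hops = (msg.get_all("Received") or [])[::-1]  # reverse so hop 0 is the origin side
    hosts, internal_hosts, private_ips = [], [], []
    for hop in hops:
        text = re.sub(r"<[^>]*>", "", hop)  # drop <user@domain> so it is not read as a host
        for ip in IP_RE.findall(text):
            if is_rfc1918(ip) and ip not in private_ips:
                private_ips.append(ip)
        for host in HOST_RE.findall(text):
            if host not in hosts:
                hosts.append(host)
            if host.lower().endswith(INTERNAL_SUFFIXES) and host not in internal_hosts:
                internal_hosts.append(host)
    return {
        "hops": hops,
        "hosts": hosts,
        "internal_hosts": internal_hosts,
        "private_ips": private_ips,
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    result = analyse_received_headers(RAW_MESSAGE)
    for key in ("internal_hosts", "private_ips", "mailer"):
        print(f"{key}: {result[key]}")
```

On the constructed message this surfaces a workstation naming pattern and an Exchange host under corp.techtrend.local, two RFC 1918 addresses from different internal subnets, and the mail client version, all from headers already in the tester's mailbox. Only addresses in the RFC 1918 ranges are reported as internal; the edge relay's 203.0.113.10 is left out even though it is a reserved documentation address, because the point is internal addressing rather than global reachability.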