A null user is a special connection made to a Windows system without providing a username or password. In older versions of Windows (NT, 2000, XP), null sessions could be used to anonymously connect to IPC$ share and enumerate:
Users
Groups
Shares
Policies
From CEH v13 Courseware:
Module 4: Enumeration # Null Sessions
CEH v13 Study Guide states:
"Null users are unauthenticated sessions used to access certain system resources without credentials. These are commonly used in enumeration attacks." Reference:CEH v13 Study Guide - Module 4: Null Sessions and SMB EnumerationMicrosoft KB Article Q143474 - Restricting Anonymous Access

In CEH v13 Module 12: Hacking Web Applications, Burp Suite is introduced as a powerful proxy-based tool used for intercepting, modifying, and analyzing HTTP/S traffic between a client and a web application.
Key Features of Burp Suite:
Captures all HTTP requests and responses.
Allows for manual testing of input parameters, headers, and cookies.
Includes tools such as Intruder, Repeater, Scanner, and Decoder.
Helps detect vulnerabilities such as XSS, SQLi, CSRF, and insecure session handling.
Option Review:
A). Maskgen: Used for generating masks, not a web proxy.
B). Dimitry: A footprinting tool, not used for request/response testing.
C). Burpsuite: Correct. Designed for web application vulnerability analysis.
D). Proxychains: Used to chain proxies for anonymity, not for HTTP traffic analysis.
Reference:
Module 12 - Web Application Testing Tools
CEH iLabs: Using Burp Suite for Manual Vulnerability Discovery

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

The most effective attack method for the penetration tester to exploit these vulnerabilities and attempt unauthorized access would be to execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials. A Brute Force attack is a hacking method that uses trial and error to crack passwords, login credentials, or encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations' systems and networks1. In this scenario, the tester can take advantage of the fact that the application does not lock out users after multiple failed login attempts, which means the tester can try as many combinations as possible without being blocked.
The tester can also use the detailed error messages that disclose whether the username or password entered is incorrect, which can help narrow down the search space and reduce the number of guesses needed. For example, if the tester enters a wrong username and a wrong password, and the application responds with
"Invalid username", the tester can eliminate that username from the list of candidates and focus on finding the correct one. Similarly, if the tester enters a correct username and a wrong password, and the application responds with "Invalid password", the tester can confirm that username and focus on finding the correct password. By using automated tools or scripts, the tester can perform a Brute Force attack faster and more efficiently.
The other options are not as effective or feasible as option A for the following reasons:
B). The tester could exploit a potential SQL Injection vulnerability to manipulate the application's database:
This option is not feasible because there is no indication that the application is vulnerable to SQL Injection, which is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database2. The application uses form-based authentication, which does not necessarily involve SQL queries, and the error messages do not reveal any SQL syntax or structure. Moreover, even if the application was vulnerable to SQL Injection, the tester would need to craft a malicious SQL query that can bypass the authentication mechanism and grant access to the application, which may not be possible or easy depending on the database design and configuration.
C). The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection: This option is not effective because there is no evidence that the application is vulnerable to XSS, which is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application by injecting malicious scripts3. The application uses HTTP headers to prevent clickjacking attacks, which are a type of attack that tricks a user into clicking on a hidden or disguised element on a web page4. However, this does not imply that the application is vulnerable to XSS, which requires a different type of injection point and payload. Moreover, even if the application was vulnerable to XSS, the tester would need to find a way to deliver the malicious script to a legitimate user who is already authenticated, and then capture the stolen session cookies from the user's browser, which may not be feasible or easy depending on the application's design and security measures.
D). The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack: This option is not feasible because a MitM attack is a type of attack that requires the attacker to insert themselves between two parties who believe that they are directly communicating with each other, and then relay or alter the communications between them5. In this scenario, the tester would need to intercept the HTTP traffic between the user and the application, and then modify the HTTP headers to remove or weaken the clickjacking protection. However, this would require the tester to have access to the network infrastructure or the user's device, which may not be possible or easy depending on the network security and encryption. Moreover, even if the tester could perform a MitM attack, the tester would still need to trick the user into clicking on a malicious element on a web page, which may not be possible or easy depending on the user's awareness and behavior.
References:
1: What is a Brute Force Attack? | Definition, Types & How It Works - Fortinet
2: What is SQL Injection? Tutorial & Examples | Web Security Academy
3: Cross Site Scripting (XSS) | OWASP Foundation
4: What is Clickjacking? | Definition, Types & Examples - Fortinet
5: Man-in-the-middle attack - Wikipedia

Operational Technology and ICS environments often suffer from misconfigurations such as unchanged factory-default passwords. CEH identifies exploiting default credentials as a direct and effective method because ICS devices frequently lack strong authentication controls. Using these built-in credentials grants immediate unauthorized access to supervisory controls, enabling adversaries to manipulate configurations, disrupt processes, or escalate attacks across critical systems.