In a tense red team exercise at a mid-sized university in Austin, Texas, an ethical hacker named Jake targeted a legacy Linux server in the engineering department. Late one afternoon, he discovered TCP port 2049 was open during his first sweep, suggesting hidden file-sharing capabilities. Intrigued, Jake used a standard utility to request a list of remote file systems shared across the network, aiming to map accessible resources. Meanwhile, he idly checked for Telnet access and probed a time-sync service out of routine, but both proved fruitless on this host. Which enumeration method is actively demonstrated in this scenario?
Correct Answer: A
NFS Enumeration is the correct choice because the scenario is centered on TCP port 2049 and the use of a standard utility to list exported remote file systems. In CEH-aligned reconnaissance and enumeration, port 2049 is the primary service port for Network File System (NFS). When a tester identifies 2049 as open on a Linux or UNIX-like host, a common next step is to enumerate NFS exports to learn which directories are shared and what access rules apply. The "standard utility" described is consistent with tools such as showmount, which queries the target to retrieve a list of exported file systems and, in some cases, the clients allowed to mount them. This directly supports the stated objective of "requesting a list of remote file systems shared across the network" to map accessible resources. The distractor checks mentioned in the scenario reinforce why the answer is NFS. Telnet enumeration would relate to TCP 23 and interactive plaintext terminal access, not file-share exports. NTP enumeration aligns with UDP 123 and focuses on time synchronization information and server behavior, not shared directories. SNMP enumeration typically involves UDP 161 and extracts device and system details via community strings and management information bases. NetBIOS enumeration is associated with Windows networking services such as UDP 137 and TCP 139, which are unrelated to NFS on 2049. Therefore, the active enumeration method demonstrated is NFS enumeration through export listing on TCP port 2049.
312-50v13 Exam Question 47
A penetration tester is evaluating a web application that does not properly validate the authenticity of HTTP requests. The tester suspects the application is vulnerable to Cross-Site Request Forgery (CSRF). Which approach should the tester use to exploit this vulnerability?
Correct Answer: B
CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request, usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user's active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.
312-50v13 Exam Question 48
A payload drops a database table by injecting ; DROP TABLE users; --. What SQL injection method was used?
Correct Answer: A
This attack is a classic example of Piggybacked SQL Injection, covered in CEH v13 Web Application Hacking. Piggybacked queries allow attackers to append additional malicious SQL commands to an existing query using a delimiter such as a semicolon. The payload executes the original query followed by a destructive command (DROP TABLE). UNION-based injections retrieve data, Boolean-based injections infer logic, and error-based injections rely on error messages, not destructive execution. CEH v13 explicitly describes piggybacked queries as capable of data destruction and privilege escalation, making Option A correct.
312-50v13 Exam Question 49
At a New York-based e-commerce company preparing for Black Friday sales, analyst Sarah evaluates cloud billing practices. She notices that the provider tracks compute hours, storage usage, and bandwidth consumption in detail, enabling the company to pay only for what is consumed while also supporting audits. Which cloud computing characteristic best explains this feature?
Correct Answer: A
The correct answer is A. Measured service because the scenario describes a core cloud characteristic where resource usage is metered, monitored, controlled, and reported, enabling pay-as-you-go billing and supporting accountability and auditability. In CEH cloud computing coverage (aligned with standard cloud definitions), measured service refers to the cloud provider's ability to automatically track and quantify consumption of resources such as CPU/compute time, storage capacity, memory, and network bandwidth. This metering is fundamental to cloud economics: customers pay based on actual usage rather than fixed, up-front infrastructure costs. In the Black Friday context, demand is bursty and unpredictable. Measured service allows the organization to scale resources up during peak shopping hours and scale down afterward, while billing remains tied to what was truly consumed. This is especially important for cost control in e-commerce environments where overprovisioning for peak loads on-premises would be expensive and inefficient. Additionally, because the provider records usage in detail, the organization can perform chargeback/showback internally, validate invoices, and maintain evidence for audits and compliance reviews, all of which depend on accurate, granular measurement. Why the other options are not the best fit: Broad network access describes availability over networks and access via standard mechanisms (not usage tracking). On-demand self-service refers to users provisioning resources automatically without human interaction from the provider (not billing metering). Resource pooling refers to multi-tenant pooling of provider resources dynamically assigned and reassigned according to demand (again, not the billing/audit measurement function). Therefore, the feature of detailed tracking of compute hours, storage usage, and bandwidth consumption that supports pay-per-use and auditing is best explained by measured service.
312-50v13 Exam Question 50
During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?
Correct Answer: C
CEH reconnaissance and enumeration modules explain that LDAP services often support anonymous binding by default unless explicitly disabled. Anonymous bind allows unauthenticated users to query certain directory attributes, which can lead to disclosure of usernames, organizational hierarchy, and email addresses, all critical information for password attacks, phishing campaigns, and privilege escalation planning. In the scenario described, the tester obtained directory data without providing any credentials, demonstrating that anonymous bind permissions were enabled. LDAPS requires TLS encryption and authentication, which contradicts the observed access. Kerberos authentication mandates valid credentials. LDAP via RADIUS is used for authentication integration, not for information disclosure. Since the query was successful with no authentication and no access controls triggered, this aligns exactly with CEH's description of anonymous LDAP binding.