The tool described matches Fern WiFi Cracker because CEH wireless assessment workflows commonly reference GUI-based auditing utilities that combine packet capture, wireless injection support, and key recovery attempts in one interface. The scenario specifically mentions three core capabilities: capturing wireless packets, sending de-authentication frames to trigger client reconnects, and attempting to recover the encryption key. Those steps align with the typical WPA cracking methodology discussed in CEH learning paths: capture the WPA handshake when a client connects, optionally force a reconnection by sending de- authentication frames, then perform an offline attack against the captured handshake using a wordlist or brute- force approach. Fern WiFi Cracker is known for presenting these functions through a graphical interface, making it a common example of an "all-in-one" Wi-Fi auditing tool.
The other options are defensive monitoring and prevention platforms, not offensive auditing tools used to actively deauthenticate clients or attempt key recovery. RFProtect, Cisco Adaptive Wireless IPS, and WatchGuard Wi-Fi Cloud WIPS are Wireless Intrusion Prevention and Monitoring solutions designed to detect rogue access points, identify attacks such as deauthentication floods, enforce wireless security policies, and generate alerts for security teams. They are used to stop or respond to attacks rather than conduct packet capture plus key-recovery attempts as part of an assessment.
Because the question emphasizes a single graphical interface that captures traffic, injects deauth frames, and attempts key recovery, the correct match among the choices is Fern WiFi Cracker.

TCP port 102 is strongly associated with Siemens S7 communications, commonly referred to as S7comm, which is used by Siemens SIMATIC S7 PLC families and related engineering and HMI components in OT environments. In CEH coverage of ICS and SCADA reconnaissance, identifying industrial protocols by their well-known ports is a standard first step because it quickly narrows down device type, vendor ecosystem, and likely attack surface. When Ethan targets TCP 102 and the scan reveals PLC models used in the automation process, that aligns directly with enumerating Siemens SIMATIC S7 PLCs, since S7comm typically operates over ISO-on-TCP on port 102.
The other options do not match the port-protocol pairing described. Modbus TCP most commonly uses TCP port 502, so "scanning Modbus devices" would be associated with 502 rather than 102. "Capturing Modbus TCP traffic using Wireshark" is passive sniffing and also would focus on Modbus traffic patterns on 502, not an active Nmap sweep on 102. Omron PLCs may use different protocols and ports depending on model and configuration, but TCP 102 is the canonical indicator for Siemens S7 in most defensive and offensive playbooks taught for OT discovery.
From a defensive perspective, CEH-aligned best practices emphasize segmenting OT networks, restricting access to engineering ports like 102, monitoring for scanning behavior, and enforcing allowlisted communications between SCADA, HMIs, and PLCs to reduce the risk of unauthorized enumeration and follow-on manipulation.

This is best explained by credentialed scanning because the scanner is given administrator-level credentials, and the SIEM confirms successful logins occurred during the scan. Credentialed scans authenticate to the target systems (via SMB/WMI/WinRM for Windows, SSH for Linux/Unix, APIs for certain platforms) and then perform deeper inspection from an "inside" perspective. That allows the scanner to enumerate details that are not reliably visible from unauthenticated network probing-such as installed patch levels, local security policy settings, registry permissions, configuration files, running services with their exact versions, and misconfigurations that require local access to verify.
The scenario's outcomes strongly match this: the scan takes significantly longer, which is common because authenticated checks involve logging in and performing many local queries; the results include weak registry permissions, outdated patches, and insecure configuration files, all of which typically require authenticated access to assess comprehensively. In addition, credentialed scanning reduces false positives and improves accuracy, because it can confirm vulnerability conditions directly rather than inferring from banners or open ports.
Why the other options are less accurate:
Non-credentialed scanning (D) is performed from an external perspective without logins; it would not normally retrieve detailed registry/config file permission findings, and SIEM logs would not show successful authentication events caused by the scanner.
External scanning (A) describes the scan's network location (outside the organization) rather than the authentication mode. You can do external credentialed scans, but the defining feature here is authenticated logins and deep host checks.
Internal scanning (C) also refers to where the scan originates. While the scan might be internal, the question's key differentiator is that admin credentials were used to log in and gather detailed local information.
Therefore, the scan type is B. Credentialed Scanning.

The most direct technique demonstrated is D. Compromising secrets, because the attackers abused exposed API keys to authenticate to the cloud provider and execute unauthorized cloud commands. In CEH-aligned cloud attack paths, "secrets" commonly include API keys, access tokens, secret keys, passwords, certificates, and service account credentials. When these secrets are exposed (for example, hard-coded in source code, leaked in public repositories, stored insecurely in endpoints, or logged accidentally), an attacker can use them to gain the same privileges as the legitimate account or service identity.
Once valid API keys are obtained, attackers typically perform actions consistent with the compromised identity's permissions: spinning up compute, modifying IAM policies, accessing storage, disabling logging, creating new credentials, and pivoting across services. The incident description mentions both resource abuse and lateral movement. Resource abuse is a frequent consequence of stolen cloud credentials because attackers can provision infrastructure on the victim's account (often for botnets, staging, or other activities). Lateral movement inside the cloud environment can happen when the compromised keys grant access to additional services or when the attacker uses the initial foothold to discover and access other roles, instances, or secrets (for example, by querying metadata services, reading configuration stores, or enumerating IAM privileges).
Why the other options are less accurate: Cryptojacking specifically refers to illicit cryptocurrency mining using hijacked resources; while "resource abuse" could include mining, the key distinguishing factor in the question is the use of exposed API keys to issue commands, which is fundamentally credential/secret compromise. Enumerating S3 buckets is a reconnaissance activity focused on object storage discovery and misconfigurations, not the central mechanism here. A wrapping attack relates to specific cloud/identity token wrapping scenarios and is not indicated by exposed API keys.
Therefore, the incident most clearly demonstrates compromising secrets (exposed API keys).

CEH v13 defines passive reconnaissance as information gathering without interacting directly with the target or alerting them. The goal is to remain undetected while collecting intelligence from publicly available sources.
Directly interacting with a threat actor on forums-even under a pseudonym-constitutes active engagement
. CEH v13 warns that such interaction risks exposure, attribution, and legal complications. It can alert the adversary, cause them to alter behavior, or even retaliate.
WHOIS lookups, DNS queries, archived web content, and anonymous browsing are all passive techniques endorsed in CEH v13. These methods do not notify the target and leave minimal trace.
Thus, Option A should be avoided to maintain a low profile.