TCP port 389 is the default port for LDAP (Lightweight Directory Access Protocol). The tester's actions- performing an anonymous bind and querying directory contents with structured search filters to extract usernames and organizational information-are definitive indicators of LDAP enumeration. LDAP is commonly used for centralized directory services (including environments integrated with Active Directory via LDAP interfaces). If misconfigured to allow anonymous binds or overly permissive searches, an attacker can retrieve valuable identity and structure data.
The scenario describes obtaining usernames, departmental details, and organizational units (OUs). Those are typical LDAP directory attributes and containers. Enumerating them can directly support follow-on attack paths: building targeted password-spraying lists, crafting spear-phishing that references accurate internal roles, identifying privileged groups, and mapping the organization's structure to prioritize high-value targets.
Even without direct credential compromise, directory disclosure increases attacker effectiveness.
Why the other options are incorrect:
SMTP enumeration (A) focuses on email systems (e.g., VRFY/EXPN/RCPT TO behaviors) and typically uses TCP/25 or related mail ports, not 389.
DNS enumeration (B) involves querying DNS records (A/AAAA, MX, NS, TXT, zone transfers) and does not involve directory binds or LDAP filters.
NTP enumeration (D) relates to time services (UDP/123) and provides timing/monlist-style information, not user/OU directory attributes.
Because the service is on TCP/389 and the technique involves binds and directory searches, the correct classification is C. LDAP Enumeration.

Local File Inclusion vulnerabilities arise when a web application incorporates user-supplied input into file- handling functions without proper sanitization. CEH courseware emphasizes that attackers can leverage directory traversal sequences (such as ../../) to escape the intended directory structure and access sensitive local files. An LFI payload commonly targets system files like /etc/passwd on Linux to extract user information or escalate the attack further.

This question focuses on API Security, Webhooks abuse, and Webshell mitigation, all of which are addressed in the CEH v13 Web Application Hacking and Security Operations modules. The most appropriate corrective action is Option D, as it directly addresses the root causes and persistence mechanisms of the compromise.
According to CEH v13, attackers frequently exploit improper input validation in APIs and insecure webhook implementations to inject malicious payloads or gain remote command execution. Webhooks, when not properly validated, can accept malicious requests that trigger backend processes, making them a common vector for API abuse.
Input validation on all API endpoints is critical to prevent injection attacks, including command injection and SQL injection. CEH v13 explicitly emphasizes validating request parameters, headers, and payload structures to prevent malicious manipulation.
Reviewing webhook payloads ensures that only trusted sources can trigger automated actions, preventing attackers from abusing webhook functionality. This includes validating signatures, enforcing authentication, and restricting allowed payload formats.
Finally, regular scanning for webshells is essential because webshells provide persistent backdoor access.
CEH v13 identifies webshell detection as a key defensive measure during incident response and post- exploitation containment.
Other options are incomplete:
A WAF alone cannot detect all webshells.
IP blocking is ineffective against spoofed or cloud-based attacks.
MFA and server hardening are valuable but do not directly address webhook abuse or existing webshells.
Therefore, Option D provides the most comprehensive, CEH v13-aligned mitigation strategy.

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

CEH teaches that certain advanced intrusion evasion techniques rely on understanding how firewalls differentiate between new connections and established traffic. Most perimeter firewalls scrutinize SYN packets and initial HTTP requests but allow ACK packets from established sessions to pass with minimal filtering. ACK tunneling leverages this behavior by embedding malicious payloads inside ACK packets, which appear to be part of a legitimate, pre-established session. Because ACK packets are often considered " safe, " they bypass deep inspection engines, intrusion detection systems, and application-layer gateways. This method allows attackers to move data or commands covertly between compromised internal systems and external hosts. CEH references such evasion strategies when discussing bypassing stateful firewalls and making malicious traffic appear legitimate. Port knocking and SYN scans would initiate new connections- precisely what the firewall is heavily inspecting. ICMP flooding is noisy and easily detected. ACK tunneling is specifically designed for stealth and is aligned with red team tradecraft for avoiding packet-level inspection mechanisms.