The activity described is passive session hijacking because Sarah is only observing and capturing session- related information without altering, injecting, or disrupting the live client server communication. In CEH coverage of session hijacking, the key distinction is whether the attacker merely eavesdrops to obtain session identifiers or actively takes control of the session in real time. Passive hijacking focuses on sniffing traffic to collect authentication material such as session IDs, cookies, bearer tokens, or other credentials transmitted in cleartext or exposed through weak transport protections. The prompt explicitly says she "quietly collects session data" and does so "without interfering," which is the hallmark of passive hijacking.
This is commonly feasible when applications use unencrypted HTTP, weak TLS configurations, or when tokens are exposed in ways that can be captured on the network. Once obtained, the attacker can replay or reuse the stolen token to impersonate the victim, which matches Sarah's plan to later use the captured tokens to demonstrate risk in a controlled environment. CEH emphasizes that session tokens effectively become the user's identity after authentication; if an attacker can steal them, they can often bypass login entirely.
Option B, active session hijacking, would involve manipulating the connection, injecting packets, desynchronizing the client, or taking over the session live. Option A, session fixation, involves forcing a victim to use a session ID chosen by the attacker, not sniffing. Option C, man-in-the-browser, requires malware within the browser to intercept or modify transactions, which is not described. Therefore, Passive Session Hijacking is correct.

The described action is classic web server footprinting through banner grabbing. In CEH reconnaissance methodology, banner grabbing is used to identify a target's service details by eliciting and analyzing standard protocol responses. When Sofia sends a simple HTTP request such as GET / HTTP/1.0, the server often responds with HTTP headers that may include fields like Server and sometimes X-Powered-By, which can reveal the web server product and version, and occasionally information that hints at the underlying operating system or framework. This disclosure is valuable to attackers because it enables targeted exploitation: once the exact server and version are known, an attacker can correlate that information with known vulnerabilities, misconfigurations, and exploit code.
This is not information gathering from robots.txt, which is a web file used to suggest crawler behavior and sometimes reveals hidden paths but does not inherently expose server software versions. It is also not directory brute forcing, which involves systematically guessing directories and files to find hidden endpoints.
Vulnerability scanning is broader and typically involves automated checks to detect vulnerabilities; while banner information can be an input to scanning, the technique shown here is specifically identification through response headers.
CEH-aligned mitigation includes disabling or minimizing server signature information, removing unnecessary headers, keeping server software patched, and using secure configurations and reverse proxies to reduce information leakage during reconnaissance.

In CEH v13 Information Security and Ethical Hacking Overview, a penetration tester is defined as a trusted, authorized security professional hired to simulate real-world attacks in order to identify and exploit vulnerabilities with explicit permission.
The primary objectives of a penetration tester are:
Identify weaknesses in systems, networks, and applications
Demonstrate real-world impact of vulnerabilities
Help organizations improve their security posture
Unlike malicious hackers (Option A) or malware authors (Options B and D), penetration testers operate under strict legal and ethical guidelines, following scopes of engagement and reporting findings responsibly.
CEH v13 emphasizes that penetration testing is proactive defense, not crime. Therefore, Option C accurately defines the role.

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request-usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user's active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.