Thomas is most likely using Follow TCP Stream. This Wireshark feature reconstructs the bidirectional application data carried over a TCP connection by reassembling packets in sequence into a readable conversation view. When traffic is unencrypted HTTP, the reassembled stream can reveal full request
/response content, including URLs, headers, form parameters, and-critically in this scenario-usernames and passwords transmitted in clear text (for example, within POST body parameters).
The scenario's language is a direct match: "reconstruct entire conversations between browsers and the server" and "reassembles packet data into a readable stream." That is exactly what Follow TCP Stream does: it groups packets that belong to the same TCP session and displays the payload as contiguous data, making it far easier than manually inspecting individual packets. This is commonly used during assessments and investigations to understand what data was exchanged, validate whether sensitive data is exposed, and confirm whether protections like TLS are properly applied.
Why the other options are not correct:
Filtering by IP Address (A) helps narrow the packet list to specific hosts but does not reconstruct conversations.
Display Filtering by Protocol (B) can isolate HTTP packets but still leaves the analyst to interpret individual packets without full reassembly.
Monitoring the Specific Ports (C) similarly narrows traffic (e.g., TCP/80 for HTTP) but does not present a reassembled readable session.
Because the goal is quick, readable reconstruction of HTTP login sessions over TCP, the correct answer is D.
Follow TCP Stream.

CEH v13 defines a white hat hacker as a security professional with explicit authorization to perform penetration testing, vulnerability assessments, and exploitation attempts within legal and contractual boundaries. Their objective is to strengthen security, not compromise it. White hats follow structured methodologies, document findings, and provide remediation recommendations. A black hat (Option A) acts maliciously and without permission. A grey hat (Option B) operates without authorization but without harmful intent, which is not compliant with corporate penetration testing procedures. Script kiddies (Option C) rely on pre-built tools without deep knowledge and are not employed for legitimate engagements.
Therefore, the individual described is a white hat, operating under legal and ethical guidelines with organizational consent.

The correct answer is A. Passive attack because the activity described involves monitoring and capturing information without altering data, system resources, or communications. In CEH-aligned information security concepts, passive attacks are defined by the attacker's goal of eavesdropping-observing traffic to collect intelligence such as usernames/passwords, session identifiers, network patterns, or sensitive content-while making minimal changes that would trigger detection. The scenario explicitly states that the actor is "silently capturing clear-text credentials" and "analyzing unencrypted traffic," and that "no modifications have been made to the data." These are signature indicators of passive attacks such as packet sniffing and traffic analysis.
On an internal Wi-Fi network, passive attacks are particularly effective when encryption is weak or absent, or when users access services that transmit credentials in clear text. An attacker can capture packets and reconstruct sensitive information, especially where legacy protocols or misconfigurations exist. Because passive attackers do not need to inject or modify packets, they often avoid generating anomalies such as retransmissions, spoofed responses, or unexpected routing changes-helping them remain undetected, consistent with the prompt.
Why the other options do not fit: Distribution attack is not the standard classification for this behavior and does not specifically describe silent observation of traffic. Close-in attack refers to attacks that depend on physical proximity (e.g., shoulder surfing, physical tapping, local interception near the target). While Wi-Fi sniffing can require proximity, the defining characteristic in the question is the non-invasive observation with no data modification-i.e., passive attack. Insider attack relates to the attacker's identity/role (a trusted internal person), which is not established here; the scenario only describes behavior, not who the actor is.
Therefore, the described credential capture and traffic analysis without modification most clearly indicates a passive attack.

CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests-an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

This scenario describes Living-off-the-Land (LotL) malware techniques, where attackers modify or abuse legitimate system binaries and services to evade detection. CEH v13 identifies this as a highly stealthy persistence mechanism commonly used in advanced persistent threats (APTs).
The most effective countermeasure is file integrity monitoring (FIM), specifically by tracking cryptographic hashes of critical system executables. CEH v13 emphasizes that monitoring file hashes enables early detection of unauthorized modifications to binaries such as PowerShell, cmd.exe, or Windows services.
Backups (Option A) aid recovery but do not prevent or detect compromise. Antivirus updates (Option C) often fail against modified legitimate tools. Firewall hardening (Option D) reduces attack surface but does not detect tampering of trusted binaries.
CEH v13 explicitly recommends hash-based integrity verification as a core defense against stealthy persistence mechanisms. Therefore, option B is correct.