An Android device has an unpatched permission-handling flaw and updated antivirus. What is the most effective undetected exploitation approach?
Correct Answer: C
CEH v13 explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit using obfuscation is far more likely to evade detection. Metasploit payloads and rootkits are commonly flagged, and SMS phishing relies on user interaction. Therefore, custom obfuscated exploit code is the most stealthy and effective method.
312-50v13 Exam Question 187
You are an ethical hacker at Titan Cyber Defense, hired by BrightWave Publishing in New York City to assess the security of their content management system (CMS). While testing the article search function, you input malformed strings such as multiple single quotes. The application responds with system feedback that unexpectedly reveals the database type and internal query structure, including table and column information. You use these disclosures to better understand how the backend query is built. Which of the following methods to detect SQL injection are you employing?
Correct Answer: B
The correct answer is B, Testing String. The scenario describes the classic SQL injection detection step: the tester submits special characters and malformed input, most notably single quotes ('), and watches how the application handles them and whether it returns database error feedback. If the input is concatenated into a query without validation, escaping, or parameterization, a single quote (or several) breaks the intended SQL syntax. The backend then often returns error messages that disclose the DBMS type (for example MySQL, Microsoft SQL Server, or Oracle), query fragments, and sometimes table or column names. That is exactly what was observed: "system feedback that unexpectedly reveals the database type and internal query structure."

CEH-style SQL injection identification calls this method "testing strings": using quote characters, delimiters, comment markers, and other metacharacters to see whether the application is vulnerable and whether errors or abnormal behavior occur. The goal is not to fully exploit the injection immediately but to confirm that input is being interpreted as part of an SQL statement and to collect clues that help the tester model the backend query before proceeding with authorized validation steps.

Why the other options are less accurate: Function testing is a broader web-testing concept and not the specific SQLi detection tactic shown. Dynamic testing refers to testing an application while it is running to observe its behavior, but it does not name this specific SQLi discovery technique. Fuzz testing sends large volumes of random or semi-random unexpected input to trigger crashes or errors; multiple quotes could be part of a fuzzing run, but the described method is the targeted, well-known testing-string approach used to elicit informative SQL errors. Therefore, the method being employed is Testing String.
312-50v13 Exam Question 188
You perform a FIN scan and observe that many ports do not respond to FIN packets. How should these results be interpreted?
Correct Answer: D
According to CEH v13 Network Scanning Techniques, a FIN scan is a stealth scanning method that sends TCP packets with only the FIN flag set. Its behavior relies on RFC 793, which specifies that a closed port must answer an unexpected FIN with a TCP RST, while an open port silently drops the packet. Silence is therefore ambiguous by design: it is what an open port produces, but it is also what a firewall, IDS/IPS, or hardened TCP/IP stack produces when it drops the probe regardless of port state. (Some stacks, notably Microsoft Windows and many Cisco devices, send RST for every probe regardless of state, so a FIN scan against them shows everything as closed.) When a FIN scan gets no response from a large number of ports, it does not conclusively indicate that those ports are open; CEH v13 stresses that this pattern commonly points to packet filtering by firewalls or other security controls.

Option A is incorrect because a lack of response does not definitively mean the ports are closed. Option B is an overreaction; stealth-scan anomalies alone do not indicate a breach. Option C is unlikely because congestion would affect multiple protocols rather than selectively suppress FIN responses. CEH v13 recommends that when FIN scans produce ambiguous results, analysts correlate findings using additional scan types (such as a SYN scan) and investigate firewall rules and filtering behavior. Thus, option D is the most accurate interpretation and aligns with CEH guidance.
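The following is an added example, not part of the CEH material, that turns the RFC 793 reasoning above into an interpreter for FIN-scan results. It classifies each port the way Nmap's `-sF` does (RST means closed, no reply means open|filtered, an ICMP unreachable error with code 1, 2, 3, 9, 10 or 13 means filtered) and then looks at the whole result set: when most probed ports are silent it reports likely filtering and recommends a SYN scan for correlation, rather than reporting the ports open. The per-port responses and the 80% threshold are constructed assumptions for illustration.

```python
"""Added example (not from the CEH material): interpret FIN-scan responses per
RFC 793 and Nmap's -sF reporting, and flag a result set dominated by silence
as probable filtering rather than a list of open ports.

Each probed port maps to what came back: None (no reply), ("RST",) or
("ICMP", type, code). The sample at the bottom is constructed.
"""
from collections import Counter

# ICMP type 3 codes Nmap treats as "filtered" for FIN/NULL/Xmas scans.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

# Assumed threshold: above this share of silent ports, suspect filtering.
SILENT_THRESHOLD = 0.8


def classify_port(response):
    """Map one FIN-probe response to an Nmap-style port state.

    RFC 793: a closed port answers RST; an open port stays silent. A firewall
    that drops the probe is also silent, hence 'open|filtered', not 'open'.
    """
    if response is None:
        return "open|filtered"
    if response[0] == "RST":
        return "closed"
    if response[0] == "ICMP" and response[1] == 3 and response[2] in FILTERED_ICMP_CODES:
        return "filtered"
    return "unknown"


def interpret_scan(results, silent_threshold=SILENT_THRESHOLD):
    """Classify every port and return (states, verdict) for the result set."""
    states = {port: classify_port(resp) for port, resp in results.items()}
    counts = Counter(states.values())
    total = len(states) or 1
    silent_ratio = counts["open|filtered"] / total
    if silent_ratio >= silent_threshold:
        verdict = ("likely packet filtering (firewall/IDS dropping FIN probes); "
                   "correlate with a SYN scan before calling any port open")
    elif counts["closed"] == len(states):
        verdict = ("every port answered RST: either all closed, or a stack that RSTs "
                   "every probe (e.g. Windows), so the FIN scan is uninformative")
    else:
        verdict = "mixed responses: RFC-compliant stack; open|filtered ports are candidates"
    return states, verdict


# Constructed sample: ten ports probed, only 22 and 80 produced any reply.
SAMPLE_RESULTS = {
    21: None, 22: ("RST",), 23: None, 25: None, 53: None,
    80: ("ICMP", 3, 13), 110: None, 143: None, 443: None, 3389: None,
}

if __name__ == "__main__":
    states, verdict = interpret_scan(SAMPLE_RESULTS)
    for port, state in sorted(states.items()):
        print(f"{port:>5}/tcp  {state}")
    print("verdict:", verdict)
```

On a real target the same rules are applied by `nmap -sF`, and the recommended correlation is `nmap -sS` against the same ports: a port that is silent to FIN but answers SYN/ACK to SYN is open, one that is silent to both is being filtered.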
312-50v13 Exam Question 189
A penetration tester is assessing an organization's cloud infrastructure and discovers misconfigured IAM policies on storage buckets. The IAM settings grant read and write permissions to any authenticated user. What is the most effective way to exploit this misconfiguration?
Correct Answer: C
CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. "Any authenticated user" is broader than it sounds: in AWS the AuthenticatedUsers ACL group means any AWS account in the world, and GCP's allAuthenticatedUsers likewise means anyone with a Google account, so the grant is effectively public. If any authenticated cloud account is permitted read/write access, an attacker can simply authenticate with their own cloud identity and interact directly with the misconfigured storage buckets, enabling data exfiltration or manipulation.
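The following is an added example, not part of the CEH material, that shows the misconfiguration beside its corrected form and what an attacker with any cloud identity gains from it. It uses the AWS S3 bucket ACL shape (the structure returned by S3 GetBucketAcl, which boto3 exposes as `get_bucket_acl`); the two ACL documents and the owner ID are constructed, and no cloud access is needed to run it.

```python
"""Added example (not from the CEH material): detect the "any authenticated
user" grant in an S3 bucket ACL and show the hardened ACL beside it.

The AuthenticatedUsers group is *any* AWS account, not just accounts in your
organization, so READ/WRITE to it is effectively public. Both ACL documents
below are constructed in the shape S3 GetBucketAcl returns.
"""

AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
WORLD_GROUPS = {AUTHENTICATED_USERS: "any AWS account", ALL_USERS: "anonymous internet"}

# Misconfigured: READ and WRITE handed to every authenticated AWS account.
MISCONFIGURED_ACL = {
    "Owner": {"ID": "owner-canonical-id"},  # constructed placeholder
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

# Corrected: only the owning account holds rights. Cross-account access, if
# needed, belongs in a bucket policy scoped to named principals, not an ACL group.
HARDENED_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    ],
}


def overbroad_grants(acl):
    """Return [(who, permission)] for every grant to a world-wide group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS:
            findings.append((WORLD_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def exploit_impact(acl):
    """Translate overbroad grants into what an attacker with any AWS identity can do."""
    perms = {p for _, p in overbroad_grants(acl)}
    impact = []
    if perms & {"READ", "FULL_CONTROL"}:
        impact.append("list and download objects (data exfiltration)")
    if perms & {"WRITE", "FULL_CONTROL"}:
        impact.append("upload, overwrite or delete objects (data manipulation)")
    if perms & {"WRITE_ACP", "FULL_CONTROL"}:
        impact.append("rewrite the ACL itself (persistence)")
    return impact


if __name__ == "__main__":
    for name, acl in (("misconfigured", MISCONFIGURED_ACL), ("hardened", HARDENED_ACL)):
        print(name, overbroad_grants(acl), exploit_impact(acl))
```

In a live assessment the proof is as simple as the explanation says: with the tester's own AWS credentials configured, `aws s3 ls s3://<bucket>` and `aws s3 cp` succeed against the misconfigured bucket, and `aws s3api get-bucket-acl --bucket <bucket>` returns the ACL this function inspects.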
312-50v13 Exam Question 190
Under the neon glow of Seattle's skyline, ethical hacker Elena Vasquez slips into her role as a cybersecurity consultant for Cascade Financial's online banking platform. Tasked with probing the web server's defenses, Elena simulates a series of rapid login attempts to the admin portal. She notes that the system allows unlimited tries without locking the account, exposing a gap that could invite relentless password-guessing attacks. Determined to safeguard the bank's assets, Elena drafts a recommendation to fortify the server's authentication process against such threats. What countermeasure should Elena recommend to strengthen Cascade Financial's web server against the vulnerability identified?
Correct Answer: C
The weakness described is a classic online password-guessing condition: the application permits unlimited authentication attempts without any throttling, lockout, or challenge mechanism. In CEH guidance, this exposure enables brute-force attacks and automated credential stuffing, where attackers rapidly test many passwords or reused credential pairs until successful. A practical and commonly recommended control at the web application layer is adding CAPTCHA challenges to the login workflow, especially after a small number of failed attempts or when anomalous behavior is detected. CAPTCHA increases the cost of automation by forcing human interaction, directly disrupting high-speed scripted guessing against the admin portal. While implementing MFA is an excellent additional safeguard and is strongly encouraged for privileged access, the question asks for the best countermeasure to address the specific issue of unlimited rapid attempts. CAPTCHA is a direct mitigation for automated login abuse, and CEH commonly pairs it with rate limiting, progressive delays, and account lockout policies. Periodic password changes do not prevent an attacker from guessing a password today, and CEH materials note that forced rotation can even reduce security if it drives predictable password patterns. Strong password hashing such as bcrypt, scrypt, or Argon2 is critical for protecting stored passwords if a database is compromised, but it does not stop online guessing against the login form itself. Therefore, the most fitting countermeasure for the identified vulnerability is using CAPTCHA challenges on login and registration pages, ideally combined with throttling and lockout for stronger defense in depth.
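The following is an added example, not part of the CEH material and not Cascade Financial's code, showing how the controls named in the answer (CAPTCHA after a few failures, progressive delay, temporary lockout) fit together in a login guard. The thresholds (CAPTCHA after 3 failures, lockout after 10 for 15 minutes, delay doubling from 1 second) and the replayed attacker traffic are constructed assumptions; the point is the decision order and the fact that an attacker who automates CAPTCHA solving still runs into the delay and the lock.

```python
"""Added example (not from the CEH material): a login guard that gates the
admin portal with CAPTCHA, progressive delay and temporary lockout.

Policy values are assumptions chosen for illustration. Failure counters are
kept per account and per source IP so that both a hammered admin account and
a credential-stuffing run that spreads across accounts trip the CAPTCHA.
"""
import time

CAPTCHA_AFTER = 3      # failures before a CAPTCHA is demanded
LOCK_AFTER = 10        # consecutive failures before the account locks
LOCK_SECONDS = 900     # temporary lock (15 min), so lockout is not a permanent DoS lever
BASE_DELAY = 1.0       # seconds; doubles per failure past the CAPTCHA threshold


class LoginGuard:
    def __init__(self):
        self._user_failures = {}   # user -> consecutive failures
        self._ip_failures = {}     # ip -> failures seen from that address
        self._locked_until = {}    # user -> unix time the lock expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def requires_captcha(self, user, ip):
        """Either a hammered account or a busy source address triggers CAPTCHA."""
        return (self._user_failures.get(user, 0) >= CAPTCHA_AFTER
                or self._ip_failures.get(ip, 0) >= CAPTCHA_AFTER)

    def required_delay(self, user):
        """Progressive delay: 0 until the CAPTCHA threshold, then 1, 2, 4 ... seconds."""
        count = self._user_failures.get(user, 0)
        if count < CAPTCHA_AFTER:
            return 0.0
        return BASE_DELAY * 2 ** (count - CAPTCHA_AFTER)

    def record_failure(self, user, ip, now):
        self._user_failures[user] = self._user_failures.get(user, 0) + 1
        self._ip_failures[ip] = self._ip_failures.get(ip, 0) + 1
        if self._user_failures[user] >= LOCK_AFTER:
            self._locked_until[user] = now + LOCK_SECONDS
        return self._user_failures[user]

    def record_success(self, user):
        self._user_failures.pop(user, None)

    def check_attempt(self, user, ip, now, captcha_solved=False):
        """Decide what the login handler does before it even checks the password."""
        if self.is_locked(user, now):
            return "locked"
        if self.requires_captcha(user, ip) and not captcha_solved:
            return "captcha_required"
        return "proceed"


def simulate_brute_force(attempts, captcha_solved=False):
    """Replay a scripted guessing run against 'admin' from one address.

    Constructed traffic: every attempt uses a wrong password, one per second.
    captcha_solved=True models an attacker using a CAPTCHA-solving service.
    """
    guard = LoginGuard()
    outcomes = []
    for i in range(attempts):
        now = 1_700_000_000 + i
        decision = guard.check_attempt("admin", "203.0.113.7", now, captcha_solved)
        outcomes.append(decision)
        if decision == "proceed":
            time.sleep(0)  # a real handler would sleep guard.required_delay("admin")
            guard.record_failure("admin", "203.0.113.7", now)
    return outcomes


if __name__ == "__main__":
    print("plain bot:     ", simulate_brute_force(6))
    print("captcha solver:", simulate_brute_force(12, captcha_solved=True))
```

The order of checks matters: lockout is evaluated first, then CAPTCHA, and only then is the password verified, so a blocked attempt never reaches the credential store. The lock is deliberately temporary; a permanent per-account lock would let an attacker deny the real administrator access simply by failing ten logins.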