During a red team assessment at a university in Chicago, Jake, a penetration tester, scans a group of older Windows workstations in the administration department. On several hosts, he notices traffic on UDP ports 137 and 138 as well as an open TCP port 139. Curious, he uses a utility to query the name table and session services. Within moments, he collects information including machine names, logged-in usernames, and available shared folders without authentication. Which enumeration method is being demonstrated in this scenario?
Correct Answer: B
The correct answer is B, NetBIOS Enumeration, because the ports and services described map directly to NetBIOS over TCP/IP (NBT) and the actions align with querying the NetBIOS name table and session services. In Windows networking (especially on older systems), NetBIOS provides naming and session-layer services that can reveal valuable host and user information. Specifically, UDP 137 is used for the NetBIOS Name Service (NBNS), UDP 138 for the NetBIOS Datagram Service, and TCP 139 for the NetBIOS Session Service. Observing activity on UDP 137/138 and an open TCP 139 strongly indicates that NetBIOS services are reachable and can be interrogated. The scenario states that Jake "uses a utility to query the name table and session services," which is a hallmark of NetBIOS enumeration. NetBIOS name table queries can disclose machine names, domain/workgroup names, and sometimes logged-in usernames (depending on configuration and which names are registered). Session/service enumeration can reveal information about active sessions and available resources. The fact that Jake obtains machine names, usernames, and shared folders without authentication is consistent with weakly configured legacy Windows networking, where NetBIOS/SMB information disclosure is possible through null/unauthenticated queries. Why not the other options: NFS enumeration targets UNIX/Linux file sharing and is unrelated to ports 137-139. SNMP enumeration uses UDP 161/162 and relies on SNMP community strings, not NetBIOS naming/session queries. SMB enumeration is closely related and often overlaps operationally, but the question emphasizes "query the name table and session services" and explicitly references the classic NetBIOS port set (137/138/139), making NetBIOS enumeration the most precise classification for this behavior.
In practice, defenders mitigate this exposure by disabling NetBIOS where unnecessary, restricting these ports at network boundaries, enforcing SMB hardening, and limiting anonymous/null session information disclosure.
312-50v13 Exam Question 232
During a penetration test at Pinnacle Bank in Chicago, ethical hacker Sarah injects crafted TCP packets into an active communication between a customer's browser and the online banking server. The victim's connection becomes unstable, allowing Sarah's system to maintain communication with the server in place of the legitimate client. She later demonstrates to the IT team how attackers could forcibly take control of live sessions through this approach. Which type of session hijacking is Sarah performing in this scenario?
Correct Answer: B
The correct answer is B, Blind Hijacking, because the scenario describes injecting crafted TCP packets into an active client-server session to disrupt the legitimate client and take over the connection, without requiring the attacker to see (or fully rely on seeing) the server's responses. In CEH-aligned session hijacking classifications, blind hijacking is an active takeover technique at the TCP/session layer where the attacker forges packets (often with predicted or inferred TCP sequence numbers) to insert data into an existing session and potentially desynchronize the legitimate endpoints. By injecting traffic that causes instability (for example, triggering retransmissions, resets, or sequence/acknowledgment mismatches), the attacker can effectively push the victim out of sync or off the session while continuing to communicate with the server as if they were the client. The key clue is that Sarah "injects crafted TCP packets" into an "active communication," after which the "victim's connection becomes unstable" and Sarah's system "maintain[s] communication with the server in place of the legitimate client." This aligns with blind hijacking, where the attacker does not simply observe (passive) but actively manipulates the TCP stream to seize control. The attacker's goal is forced takeover of a live session, which often involves sequence prediction and packet injection to become the effective participant while the real client experiences disruption. Why the other options are incorrect: Passive session hijacking is eavesdropping on or monitoring traffic to capture session identifiers without altering the session; it does not involve injecting packets or destabilizing a connection. Man-in-the-Browser is a client-side attack (typically via malware in the browser) that manipulates transactions within the browser context; it is not a TCP packet injection technique.
Active session hijacking is a broad category and is true at a high level, but the question asks for the type, and the specific technique described (TCP injection causing takeover) maps most directly to blind hijacking in CEH-style terminology. Therefore, Sarah is demonstrating blind session hijacking.
312-50v13 Exam Question 233
During a security penetration test at Sterling Manufacturing in Cleveland, Ohio, the ethical hacking team evaluates the company's physical security controls. On a chilly evening in July 2025, ethical hacker Priya Desai, posing as a facilities contractor, accesses the company's loading dock area after regular business hours. Behind the employee entrance, she comes across an unsecured maintenance container with discarded packaging, shipping labels, and shredded office material. Among the clutter, Priya retrieves a crumpled document listing temporary access codes for the employee break room, along with a partially shredded memo referencing an upcoming audit. The exercise tests whether sensitive information discarded improperly can be exploited. The next day, Priya uses the recovered access codes to enter the break room undetected during a shift change, logging her entry on a controlled test system to simulate a breach. What social engineering technique is Priya's exercise primarily simulating?
Correct Answer: C
This scenario primarily simulates dumpster diving because the key action involves retrieving sensitive information from discarded materials and then using it to gain access. In CEH social engineering coverage, dumpster diving is a physical information-gathering technique in which an attacker searches trash, recycling bins, unsecured disposal containers, or shredding waste to find documents and artifacts that can be exploited. Common targets include access codes, employee directories, printed emails, shipping labels, invoices, internal memos, and partially shredded documents, exactly what Priya finds in the unsecured maintenance container. The question even emphasizes "discarded packaging," "shipping labels," "shredded office material," and a "crumpled document listing temporary access codes," which are classic dumpster-diving indicators. The later use of the recovered access codes to enter the break room is the impact of the dumpster-diving phase, but the primary social engineering technique tested is how improper disposal leads to compromise. Tailgating would involve following an authorized person through a secure door without proper authentication. Eavesdropping refers to listening in on conversations or communications to capture sensitive information. Shoulder surfing involves visually observing someone's screen or keyboard while they enter credentials or view confidential data. None of those describe the initial method of obtaining the access codes. CEH-aligned mitigations include enforcing clean-desk and secure disposal policies, using locked disposal bins, shredding sensitive documents properly with secure destruction processes, training staff on handling printed data, and restricting access to loading docks and waste areas. Regular audits of disposal practices and physical security checks reduce the likelihood that attackers can harvest usable access details from trash.
312-50v13 Exam Question 234
During a red team engagement at a retail company in Atlanta, ethical hacker James crafts a session with the company's shopping portal and deliberately shares that session ID with an unsuspecting employee by embedding it in a link. When the employee clicks and logs in, their activity is bound to the attacker's pre-assigned session. Later, James retrieves the employee's input from that same session to demonstrate the flaw to management. Which session hijacking technique is James most likely using?
Correct Answer: D
This scenario is a classic session fixation attack. In session fixation, the attacker sets or "fixes" a known session identifier (session ID) for the victim before the victim authenticates. The attacker then persuades the victim to use that predetermined session, often by embedding the session ID in a URL, link, or cookie-setting mechanism. Once the victim logs in, the application incorrectly continues using the same session ID (rather than issuing a new one upon authentication). As a result, the attacker can reuse that known session ID to access the victim's authenticated session context. The described sequence matches session fixation exactly: James first crafts a session and obtains a session ID, then shares it with the victim via a link; the victim clicks and logs in, and "their activity is bound to the attacker's pre-assigned session." Later, James accesses the session and retrieves the victim's input, demonstrating that authentication was tied to an attacker-controlled session token. Why the other options do not fit: Session replay (B) involves capturing a valid session token (e.g., via sniffing, XSS, or leakage) and replaying it, but it does not require pre-setting the token before the victim logs in. Session prediction (C) is about guessing or calculating valid session IDs due to weak randomness; here the attacker does not guess, he deliberately provides a session ID he already controls. "Session donation" (A) is not the standard classification for this well-known web session weakness in CEH-style taxonomy; the described behavior aligns with fixation. Therefore, the correct answer is D, Session Fixation Attack.
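The root cause above is an application that keeps the pre-authentication session ID after login. The following added example (not from the exam or any real application; the `SessionStore`, the `alice` credential and the `fixed-by-attacker` ID are constructed for illustration) shows a vulnerable login beside the hardened form that issues a fresh ID on authentication, and what a reuser of the fixed ID sees in each case.

```python
"""Session fixation in miniature: vulnerable vs. hardened login handling."""
import secrets

USERS = {"alice": "correct-horse"}  # constructed sample credential store


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> session data

    def new_id(self):
        # 128-bit random ID: unguessable, so fixation (not prediction) is the risk
        return secrets.token_hex(16)

    def get_or_create(self, session_id):
        # Accepts any client-supplied ID before login; this is how a link
        # carrying an attacker-chosen ID becomes the victim's session.
        if session_id not in self.sessions:
            self.sessions[session_id] = {"user": None}
        return session_id

    def login_vulnerable(self, session_id, username, password):
        sid = self.get_or_create(session_id)
        if USERS.get(username) != password:
            return None
        self.sessions[sid]["user"] = username  # same ID before and after auth
        return sid

    def login_hardened(self, session_id, username, password):
        if USERS.get(username) != password:
            return None
        self.sessions.pop(session_id, None)  # discard the pre-auth session
        fresh = self.new_id()                # rotate the ID on authentication
        self.sessions[fresh] = {"user": username}
        return fresh

    def whoami(self, session_id):
        return self.sessions.get(session_id, {}).get("user")


def demo(hardened):
    """Return (user seen via the fixed ID, user seen via the victim's ID)."""
    store = SessionStore()
    fixed_sid = store.get_or_create("fixed-by-attacker")  # ID embedded in the link
    login = store.login_hardened if hardened else store.login_vulnerable
    victim_sid = login(fixed_sid, "alice", "correct-horse")
    return store.whoami(fixed_sid), store.whoami(victim_sid)
```

With the vulnerable handler the fixed ID resolves to the victim's authenticated session; with the hardened handler it resolves to nothing, because the ID the victim is actually using was issued only after login.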
312-50v13 Exam Question 235
An ethical hacker audits a hospital's wireless network secured with WPA using TKIP and successfully performs packet injection and decryption attacks. Which WPA vulnerability most likely enabled this?
Correct Answer: C
CEH documentation explains that WPA-TKIP was a transitional security protocol and does not use AES encryption, relying instead on RC4-based mechanisms. The lack of AES-based encryption makes WPA-TKIP vulnerable to injection and replay attacks. Option C is correct. Option A applies to WEP. Option B affects authentication, not the TKIP weakness. Option D is not the primary TKIP flaw. CEH recommends WPA2/WPA3 with AES.