During an authorized wireless security assessment, an ethical hacker captures traffic between client devices and a corporate access point to evaluate the strength of the implemented encryption mechanism. Packet analysis reveals that before protected data exchange begins, the client and access point complete a structured four-message key negotiation process. Subsequent traffic is encrypted using an AES-based counter mode protocol that integrates message authentication for integrity protection. Based on these observations, identify the wireless encryption standard deployed on the network.
Correct Answer: C
The correct answer is WPA2. CEH wireless security material explains that WPA2 mandates CCMP, an AES-based protocol that runs AES in counter mode for confidentiality and uses CBC-MAC for message integrity; that is exactly the "AES-based counter mode protocol that integrates message authentication" observed in the capture. The structured four-message key negotiation that precedes protected traffic is the four-way handshake, which both WPA and WPA2 use to derive and install the pairwise transient key. The deciding factor is therefore the cipher: AES with CCMP is the hallmark of WPA2 in CEH guidance. WEP is far weaker and based on RC4, while WPA originally relied on TKIP (RC4 with per-packet keying and the Michael integrity check) as its improvement over WEP. WPA3 also protects data with CCMP after a four-way handshake, but it precedes that handshake with an SAE authentication exchange and advertises the SAE AKM in its RSN information element; the scenario describes neither, so the classic CEH mapping of four-way handshake plus AES/CCMP is WPA2. CEH references also note that WPA2 was designed to improve enterprise-grade wireless security and that CCMP addresses integrity concerns more effectively than earlier approaches. Because the capture shows AES counter-mode encryption with integrated integrity checks immediately after the handshake, the deployed standard is best identified as WPA2.
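The identification above can be made mechanically from two capture fields: the RSN information element the access point advertises (which names the cipher and the authentication/key-management suite) and the Key Information field of each EAPOL-Key frame (which tells the four handshake messages apart). The following is an added example, not part of the CEH material or any vendor tool; the RSN IE bytes and Key Information values are constructed from the IEEE 802.11 field layout rather than taken from a real capture, and the function names are the example's own.

```python
"""Identify the wireless security standard from capture fields.

Added example, not part of the CEH material or any vendor tool: it decodes the
RSN information element an access point advertises in beacons and probe
responses, and classifies each EAPOL-Key frame of the four-way handshake from
its Key Information field. The sample bytes and Key Information values below
are constructed from the IEEE 802.11 field layout, not taken from a real capture.
"""
import struct

IEEE_OUI = b"\x00\x0f\xac"
# Cipher suite selectors (IEEE 802.11, OUI 00-0F-AC)
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
# Authentication and key management (AKM) suite selectors
AKM_SUITES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
              8: "SAE", 12: "802.1X-SuiteB-192"}

# EAPOL-Key Key Information flags (bits 3, 6, 7, 8, 9)
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200


def _suite_name(selector: bytes, table: dict) -> str:
    if selector[:3] != IEEE_OUI:
        return "vendor-" + selector.hex()
    return table.get(selector[3], "reserved-%d" % selector[3])


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN IE (element ID 48): version, group cipher, pairwise ciphers, AKMs."""
    if ie[0] != 48:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    version, = struct.unpack_from("<H", body, 0)
    group = _suite_name(body[2:6], CIPHER_SUITES)
    n_pairwise, = struct.unpack_from("<H", body, 6)
    off = 8
    pairwise = [_suite_name(body[off + 4 * i:off + 4 * i + 4], CIPHER_SUITES)
                for i in range(n_pairwise)]
    off += 4 * n_pairwise
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akms = [_suite_name(body[off + 4 * i:off + 4 * i + 4], AKM_SUITES)
            for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms}


def classify_handshake_message(key_info: int) -> int:
    """Map an EAPOL-Key Key Information value to four-way handshake message 1..4."""
    if not key_info & KEY_INFO_PAIRWISE:
        raise ValueError("group key handshake frame, not part of the 4-way handshake")
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    secure = bool(key_info & KEY_INFO_SECURE)
    install = bool(key_info & KEY_INFO_INSTALL)
    if ack and not mic:
        return 1                      # AP -> STA: ANonce
    if mic and not ack and not secure:
        return 2                      # STA -> AP: SNonce, first MIC
    if ack and mic and install and secure:
        return 3                      # AP -> STA: install PTK, GTK delivered
    if mic and secure and not ack:
        return 4                      # STA -> AP: confirmation
    raise ValueError("unrecognised Key Information 0x%04x" % key_info)


def identify_standard(rsn: dict, key_info_sequence) -> str:
    """Name the standard from the advertised RSN IE and the observed handshake frames."""
    messages = [classify_handshake_message(k) for k in key_info_sequence]
    if messages != [1, 2, 3, 4]:
        return "incomplete or out-of-order handshake"
    akm = set(rsn["akm"])
    if "SAE" in akm and ("PSK" in akm or "PSK-SHA256" in akm):
        return "WPA2/WPA3 transition mode"
    if "SAE" in akm:
        return "WPA3-Personal"
    if "TKIP" in rsn["pairwise"]:
        return "WPA2 with TKIP allowed (mixed mode)"
    if rsn["pairwise"] == ["CCMP-128"]:
        return "WPA2 (AES-CCMP)"
    return "unrecognised configuration"


# Constructed RSN IE: WPA2-PSK, CCMP-128 group and pairwise cipher, PSK AKM.
SAMPLE_RSN_IE_WPA2 = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
# Same IE with the SAE AKM selector (type 8) instead of PSK: what WPA3-Personal advertises.
SAMPLE_RSN_IE_WPA3 = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 0000")
# Key Information values of a typical CCMP four-way handshake (descriptor version 2).
SAMPLE_HANDSHAKE = [0x008A, 0x010A, 0x13CA, 0x030A]

if __name__ == "__main__":
    print(parse_rsn_ie(SAMPLE_RSN_IE_WPA2))
    print(identify_standard(parse_rsn_ie(SAMPLE_RSN_IE_WPA2), SAMPLE_HANDSHAKE))
```

Note that the original WPA (pre-RSN) advertises its settings in a vendor-specific IE (OUI 00-50-F2) rather than element 48, so `parse_rsn_ie` deliberately rejects it; the same handshake frames with an SAE AKM in the IE are what distinguish WPA3-Personal from the WPA2 case in the question.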
312-50v13 Exam Question 237
While analyzing suspicious network activity, you observe a slow, stealthy scanning technique that is difficult to trace back to the attacker. Which scenario best describes the scanning technique being used?
Correct Answer: B
According to the CEH Network Scanning module, idle scanning (zombie scanning) is one of the most stealthy reconnaissance techniques. The attacker never sends a probe to the target carrying its own address: it forges SYN packets so that they appear to come from an idle third-party host (the zombie), then infers the target's response from changes in the zombie's IP ID counter. Because every scan packet the target sees originates from the zombie, the true attacker remains hidden. CEH highlights that idle scans:
- are extremely stealthy;
- generate minimal traffic from the attacker;
- make attribution very difficult.
Option B is correct. Option A (FIN scan) is stealthy but still traceable, because its probes carry the attacker's source address. Option C is noisy and easily detected. Option D describes a Xmas scan, which is also detectable. CEH classifies idle scanning as one of the hardest scanning techniques to trace. In practice the technique depends on finding a zombie that is truly idle and uses a predictable, globally incrementing IP ID; a host with randomized IP IDs makes the scan inconclusive.
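The IP ID side channel described above is easiest to see as an exchange between the three parties. The following simulation is an added example, not from the CEH module or from any scanner; no real packets are sent, the hosts and addresses are constructed (RFC 5737 documentation ranges), and the class and function names are the example's own. It shows both what the attacker learns and what the target's logs would record.

```python
"""Idle (zombie) scan, simulated.

Added example, not from the CEH module: three simulated hosts model the IP ID
side channel an idle scan relies on. No real packets are sent; the point is to
show that the target only ever sees the zombie's address and how the zombie's
IP ID counter leaks each port's state. Addresses are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "SYN", "SYN/ACK" or "RST"
    ip_id: int = 0


@dataclass
class Zombie:
    """Idle host whose IP ID is a single global counter: the weakness the scan exploits."""
    addr: str
    ip_id: int = 1000

    def receive(self, pkt: Packet):
        # An unsolicited SYN/ACK is answered with a RST, consuming one IP ID.
        # An unsolicited RST is dropped silently and consumes nothing.
        if pkt.flags == "SYN/ACK":
            self.ip_id += 1
            return Packet(self.addr, pkt.src, 0, "RST", self.ip_id)
        return None


@dataclass
class Target:
    addr: str
    open_ports: set
    seen_sources: list = field(default_factory=list)   # what the target's logs would record

    def receive(self, pkt: Packet):
        self.seen_sources.append(pkt.src)
        if pkt.flags == "SYN":
            reply = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
            return Packet(self.addr, pkt.src, 0, reply)
        return None


def idle_scan_port(attacker: str, zombie: Zombie, target: Target, port: int) -> str:
    """Infer a target port's state via the zombie's IP ID; the attacker never addresses the target."""
    # 1. Probe the zombie to read its current IP ID.
    before = zombie.receive(Packet(attacker, zombie.addr, 0, "SYN/ACK")).ip_id
    # 2. Send the target a SYN whose source address is forged to be the zombie.
    reply = target.receive(Packet(zombie.addr, target.addr, port, "SYN"))
    if reply is not None:
        zombie.receive(reply)   # open port: SYN/ACK -> zombie RSTs (+1); closed: RST -> ignored
    # 3. Probe the zombie again and compare.
    after = zombie.receive(Packet(attacker, zombie.addr, 0, "SYN/ACK")).ip_id
    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"      # like a real idle scan, these two cases are indistinguishable
    return "inconclusive (zombie not idle or IP ID not sequential)"


def run_scan(ports=(22, 80, 443)):
    """Constructed scenario: attacker 192.0.2.99 scans 203.0.113.10 via zombie 198.51.100.7."""
    zombie = Zombie("198.51.100.7")
    target = Target("203.0.113.10", open_ports={80, 443})
    results = {p: idle_scan_port("192.0.2.99", zombie, target, p) for p in ports}
    return results, sorted(set(target.seen_sources))


if __name__ == "__main__":
    print(run_scan())
```

The second return value of `run_scan` is the only source address the target ever recorded, which is the attribution problem the question describes. If the zombie's own traffic moved its IP ID between the two probes, `delta` would exceed 2 and the result becomes inconclusive, which is why a busy or randomized-IP-ID host is unusable as a zombie.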
312-50v13 Exam Question 238
During a penetration test at Cascade Financial in Raleigh, ethical hacker Ethan Brooks evaluates the security of the company's authentication system. He observes that the application accepts a high volume of repeated credential submissions without introducing any additional challenge, allowing automated scripts to cycle rapidly through large password lists. Ethan advises the IT team to deploy a control that forces interaction steps designed to disrupt automation. Which countermeasure should the IT team adopt in this scenario?
Correct Answer: C
The scenario describes an authentication endpoint that allows a high volume of repeated login attempts with no additional friction, enabling automated scripts to rapidly try large password lists. This is typical of online password guessing and credential stuffing or brute-force automation. The countermeasure being requested is explicitly one that "forces interaction steps designed to disrupt automation," which best matches CAPTCHA. CAPTCHA mechanisms introduce a challenge-response test intended to distinguish humans from automated bots, thereby reducing the effectiveness of scripted, high-rate credential attempts. CAPTCHA is commonly deployed on login and registration pages (and sometimes on password reset flows) to slow down or block automated abuse. When triggered, often after a threshold of failed attempts or other suspicious behavior, it forces the requester to complete an interactive step (image selection, puzzle, checkbox backed by behavioral analysis, etc.). This breaks fully automated attack loops and raises the attacker's cost, especially when combined with additional controls such as account lockout thresholds, IP reputation, device fingerprinting, and rate limiting. A practical caveat: CAPTCHA solving can be outsourced to human-solver services or attacked with image-recognition models, so it should be treated as friction layered on top of rate limiting and MFA rather than as a complete control on its own.

Why the other options are less aligned to the "disrupt automation" requirement:
- Strong hashing algorithms (A) protect stored passwords at rest (e.g., if a database is compromised). They do not stop online automated login attempts.
- 2FA/MFA (B) is excellent for reducing account takeover impact, but it does not inherently prevent high-volume credential submissions; it adds a second factor after correct credentials are provided. The question's wording also points specifically to a bot-disruption interaction step.
- Forced periodic password changes (D) is not a primary control for stopping automated login attempts and can introduce usability issues; it adds no friction to repeated submissions.

Therefore, the most appropriate countermeasure is C: use CAPTCHA challenges on login and registration pages.
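The "threshold of failed attempts" trigger described above is a small piece of server-side policy. The following is an added example, not from the CEH material or any framework: it counts failures per username and per source IP in a sliding window and, once a threshold is crossed, refuses to evaluate the password at all until a CAPTCHA is solved. The thresholds, window length, the `LoginGate` name and the token-based CAPTCHA check are assumptions for illustration; a real deployment validates the token with the CAPTCHA provider's API and keeps the counters in shared storage.

```python
"""Failed-login gate that escalates to a CAPTCHA challenge.

Added example, not from the CEH material: a minimal server-side policy that
counts failed attempts per username and per source IP in a sliding window and
refuses further password checks until a CAPTCHA is solved once a threshold is
crossed. The thresholds, window length and the token-based CAPTCHA check are
assumptions for illustration; in production the token would be validated with
the CAPTCHA provider's API, and the counters kept in shared storage such as Redis.
"""
import time
from collections import defaultdict, deque

FAILS_PER_ACCOUNT = 3     # failed attempts on one username before a challenge
FAILS_PER_IP = 10         # failed attempts from one address before a challenge
WINDOW_SECONDS = 600      # sliding window for counting failures


class LoginGate:
    def __init__(self, check_password, verify_captcha, clock=time.monotonic):
        self._check_password = check_password     # (username, password) -> bool
        self._verify_captcha = verify_captcha     # (token) -> bool
        self._clock = clock
        self._failures = defaultdict(deque)       # key -> timestamps of recent failures

    def _recent_failures(self, key) -> int:
        q = self._failures[key]
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def challenge_required(self, username: str, ip: str) -> bool:
        return (self._recent_failures(("user", username)) >= FAILS_PER_ACCOUNT
                or self._recent_failures(("ip", ip)) >= FAILS_PER_IP)

    def attempt(self, username: str, password: str, ip: str, captcha_token=None) -> str:
        """Return 'ok', 'invalid_credentials' or 'captcha_required'."""
        if self.challenge_required(username, ip):
            # Past the threshold, do not even evaluate the password until the
            # interactive step is completed: this is what breaks the scripted loop.
            if captcha_token is None or not self._verify_captcha(captcha_token):
                return "captcha_required"
        if self._check_password(username, password):
            self._failures[("user", username)].clear()   # per-IP count deliberately kept
            return "ok"
        now = self._clock()
        self._failures[("user", username)].append(now)
        self._failures[("ip", ip)].append(now)
        return "invalid_credentials"


def simulate_wordlist_attack():
    """Constructed scenario: a script cycles a wordlist against one account from one IP."""
    users = {"alice": "correct horse battery staple"}   # constructed credential store
    gate = LoginGate(check_password=lambda u, p: users.get(u) == p,
                     verify_captcha=lambda token: token == "human-solved",
                     clock=lambda: 1000.0)
    guesses = ["123456", "password", "letmein", "qwerty", "correct horse battery staple"]
    scripted = [gate.attempt("alice", g, "192.0.2.55") for g in guesses]
    # The right password is now useless to the script until a human solves the challenge.
    with_captcha = gate.attempt("alice", guesses[-1], "192.0.2.55", captcha_token="human-solved")
    return scripted, with_captcha


if __name__ == "__main__":
    print(simulate_wordlist_attack())
```

Two design points matter here: the gate checks the challenge before it evaluates the password, so a script cannot learn whether its fifth guess was right, and a successful login clears only the per-account counter, so an address spraying one guess across many accounts still accumulates toward `FAILS_PER_IP`.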
312-50v13 Exam Question 239
A penetration tester is assessing a company's HR department for vulnerability to social engineering attacks using knowledge of recruitment and onboarding processes. What is the most effective technique to obtain network access credentials without raising suspicion?
Correct Answer: B
Social engineering attacks that target business processes are especially effective when they mimic legitimate workflows. CEH learning materials emphasize that attackers often exploit trust relationships and organizational procedures rather than attempting broad or generic phishing methods. In the context of HR operations, onboarding portals are highly trusted and frequently accessed by new employees who expect to enter personal information, submit documents, and receive initial network credentials. By creating a fake onboarding portal that closely resembles the organization's internal system, an attacker can collect credentials without triggering suspicion because the action being requested appears normal and expected. This method leverages procedural familiarity, brand consistency, and the implied authority of HR communications, making it far more effective than generic phishing emails or unsolicited social media messages. Phone calls, while sometimes useful, involve real-time interaction and increase the chance of detection. The fake portal, however, seamlessly integrates into existing processes, making it the most effective and lowest-profile approach for acquiring network credentials.
312-50v13 Exam Question 240
During a penetration test for a global e-commerce platform in Dallas, ethical hacker Maria simulates a large-scale DoS campaign. Instead of sending attack traffic directly, she forges requests to multiple open services across the internet. These services unknowingly reply to the victim system, multiplying the amount of traffic hitting the target. Within minutes, the victim's server is overwhelmed by a flood of responses, even though Maria's own machine generated only a small amount of traffic. Which attack technique is Maria most likely demonstrating?
Correct Answer: B
The correct answer is B, Distributed Reflection Denial-of-Service (DRDoS), because the scenario describes the two defining elements of DRDoS: reflection and amplification at scale using third-party systems. Maria "forges requests" (i.e., spoofs the victim's IP address as the source) to "multiple open services across the internet." Those services send their replies to the spoofed source, the victim, so the victim receives a large volume of unsolicited responses. This is reflection: the attacker does not contact the victim directly but bounces traffic off other servers. The "multiplying the amount of traffic" indicates amplification: many UDP services answer with packets far larger than the request, so a small outbound stream from the attacker becomes a much larger inbound flood at the target. The mention of "multiple open services" and being overwhelmed by a "flood of responses" is classic DRDoS behavior.

From a defender's perspective, DRDoS is difficult because the traffic appears to come from legitimate servers and the victim is receiving replies to requests it never sent. That mismatch is also the most useful detection signal: inbound responses on well-known service ports with no corresponding outbound request. Mitigations include source address validation at the network edge (BCP 38 anti-spoofing, which stops networks from emitting the forged requests in the first place), rate limiting, filtering or ACLs for abused UDP services, hardening or disabling the reflectors themselves (open resolvers, NTP monlist, and similar), and upstream scrubbing, CDN or DDoS protection services.

Why the other options are less accurate:
- Smurf is a specific reflection/amplification attack that sends ICMP echo requests to a broadcast address with the victim's address spoofed as the source; it is now largely mitigated by disabling directed broadcasts.
- Botnet describes the attacker's infrastructure (many compromised machines), not the reflection/amplification mechanism; a botnet can be used to launch many types of DDoS attack.
- NTP amplification is one specific DRDoS variant that abuses misconfigured NTP servers (UDP/123). The question describes the broader technique across "multiple open services" rather than naming NTP, so the best match is the general category.

Therefore, Maria is demonstrating a Distributed Reflection Denial-of-Service (DRDoS) attack.
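The defender's observation above, replies arriving for requests the victim never sent, can be turned into detection logic over flow records. The following is an added example, not from the CEH material or any product: it pairs each inbound UDP response with the outbound request that should have preceded it and flags a monitored host that receives unsolicited responses from many distinct servers on well-known reflector ports. The flow records, the record format, the port list and the thresholds are all constructed for illustration.

```python
"""Flag reflected/amplified UDP floods in flow records.

Added example, not from the CEH material: pairs each inbound UDP response with
the outbound request that should have preceded it and reports a host that is
receiving unsolicited responses from many distinct servers on well-known
reflector ports. The flow records, port list and thresholds are constructed
for illustration; real deployments would read NetFlow/IPFIX from the edge router.
"""
from collections import defaultdict

REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}   # DNS, NTP, SNMP, SSDP, memcached
MIN_REFLECTORS = 5       # distinct unsolicited sources before we call it reflection
MATCH_WINDOW = 5.0       # seconds a request may precede its matching response


def parse_flow(line: str) -> dict:
    """Constructed format: '<ts> <proto> <src> <sport> <dst> <dport> <bytes>'."""
    ts, proto, src, sport, dst, dport, nbytes = line.split()
    return {"ts": float(ts), "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def detect_reflection(flows, monitored_prefix: str) -> dict:
    """Return {victim: {"reflectors", "unsolicited_bytes", "solicited_bytes"}} for flagged hosts."""
    # Index outbound UDP requests by the 4-tuple their reply would carry.
    requests = defaultdict(list)
    for f in flows:
        if f["proto"] == "UDP" and f["src"].startswith(monitored_prefix):
            requests[(f["dst"], f["dport"], f["src"], f["sport"])].append(f["ts"])

    report = defaultdict(lambda: {"reflectors": set(), "unsolicited_bytes": 0, "solicited_bytes": 0})
    for f in flows:
        if f["proto"] != "UDP" or not f["dst"].startswith(monitored_prefix):
            continue
        if f["sport"] not in REFLECTOR_PORTS:
            continue
        key = (f["src"], f["sport"], f["dst"], f["dport"])
        solicited = any(0 <= f["ts"] - t <= MATCH_WINDOW for t in requests.get(key, []))
        entry = report[f["dst"]]
        if solicited:
            entry["solicited_bytes"] += f["bytes"]
        else:
            # A reply to a request we never sent: the hallmark of a reflected flood.
            entry["unsolicited_bytes"] += f["bytes"]
            entry["reflectors"].add(f["src"])
    return {host: e for host, e in report.items() if len(e["reflectors"]) >= MIN_REFLECTORS}


# Constructed records: one legitimate DNS exchange, then NTP replies from six
# servers the monitored host never queried (the attacker spoofed its address).
SAMPLE_FLOWS = """\
0.00 UDP 203.0.113.10 40000 198.51.100.53 53 70
0.02 UDP 198.51.100.53 53 203.0.113.10 40000 200
1.00 UDP 192.0.2.11 123 203.0.113.10 80 4680
1.01 UDP 192.0.2.12 123 203.0.113.10 80 4680
1.01 UDP 192.0.2.13 123 203.0.113.10 80 4680
1.02 UDP 192.0.2.14 123 203.0.113.10 80 4680
1.02 UDP 192.0.2.15 123 203.0.113.10 80 4680
1.03 UDP 192.0.2.16 123 203.0.113.10 80 4680
1.50 TCP 198.51.100.9 443 203.0.113.10 51000 1500
""".splitlines()


def run_demo():
    return detect_reflection([parse_flow(line) for line in SAMPLE_FLOWS], "203.0.113.")


if __name__ == "__main__":
    for victim, e in run_demo().items():
        print(victim, len(e["reflectors"]), "reflectors,", e["unsolicited_bytes"], "unsolicited bytes")
```

The legitimate DNS reply is matched to its query and counted as solicited, while the NTP replies have no outbound counterpart and come from six distinct servers, so the host is flagged. Because the forged requests left the attacker's network rather than the victim's, the victim-side logs can never show them; the amplification ratio itself has to be measured at the reflector or estimated from known response sizes, which is why BCP 38 filtering at the source network is the structural fix.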