In CEH v13 Reconnaissance and Enumeration, NetBIOS name suffixes are used to identify the role of systems within a Windows network. The <1B> NetBIOS suffix is particularly significant because it uniquely identifies the Domain Master Browser, which in modern Windows environments corresponds to the Primary Domain Controller (PDC).
When an nbtscan is performed, multiple systems may respond with NetBIOS names, but only one system per domain will register the <1B> suffix. This is because the PDC is responsible for maintaining the master browse list and coordinating authentication services across the domain.
Option C is correct because the <1B> entry is explicitly defined in CEH documentation as belonging to the domain controller.
Option A is incorrect because the local system does not advertise <1B>.
Option B is incorrect because DHCP servers use different identifiers and do not register <1B>.
Option D is incorrect because NetBIOS must be enabled for <1B> to appear at all.
CEH v13 highlights identifying <1B> during enumeration as a high-value discovery, since domain controllers are prime targets during privilege escalation and lateral movement phases.

The Certified Ethical Hacker (CEH) Cloud Computing module emphasizes that serverless environments rely heavily on granular permission models. Attacks involving compromised APIs often succeed because functions are granted excessive privileges.
Option D is correct because enforcing function-level permissions and the principle of least privilege directly limits what a compromised function can execute. CEH documentation states this is the primary defense against serverless abuse.
Option A is beneficial but reactive.
Option B focuses on SaaS governance rather than FaaS execution control.
Option C provides visibility but does not directly prevent privilege misuse.
CEH highlights identity and access management (IAM) as critical in serverless security.

ARP spoofing-based session hijacking is identified in CEH v13 Web Application and Network Attacks as one of the most stealthy and difficult-to-detect session compromise techniques, especially within internal or VPN-connected networks.
In ARP spoofing, attackers poison ARP caches to position themselves as a man-in-the-middle (MitM). Once in place, they can silently intercept, modify, or replay session data-even when encryption is used-by redirecting traffic transparently between endpoints.
Option A (sidejacking) is mitigated by HTTPS. Option C (session guessing) is noisy and detectable. Option D (cookie poisoning) relies on weak validation and is easier to detect via integrity checks.
CEH v13 highlights ARP spoofing as particularly dangerous because:
* It exploits trusted local network behavior
* It does not require breaking encryption directly
* It is often invisible to users and applications
Therefore, Option B is the most challenging to detect and mitigate and is the correct answer.

Operational Technology and ICS environments often suffer from misconfigurations such as unchanged factory-default passwords. CEH identifies exploiting default credentials as a direct and effective method because ICS devices frequently lack strong authentication controls. Using these built-in credentials grants immediate unauthorized access to supervisory controls, enabling adversaries to manipulate configurations, disrupt processes, or escalate attacks across critical systems.

A FIN scan is a classic "stealth" TCP scan technique discussed in CEH network scanning methodology.
Unlike a TCP Connect scan, which completes the full three-way handshake and is highly visible in logs, a FIN scan sends a TCP packet with only the FIN flag set to a target port. The scan then interprets the target's response to infer whether the port is open or closed, without establishing a normal TCP session. This matches the scenario's requirement to "infer port states without completing a full connection" and to keep visibility low.
The logic relies on expected TCP behavior defined for many TCP/IP stacks. For a closed port, the target typically responds with an RST packet, indicating there is no service listening. For an open port, many systems do not respond at all to an unexpected FIN packet (because it does not correspond to an existing connection). That "no response" behavior becomes the signal the tester uses to suspect the port may be open or filtered. CEH emphasizes that because FIN scans do not perform a handshake, they can be less likely to trigger certain basic connection-based logging, and they generate fewer obvious connection events than TCP Connect scans.
Option D, NULL scan, is also a stealth method, but it uses a packet with no flags set. The question specifically highlights leveraging TCP flags and is commonly mapped in CEH-style questions to FIN scanning as the representative "TCP flag stealth scan." Option B is too generic, and option A is the most detectable. Therefore, FIN scan best aligns with the described stealth reconnaissance strategy.