The activity described is passive session hijacking because Sarah is only observing and capturing session-related information without altering, injecting into, or disrupting the live client-server communication. In CEH coverage of session hijacking, the key distinction is whether the attacker merely eavesdrops to obtain session identifiers or actively takes control of the session in real time. Passive hijacking focuses on sniffing traffic to collect authentication material such as session IDs, cookies, bearer tokens, or other credentials transmitted in cleartext or exposed through weak transport protections. The prompt explicitly says she “quietly collects session data” and does so “without interfering,” which is the hallmark of passive hijacking.
This is commonly feasible when applications use unencrypted HTTP, weak TLS configurations, or when tokens are exposed in ways that can be captured on the network. Once obtained, the attacker can replay or reuse the stolen token to impersonate the victim, which matches Sarah’s plan to later use the captured tokens to demonstrate risk in a controlled environment. CEH emphasizes that session tokens effectively become the user’s identity after authentication; if an attacker can steal them, they can often bypass login entirely.
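The exposure conditions named above (cleartext HTTP, cookies that a browser will resend over an unencrypted connection) can be checked from the server side. The following is an added example, not part of the original explanation or of CEH material: it audits constructed `Set-Cookie` responses and reports which session cookies a passive sniffer could capture. Hostnames and cookie values are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: (request URL, response headers) pairs as a reverse proxy
# or web-server log might record them. All hosts and values are hypothetical.
SAMPLE_EXCHANGES = [
    ("http://intranet.example/login",
     {"Set-Cookie": "JSESSIONID=abc123; Path=/"}),
    ("https://portal.example/login",
     {"Set-Cookie": "session=def456; Path=/; Secure; HttpOnly; SameSite=Lax"}),
    ("https://api.example/token",
     {"Set-Cookie": "auth_token=ghi789; Path=/; HttpOnly"}),
]

# Cookie names that usually carry post-authentication identity.
SESSION_NAME = re.compile(r"(sess|session|jsessionid|phpsessid|auth|token)", re.I)


def audit_cookie(url, set_cookie):
    """Return the weaknesses that would let a passive sniffer capture this cookie."""
    name, _, rest = set_cookie.partition("=")
    # Attribute names after the value, lower-cased: {"path", "secure", ...}
    attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
    findings = []
    if not SESSION_NAME.search(name):
        return findings  # not a session-bearing cookie; nothing to report
    if urlsplit(url).scheme != "https":
        findings.append("issued over cleartext HTTP")
    if "secure" not in attrs:
        findings.append("missing Secure flag (browser will resend over http://)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag")
    return findings


def audit(exchanges):
    """Map each URL that set a cookie to the list of findings for that cookie."""
    return {url: audit_cookie(url, h["Set-Cookie"])
            for url, h in exchanges if "Set-Cookie" in h}


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_EXCHANGES).items():
        print(url, "->", findings or "OK")
```

An empty list means the cookie is only ever sent inside TLS, which removes the cleartext capture opportunity the passive attacker relies on.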
Option B, active session hijacking, would involve manipulating the connection, injecting packets, desynchronizing the client, or taking over the session live. Option A, session fixation, involves forcing a victim to use a session ID chosen by the attacker, not sniffing. Option C, man-in-the-browser, requires malware within the browser to intercept or modify transactions, which is not described. Therefore, Passive Session Hijacking is correct.