During a red team assessment at a banking client in Chicago, ethical hacker David gains...

The correct answer is B. ARP Spoofing because the described outcome—silently redirecting traffic between two hosts through the attacker’s machine on a LAN without changing switch configurations—is the classic effect of ARP poisoning (also called ARP spoofing). In CEH-aligned network sniffing and man-in-the-middle (MITM) techniques, ARP spoofing works by sending forged ARP replies onto the local network so that a victim host associates the attacker’s MAC address with the IP address of a legitimate system (commonly the default gateway or another target host). Once the victim’s ARP cache is poisoned, frames intended for the real destination are instead sent to the attacker, who can then forward them to the legitimate host to maintain connectivity while inspecting or altering the traffic.

The scenario states David “injects crafted messages” and then “all traffic between a finance workstation and the authentication server is silently routed through his system.” That behavior strongly indicates ARP spoofing performed in both directions: poisoning the workstation to believe the attacker is the authentication server (or gateway) and poisoning the server to believe the attacker is the workstation (or gateway). This enables a transparent MITM position where credentials can be observed—especially if protocols are unencrypted or if the attacker can downgrade or strip protections. The fact that “no proxy or VPN is in use” supports the idea that the redirection is happening at Layer 2/Layer 3 on the local segment rather than via an explicit application-level proxy.

Why the other options are less accurate: Switch port stealing targets switch CAM tables to redirect frames, but it is less directly described than ARP cache poisoning between two IP endpoints. An STP attack manipulates spanning tree to become the root bridge and can influence paths, but it is a different control-plane attack and usually affects broader Layer 2 topology. IRDP spoofing involves ICMP Router Discovery Protocol to advertise a rogue router, but the scenario fits the much more common and direct MITM sniffing technique on a switched LAN: ARP spoofing.

Therefore, David most likely used ARP spoofing.