Telnet is correct because it transmits authentication credentials and session data in plaintext over TCP port 23, making it highly susceptible to interception and manipulation during an on-path attack. SSH is incorrect because it encrypts session traffic and credentials, significantly reducing the effectiveness of passive interception. RDP is incorrect because modern implementations use encryption to protect session data. HTTPS is incorrect because it leverages TLS to encrypt web communications, preventing straightforward credential capture through simple traffic interception. OBJ. 5.2 

Medusa is a command-line-based free password cracking tool often used in brute force password attacks on remote authentication servers. W3AF (Web Application Attack and Audit Framework) is a Python tool included in Kali Linux that tries to identify and exploit any web app vulnerabilities. CeWL is a ruby app that crawls websites to generate word lists for use with other password crackers. Mimikatz is an open-source tool that enables you to view credential information stored on Microsoft Windows computers. OBJ. 4.3

Nikto is correct because it scans web servers for misconfigurations and vulnerabilities. Responder is incorrect because it captures authentication traffic. BloodHound is incorrect because it analyzes Active Directory relationships. Hydra is incorrect because it performs password attacks. OBJ. 3.1

The results may be unreliable is correct because packet loss can affect scan accuracy and lead to inconsistent findings. The services are unstable is incorrect because no evidence confirms service instability. The vulnerabilities are confirmed is incorrect because results are inconsistent. The scan results are complete is incorrect because reliability is compromised. OBJ. 3.2

OBJ 2.4 - Recon-ng is the most suitable tool for automating the process of gathering publicly available information, as it is specifically designed for reconnaissance and information gathering during a penetration test. It allows testers to collect data like subdomains, whois information, and DNS records from open sources. Burp Suite is primarily used for web application security testing, Nikto is a web scanner that identifies vulnerabilities, and Nessus is used for vulnerability scanning, not information gathering. OBJ. 2.4

OBJ 4.1: SSL 3.0 is an outdated and vulnerable encryption protocol, making systems that rely on it highly susceptible to attacks such as POODLE. Nicki should prioritize these systems, as compromising them could lead to intercepting sensitive data or gaining further access to the network. OBJ. 4.1

Personalized search results are disabled for this query is correct because the parameter pws=0 disables personalization, preventing prior user behavior from influencing the results returned. Results are limited to content hosted on the target domain is correct because the site: operator restricts results to pages and files hosted on example.com. Results are restricted to spreadsheet file formats is correct because filetype:xls filters results to Microsoft Excel files, which may contain structured data such as usernames or passwords. All search filters are disabled across the search engine is incorrect because filter=p does not disable all filters; instead, it affects duplicate or directory filtering behavior rather than completely removing all filtering mechanisms. Search results will include related domains automatically is incorrect because identifying related sites requires the related: operator, which is not used in this query. Results explicitly exclude spreadsheet-based documents is incorrect because the query specifically includes Excel files using the filetype:xls operator rather than excluding them. OBJ. 2.1

OBJ 3.1 - OpenVAS is the best choice for open-source vulnerability scanning with the capability to integrate with existing security management tools for continuous monitoring. Nessus, while powerful, is not open-source. Trivy focuses on scanning containers and Kube-hunter is for Kubernetes environments, neither of which is as suited for general network vulnerability management as OpenVAS. OBJ. 3.1

OBJ 2.4 - The Finder with Filters in Hunter.io enables you to narrow down search results based on specific criteria, such as job title or department, helping you target emails from particular roles within an organization. Domain Search provides general email addresses, Bulk Email Finder is for multiple searches, and Email Verifier checks the validity of individual emails. OBJ. 2.4

OBJ 5.2: Printers using the Line Printer Daemon (LPD) service often come with default settings that are left unchanged. These default configurations may include weak or no authentication, publicly accessible print queues, or open ports, making the service vulnerable to unauthorized access or abuse. Exploiting such default settings can allow an attacker to perform actions like retrieving print jobs, uploading malicious files, or even using the printer as a pivot point for further network exploitation. XSS is a web-related vulnerability and would not be applicable in this context, as LPD is not a web-based service. SQL injection targets database applications, not LPD services used for printing. Buffer overflows are common in various services, however they are not typically associated with LPD printers. OBJ. 5.2