A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. Since the devices are connected through your access point, you can establish a weaker SSL-based HTTPS connection between their web browser and the actual web server they wanted. This forcing of the client to use a weaker version is known as a downgrade attack, and it allows the attacker to capture the packets and later crack them offline since SSL-based HTTPS is weak enough to crack due to vulnerabilities in its design. A fragmentation attack obtains the pseudorandom generation algorithm (PRGA) of network packets used in WEP. Deauthentication attacks are used in the service of an evil twin, replay, cracking, denial of service, and other attacks. All 802.11 Wi-Fi protocols include a management frame that a client can use to announce that it wishes to terminate a connection with an access point. The victim's device will be kicked off the access point by spoofing the victim's MAC address and sending the deauthentication frame to the access point. A karma attack is a variant of the evil twin attack. A karma attack exploits the behavior of a wireless client trying to connect to its preferred network list. This list contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect to the internet, it firsts beacons to determine if any of these previously connected networks are within range. OBJ. 4.7

OBJ 1.5: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL is commonly used against databases, but they are not useful when attacking file servers. OBJ. 1.5

OBJ 1.1: An external target type best describes these targets since the question doesn’t clearly describe if the servers are first-party or third-party hosted. An external target type is an asset that can be accessed from outside of the organization. For example, if the webserver is visible on the Internet, it is considered an external target. An internal target type means that assets can be accessed from within the organization. This can either be physically or logically from within the network, and it best simulates an insider threat. This target type can also be used to simulate an external hacker who has gained credentials on the network, such as using a spear phishing attack. First-party hosted targets are assets hosted by the client organization themselves. Third-party hosted targets are assets hosted by a vendor, partner, or cloud service provider. OBJ. 1.1

To gather information about the service version is correct because banner grabbing retrieves identifying information from a service, such as the application name and version, which a penetration tester can correlate with CVE data to determine whether the FTP service is vulnerable and worth targeting for exploitation. To detect open ports is incorrect because port discovery is typically performed through scanning tools such as Nmap rather than banner retrieval. To identify misconfigured firewalls is incorrect because firewall misconfigurations are assessed through filtering behavior and access control testing, not through service banners. To capture and analyze network traffic is incorrect because traffic capture is performed with packet analysis tools like Wireshark or tcpdump, not through banner grabbing techniques. OBJ. 2.1

OBJ 4.9: Skimming is a common attack against RFID systems where an attacker uses a reader to steal information from RFID tags, such as those used in contactless payment cards or access badges. Sniffing generally refers to capturing data packets on a network, spoofing involves impersonating another entity, and on-path attacks involve intercepting communication between two parties. OBJ. 4.9

OBJ 2.4 - Setting up a reverse shell in this instance is an example of persistence. This post-exploitation activity ensures that you maintain access to the compromised system, even if your initial access method is closed or the system is rebooted. Privilege escalation would involve increasing your access level, lateral movement refers to spreading to other systems, and data exfiltration is the process of transferring data out of the compromised environment. OBJ. 2.4

OBJ 4.7 - A karma attack is a variant of the evil twin attack. A karma attack exploits the behavior of a wireless client trying to connect to its preferred network list. This list contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect to the internet, it firsts beacons to determine if any of these previously connected networks are within range. This allows an attacker to answer the request, allowing the user to connect to them instead as an evil twin. At this point, the attacker is now the on-path between the wireless client and the internet, which is useful for many different exploits. Deauthentication attacks are used in the service of an evil twin, replay, cracking, denial of service, and other attacks. All 802.11 Wi-Fi protocols include a management frame that a client can use to announce that it wishes to terminate a connection with an access point. The victim's device will be kicked off the access point by spoofing the victim's MAC address and sending the deauthentication frame to the access point. A fragmentation attack obtains the pseudorandom generation algorithm (PRGA) of network packets used in WEP. A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. OBJ. 4.7

BloodHound is correct because BloodHound collects and analyzes Active Directory objects, permissions, and relationships to graphically identify potential privilege escalation and lateral movement paths, such as ACL misconfigurations or nested group memberships leading to high-value targets. Wireshark is incorrect because it is a packet capture and traffic analysis tool, not an AD relationship mapping utility. Metasploit is incorrect because it is primarily used for exploitation and payload delivery rather than visualizing AD trust paths. Nmap is incorrect because it focuses on network scanning and service discovery rather than directory permission analysis and attack path mapping. OBJ. 3.1

OBJ 4.2: In a Pass-the-hash attack, an attacker uses the hashed version of a user's credentials to authenticate without needing to crack the password/hash. Carlos captures the hash and uses it to impersonate the user directly. The other options, such as Pass-the-ticket and Pass-the-token, involve different mechanisms for gaining unauthorized access. OBJ. 4.

Save each result in a list or dictionary is correct because structured storage allows the tester to compare, filter, deduplicate, and reuse collected enumeration data later in the assessment. Replace all print statements with comments is incorrect because comments do not preserve runtime output. Move the DNS logic into a while loop only is incorrect because looping controls repetition but does not store data for later analysis. Run the script with elevated privileges is incorrect because privilege level does not address how results are retained. OBJ. 2.3