ECCouncil Updated 312-50v13 Exam Questions and Answers by haleema

In CEH v13 Reconnaissance Techniques, passive monitoring of competitors’ online presence is a legitimate and effective intelligence-gathering activity. One of the most efficient tools for this purpose is Google Alerts.

Google Alerts allow analysts to receive automated notifications when new content containing specific keywords—such as company names, products, or executives—is indexed online. This enables continuous, passive surveillance without repeatedly visiting websites manually.

Option B directly addresses the analyst’s goal of staying updated efficiently.

Option A is illegal and unethical.

Option C involves direct interaction, which may reveal the analyst’s presence.

Option D provides anonymity but does not actively monitor changes.

CEH v13 strongly encourages automation in reconnaissance to reduce noise, effort, and detection risk. Therefore, Option B is the correct and CEH-aligned answer.

Whaling is the correct answer because the scenario describes a highly targeted phishing attempt aimed at a “big fish”—a senior executive (the CEO). In CEH terminology, whaling is a specialized form of phishing that focuses on high-profile, high-authority individuals (e.g., CEOs, CFOs, directors) to maximize impact. These targets often have access to sensitive data, financial approvals, privileged systems, and strategic communications, making their credentials significantly more valuable than those of typical employees.

The attacker (Clara) uses classic social engineering drivers emphasized in CEH training: authority (impersonating the legal department), urgency/fear (a “pending lawsuit”), and trust in internal processes (a link to a supposed internal portal). This combination is designed to short-circuit normal verification behavior and prompt quick compliance. The inclusion of a credential-harvesting link aligns with common phishing goals: capturing usernames/passwords, enabling account takeover, and potentially facilitating broader compromise (e.g., email access for business email compromise, lateral movement, or privileged escalation).

Why the other options are less accurate: Spear phishing is also targeted, but it is a broader category aimed at specific individuals or groups at any level. The defining clue here is the executive-level target, which elevates it to whaling. Clone phishing involves copying a legitimate email previously received and swapping a malicious link or attachment—this detail is not present. Consent phishing typically abuses legitimate OAuth/app consent flows rather than a fake portal requesting credentials.

The correct answer is A. Activating Dynamic ARP Inspection to validate ARP packets.

The scenario describes a switch discarding ARP replies that do not match known IP-to-MAC and address-to-port bindings. This is the function of Dynamic ARP Inspection (DAI).

CEH-aligned sniffing and ARP defense material states that Dynamic ARP Inspection is used with DHCP snooping, where IP-to-MAC bindings are tracked from DHCP transactions to protect against ARP poisoning. It also notes that DHCP snooping is required to build the MAC-to-IP bindings used for DAI validation . The same material lists the configuration command ip arp inspection vlan < vlan number > and the verification command show ip arp inspection .

Option B is incorrect because displaying the DHCP snooping table only verifies bindings; it does not enforce ARP validation.

Option C is incorrect because DHCP Snooping builds the trusted binding database, but DAI is the feature that validates and drops invalid ARP packets.

Option D is incorrect because BPDU Guard protects spanning-tree edge ports from unexpected BPDUs. It does not validate ARP packets.

Therefore, the best answer is A. Activating Dynamic ARP Inspection to validate ARP packets.

The correct answer is D. ntpq -p [host].

The scenario requires querying the active NTP service to review its current associations and operational state. The ntpq utility is designed to query and monitor the NTP daemon. CEH-aligned NTP enumeration material states that ntpq is a command-line utility used to query the NTP server, monitor ntpd operations, and determine performance. It also states that the -p option prints a list of peers known to the server and summarizes their state .

Option A. ntptrace is incorrect because ntptrace follows the chain of NTP servers back to the primary time source. The scenario specifically says Kevin is not tracing the upstream hierarchy.

Option B. ntpq [-inp] [-c command] [host] [...] is a general syntax form for ntpq, but the most precise command for viewing peer associations and state is ntpq -p [host].

Option C. ntpdc is incorrect because although ntpdc can query ntpd, it is more associated with querying daemon state and requesting state changes. The question asks for the command to review current associations and operational status, which is most directly matched by ntpq -p.

Option D. ntpq -p [host] is correct because it directly queries the NTP service and prints peer association/status information.

Therefore, the best answer is D. ntpq -p [host].