EC-Council CEH (Certified Ethical Hacker) Study Guide
The EC-Council Certified Ethical Hacker (CEH) validates that a candidate can think and act like an attacker while staying within legal, authorized boundaries. It spans the full offensive lifecycle - reconnaissance, scanning, enumeration, system and web attacks, wireless, mobile, IoT/OT, cloud, and cryptography - along with the defensive countermeasures for each. It suits security analysts, penetration testers, SOC staff, and IT professionals moving into offensive or defensive security roles.
Reviewed Jul 2026.
Domain 1: Information Security and Ethical Hacking Overview
- The CIA triad defines the core goals: confidentiality (preventing unauthorized disclosure), integrity (preventing unauthorized or undetected modification), and availability (ensuring access when needed). Altering data in transit is an integrity violation.
- Risk is a function of threat, vulnerability, and impact - it expresses the likelihood and consequence of loss when a threat exploits a weakness. A vulnerability is an exploitable flaw in design, implementation, operation, or configuration.
- The Cyber Kill Chain (Lockheed Martin) runs in a fixed order: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.
- Weaponization is the phase where an attacker couples an exploit with a payload (such as a RAT or backdoor) into a deliverable artifact like a malicious document, before any contact with the target.
- MITRE ATT&CK is a knowledge base of real-world adversary behavior organized as tactics (the goal, the 'why') and techniques (the 'how'), with sub-techniques and procedures.
- The five phases of a hack are Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks. Scanning actively probes for live hosts, open ports, and services.
- Maintaining access means retaining persistent control of a compromised system (for example via backdoors or rootkits), while clearing tracks removes evidence of the intrusion.
- Hacker classes differ by authorization and intent: black hats act maliciously without authorization, white hats act with authorization, and gray hats act without authorization but generally without malicious intent.
- A script kiddie runs others' tools without deep understanding, while hacktivists attack to promote a political or social cause.
- Security controls are categorized by function: administrative/managerial (such as awareness training and policy), technical, and physical - and by type such as preventive, detective (an alert-only IDS), and corrective.
- Key compliance frameworks: ISO/IEC 27001 specifies requirements for an ISMS, PCI-DSS protects cardholder data, HIPAA protects health information (PHI), GDPR grants rights such as erasure and imposes turnover-based fines, and DMCA governs digital copyright.
- Testing knowledge levels: white-box (tester has full internal knowledge), black-box (no prior knowledge), and gray-box (partial knowledge), each simulating a different adversary perspective.
- A threat is any potential danger that could exploit a vulnerability, whereas an exploit is the actual code or technique that takes advantage of it - distinguishing capability from realization is a common exam point.
Domain 2: Reconnaissance Techniques
- Passive footprinting gathers information from public sources (search engines, social media, WHOIS, archives) without sending packets to the target's own infrastructure, so it is undetectable by the target.
- Active footprinting interacts directly with target-owned systems - for example querying the target's own authoritative name server - and can therefore be detected.
- WHOIS queries registry/registrar databases and can reveal the registrant organization, admin/technical contacts, sponsoring registrar, name servers, and creation/updated/expiration dates unless masked by privacy services.
- Regional Internet Registries allocate IP address blocks by region; ARIN covers North America, and querying the right RIR maps a target's address ranges.
- Core DNS records for footprinting: A maps a host to IPv4, AAAA (quad-A) to IPv6, MX lists inbound mail servers with preference values, and SOA holds the zone's authoritative parameters (primary name server, admin contact, serial, timers).
- A DNS zone transfer (AXFR) replicates a full zone to secondaries; a misconfigured server that honors AXFR from any host lets an attacker download every record, exposing internal hostnames and IPs. dig is the flexible DNS query tool used for this.
- Google dorking uses advanced search operators to surface indexed sensitive content - for example the site: operator restricts results to one domain, and filetype:, inurl:, and intitle: narrow further.
- Shodan and Censys are Internet-wide search engines that index connected devices, service banners, and certificates rather than web page content, revealing exposed services and misconfigurations.
- OSINT tooling: Maltego is a graphical link-analysis tool driven by transforms, theHarvester collects emails/names/subdomains/hosts from public sources, and Recon-ng is a modular Python framework with a Metasploit-style console.
- The Wayback Machine archives historical versions of sites (revealing removed content), robots.txt lists paths the owner asks crawlers to skip (pointing to sensitive directories), and HTTrack mirrors a site locally for offline analysis.
- Email intelligence: a tracking pixel or web bug reports when a message is opened, and email headers expose the routing path, originating servers/IPs, and timestamps.
- Competitive intelligence is the lawful collection of public business information about competitors, distinct from illegal industrial espionage.
- Network reconnaissance combines traceroute for path/topology mapping, banner grabbing for service versions, and social media/job postings for technology-stack and personnel details.
Domain 3: System Hacking Phases and Attack Techniques
- Password attacks differ by strategy: a dictionary attack tests a curated wordlist, brute force exhausts the entire keyspace (guaranteed but slow), and a hybrid attack mutates dictionary words with appended digits or character substitutions.
- Password spraying tries one common password across many accounts to stay under lockout thresholds, making it stealthier than hammering a single account.
- Rainbow tables are precomputed hash-to-plaintext lookup structures that trade storage for speed; salting (unique random data per password) defeats them by making precomputation per-user impractical.
- John the Ripper and Hashcat are the standard offline crackers; Hashcat is known for GPU-accelerated, massively parallel hash computation.
- Windows stores local account hashes in the SAM database; the legacy LM hash uppercases the password and splits it into two independently hashed 7-character halves, drastically weakening it.
- The NTLM hash is an unsalted MD4 hash of the password and can be replayed in a pass-the-hash attack, which authenticates using a captured hash without ever knowing the plaintext.
- Linux stores password hashes in /etc/shadow, which is readable only by root, separating them from the world-readable /etc/passwd.
- Privilege escalation is vertical when an account gains higher-level rights (for example user to SYSTEM/root) and horizontal when it accesses another same-level account's resources.
- Windows privilege escalation vectors include unquoted service paths, weak service permissions, and DLL hijacking, which let a lower-privileged binary run in a high-privileged context.
- Keyloggers capture keystrokes in software or hardware form; hardware keyloggers are physical inline devices, so physical inspection detects them, while spyware covertly collects user behavior.
- Clearing tracks includes clearing Windows event logs (for example with wevtutil), wiping shell history files on Linux, and disabling auditing to erase evidence of activity.
- Centralized, tamper-resistant log forwarding to a remote SIEM preserves evidence beyond an attacker's reach, since local log deletion cannot alter records already shipped off-host.
- Attackers hide files using NTFS alternate data streams (ADS), hidden/system attributes, or steganography to embed data inside other files and evade casual detection.
- Rootkits maintain covert persistence by subverting the OS at the kernel, library, or firmware level to hide processes, files, and network connections from defenders.
Domain 4: Network and Perimeter Hacking
- Passive sniffing only captures traffic already visible on the segment (a hub or a SPAN/mirror port) with the NIC in promiscuous mode, while active sniffing injects packets to redirect traffic on switched networks.
- A switch learns MAC-to-port mappings in its CAM table and forwards unicast frames only out the owning port, isolating conversations - which is why sniffing on a switch requires an active attack.
- ARP is stateless and unauthenticated, so hosts cache any reply, including unsolicited (gratuitous) ones. Forged ARP replies poison victim caches so gateway traffic flows to the attacker, creating a man-in-the-middle.
- Dynamic ARP Inspection (DAI) validates ARP packets on untrusted ports against the DHCP snooping binding table and drops invalid IP-to-MAC bindings, neutralizing ARP poisoning.
- MAC flooding fills the finite CAM table with bogus source MACs so the switch fails open and floods unknown-unicast frames out all ports; port security caps MACs per port and triggers a shutdown/restrict/protect action.
- DHCP starvation exhausts the address pool by requesting all leases with spoofed MACs (a DoS), while a rogue DHCP server hands out a malicious gateway/DNS to route client traffic through the attacker.
- DHCP snooping classifies ports as trusted or untrusted and drops server-sourced DHCP messages (OFFER/ACK) arriving on untrusted ports, blocking rogue DHCP servers.
- DNS cache poisoning injects a forged answer the resolver caches so future lookups return an attacker-controlled IP; DNSSEC adds cryptographic signatures so resolvers can reject forged or tampered responses.
- Clear-text protocols expose credentials and data to a sniffer on the path: FTP, Telnet, HTTP, and SNMPv1 send data or community strings in plaintext, whereas HTTPS and SSH are encrypted.
- Encryption is the fundamental defense against sniffing - even if an attacker captures the frames, the payload remains unreadable without the key.
- Wireshark uses display filters (for example 'http' or 'arp' to show only those protocols), while tcpdump uses BPF syntax (for example 'host 10.0.0.5 and tcp port 23' for Telnet, or 'port 53' for DNS over UDP and TCP).
- SPAN (port mirroring) copies traffic from source ports or VLANs to a destination monitor port so a capture tool can see traffic it would otherwise never receive on a switch.
- Ettercap is a suite for LAN man-in-the-middle attacks including ARP poisoning and traffic interception, illustrating how Layer 2 trust weaknesses are weaponized.
- Promiscuous mode configures the NIC to pass all received frames to the OS instead of discarding those not addressed to it, a prerequisite for capturing other hosts' traffic.
Domain 5: Web Application Hacking
- Directory (path) traversal uses dot-dot-slash sequences to escape the web root and read arbitrary files; the primary defense is strict input validation and canonicalization of user-supplied paths.
- Banner grabbing and web server fingerprinting read Server and X-Powered-By headers and response behavior to identify software and versions; masking banners and using generic error pages reduces this fingerprinting.
- Default credentials are a leading compromise vector because many servers ship with documented default admin accounts; hardening requires changing or removing all defaults.
- HTTP response splitting injects unsanitized CRLF characters into response headers (such as a redirect Location or cookie), letting an attacker forge headers and body, enabling cache poisoning, XSS, or defacement; strip or encode CR/LF to prevent it.
- Web cache poisoning stores an attacker-controlled, unkeyed response in a shared cache so it is served to many victims; the defense is keying the cache on all inputs that affect the response.
- Directory listing (directory browsing) discloses files, backups, scripts, and folder layout; disable it and provide default index documents.
- Server misconfigurations - exposed backup files, default management consoles, verbose error messages that leak paths/frameworks/connection strings - give attackers reconnaissance and should be eliminated.
- The typical web architecture has three tiers: the web server tier serves static content and forwards dynamic requests to the application tier, which in turn talks to the data tier.
- A DMZ segments the web server so its compromise does not grant direct access to internal networks, limiting lateral movement.
- Patch management is one of the highest-impact defenses because most web server compromises exploit already-disclosed flaws; pair it with an asset inventory and a tested rollback plan.
- Nikto is a web server scanner that checks for known vulnerabilities, misconfigurations, default files, and dangerous scripts.
- A web application firewall (WAF) inspects HTTP requests and blocks malicious patterns before they reach the application, adding a layer over secure coding.
- Disabling the HTTP TRACE method during hardening prevents cross-site tracing (XST) attacks that abuse TRACE to read otherwise protected headers.
- Server hardening centers on removing defaults, patching promptly, enforcing least privilege, disabling unneeded features/services, and applying a documented, repeatable hardening baseline - not enabling conveniences like directory browsing.
Domain 6: Wireless Network Hacking
- WEP uses the RC4 stream cipher with a weak 24-bit IV; on busy networks IVs are reused, causing keystream reuse that lets attackers statistically recover the key after enough capture.
- WPA2 (802.11i) mandates CCMP, which uses AES in counter mode for confidentiality and CBC-MAC for integrity, replacing the transitional RC4-based TKIP of WPA.
- WPA3-Personal replaces the PSK handshake with SAE (Dragonfly), providing forward secrecy and resistance to offline dictionary attacks; a weak WPA2 PSK, by contrast, can be recovered by offline cracking of a captured handshake.
- WPA2-Enterprise uses 802.1X/EAP with a RADIUS authentication server; EAP-TLS uses mutual certificate-based authentication, avoiding password-based weaknesses.
- An evil twin is a rogue AP configured with a legitimate SSID to lure auto-connecting clients, enabling traffic interception or captive-portal credential harvesting.
- A rogue access point is any unauthorized AP attached to the corporate network, expanding the attack surface regardless of intent.
- WPS is vulnerable because the 8-digit external-registrar PIN is validated in two halves and the last digit is a checksum, shrinking the search space from 10^8 to roughly 10^4 + 10^3 and enabling online brute forcing in hours.
- The Aircrack-ng suite splits by role: airmon-ng enables monitor mode, airodump-ng captures 802.11 frames including handshakes and IVs to a file, aireplay-ng injects and replays frames (including deauth), and aircrack-ng performs offline key analysis.
- Deauthentication and disassociation are unprotected 802.11 management frames by default, so an attacker can spoof a MAC and force clients off the network (also to capture a fresh handshake) unless 802.11w is enabled.
- 802.11w Protected Management Frames authenticates management frames such as deauth to stop spoofing, and it is required in WPA3.
- KRACK (Key Reinstallation Attack) abuses the WPA2 four-way handshake by forcing reinstallation and reuse of a nonce/key, undermining encryption regardless of PSK strength.
- Bluetooth attacks differ in impact: bluesnarfing steals data without consent, bluejacking sends unsolicited messages without compromising data, and bluebugging takes control of device functions.
- Wardriving is moving through an area to detect and map wireless networks; a hidden SSID offers little protection because it is still present in other management frames and is trivially discovered by sniffing.
- MAC addresses travel unencrypted in frame headers, so MAC filtering is weak - an attacker can observe an allowed address and spoof it. 802.11 PHY facts also appear on the exam, such as 802.11a being 5 GHz OFDM up to 54 Mbps and 802.11ax (Wi-Fi 6) using OFDMA for dense-deployment efficiency.
Domain 7: Mobile, IoT, and OT Hacking
- Android builds its application sandbox on the Linux kernel by assigning each app a unique UID at install, so by default one app cannot read another app's process memory or private data directory.
- SELinux adds mandatory access control that confines processes to policy-defined domains, limiting damage even from privileged or compromised processes.
- Rooting (Android) and jailbreaking (iOS) grant privileged access that defeats sandboxing, code-signing, and secure boot, widening the attack surface and allowing unverified software; client-side root/jailbreak detection helps but can be bypassed and must be one layer among server-side controls.
- Unofficial app stores often skip the malware scanning, publisher verification, and policy review official stores perform, so repackaged/trojanized apps reach users; iOS defaults to App Store installs while Android permits user-enabled sideloading.
- App repackaging (trojanizing) means modifying a legitimate app to insert malicious code and redistributing it, often through third-party stores.
- The iOS Keychain is the encrypted, access-controlled store for secrets (passwords, keys, tokens), and the Secure Enclave is an isolated hardware coprocessor that handles keys and biometrics separately from the main CPU.
- Certificate (or public key) pinning binds an app to an expected certificate or key so a rogue certificate presented by an on-path attacker is rejected, defending against man-in-the-middle even after CA compromise.
- Key OWASP Mobile Top 10 categories include Insecure Data Storage (sensitive data recoverable from device files, databases, logs, or caches), Insecure Authentication/Authorization (weak identity or access checks), and Extraneous Functionality (leftover test hooks, debug menus, or hidden backdoors in production builds).
- Sensitive data written to logs can be recovered by other processes, backups, or forensics, so tokens and credentials must never be logged.
- Smishing is phishing over SMS; banking trojans that request SMS-read permission are specifically designed to intercept OTPs and defeat SMS-based two-factor authentication.
- Runtime permissions let users grant only the specific, in-context permissions an app needs and revoke them later, supporting least privilege on the device.
- Enterprise mobility controls: MDM/UEM enforces passcodes, remote wipe, and app distribution across a fleet; containerization isolates corporate apps/data for selective management and wipe without touching personal content; an always-on VPN encrypts corporate traffic even over rogue Wi-Fi.
- Stalkerware/spyware covertly monitors and exfiltrates a victim's activity and is frequently installed by someone with physical access to the device.
- IoT/OT devices expand risk through weak default credentials, unencrypted or legacy protocols (such as Modbus in ICS/SCADA), infrequent patching, and long lifecycles, so network segmentation and monitoring are primary defenses.
Domain 8: Cloud Computing
- Under the shared responsibility model, IaaS gives the customer the most control and responsibility (guest OS patching, hardening, apps, data), while the provider secures the physical facilities, hardware, network fabric, and hypervisor.
- In PaaS the provider manages the OS and runtime and the customer secures only their code, configuration, and data; in SaaS the provider manages nearly everything, but the customer always retains ownership of data, identity, permissions, and sharing settings.
- NIST deployment models: a private cloud is dedicated to one organization, a public cloud is shared, a community cloud serves a group with shared concerns, and a hybrid cloud binds two or more distinct clouds that remain separate but enable portability (such as cloud bursting).
- Public-read storage misconfiguration exposes objects to anonymous internet access, so a single wrong setting can leak large volumes of data to anyone who finds the URL.
- SSRF can coerce a server-side app into fetching the cloud instance metadata endpoint and leaking temporary credentials; enforce session-based (IMDSv2-style) metadata access and least-privilege roles.
- IAM failures - overly broad permissions, unused privileged accounts, and privilege-escalation paths - are a leading cloud attack vector, mitigated by least privilege and MFA on all accounts, especially privileged ones.
- Exposed access keys are harvested rapidly by automated scanners, so leaked keys must be revoked/rotated immediately and the incident investigated for misuse.
- Container image security requires scanning images in CI/CD and using trusted, minimal, regularly updated base images; running a container in privileged mode grants near-host capabilities and raises container-escape risk.
- Kubernetes RBAC governs which subjects can perform which actions on which resources, and network policies restrict pod-to-pod traffic to contain lateral movement.
- In Kubernetes, ConfigMaps are for non-sensitive data while secrets belong in Secrets objects, ideally encrypted at rest and externally managed by a dedicated secrets manager.
- In serverless, the provider runs the platform while the customer secures the function code, dependencies, IAM permissions, and untrusted event inputs.
- Cloud security tooling: CSPM continuously assesses configuration for misconfigurations, drift, and compliance gaps, while CWPP protects workloads (VMs, containers, serverless) including at runtime.
- Shared technology vulnerabilities concern flaws in components common to multiple tenants (hypervisor, shared CPU/hardware), and shadow IT is unsanctioned, unreviewed cloud resource usage.
- Data protection/classification and identity/access management remain customer responsibilities across all service models, so security is never fully outsourced to the provider.
Domain 9: Cryptography
- AES is a symmetric block cipher that encrypts fixed 128-bit blocks with a single shared key and supports 128, 192, and 256-bit keys (using 10, 12, and 14 rounds respectively).
- DES has only a 56-bit effective key (64-bit with 8 parity bits) that modern hardware brute-forces quickly; 3DES runs DES three times in an encrypt-decrypt-encrypt sequence to extend key strength but is now legacy, retired in favor of AES.
- Block ciphers (such as AES) process fixed-size blocks and use modes of operation, while stream ciphers (such as RC4) generate a keystream XORed with plaintext one unit at a time. RC4 was deprecated in WEP and TLS due to keystream biases.
- ECB mode encrypts each block independently, so identical plaintext blocks produce identical ciphertext and leak structure; GCM is an authenticated encryption mode providing confidentiality and integrity in one operation.
- RSA security rests on the hardness of factoring a large semiprime modulus, while ECC achieves equivalent strength with much smaller keys, saving processing and bandwidth.
- Diffie-Hellman lets two parties agree on a shared secret over a public channel without transmitting the key; unauthenticated Diffie-Hellman is vulnerable to a man-in-the-middle who negotiates separate keys with each side.
- Symmetric encryption uses one shared key and is fast for bulk data; asymmetric encryption uses a public/private key pair for key exchange and signatures - hybrid systems use asymmetric crypto to exchange a symmetric session key.
- Cryptographic hashes are one-way and fixed-length; the avalanche effect means a small input change flips roughly half the output bits unpredictably.
- MD5 and SHA-1 are broken for collision resistance (MD5 collisions are trivial; SHA-1 fell to the SHAttered attack), so both are deprecated for signatures and certificates; SHA-256 (SHA-2 family) outputs a 256-bit digest.
- A unique random salt per password ensures identical passwords hash differently, defeating precomputed rainbow tables, and key-stretching functions (bcrypt, scrypt, PBKDF2, Argon2) slow brute forcing.
- HMAC combines a hash function with a secret key to verify both message integrity and sender authenticity, unlike a plain hash which anyone can recompute.
- A digital signature is created with the signer's private key and verified with their public key, providing integrity, authentication, and non-repudiation.
- Public key infrastructure: a CA issues and signs X.509 certificates that bind public keys to subjects, and the chain of trust links a server certificate through intermediate CAs up to a trusted root CA.
- Certificate revocation is checked via CRLs (bulk revocation lists) or OCSP, which queries a responder for the live status of a single certificate.
EC-Council CEH (Certified Ethical Hacker) exam tips
- Watch authorization and intent keywords to classify hackers and testing types: 'authorized' points to white hat and white/black/gray-box scope, while 'without permission' plus intent separates black hats from gray hats.
- Memorize the fixed orderings the exam loves: the seven Cyber Kill Chain phases and the five hacking phases, and be able to place a described activity (for example weaponization vs delivery) in the right slot.
- For each attack, know the single best countermeasure: DAI for ARP poisoning, port security for MAC flooding, DHCP snooping for rogue DHCP, DNSSEC for cache poisoning, salting for rainbow tables, and 802.11w for deauth attacks.
- Map tools to their exact role - Shodan/Censys index devices, Maltego does link analysis, Nikto scans web servers, and in Aircrack-ng know airmon-ng vs airodump-ng vs aireplay-ng vs aircrack-ng.
- For cloud and mobile questions, reason from the shared responsibility model and the platform's built-in protections (sandbox UIDs, Keychain/Secure Enclave, IAM least privilege) rather than memorizing product names.
Study guide FAQ
How is the CEH exam structured and what is the passing score?
The CEH (ANSI) knowledge exam has 125 multiple-choice questions with a 4-hour time limit. There is no single fixed passing percentage - the cut score varies by exam form and typically falls between 60 and 85 percent depending on question difficulty. EC-Council also offers the separate hands-on CEH Practical.
What is the difference between passive and active reconnaissance?
Passive reconnaissance gathers information from public, third-party sources (WHOIS, search engines, Shodan, archives) without ever touching the target's own systems, so it leaves no trace. Active reconnaissance interacts directly with target-owned infrastructure - such as scanning ports or querying the target's own name server - and can be logged and detected.
Do I need programming or command-line experience to pass CEH?
You do not need to be a developer, but you must be comfortable recognizing tool usage and command syntax. The exam expects you to interpret tcpdump BPF filters, Wireshark display filters, dig output, and common tool invocations, and to know what each tool does, so hands-on lab practice significantly improves your results.
How much cryptography does CEH require and at what depth?
CEH covers cryptography conceptually, not mathematically. You should know cipher types (symmetric vs asymmetric, block vs stream), specific algorithms and their status (AES, 3DES, RSA, ECC, RC4, MD5, SHA-1, SHA-256), modes like ECB and GCM, hashing with salt and HMAC, and PKI components (CA, X.509, chain of trust, OCSP), but you will not perform key computations.