This free CEH study guide covers every domain the current EC-Council Certified Ethical Hacker (CEH v13) exam tests, organized to the official CEH Exam Blueprint v5.0.[2] CEH validates that you can think and act like an attacker — but legally — to find and fix weaknesses across networks, web apps, wireless, cloud, mobile, and IoT before criminals do.
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.
The CEH exam has nine official domains drawn from 20 course modules, and we teach each domain as its own study module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official blueprint — not a replacement for hands-on lab practice.
CEH (v13) Exam Snapshot
| Detail | CEH (Certified Ethical Hacker v13) |
|---|---|
| Questions | 125 multiple-choice |
| Time | 4 hours (240 minutes) |
| Passing score | Scaled cut score per form, typically 60%–85% correct (no fixed %) |
| Exam code | 312-50 (knowledge exam) |
| Domains | 9 official domains (drawn from 20 modules) |
| CEH Master | Optional 6-hour, 20-challenge practical exam |
| Certifying body | EC-Council |
| Eligibility | Official training, OR ~2 years infosec experience + application |
| Cost | ≈ $1,199 voucher (self-study path adds ~$100 application) |
| Valid for | 3 years — renew with 120 ECE credits |
One domain dominates. Network & Perimeter Hacking (24%) alone is nearly a quarter of the exam, and the top four domains — Network & Perimeter, Reconnaissance (17%), System Hacking (15%), and Web Application Hacking (14%) — together make up 70% of your score.[2] Study by weight:
The exam also tests the five phases of hacking as a unifying mental model — they connect almost every technique below:
- 1
1 · Reconnaissance
Gather information about the target — passive (OSINT, WHOIS, Google dorking) and active footprinting — before touching the network.
- 2
2 · Scanning
Probe live hosts, open ports, services, and vulnerabilities (Nmap, banner grabbing, vuln scans). Enumeration extracts users, shares, and config.
- 3
3 · Gaining Access
Exploit a weakness to get in — password cracking, exploiting a vulnerability, or social engineering — and escalate privileges.
- 4
4 · Maintaining Access
Keep the foothold — install backdoors, rootkits, or create accounts so the attacker can return at will.
- 5
5 · Clearing Tracks
Cover the trail — clear logs, hide files, disable auditing — so the intrusion goes undetected.
Module 1 · Network & Perimeter Hacking
Domain 4 — 24% of the exam, the single largest. This domain bundles five course modules: sniffing, social engineering, denial-of-service, session hijacking, and evading IDS/firewalls/honeypots. It’s where the most exam questions live, so master it first.
1.1 Sniffing & Layer-2 Attacks
captures network traffic to harvest credentials and data. It works best on the same broadcast domain, with the attacker’s NIC in . Switched networks limit passive sniffing, so attackers turn to active Layer-2 attacks: (forged ARP replies redirect LAN traffic through the attacker — an on-path attack), (overflow the switch CAM table so it fails open), DHCP starvation with a rogue DHCP server, and .
ARP poisoning
Forges ARP replies to map the attacker's MAC to the gateway IP, intercepting LAN traffic.
Defense: Dynamic ARP Inspection (DAI), static ARP entries
MAC flooding
Floods the switch CAM table so it fails open and broadcasts frames like a hub.
Defense: Port security (limit MACs per port)
DHCP starvation / rogue DHCP
Exhausts the DHCP pool, then offers attacker-controlled gateway/DNS.
Defense: DHCP snooping
DNS poisoning
Injects false DNS records so victims resolve to attacker hosts.
Defense: DNSSEC, encrypted DNS (DoH/DoT)
1.2 Social Engineering
attacks the human, not the machine — often the easiest way in. The headliner is (fraudulent email); variants include (voice), (SMS), spear phishing (targeted), and whaling (executives). Other techniques: pretexting, tailgating/piggybacking, impersonation, baiting, and quid pro quo. Watch for the — someone misusing already-authorized access.
| Technique | How it works |
|---|---|
| Phishing | Fraudulent email to steal credentials or deliver malware |
| Vishing / Smishing | The same, by voice call / by SMS text |
| Spear phishing / whaling | Targeted at a specific person / at executives |
| Pretexting | Inventing a believable scenario to extract information |
| Tailgating / piggybacking | Following an authorized person through a secure door |
| Impersonation | Posing as IT, a vendor, or an executive to gain trust |
1.3 Denial-of-Service & Session Hijacking
A attack overwhelms a target so legitimate users can’t reach it; a does it from a of compromised hosts at once. Categories: volumetric floods (saturate bandwidth — UDP/ICMP floods), protocol attacks (exhaust state — SYN flood), and application-layer attacks (slow, low-volume HTTP requests like Slowloris). Defenses include rate limiting, SYN cookies, anycast, and traffic-scrubbing/CDN services.
takes over an authenticated session by stealing or predicting the session ID. Network-level hijacking intercepts TCP traffic (often after ARP poisoning); application-level hijacking steals a session cookie, frequently via . Defend with TLS, the HttpOnly and Secure cookie flags, unpredictable session IDs, and regenerating the ID after login.
| Category | Mechanism | Example |
|---|---|---|
| Volumetric | Saturate the target's bandwidth | UDP flood, ICMP flood, amplification |
| Protocol | Exhaust server/firewall state | SYN flood, Ping of Death |
| Application-layer | Exhaust app resources with valid-looking requests | Slowloris, HTTP flood |
1.4 Evading IDS, Firewalls & Honeypots
Defenders deploy an (detects and alerts, passive), an (detects and blocks inline, active), firewalls (packet-filter, stateful, next-gen/WAF), and a (a decoy that lures attackers and records them). Attackers evade detection with packet fragmentation, payload encoding/encryption, tunneling over allowed ports, source-address spoofing, and timing/throttling to slip under thresholds. Recognizing a honeypot (unusual openness, fake data) is itself a tested skill.
| Defense | Role |
|---|---|
| IDS | Detects and alerts on suspicious traffic (passive) |
| IPS | Detects and blocks suspicious traffic inline (active) |
| Firewall (stateful / NGFW) | Filters traffic by rules; tracks connection state; NGFW adds app awareness |
| WAF | Protects web apps from injection, XSS, and layer-7 attacks |
| Honeypot | A decoy system that lures and records attackers |
Checkpoint · Network & Perimeter Hacking
Question 1 of 10
A penetration tester needs a packet-capture utility that can operate from a command line on a Linux host with no graphical interface to record traffic into a file for later review. Which tool is best suited to capturing packets directly from the terminal?
Module 2 · Reconnaissance Techniques
Domain 2 — 17% of the exam. The second-largest domain bundles footprinting, scanning, and enumeration — the information-gathering that precedes every attack. Better recon means a more efficient, more successful engagement.
2.1 Footprinting & Reconnaissance
builds a profile of the target. The first split to know cold is (no direct contact — , , DNS records, , , social media, job postings, archived pages) versus (direct interaction — ping sweeps, port scans, banner grabbing). Passive is stealthy; active gives more detail but can be logged.
Passive reconnaissance
No direct contact
Gather info without touching the target — OSINT, WHOIS, DNS records, Google dorking, Shodan, social media. Stealthy; hard to detect.
Active reconnaissance
Direct interaction
Engage the target directly — ping sweeps, port scans (Nmap), banner grabbing, enumeration. Richer data, but it can trip IDS alerts.
| Source / tool | What it reveals |
|---|---|
| WHOIS | Domain registrar, registration dates, name servers, sometimes contacts |
| DNS / nslookup / dig | Records (A, MX, NS, TXT); a zone transfer can dump the whole zone |
| Google dorking | Exposed files/pages via operators (site:, inurl:, intitle:, filetype:) |
| Shodan | Internet-exposed devices, open ports, and service banners |
| theHarvester / Maltego | Emails, subdomains, and relationships from public sources |
| Social media / job posts | Employees, technologies in use, and org structure |
2.2 Scanning Networks
Scanning discovers live hosts, open ports, services, and vulnerabilities. is the standard tool.
Know the scan types: a TCP connect scan completes the full three-way handshake (reliable, loud); a (-sS, half-open) is stealthier; NULL, FIN, and Xmas scans send unusual flag combinations to evade simple filters; a UDP scan (-sU) probes connectionless services. and OS fingerprinting (-O) identify what’s running.
| Scan | Flag | Behavior |
|---|---|---|
| TCP connect | -sT | Completes the full 3-way handshake — reliable but easily logged |
| SYN / half-open | -sS | Sends SYN, never finishes — stealthier, the default for root |
| NULL / FIN / Xmas | -sN / -sF / -sX | Unusual flag combos to slip past simple filters |
| UDP | -sU | Probes connectionless services (DNS, SNMP, DHCP) |
| Version / OS detection | -sV / -O | Identifies service versions and the operating system |
2.3 Enumeration
actively extracts detailed information after scanning — usernames, group memberships, network shares, running services, and configuration that feed exploitation. Each protocol has its own enumeration path and default port. Classic footholds: SNMP with default community strings (“public”/“private”) and DNS zone transfers.
| Protocol | Port | What it can reveal |
|---|---|---|
| NetBIOS / SMB | 137–139, 445 | Shares, users, and system names on Windows networks |
| SNMP | 161 | Device config and inventory (default community strings leak a lot) |
| LDAP | 389 | Directory objects — users, groups, organizational units |
| SMTP | 25 | Valid email accounts via VRFY/EXPN/RCPT TO |
| NTP | 123 | Hosts and times that sync to a server |
| DNS | 53 | A zone transfer (AXFR) can dump all records for a zone |
Checkpoint · Reconnaissance Techniques
Question 1 of 10
A security consultant begins a sanctioned engagement and decides to start with reconnaissance. In the recognized ethical hacking workflow, what is the primary goal of this opening reconnaissance work?
Module 3 · System Hacking & Malware
Domain 3 — 15% of the exam. This domain covers vulnerability analysis, the system-hacking workflow (gaining and keeping access), and the malware zoo. It maps directly onto the “gaining” and “maintaining access” phases.
3.1 Vulnerability Analysis
A identifies, classifies, and prioritizes weaknesses. It’s a cycle: scan, then prioritize using severity scores and identifiers, confirm findings (true vs. false positive), remediate, and rescan to validate. Assessment types include active vs. passive, external vs. internal, and authenticated (credentialed) vs. unauthenticated.[5]
Asset
Anything of value worth protecting — data, a server, a service, or a reputation.
Vulnerability
A weakness or flaw in a system that could be exploited (e.g., an unpatched service).
Threat
A potential danger that could exploit a vulnerability (e.g., an attacker or malware).
Exploit
The actual code or technique that takes advantage of a vulnerability.
Risk
The likelihood AND impact of a threat exploiting a vulnerability. Risk = threat × vulnerability × impact.
3.2 System Hacking & Privilege Escalation
System hacking follows a sub-workflow: gain access → escalate privileges → execute applications → hide files → cover tracks. is central: dictionary, brute-force, hybrid, and attacks (defeated by ). Two high-yield credential attacks: (reuse a captured NTLM hash without cracking it) and (crack service-ticket hashes offline).
is vertical (to admin/root) or horizontal (to another user), via misconfigurations, unpatched flaws, SUID binaries, or DLL hijacking. Then attackers maintain access with a (user- or kernel-mode), , or backdoor, and clear logs to cover tracks. can hide data or tools inside ordinary files.
| Attack | How it works | Primary defense |
|---|---|---|
| Dictionary | Tries a wordlist of likely passwords | Long passphrases; lockout |
| Brute force | Tries every possible combination | Length + complexity; rate limiting |
| Rainbow table | Looks up precomputed hashes | Salting every hash |
| Pass-the-hash | Reuses a captured NTLM hash to authenticate | Kerberos, Credential Guard, least privilege |
| Kerberoasting | Cracks service-ticket (TGS) hashes offline | Strong service-account passwords; gMSA |
3.3 Malware Threats
Memorize the families and how they spread: a needs a host file and user action; a self-propagates across networks; a disguises itself as legitimate software; encrypts data for extortion; runs in memory to evade disk detection; and an is a stealthy, long-term, well-resourced intruder. Analysis is static (inspect without running) or dynamic (run in a sandbox to observe behavior).
| Type | Key trait |
|---|---|
| Virus | Attaches to a host file; needs user action to run |
| Worm | Self-propagating across networks; no user action |
| Trojan | Disguised as legitimate software; opens a hidden backdoor |
| Ransomware | Encrypts data and demands payment for the key |
| Fileless malware | Runs in memory using legitimate tools to evade detection |
| APT | Stealthy, long-term, well-resourced (often nation-state) |
Checkpoint · System Hacking & Malware
Question 1 of 10
A penetration tester outlines the recognized order of the system-hacking methodology to a client. Which sequence correctly lists the major goals an attacker pursues once a target system has been identified?
Module 4 · Web Application Hacking
Domain 5 — 14% of the exam. This domain covers attacking web servers, web applications, and databases via SQL injection. The is the backbone — learn the top web risks and their fixes.[4]
4.1 Hacking Web Servers
A targets the server software and its configuration rather than the application logic: unpatched servers (known CVEs), (../ to reach files outside the web root), default accounts and sample content, misconfiguration, and HTTP method abuse. The methodology is information-gathering → footprint → vulnerability scan → exploit. The leading defense is rigorous patch management and secure baselines.
4.2 Hacking Web Applications
Web-app attacks target the application’s own logic and inputs. The OWASP Top 10 frames the highest-risk classes: injection, broken access control, broken authentication, security misconfiguration, and more. Beyond and (covered below and at right), know (forcing an authenticated user’s browser to submit an unwanted request), command injection, file inclusion (LFI/RFI), and SSRF (server-side request forgery).
| Attack | What it does | Primary mitigation |
|---|---|---|
| SQL injection | Runs attacker SQL on the database | Parameterized queries + input validation |
| Cross-site scripting (XSS) | Runs script in another user's browser | Output encoding + Content Security Policy |
| CSRF | Forces an authenticated request the user didn't intend | Anti-CSRF tokens; SameSite cookies |
| Command injection | Runs OS commands through input | Avoid shell calls; validate/escape input |
| File inclusion (LFI/RFI) | Loads local/remote files via input | Whitelist paths; disable remote includes |
| SSRF | Makes the server request attacker-chosen URLs | Validate/allow-list outbound URLs |
4.3 SQL Injection
inserts malicious SQL into input so the database runs unintended commands — reading, altering, or deleting data, or bypassing login. The classic example: entering ' OR '1'='1 makes a WHERE clause always true.
Types include in-band (union/error-based), blind (boolean or time-based, inferring results bit by bit), and out-of-band. The definitive fix is the (prepared statement) plus strict input validation and least-privilege database accounts.[4]
Checkpoint · Web Application Hacking
Question 1 of 10
A web application passes user-supplied input directly into a backend database query without sanitization, allowing an attacker to alter the structure of the query by submitting characters like a single quote. Which web application attack does this describe?
Module 5 · Information Security & Ethical Hacking Overview
Domain 1 — 6% of the exam. This is the conceptual foundation: the goals of security, the five phases, hacker classes, attack frameworks, types of penetration test, and the laws and standards that make hacking ethical. Smaller in weight, but it sets the vocabulary for everything else.
5.1 Core Concepts & the CIA Triad
Security aims at the : Confidentiality (only authorized access), Integrity (data is unaltered), and Availability (accessible when needed) — plus authenticity and non-repudiation. Get the core vocabulary straight: a is a weakness, a could exploit it, an is the tool, and is likelihood × impact. layers controls so one failure isn’t a breach.
5.2 The Five Phases & Hacker Classes
The (reconnaissance → scanning → gaining access → maintaining access → clearing tracks) are the methodology behind every technique on the exam (see the diagram above). Know the / / classes — the only thing that separates a CEH from a criminal is authorization and scope.
White hat
Authorized, ethical hacker (a CEH). Tests with written permission to find and fix weaknesses before criminals do.
Black hat
Malicious attacker who breaks in without authorization for theft, damage, or profit. Their activity is a crime.
Gray hat
Operates in between — may probe systems without permission but without clear malicious intent. Still legally risky.
5.3 Methodologies, Scope & Law
Two frameworks recur: the (Lockheed Martin’s 7-stage intrusion model) and (a catalog of real adversary tactics and techniques).[3] Engagements are typed by knowledge given to the tester — (none), (partial), (full). Every engagement needs written authorization and . Finally, know the laws and standards: PCI-DSS, HIPAA, GDPR, SOX, and ISO/IEC 27001.
- 1
1 · Reconnaissance
Research and select the target; harvest emails, identities, and exposed services.
- 2
2 · Weaponization
Pair an exploit with a payload (e.g., a malicious PDF or Office macro).
- 3
3 · Delivery
Transmit the weapon to the target — phishing email, USB drop, or compromised website.
- 4
4 · Exploitation
Trigger the exploit to run the attacker's code on the victim system.
- 5
5 · Installation
Install malware/backdoor to establish a persistent foothold.
- 6
6 · Command & Control (C2)
Open a channel back to the attacker so the compromised host can be remotely controlled.
- 7
7 · Actions on Objectives
Achieve the goal — exfiltrate data, destroy, or pivot deeper into the network.
Checkpoint · Information Security & Ethical Hacking Overview
Question 1 of 10
A security analyst lists the standard ethical hacking phases in order. After scanning, which phase comes next in the five-phase methodology?
Module 6 · Mobile, IoT & OT Hacking
Domain 7 — 10% of the exam. This domain combines mobile platform hacking with the fast-growing IoT and OT (operational technology) attack surface.
6.1 Hacking Mobile Platforms
Mobile risks follow the OWASP Mobile Top 10: insecure data storage, weak server-side controls, and insecure communication. Attack vectors include (removing OS protections), repackaged/trojanized apps, malicious profiles, and overlay attacks that imitate a legitimate login screen. Organizations defend with and clear BYOD/COPE/CYOD policies that can block rooted devices.
6.2 IoT & OT Hacking
IoT devices ship with weak defaults, rarely get patched, and run for years — the OWASP IoT Top 10 leads with weak passwords, insecure network services, and missing update mechanisms.[7] systems run physical processes and prioritize availability and safety, so the CIA triad effectively flips to A-I-C — you often can’t take them offline to patch. The fix is network segmentation, strong defaults, and compensating controls.
| Challenge | Detail |
|---|---|
| Weak defaults | Default/hard-coded credentials rarely changed |
| Infrequent patching | Long lifecycles; many devices can't be updated easily |
| Availability-first | OT/ICS prioritize uptime and safety over confidentiality (AIC) |
| Broad protocols | Zigbee, BLE, and proprietary RF expand the attack surface |
Checkpoint · Mobile, IoT & OT Hacking
Question 1 of 10
A penetration tester is profiling the entry points an attacker could use to compromise a smartphone. Which of the following is the broadest and most commonly exploited mobile attack surface that lets a malicious app reach the user without the device being physically handled?
Module 7 · Wireless Network Hacking
Domain 6 — 5% of the exam. Wireless hacking centers on the evolution of Wi-Fi encryption and the attacks that target each generation.
7.1 Wireless Encryption (WEP/WPA/WPA2/WPA3)
uses RC4 with a short, reused IV and is completely broken — recoverable in minutes. uses AES-CCMP and a , but a captured handshake can be brute-forced offline against a weak passphrase. adds SAE (Dragonfly), which resists offline cracking even of weak passwords.
| Standard | Cipher | Status |
|---|---|---|
| WEP | RC4 (weak, reused IV) | Broken — never use |
| WPA | TKIP | Deprecated |
| WPA2 | AES-CCMP | Common; weak PSKs are crackable offline |
| WPA3 | AES + SAE (Dragonfly) | Current; resists offline cracking |
7.2 Wireless Attacks & Tools
Key attacks: capturing the and cracking the PSK offline (Aircrack-ng), the / rogue AP (a fake AP that mimics a real SSID to harvest credentials), and deauthentication/disassociation attacks that knock clients off so they reconnect (often to the evil twin). Bluetooth attacks — bluejacking, bluesnarfing, bluebugging — round out the short-range threats.
Checkpoint · Wireless Network Hacking
Question 1 of 10
A tester reviewing why WEP allows attackers to forge and modify encrypted frames without knowing the key learns that WEP protects frame integrity with a linear CRC-32 checksum called the Integrity Check Value. Why does this design choice let an attacker tamper with WEP frames undetected?
Module 8 · Cloud Computing
Domain 8 — 5% of the exam. Cloud security on CEH centers on the shared responsibility model and the new attack surface of containers and serverless — areas CEH v13 expanded.
8.1 Cloud Models & Shared Responsibility
Know the service models — , PaaS, and — and the : the provider secures the infrastructure (“security of the cloud”); the customer secures data, identities, and configuration (“security in the cloud”). The customer manages the most in IaaS and the least in SaaS. Misconfiguration — a public storage bucket, an over-permissioned IAM role — is the customer’s job and a leading breach cause.
| Model | Provider secures | Customer secures |
|---|---|---|
| IaaS | Physical, network, hypervisor | OS, apps, data, access (the most) |
| PaaS | Up through the runtime/platform | Apps, data, and access |
| SaaS | Almost everything | Data and access (the least) |
8.2 Cloud, Container & Serverless Attacks
CEH-relevant cloud attacks: exposed/public storage buckets, stolen long-lived API keys (then resource abuse such as cryptojacking), from a compromised pod to the host, exposed Kubernetes secrets, and over-permissioned serverless function roles that let an event-injection attack pivot. The fixes are least privilege on IAM, secrets management, blocking public access by default, and image/dependency scanning.
Checkpoint · Cloud Computing
Question 1 of 10
A startup subscribes to a fully managed email and document suite where the provider operates the entire stack and the customer only configures user accounts and sharing settings. Which cloud service model does this describe?
Module 9 · Cryptography
Domain 9 — 5% of the exam. Cryptography questions test the three families, which key does what, PKI, and the common cryptographic attacks.
9.1 Encryption, Hashing & Signatures
There are three families: (one shared key, fast — AES, DES/3DES), (a public/private pair — RSA, ECC), and (a one-way digest — SHA-256; MD5 and SHA-1 are broken). Know which key does what: encrypt FOR someone with their public key; create a by signing with YOUR private key. exchanges a shared secret over an insecure channel; TLS is hybrid.
Symmetric
One shared secret key
Fast bulk encryption — AES (Rijndael), DES/3DES, RC4. Same key encrypts and decrypts; key distribution is the hard part.
Asymmetric
Public/private key pair
Key exchange and digital signatures — RSA, ECC, Diffie-Hellman. Encrypt with one key, decrypt with the other.
Hashing
No key — one-way
Integrity and password storage — SHA-256, SHA-3. MD5 and SHA-1 are broken (collisions). Same input → same digest; not reversible.
| Goal | Use… | Example |
|---|---|---|
| Encrypt bulk data fast | Symmetric encryption | AES-256 |
| Exchange a key / sign | Asymmetric encryption | RSA, ECC, Diffie-Hellman |
| Verify integrity | Hashing | SHA-256, SHA-3 |
| Store passwords safely | Salted KDF | bcrypt, Argon2, PBKDF2 |
| Prove identity to a website | Digital certificate (PKI) | X.509 over TLS |
9.2 PKI & Cryptographic Attacks
is the system of Certificate Authorities, policies, and keys that issues X.509 certificates binding a public key to a verified identity; revocation is checked via CRL or OCSP. Common cryptographic attacks: brute-force/known-plaintext, the (collisions), man-in-the-middle/downgrade attacks (POODLE), and side-channel attacks. Weak choices to flag: ECB mode (leaks patterns), MD5/SHA-1 (collisions), and short keys.
Checkpoint · Cryptography
Question 1 of 10
A security engineer needs an encryption scheme in which the exact same secret key is used both to encrypt a file and to later decrypt it, and the key must be shared with anyone who needs access. Which category of cryptography does this describe?
How to Use This CEH Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Network & Perimeter (24%), Reconnaissance (17%), System Hacking (15%), and Web App (14%) are 70% of the exam — start there.
- Anchor everything to the five phases. Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks gives every tool and attack a place in the workflow.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill tools and ports. CEH rewards recall of tools (Nmap, Aircrack-ng, Metasploit), default ports, and attack-to-countermeasure pairs — perfect for the flashcards and a practice test.
CEH Concept Questions
Core CEH concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
CEH Glossary
The high-yield CEH terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Active reconnaissance
- Interacting with the target directly — ping sweeps, port scans, banner grabbing, enumeration.
- APT
- Advanced Persistent Threat — a skilled, well-resourced (often nation-state) adversary maintaining long-term stealthy access.
- ARP poisoning
- Sending forged ARP replies to redirect LAN traffic through the attacker (an on-path attack).
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC); data encrypted with one key is decrypted only with the other.
- Banner grabbing
- Reading a service's response to identify its software and version.
- Birthday attack
- A cryptographic attack that exploits the math of collisions to find two inputs with the same hash faster than brute force.
- Black hat
- A malicious attacker who breaks into systems without authorization for harm or gain.
- Black-box testing
- A penetration test where the tester has no prior knowledge of the target — simulating an external attacker.
- Botnet
- A network of malware-infected 'zombie' hosts remotely controlled by an attacker.
- CIA triad
- The three core goals of information security — Confidentiality (only authorized access), Integrity (data is unaltered), and Availability (accessible when needed).
- Container escape
- Breaking out of a container's isolation to access the host or other containers.
- Cross-site scripting
- Injecting malicious script into a trusted site that runs in another user's browser (stored, reflected, or DOM-based).
- CSRF
- Cross-Site Request Forgery — tricking an authenticated user's browser into sending an unwanted request to a site they trust.
- CVE
- Common Vulnerabilities and Exposures — a public catalog of unique IDs for known vulnerabilities.
- CVSS
- Common Vulnerability Scoring System — a 0–10 score rating the severity of a vulnerability.
- Cyber Kill Chain
- Lockheed Martin's 7-stage model of an intrusion: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives.
- DDoS
- A distributed denial-of-service attack launched from many compromised machines (a botnet) at once.
- Defense in depth
- Layering multiple independent security controls so that the failure of one does not expose the asset.
- Denial-of-service
- An attack that overwhelms a system or network so legitimate users cannot access it.
- Diffie-Hellman
- A key-exchange algorithm that lets two parties derive a shared secret over an insecure channel without sending it.
- Digital signature
- A hash of a message encrypted with the signer's private key; proves integrity and authenticity (non-repudiation).
- Directory traversal
- Manipulating file paths (../) to access files outside the intended web directory.
- DNS poisoning
- Injecting false DNS records so victims resolve a name to an attacker-controlled address.
- Enumeration
- Actively extracting detailed information — usernames, shares, services, configuration — from a target after scanning.
- Ethical hacking
- Authorized testing of systems using the same tools and techniques as a malicious attacker, with written permission and a defined scope, to find and fix weaknesses first.
- Evil twin
- A rogue access point that impersonates a legitimate Wi-Fi network to capture traffic or credentials.
- Exploit
- The code or technique that actively takes advantage of a vulnerability.
- Fileless malware
- Malware that runs in memory using legitimate tools, leaving little on disk to evade detection.
- Five phases of hacking
- Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks — the standard methodology an ethical hacker follows.
- Footprinting
- The systematic process of gathering information to build a profile of a target's network, domains, people, and technology.
- Four-way handshake
- The WPA2 key-exchange; capturing it lets an attacker brute-force the passphrase offline.
- Google dorking
- Using advanced search operators (site:, inurl:, intitle:, filetype:) to find exposed or sensitive information indexed by search engines.
- Gray hat
- A hacker who operates between ethical and malicious — often probing without permission but without clear malicious intent.
- Gray-box testing
- A penetration test with partial knowledge, such as a standard user account.
- Hashing
- A one-way function producing a fixed-length digest (e.g., SHA-256); used for integrity and password storage, not reversible.
- Honeypot
- A decoy system that lures attackers away from real assets and records their behavior.
- IaaS
- Infrastructure as a Service — the provider supplies compute/storage/network; the customer manages OS, apps, and data.
- IDS
- Intrusion Detection System — monitors and alerts on suspicious traffic (passive).
- Insider threat
- A current or former employee, contractor, or partner who misuses authorized access to harm the organization.
- IPS
- Intrusion Prevention System — detects and blocks suspicious traffic inline (active).
- Jailbreaking / rooting
- Removing a mobile OS's built-in restrictions, which also removes security protections.
- Kerberoasting
- Requesting service tickets and cracking them offline to recover service-account passwords in Active Directory.
- Keylogger
- Software or hardware that records keystrokes to capture passwords and other input.
- MAC flooding
- Overflowing a switch's CAM table so it fails open and broadcasts frames like a hub.
- Malware
- Malicious software — including viruses, worms, trojans, ransomware, spyware, rootkits, and fileless malware.
- MDM
- Mobile Device Management — software to enforce policy, encryption, and remote wipe on mobile devices.
- MITRE ATT&CK
- A knowledge base that catalogs real-world adversary tactics and techniques across the attack lifecycle.
- Nmap
- The de facto network scanner used for host discovery, port scanning, service/version detection, and OS fingerprinting.
- OSINT
- Open-Source Intelligence — information gathered from publicly available sources.
- OT / ICS / SCADA
- Operational Technology and the industrial control systems that run physical processes; they prioritize availability and safety.
- OWASP Top 10
- The OWASP Foundation's regularly updated list of the most critical web application security risks.
- Parameterized query
- A prepared statement that separates SQL code from user input so the input is always treated as data.
- Pass-the-hash
- Authenticating with a captured NTLM password hash without ever cracking the plaintext password.
- Passive reconnaissance
- Gathering information without directly contacting the target (OSINT, WHOIS, DNS, Shodan, social media).
- Password cracking
- Recovering passwords from stored hashes via dictionary, brute-force, hybrid, or rainbow-table attacks.
- Phishing
- A fraudulent message (usually email) that tricks the victim into revealing credentials or running malware.
- PKI
- Public Key Infrastructure — the CAs, policies, and keys that issue and manage digital certificates.
- Privilege escalation
- Gaining higher access rights than granted — vertical (to admin/root) or horizontal (to another user).
- Promiscuous mode
- A network-card mode that captures all traffic on a segment, not just frames addressed to that host.
- Rainbow table
- A precomputed lookup of hashes used to reverse unsalted password hashes quickly.
- Ransomware
- Malware that encrypts a victim's data and demands payment for the decryption key.
- Risk
- The combination of the likelihood a threat exploits a vulnerability and the impact if it does.
- Rootkit
- Malware that hides deep in the system (often the kernel) to maintain stealthy, privileged access.
- Rules of engagement
- The agreed scope, methods, timing, and limits of an authorized engagement, set before any testing.
- SaaS
- Software as a Service — the provider manages almost everything; the customer manages mainly data and access.
- Salting
- Adding unique random data to a password before hashing so identical passwords produce different hashes and rainbow tables fail.
- Session hijacking
- Taking over a user's authenticated session by stealing or predicting the session identifier.
- Shared responsibility model
- Cloud division of duties: the provider secures the infrastructure; the customer secures data, identities, and configuration.
- Shodan
- A search engine that indexes Internet-connected devices and their open services and banners.
- Smishing
- SMS phishing — a social-engineering attack delivered by text message.
- Sniffing
- Capturing and inspecting network traffic, often to harvest credentials or sensitive data.
- Social engineering
- Manipulating people into divulging information or performing actions that compromise security.
- SQL injection
- A web attack inserting malicious SQL into input so the database runs unintended commands; fixed with parameterized queries.
- Steganography
- Hiding data inside other data (for example, within an image) so its very existence is concealed.
- Symmetric encryption
- Encryption using one shared secret key to both encrypt and decrypt (e.g., AES) — fast, but the key must be shared securely.
- SYN scan
- A stealthy 'half-open' port scan (-sS) that sends SYN and never completes the handshake.
- Threat
- A potential danger — such as an attacker or malware — that could exploit a vulnerability.
- Trojan
- Malware disguised as legitimate software that performs a hidden malicious action when run.
- Virus
- Malware that attaches to a host file and requires user action to execute and spread.
- Vishing
- Voice phishing — a social-engineering attack carried out over a phone call.
- Vulnerability
- A weakness or flaw in a system, process, or control that could be exploited by a threat.
- Vulnerability assessment
- A systematic review that identifies, classifies, and prioritizes vulnerabilities in a system.
- Web server attack
- Exploiting a web server's flaws or misconfiguration — directory traversal, default content, or unpatched software.
- WEP
- Wired Equivalent Privacy — an obsolete, broken Wi-Fi encryption using RC4 with a weak, reused IV.
- White hat
- An authorized, ethical hacker who tests systems with permission to improve security.
- White-box testing
- A penetration test where the tester has full knowledge of the target (architecture, source, credentials) — the most thorough.
- WHOIS
- A query that returns registration details for a domain or IP address (registrar, contacts, name servers).
- Worm
- Self-propagating malware that spreads across networks with no user interaction.
- WPA2
- Wi-Fi Protected Access 2 — uses AES-CCMP; vulnerable to offline dictionary attacks on weak pre-shared keys.
- WPA3
- The current Wi-Fi security standard; SAE (Dragonfly) resists offline password cracking.
CEH Study Guide FAQ
The CEH (312-50) knowledge exam has 125 multiple-choice questions and a 4-hour (240-minute) time limit — about 1.9 minutes per question. The CEH v13 also offers an optional 6-hour, 20-challenge practical exam to earn the CEH (Master) credential.
There is no single fixed passing percentage. Each exam form has a scaled cut score that varies, typically between 60% and 85% of items correct, because EC-Council statistically calibrates difficulty per form — a harder form needs fewer correct answers and an easier form needs more.
CEH v13 (Blueprint v5.0) has nine domains: Network & Perimeter Hacking (24%), Reconnaissance Techniques (17%), System Hacking Phases & Attack Techniques (15%), Web Application Hacking (14%), Mobile/IoT/OT Hacking (10%), Information Security & Ethical Hacking Overview (6%), and Wireless, Cloud, and Cryptography (5% each).
The five phases are Reconnaissance (gather information), Scanning (find live hosts, ports, and vulnerabilities), Gaining Access (exploit a weakness), Maintaining Access (keep the foothold with backdoors), and Clearing Tracks (erase evidence). An ethical hacker follows the same phases as an attacker, but with written authorization.
The CEH exam voucher is approximately $1,199 USD, and the self-study (experience) eligibility path adds a roughly $100 application fee; official training bundles run higher (about $1,699–$3,499+). Prices vary by region and provider — confirm the current price on EC-Council's site before you buy.
You qualify two ways: attend official EC-Council training (no application needed), or take the self-study path by submitting an eligibility application showing at least two years of work experience in information security (with a roughly $100 application fee) and getting approved.
CEH v13 integrates AI throughout the program — adding AI-driven attack and defense techniques and AI-assisted labs across the existing 20 modules — along with expanded cloud security coverage and updated hands-on lab environments. The nine-domain structure (Blueprint v5.0) is unchanged.
CEH is broad rather than deeply specialized — its challenge is the sheer range of tools, attacks, and terminology across 20 modules. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are all 100% free with no account required.
References
- 1.EC-Council. “Certified Ethical Hacker (CEH) — Program Overview.” eccouncil.org. ↑
- 2.EC-Council. “CEH Exam Blueprint v5.0.” cert.eccouncil.org. ↑
- 3.The MITRE Corporation. “MITRE ATT&CK — Enterprise Matrix.” attack.mitre.org. ↑
- 4.OWASP Foundation. “OWASP Top 10 Web Application Security Risks.” owasp.org. ↑
- 5.National Institute of Standards and Technology. “SP 800-115, Technical Guide to Information Security Testing and Assessment.” csrc.nist.gov. ↑
- 6.National Institute of Standards and Technology. “Glossary (Computer Security Resource Center).” csrc.nist.gov. ↑
- 7.OWASP Foundation. “OWASP Internet of Things Project.” owasp.org. ↑
- 101.National Institute of Standards and Technology (NIST). “Vulnerability (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 102.National Institute of Standards and Technology (NIST). “Penetration Testing (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 103.The MITRE Corporation. “Reconnaissance, Tactic TA0043 (ATT&CK).” attack.mitre.org, accessed 19 June 2026. ↑
- 104.National Institute of Standards and Technology (NIST). “Port Scanning (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 105.The MITRE Corporation. “Use Alternate Authentication Material: Pass the Hash, T1550.002 (ATT&CK).” attack.mitre.org, accessed 19 June 2026. ↑
- 106.The MITRE Corporation. “Privilege Escalation, Tactic TA0004 (ATT&CK).” attack.mitre.org, accessed 19 June 2026. ↑
- 107.National Institute of Standards and Technology (NIST). “Rootkit (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 108.National Institute of Standards and Technology (NIST). “Malware (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 109.National Institute of Standards and Technology (NIST). “ARP Spoofing (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 110.National Institute of Standards and Technology (NIST). “Social Engineering (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 111.National Institute of Standards and Technology (NIST). “Denial of Service (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 112.OWASP Foundation. “Session Hijacking Attack.” owasp.org, accessed 19 June 2026. ↑
- 113.OWASP Foundation. “SQL Injection.” owasp.org, accessed 19 June 2026. ↑
- 114.OWASP Foundation. “Cross Site Scripting (XSS).” owasp.org, accessed 19 June 2026. ↑
- 115.National Institute of Standards and Technology (NIST). “WPA2 (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 116.National Institute of Standards and Technology (NIST). “Public Key Infrastructure (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑
- 117.National Institute of Standards and Technology (NIST). “Hash Function (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026. ↑

Career Employer
Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.
All PostsCareer Employer’s Editorial Process
Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.
