Career Employer

FREE CEH Study Guide 2026 (Certified Ethical Hacker v13)

The most important things the EC-Council CEH v13 exam tests — an interactive study guide with built-in quizzes and flashcards, organized by all 9 official domains and the 5 phases of hacking.

Check sections to boost your score

Don't know where to start?

To find us again, just search “Career Employer CEH

By

This free CEH study guide covers every domain the current EC-Council Certified Ethical Hacker (CEH v13) exam tests, organized to the official CEH Exam Blueprint v5.0.[2] CEH validates that you can think and act like an attacker — but legally — to find and fix weaknesses across networks, web apps, wireless, cloud, mobile, and IoT before criminals do.

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.

The CEH exam has nine official domains drawn from 20 course modules, and we teach each domain as its own study module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official blueprint — not a replacement for hands-on lab practice.

CEH (v13) Exam Snapshot

EC-Council CEH exam at a glance
DetailCEH (Certified Ethical Hacker v13)
Questions125 multiple-choice
Time4 hours (240 minutes)
Passing scoreScaled cut score per form, typically 60%–85% correct (no fixed %)
Exam code312-50 (knowledge exam)
Domains9 official domains (drawn from 20 modules)
CEH MasterOptional 6-hour, 20-challenge practical exam
Certifying bodyEC-Council
EligibilityOfficial training, OR ~2 years infosec experience + application
Cost≈ $1,199 voucher (self-study path adds ~$100 application)
Valid for3 years — renew with 120 ECE credits

One domain dominates. Network & Perimeter Hacking (24%) alone is nearly a quarter of the exam, and the top four domains — Network & Perimeter, Reconnaissance (17%), System Hacking (15%), and Web Application Hacking (14%) — together make up 70% of your score.[2] Study by weight:

CEH v13 weighting by domain (EC-Council Exam Blueprint v5.0)
Network & Perimeter Hacking24% · biggest domain
Reconnaissance Techniques17%
System Hacking Phases & Attack Techniques15%
Web Application Hacking14%
Mobile, IoT & OT Hacking10%
Information Security & Overview6%
Wireless Network Hacking5%
Cloud Computing5%
Cryptography5%

The exam also tests the five phases of hacking as a unifying mental model — they connect almost every technique below:

Module 1 · Network & Perimeter Hacking

Domain 4 — 24% of the exam, the single largest. This domain bundles five course modules: sniffing, social engineering, denial-of-service, session hijacking, and evading IDS/firewalls/honeypots. It’s where the most exam questions live, so master it first.

1.1 Sniffing & Layer-2 Attacks

captures network traffic to harvest credentials and data. It works best on the same broadcast domain, with the attacker’s NIC in . Switched networks limit passive sniffing, so attackers turn to active Layer-2 attacks: (forged ARP replies redirect LAN traffic through the attacker — an on-path attack), (overflow the switch CAM table so it fails open), DHCP starvation with a rogue DHCP server, and .

1.2 Social Engineering

attacks the human, not the machine — often the easiest way in. The headliner is (fraudulent email); variants include (voice), (SMS), spear phishing (targeted), and whaling (executives). Other techniques: pretexting, tailgating/piggybacking, impersonation, baiting, and quid pro quo. Watch for the — someone misusing already-authorized access.

Social-engineering techniques at a glance
TechniqueHow it works
PhishingFraudulent email to steal credentials or deliver malware
Vishing / SmishingThe same, by voice call / by SMS text
Spear phishing / whalingTargeted at a specific person / at executives
PretextingInventing a believable scenario to extract information
Tailgating / piggybackingFollowing an authorized person through a secure door
ImpersonationPosing as IT, a vendor, or an executive to gain trust

1.3 Denial-of-Service & Session Hijacking

A attack overwhelms a target so legitimate users can’t reach it; a does it from a of compromised hosts at once. Categories: volumetric floods (saturate bandwidth — UDP/ICMP floods), protocol attacks (exhaust state — SYN flood), and application-layer attacks (slow, low-volume HTTP requests like Slowloris). Defenses include rate limiting, SYN cookies, anycast, and traffic-scrubbing/CDN services.

takes over an authenticated session by stealing or predicting the session ID. Network-level hijacking intercepts TCP traffic (often after ARP poisoning); application-level hijacking steals a session cookie, frequently via . Defend with TLS, the HttpOnly and Secure cookie flags, unpredictable session IDs, and regenerating the ID after login.

DoS/DDoS attack categories
CategoryMechanismExample
VolumetricSaturate the target's bandwidthUDP flood, ICMP flood, amplification
ProtocolExhaust server/firewall stateSYN flood, Ping of Death
Application-layerExhaust app resources with valid-looking requestsSlowloris, HTTP flood

1.4 Evading IDS, Firewalls & Honeypots

Defenders deploy an (detects and alerts, passive), an (detects and blocks inline, active), firewalls (packet-filter, stateful, next-gen/WAF), and a (a decoy that lures attackers and records them). Attackers evade detection with packet fragmentation, payload encoding/encryption, tunneling over allowed ports, source-address spoofing, and timing/throttling to slip under thresholds. Recognizing a honeypot (unusual openness, fake data) is itself a tested skill.

Perimeter defenses and what they do
DefenseRole
IDSDetects and alerts on suspicious traffic (passive)
IPSDetects and blocks suspicious traffic inline (active)
Firewall (stateful / NGFW)Filters traffic by rules; tracks connection state; NGFW adds app awareness
WAFProtects web apps from injection, XSS, and layer-7 attacks
HoneypotA decoy system that lures and records attackers

Checkpoint · Network & Perimeter Hacking

Question 1 of 10

A penetration tester needs a packet-capture utility that can operate from a command line on a Linux host with no graphical interface to record traffic into a file for later review. Which tool is best suited to capturing packets directly from the terminal?

Module 2 · Reconnaissance Techniques

Domain 2 — 17% of the exam. The second-largest domain bundles footprinting, scanning, and enumeration — the information-gathering that precedes every attack. Better recon means a more efficient, more successful engagement.

2.1 Footprinting & Reconnaissance

builds a profile of the target. The first split to know cold is (no direct contact — , , DNS records, , , social media, job postings, archived pages) versus (direct interaction — ping sweeps, port scans, banner grabbing). Passive is stealthy; active gives more detail but can be logged.

Footprinting sources and tools
Source / toolWhat it reveals
WHOISDomain registrar, registration dates, name servers, sometimes contacts
DNS / nslookup / digRecords (A, MX, NS, TXT); a zone transfer can dump the whole zone
Google dorkingExposed files/pages via operators (site:, inurl:, intitle:, filetype:)
ShodanInternet-exposed devices, open ports, and service banners
theHarvester / MaltegoEmails, subdomains, and relationships from public sources
Social media / job postsEmployees, technologies in use, and org structure

2.2 Scanning Networks

Scanning discovers live hosts, open ports, services, and vulnerabilities. is the standard tool.

Know the scan types: a TCP connect scan completes the full three-way handshake (reliable, loud); a (-sS, half-open) is stealthier; NULL, FIN, and Xmas scans send unusual flag combinations to evade simple filters; a UDP scan (-sU) probes connectionless services. and OS fingerprinting (-O) identify what’s running.

Common Nmap scan types
ScanFlagBehavior
TCP connect-sTCompletes the full 3-way handshake — reliable but easily logged
SYN / half-open-sSSends SYN, never finishes — stealthier, the default for root
NULL / FIN / Xmas-sN / -sF / -sXUnusual flag combos to slip past simple filters
UDP-sUProbes connectionless services (DNS, SNMP, DHCP)
Version / OS detection-sV / -OIdentifies service versions and the operating system

2.3 Enumeration

actively extracts detailed information after scanning — usernames, group memberships, network shares, running services, and configuration that feed exploitation. Each protocol has its own enumeration path and default port. Classic footholds: SNMP with default community strings (“public”/“private”) and DNS zone transfers.

Enumeration by protocol and port
ProtocolPortWhat it can reveal
NetBIOS / SMB137–139, 445Shares, users, and system names on Windows networks
SNMP161Device config and inventory (default community strings leak a lot)
LDAP389Directory objects — users, groups, organizational units
SMTP25Valid email accounts via VRFY/EXPN/RCPT TO
NTP123Hosts and times that sync to a server
DNS53A zone transfer (AXFR) can dump all records for a zone

Checkpoint · Reconnaissance Techniques

Question 1 of 10

A security consultant begins a sanctioned engagement and decides to start with reconnaissance. In the recognized ethical hacking workflow, what is the primary goal of this opening reconnaissance work?

Module 3 · System Hacking & Malware

Domain 3 — 15% of the exam. This domain covers vulnerability analysis, the system-hacking workflow (gaining and keeping access), and the malware zoo. It maps directly onto the “gaining” and “maintaining access” phases.

3.1 Vulnerability Analysis

A identifies, classifies, and prioritizes weaknesses. It’s a cycle: scan, then prioritize using severity scores and identifiers, confirm findings (true vs. false positive), remediate, and rescan to validate. Assessment types include active vs. passive, external vs. internal, and authenticated (credentialed) vs. unauthenticated.[5]

3.2 System Hacking & Privilege Escalation

System hacking follows a sub-workflow: gain access → escalate privileges → execute applications → hide files → cover tracks. is central: dictionary, brute-force, hybrid, and attacks (defeated by ). Two high-yield credential attacks: (reuse a captured NTLM hash without cracking it) and (crack service-ticket hashes offline).

is vertical (to admin/root) or horizontal (to another user), via misconfigurations, unpatched flaws, SUID binaries, or DLL hijacking. Then attackers maintain access with a (user- or kernel-mode), , or backdoor, and clear logs to cover tracks. can hide data or tools inside ordinary files.

Password attacks and their defenses
AttackHow it worksPrimary defense
DictionaryTries a wordlist of likely passwordsLong passphrases; lockout
Brute forceTries every possible combinationLength + complexity; rate limiting
Rainbow tableLooks up precomputed hashesSalting every hash
Pass-the-hashReuses a captured NTLM hash to authenticateKerberos, Credential Guard, least privilege
KerberoastingCracks service-ticket (TGS) hashes offlineStrong service-account passwords; gMSA

3.3 Malware Threats

Memorize the families and how they spread: a needs a host file and user action; a self-propagates across networks; a disguises itself as legitimate software; encrypts data for extortion; runs in memory to evade disk detection; and an is a stealthy, long-term, well-resourced intruder. Analysis is static (inspect without running) or dynamic (run in a sandbox to observe behavior).

Malware families at a glance
TypeKey trait
VirusAttaches to a host file; needs user action to run
WormSelf-propagating across networks; no user action
TrojanDisguised as legitimate software; opens a hidden backdoor
RansomwareEncrypts data and demands payment for the key
Fileless malwareRuns in memory using legitimate tools to evade detection
APTStealthy, long-term, well-resourced (often nation-state)

Checkpoint · System Hacking & Malware

Question 1 of 10

A penetration tester outlines the recognized order of the system-hacking methodology to a client. Which sequence correctly lists the major goals an attacker pursues once a target system has been identified?

Module 4 · Web Application Hacking

Domain 5 — 14% of the exam. This domain covers attacking web servers, web applications, and databases via SQL injection. The is the backbone — learn the top web risks and their fixes.[4]

4.1 Hacking Web Servers

A targets the server software and its configuration rather than the application logic: unpatched servers (known CVEs), (../ to reach files outside the web root), default accounts and sample content, misconfiguration, and HTTP method abuse. The methodology is information-gathering → footprint → vulnerability scan → exploit. The leading defense is rigorous patch management and secure baselines.

4.2 Hacking Web Applications

Web-app attacks target the application’s own logic and inputs. The OWASP Top 10 frames the highest-risk classes: injection, broken access control, broken authentication, security misconfiguration, and more. Beyond and (covered below and at right), know (forcing an authenticated user’s browser to submit an unwanted request), command injection, file inclusion (LFI/RFI), and SSRF (server-side request forgery).

High-yield web-app attacks and their fix
AttackWhat it doesPrimary mitigation
SQL injectionRuns attacker SQL on the databaseParameterized queries + input validation
Cross-site scripting (XSS)Runs script in another user's browserOutput encoding + Content Security Policy
CSRFForces an authenticated request the user didn't intendAnti-CSRF tokens; SameSite cookies
Command injectionRuns OS commands through inputAvoid shell calls; validate/escape input
File inclusion (LFI/RFI)Loads local/remote files via inputWhitelist paths; disable remote includes
SSRFMakes the server request attacker-chosen URLsValidate/allow-list outbound URLs

4.3 SQL Injection

inserts malicious SQL into input so the database runs unintended commands — reading, altering, or deleting data, or bypassing login. The classic example: entering ' OR '1'='1 makes a WHERE clause always true.

Types include in-band (union/error-based), blind (boolean or time-based, inferring results bit by bit), and out-of-band. The definitive fix is the (prepared statement) plus strict input validation and least-privilege database accounts.[4]

Checkpoint · Web Application Hacking

Question 1 of 10

A web application passes user-supplied input directly into a backend database query without sanitization, allowing an attacker to alter the structure of the query by submitting characters like a single quote. Which web application attack does this describe?

Module 5 · Information Security & Ethical Hacking Overview

Domain 1 — 6% of the exam. This is the conceptual foundation: the goals of security, the five phases, hacker classes, attack frameworks, types of penetration test, and the laws and standards that make hacking ethical. Smaller in weight, but it sets the vocabulary for everything else.

5.1 Core Concepts & the CIA Triad

Security aims at the : Confidentiality (only authorized access), Integrity (data is unaltered), and Availability (accessible when needed) — plus authenticity and non-repudiation. Get the core vocabulary straight: a is a weakness, a could exploit it, an is the tool, and is likelihood × impact. layers controls so one failure isn’t a breach.

5.2 The Five Phases & Hacker Classes

The (reconnaissance → scanning → gaining access → maintaining access → clearing tracks) are the methodology behind every technique on the exam (see the diagram above). Know the / / classes — the only thing that separates a CEH from a criminal is authorization and scope.

5.3 Methodologies, Scope & Law

Two frameworks recur: the (Lockheed Martin’s 7-stage intrusion model) and (a catalog of real adversary tactics and techniques).[3] Engagements are typed by knowledge given to the tester — (none), (partial), (full). Every engagement needs written authorization and . Finally, know the laws and standards: PCI-DSS, HIPAA, GDPR, SOX, and ISO/IEC 27001.

Checkpoint · Information Security & Ethical Hacking Overview

Question 1 of 10

A security analyst lists the standard ethical hacking phases in order. After scanning, which phase comes next in the five-phase methodology?

Module 6 · Mobile, IoT & OT Hacking

Domain 7 — 10% of the exam. This domain combines mobile platform hacking with the fast-growing IoT and OT (operational technology) attack surface.

6.1 Hacking Mobile Platforms

Mobile risks follow the OWASP Mobile Top 10: insecure data storage, weak server-side controls, and insecure communication. Attack vectors include (removing OS protections), repackaged/trojanized apps, malicious profiles, and overlay attacks that imitate a legitimate login screen. Organizations defend with and clear BYOD/COPE/CYOD policies that can block rooted devices.

6.2 IoT & OT Hacking

IoT devices ship with weak defaults, rarely get patched, and run for years — the OWASP IoT Top 10 leads with weak passwords, insecure network services, and missing update mechanisms.[7] systems run physical processes and prioritize availability and safety, so the CIA triad effectively flips to A-I-C — you often can’t take them offline to patch. The fix is network segmentation, strong defaults, and compensating controls.

IoT/OT — why they're hard to secure
ChallengeDetail
Weak defaultsDefault/hard-coded credentials rarely changed
Infrequent patchingLong lifecycles; many devices can't be updated easily
Availability-firstOT/ICS prioritize uptime and safety over confidentiality (AIC)
Broad protocolsZigbee, BLE, and proprietary RF expand the attack surface

Checkpoint · Mobile, IoT & OT Hacking

Question 1 of 10

A penetration tester is profiling the entry points an attacker could use to compromise a smartphone. Which of the following is the broadest and most commonly exploited mobile attack surface that lets a malicious app reach the user without the device being physically handled?

Module 7 · Wireless Network Hacking

Domain 6 — 5% of the exam. Wireless hacking centers on the evolution of Wi-Fi encryption and the attacks that target each generation.

7.1 Wireless Encryption (WEP/WPA/WPA2/WPA3)

uses RC4 with a short, reused IV and is completely broken — recoverable in minutes. uses AES-CCMP and a , but a captured handshake can be brute-forced offline against a weak passphrase. adds SAE (Dragonfly), which resists offline cracking even of weak passwords.

Wi-Fi security standards
StandardCipherStatus
WEPRC4 (weak, reused IV)Broken — never use
WPATKIPDeprecated
WPA2AES-CCMPCommon; weak PSKs are crackable offline
WPA3AES + SAE (Dragonfly)Current; resists offline cracking

7.2 Wireless Attacks & Tools

Key attacks: capturing the and cracking the PSK offline (Aircrack-ng), the / rogue AP (a fake AP that mimics a real SSID to harvest credentials), and deauthentication/disassociation attacks that knock clients off so they reconnect (often to the evil twin). Bluetooth attacks — bluejacking, bluesnarfing, bluebugging — round out the short-range threats.

Checkpoint · Wireless Network Hacking

Question 1 of 10

A tester reviewing why WEP allows attackers to forge and modify encrypted frames without knowing the key learns that WEP protects frame integrity with a linear CRC-32 checksum called the Integrity Check Value. Why does this design choice let an attacker tamper with WEP frames undetected?

Module 8 · Cloud Computing

Domain 8 — 5% of the exam. Cloud security on CEH centers on the shared responsibility model and the new attack surface of containers and serverless — areas CEH v13 expanded.

8.1 Cloud Models & Shared Responsibility

Know the service models — , PaaS, and — and the : the provider secures the infrastructure (“security of the cloud”); the customer secures data, identities, and configuration (“security in the cloud”). The customer manages the most in IaaS and the least in SaaS. Misconfiguration — a public storage bucket, an over-permissioned IAM role — is the customer’s job and a leading breach cause.

Cloud shared responsibility by service model
ModelProvider securesCustomer secures
IaaSPhysical, network, hypervisorOS, apps, data, access (the most)
PaaSUp through the runtime/platformApps, data, and access
SaaSAlmost everythingData and access (the least)

8.2 Cloud, Container & Serverless Attacks

CEH-relevant cloud attacks: exposed/public storage buckets, stolen long-lived API keys (then resource abuse such as cryptojacking), from a compromised pod to the host, exposed Kubernetes secrets, and over-permissioned serverless function roles that let an event-injection attack pivot. The fixes are least privilege on IAM, secrets management, blocking public access by default, and image/dependency scanning.

Checkpoint · Cloud Computing

Question 1 of 10

A startup subscribes to a fully managed email and document suite where the provider operates the entire stack and the customer only configures user accounts and sharing settings. Which cloud service model does this describe?

Module 9 · Cryptography

Domain 9 — 5% of the exam. Cryptography questions test the three families, which key does what, PKI, and the common cryptographic attacks.

9.1 Encryption, Hashing & Signatures

There are three families: (one shared key, fast — AES, DES/3DES), (a public/private pair — RSA, ECC), and (a one-way digest — SHA-256; MD5 and SHA-1 are broken). Know which key does what: encrypt FOR someone with their public key; create a by signing with YOUR private key. exchanges a shared secret over an insecure channel; TLS is hybrid.

Cryptography quick reference
GoalUse…Example
Encrypt bulk data fastSymmetric encryptionAES-256
Exchange a key / signAsymmetric encryptionRSA, ECC, Diffie-Hellman
Verify integrityHashingSHA-256, SHA-3
Store passwords safelySalted KDFbcrypt, Argon2, PBKDF2
Prove identity to a websiteDigital certificate (PKI)X.509 over TLS

9.2 PKI & Cryptographic Attacks

is the system of Certificate Authorities, policies, and keys that issues X.509 certificates binding a public key to a verified identity; revocation is checked via CRL or OCSP. Common cryptographic attacks: brute-force/known-plaintext, the (collisions), man-in-the-middle/downgrade attacks (POODLE), and side-channel attacks. Weak choices to flag: ECB mode (leaks patterns), MD5/SHA-1 (collisions), and short keys.

Checkpoint · Cryptography

Question 1 of 10

A security engineer needs an encryption scheme in which the exact same secret key is used both to encrypt a file and to later decrypt it, and the key must be shared with anyone who needs access. Which category of cryptography does this describe?

How to Use This CEH Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Network & Perimeter (24%), Reconnaissance (17%), System Hacking (15%), and Web App (14%) are 70% of the exam — start there.
  • Anchor everything to the five phases. Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks gives every tool and attack a place in the workflow.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill tools and ports. CEH rewards recall of tools (Nmap, Aircrack-ng, Metasploit), default ports, and attack-to-countermeasure pairs — perfect for the flashcards and a practice test.

CEH Concept Questions

Core CEH concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

CEH Glossary

The high-yield CEH terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

Active reconnaissance
Interacting with the target directly — ping sweeps, port scans, banner grabbing, enumeration.
APT
Advanced Persistent Threat — a skilled, well-resourced (often nation-state) adversary maintaining long-term stealthy access.
ARP poisoning
Sending forged ARP replies to redirect LAN traffic through the attacker (an on-path attack).
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA, ECC); data encrypted with one key is decrypted only with the other.
Banner grabbing
Reading a service's response to identify its software and version.
Birthday attack
A cryptographic attack that exploits the math of collisions to find two inputs with the same hash faster than brute force.
Black hat
A malicious attacker who breaks into systems without authorization for harm or gain.
Black-box testing
A penetration test where the tester has no prior knowledge of the target — simulating an external attacker.
Botnet
A network of malware-infected 'zombie' hosts remotely controlled by an attacker.
CIA triad
The three core goals of information security — Confidentiality (only authorized access), Integrity (data is unaltered), and Availability (accessible when needed).
Container escape
Breaking out of a container's isolation to access the host or other containers.
Cross-site scripting
Injecting malicious script into a trusted site that runs in another user's browser (stored, reflected, or DOM-based).
CSRF
Cross-Site Request Forgery — tricking an authenticated user's browser into sending an unwanted request to a site they trust.
CVE
Common Vulnerabilities and Exposures — a public catalog of unique IDs for known vulnerabilities.
CVSS
Common Vulnerability Scoring System — a 0–10 score rating the severity of a vulnerability.
Cyber Kill Chain
Lockheed Martin's 7-stage model of an intrusion: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives.
DDoS
A distributed denial-of-service attack launched from many compromised machines (a botnet) at once.
Defense in depth
Layering multiple independent security controls so that the failure of one does not expose the asset.
Denial-of-service
An attack that overwhelms a system or network so legitimate users cannot access it.
Diffie-Hellman
A key-exchange algorithm that lets two parties derive a shared secret over an insecure channel without sending it.
Digital signature
A hash of a message encrypted with the signer's private key; proves integrity and authenticity (non-repudiation).
Directory traversal
Manipulating file paths (../) to access files outside the intended web directory.
DNS poisoning
Injecting false DNS records so victims resolve a name to an attacker-controlled address.
Enumeration
Actively extracting detailed information — usernames, shares, services, configuration — from a target after scanning.
Ethical hacking
Authorized testing of systems using the same tools and techniques as a malicious attacker, with written permission and a defined scope, to find and fix weaknesses first.
Evil twin
A rogue access point that impersonates a legitimate Wi-Fi network to capture traffic or credentials.
Exploit
The code or technique that actively takes advantage of a vulnerability.
Fileless malware
Malware that runs in memory using legitimate tools, leaving little on disk to evade detection.
Five phases of hacking
Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks — the standard methodology an ethical hacker follows.
Footprinting
The systematic process of gathering information to build a profile of a target's network, domains, people, and technology.
Four-way handshake
The WPA2 key-exchange; capturing it lets an attacker brute-force the passphrase offline.
Google dorking
Using advanced search operators (site:, inurl:, intitle:, filetype:) to find exposed or sensitive information indexed by search engines.
Gray hat
A hacker who operates between ethical and malicious — often probing without permission but without clear malicious intent.
Gray-box testing
A penetration test with partial knowledge, such as a standard user account.
Hashing
A one-way function producing a fixed-length digest (e.g., SHA-256); used for integrity and password storage, not reversible.
Honeypot
A decoy system that lures attackers away from real assets and records their behavior.
IaaS
Infrastructure as a Service — the provider supplies compute/storage/network; the customer manages OS, apps, and data.
IDS
Intrusion Detection System — monitors and alerts on suspicious traffic (passive).
Insider threat
A current or former employee, contractor, or partner who misuses authorized access to harm the organization.
IPS
Intrusion Prevention System — detects and blocks suspicious traffic inline (active).
Jailbreaking / rooting
Removing a mobile OS's built-in restrictions, which also removes security protections.
Kerberoasting
Requesting service tickets and cracking them offline to recover service-account passwords in Active Directory.
Keylogger
Software or hardware that records keystrokes to capture passwords and other input.
MAC flooding
Overflowing a switch's CAM table so it fails open and broadcasts frames like a hub.
Malware
Malicious software — including viruses, worms, trojans, ransomware, spyware, rootkits, and fileless malware.
MDM
Mobile Device Management — software to enforce policy, encryption, and remote wipe on mobile devices.
MITRE ATT&CK
A knowledge base that catalogs real-world adversary tactics and techniques across the attack lifecycle.
Nmap
The de facto network scanner used for host discovery, port scanning, service/version detection, and OS fingerprinting.
OSINT
Open-Source Intelligence — information gathered from publicly available sources.
OT / ICS / SCADA
Operational Technology and the industrial control systems that run physical processes; they prioritize availability and safety.
OWASP Top 10
The OWASP Foundation's regularly updated list of the most critical web application security risks.
Parameterized query
A prepared statement that separates SQL code from user input so the input is always treated as data.
Pass-the-hash
Authenticating with a captured NTLM password hash without ever cracking the plaintext password.
Passive reconnaissance
Gathering information without directly contacting the target (OSINT, WHOIS, DNS, Shodan, social media).
Password cracking
Recovering passwords from stored hashes via dictionary, brute-force, hybrid, or rainbow-table attacks.
Phishing
A fraudulent message (usually email) that tricks the victim into revealing credentials or running malware.
PKI
Public Key Infrastructure — the CAs, policies, and keys that issue and manage digital certificates.
Privilege escalation
Gaining higher access rights than granted — vertical (to admin/root) or horizontal (to another user).
Promiscuous mode
A network-card mode that captures all traffic on a segment, not just frames addressed to that host.
Rainbow table
A precomputed lookup of hashes used to reverse unsalted password hashes quickly.
Ransomware
Malware that encrypts a victim's data and demands payment for the decryption key.
Risk
The combination of the likelihood a threat exploits a vulnerability and the impact if it does.
Rootkit
Malware that hides deep in the system (often the kernel) to maintain stealthy, privileged access.
Rules of engagement
The agreed scope, methods, timing, and limits of an authorized engagement, set before any testing.
SaaS
Software as a Service — the provider manages almost everything; the customer manages mainly data and access.
Salting
Adding unique random data to a password before hashing so identical passwords produce different hashes and rainbow tables fail.
Session hijacking
Taking over a user's authenticated session by stealing or predicting the session identifier.
Shared responsibility model
Cloud division of duties: the provider secures the infrastructure; the customer secures data, identities, and configuration.
Shodan
A search engine that indexes Internet-connected devices and their open services and banners.
Smishing
SMS phishing — a social-engineering attack delivered by text message.
Sniffing
Capturing and inspecting network traffic, often to harvest credentials or sensitive data.
Social engineering
Manipulating people into divulging information or performing actions that compromise security.
SQL injection
A web attack inserting malicious SQL into input so the database runs unintended commands; fixed with parameterized queries.
Steganography
Hiding data inside other data (for example, within an image) so its very existence is concealed.
Symmetric encryption
Encryption using one shared secret key to both encrypt and decrypt (e.g., AES) — fast, but the key must be shared securely.
SYN scan
A stealthy 'half-open' port scan (-sS) that sends SYN and never completes the handshake.
Threat
A potential danger — such as an attacker or malware — that could exploit a vulnerability.
Trojan
Malware disguised as legitimate software that performs a hidden malicious action when run.
Virus
Malware that attaches to a host file and requires user action to execute and spread.
Vishing
Voice phishing — a social-engineering attack carried out over a phone call.
Vulnerability
A weakness or flaw in a system, process, or control that could be exploited by a threat.
Vulnerability assessment
A systematic review that identifies, classifies, and prioritizes vulnerabilities in a system.
Web server attack
Exploiting a web server's flaws or misconfiguration — directory traversal, default content, or unpatched software.
WEP
Wired Equivalent Privacy — an obsolete, broken Wi-Fi encryption using RC4 with a weak, reused IV.
White hat
An authorized, ethical hacker who tests systems with permission to improve security.
White-box testing
A penetration test where the tester has full knowledge of the target (architecture, source, credentials) — the most thorough.
WHOIS
A query that returns registration details for a domain or IP address (registrar, contacts, name servers).
Worm
Self-propagating malware that spreads across networks with no user interaction.
WPA2
Wi-Fi Protected Access 2 — uses AES-CCMP; vulnerable to offline dictionary attacks on weak pre-shared keys.
WPA3
The current Wi-Fi security standard; SAE (Dragonfly) resists offline password cracking.

CEH Study Guide FAQ

The CEH (312-50) knowledge exam has 125 multiple-choice questions and a 4-hour (240-minute) time limit — about 1.9 minutes per question. The CEH v13 also offers an optional 6-hour, 20-challenge practical exam to earn the CEH (Master) credential.

References

  1. 1.EC-Council. “Certified Ethical Hacker (CEH) — Program Overview.” eccouncil.org.
  2. 2.EC-Council. “CEH Exam Blueprint v5.0.” cert.eccouncil.org.
  3. 3.The MITRE Corporation. “MITRE ATT&CK — Enterprise Matrix.” attack.mitre.org.
  4. 4.OWASP Foundation. “OWASP Top 10 Web Application Security Risks.” owasp.org.
  5. 5.National Institute of Standards and Technology. “SP 800-115, Technical Guide to Information Security Testing and Assessment.” csrc.nist.gov.
  6. 6.National Institute of Standards and Technology. “Glossary (Computer Security Resource Center).” csrc.nist.gov.
  7. 7.OWASP Foundation. “OWASP Internet of Things Project.” owasp.org.
  8. 101.National Institute of Standards and Technology (NIST). “Vulnerability (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  9. 102.National Institute of Standards and Technology (NIST). “Penetration Testing (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  10. 103.The MITRE Corporation. “Reconnaissance, Tactic TA0043 (ATT&CK).” attack.mitre.org, accessed 19 June 2026.
  11. 104.National Institute of Standards and Technology (NIST). “Port Scanning (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  12. 105.The MITRE Corporation. “Use Alternate Authentication Material: Pass the Hash, T1550.002 (ATT&CK).” attack.mitre.org, accessed 19 June 2026.
  13. 106.The MITRE Corporation. “Privilege Escalation, Tactic TA0004 (ATT&CK).” attack.mitre.org, accessed 19 June 2026.
  14. 107.National Institute of Standards and Technology (NIST). “Rootkit (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  15. 108.National Institute of Standards and Technology (NIST). “Malware (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  16. 109.National Institute of Standards and Technology (NIST). “ARP Spoofing (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  17. 110.National Institute of Standards and Technology (NIST). “Social Engineering (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  18. 111.National Institute of Standards and Technology (NIST). “Denial of Service (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  19. 112.OWASP Foundation. “Session Hijacking Attack.” owasp.org, accessed 19 June 2026.
  20. 113.OWASP Foundation. “SQL Injection.” owasp.org, accessed 19 June 2026.
  21. 114.OWASP Foundation. “Cross Site Scripting (XSS).” owasp.org, accessed 19 June 2026.
  22. 115.National Institute of Standards and Technology (NIST). “WPA2 (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  23. 116.National Institute of Standards and Technology (NIST). “Public Key Infrastructure (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  24. 117.National Institute of Standards and Technology (NIST). “Hash Function (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
Career Employer

Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.

Follow Us:

All Posts

Career Employer’s Editorial Process

Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.