Reinforce CEH concepts with active-recall study cards covering all 13 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For CEH preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the CEH question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your CEH flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real CEH exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass CEH.
Sample cards from the CEH flashcard bank. Read the question, think of the answer, then read the explanation below.
A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?
Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
Option B is correct because the `-sS` flag initiates a TCP SYN stealth scan, `-sV` enables service version detection, and `-O` attempts OS fingerprinting. The `-p 22,80,443,3389` limits the scan to those four ports, and the target `192.168.1.0/24` scans the entire Class C subnet. This combination performs a half-open scan on the specified ports, probes for application versions, and tries to identify the operating system of each live host.
A security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?
nbtstat
The nbtstat command is the correct built-in Windows tool for enumerating NetBIOS names because it directly queries and displays NetBIOS over TCP/IP (NetBT) statistics, name tables, and caches. NetBIOS name enumeration relies on the NBT protocol (RFC 1001/1002), and nbtstat -a or -A retrieves the remote machine's NetBIOS name table, which includes service types like file sharing, messaging, and workstation services.
A security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?
Smurf attack
The Smurf attack is a distributed denial-of-service (DDoS) attack that exploits ICMP by sending a large number of ICMP Echo Request packets with a spoofed source IP (the victim's IP) to a network's broadcast address. All devices on that network then respond with ICMP Echo Reply packets to the victim, overwhelming it. The scenario describes varied source IPs (the responding devices) and a single destination IP (the victim), which is the hallmark of a Smurf attack.
A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?
Time-based SQL injection
Time-based SQL injection involves injecting SQL code that causes the database to pause if a condition is true, allowing an attacker to infer information based on response times. The observed difference in response times for valid vs. invalid usernames is characteristic of this technique.
A security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?
SYN scan
C is correct because a SYN scan (also known as a half-open scan) sends TCP SYN packets to target ports and does not complete the three-way handshake. If no SYN-ACK is returned, it indicates the port is filtered or the host is not responding, which matches the scenario where the attacker receives no SYN-ACK responses. This scan is stealthier than a full TCP connect scan because it never establishes a full connection.
During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?
A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.
A stateful firewall tracks the state of network connections. When you browse to the server, your browser initiates an outbound TCP connection, and the firewall allows the return SYN-ACK packets as part of the established session. However, a standalone TCP SYN scan sends unsolicited SYN packets to port 80, which the firewall sees as a new inbound connection attempt and blocks, preventing the server from responding. The server's ICMP echo reply is allowed because ICMP is stateless and not typically filtered by the same rules.
A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?
enum4linux
enum4linux is a tool specifically designed to enumerate information from Windows and Samba systems via SMB. It leverages the SMB protocol to extract users, shares, OS details, and other system information from a target with port 445 open, making it the correct choice for this scenario.
A security analyst captures a large number of unique initialization vectors (IVs) from a wireless network using airodump-ng. Which attack are they MOST likely preparing to execute?
WEP key recovery using aircrack-ng
WEP encryption is vulnerable to statistical attacks that require capturing many unique IVs to recover the WEP key. The large number of unique IVs indicates preparation for a WEP cracking attack using a tool like aircrack-ng.
A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?
Perform a WHOIS lookup against the domain
A WHOIS lookup against the target domain returns registration details that include the organization's network range (via the 'NetRange' or 'CIDR' fields) and the ISP (via the 'OrgName' or 'descr' fields). This directly maps to the footprinting goal of identifying the target's IP address block and upstream provider, as defined in RFC 3912 and common WHOIS database schemas.
During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?
Cross-Site Scripting (XSS)
Option C is correct because the scenario describes a classic reflected Cross-Site Scripting (XSS) vulnerability. The application accepts user input and displays it directly in the browser without sanitization, allowing an attacker to inject malicious JavaScript that executes in the victim's browser. This is the defining characteristic of XSS, not SQL injection or command injection, which target server-side interpreters.
A security analyst discovers that an IoT device in a smart building is periodically sending small DNS queries to an external domain known for command-and-control activity. Which security control should be implemented to detect and block such traffic without disrupting legitimate operations?
Configure egress filtering on the firewall to block outbound connections to known malicious domains.
Option C is correct because egress filtering on the firewall can block outbound DNS queries to known malicious domains by using a blocklist or threat intelligence feed, preventing command-and-control (C2) communication without affecting legitimate traffic to other domains. This control operates at the network perimeter, inspecting DNS requests against a reputation database and dropping matches, which is the most effective way to stop C2 traffic while allowing normal operations.
A security analyst receives an alert about a suspicious file hash. The analyst wants to check if the file is known malware by querying an online database of malware signatures. Which tool should the analyst use?
VirusTotal
VirusTotal is a free online service that aggregates multiple antivirus engines and malware detection tools, allowing users to upload files or query file hashes against a vast database of known malware signatures. This directly matches the requirement to check if a file is known malware by querying an online database.
A penetration tester is assessing an organization's physical security. The tester wants to gain unauthorized access to a secured server room that uses a biometric fingerprint scanner. Which of the following techniques would be MOST effective for bypassing the biometric scanner?
Using a gelatin mold of an authorized user's fingerprint
Option C is correct because gelatin molds can replicate the exact ridge and valley patterns of a fingerprint, which many capacitive and optical fingerprint scanners read. This bypasses the biometric authentication without requiring the user's cooperation, making it the most direct method to defeat the scanner itself.
The CEH flashcard bank covers all 13 official blueprint domains published by EC-Council. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Footprinting, Reconnaissance and Scanning
Enumeration and System Hacking
Malware, Social Engineering and Network Attacks
Web Application and Injection Attacks
Introduction to Ethical Hacking
Scanning Networks and Enumeration
Vulnerability Analysis and System Hacking
Advanced Topics: Wireless, Cloud, IoT, Cryptography
Footprinting and Reconnaissance
Network and Web Application Attacks
Wireless, IoT and Cloud Security
Cryptography and Malware Analysis
Social Engineering and Physical Security
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that CEH questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.CEH questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective CEH study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free CEH flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1020+ original CEH flashcards across all 13 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official EC-Council exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official CEH exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included