Certified Ethical Hacker (CEH v13) — Exam Survival Guide

Window: Early-mid security practitioners | Format: 4-hour, 125-question MCQ (312-50), plus optional Practical exam later

Must-do topics

CEH = “do you understand the attacker mindset and workflow enough to replicate it ethically?”

Ethical hacking process

Recon → Scanning → Gaining access → Maintaining access → Covering tracks.

Recon & footprinting

Search engines, WHOIS, DNS, OSINT, social media, email and network footprinting; countermeasures.

Scanning & enumeration

Port scanning, service detection, banner grabbing, SNMP, NetBIOS, directory enumeration, vuln scanning basics.

System & network hacking

Windows/Linux basics, password attacks, privilege escalation, malware basics, sniffing, ARP poisoning, MITM, DoS/DDoS concepts.

Web, wireless, and app attacks

SQL injection, XSS, CSRF, auth/session attacks, OWASP-style logic.

Wi-Fi attacks (WEP/WPA/WPA2, evil twin, WPS abuse), mobile/app vectors.

Cloud, IoT, and emerging areas (v13 curric)

Cloud attack surfaces, misconfig risks, basic container/cloud security ideas.

Security controls & countermeasures

Hardening, patching, network segmentation, logging, IDS/IPS, WAF, EDR.

Top traps (avoid)

Treating CEH like a “tool names” exam instead of methods + countermeasures.

Memorising a hundred switches for one tool and then getting confused when the exam uses generic wording.

Ignoring legal/ethical boundaries and getting tripped up on what is actually allowed in a test.

Leaving web and wireless weak — these keep showing up.

Time split

125 Q, 4 hours. ~1.8 minutes per question, but most will be faster.

Last-48h checklist

Two 60-question mixed blocks per day; review explanations properly.

Re-read:

OSI vs TCP/IP stack in practical “traffic” terms.

Attack → detectable sign → mitigation maps for common attacks (MITM, ARP poisoning, SQLi, XSS, password spraying, phishing).

Make a “methods, not tools” sheet:

For each phase, list 2–3 methods and what they achieve (e.g., DNS zone transfers, directory brute-forcing, parameter tampering).

Quick frames

For every question:

Which phase of the hacking lifecycle is this?

What is the attacker’s goal? (recon, exploit, escalate, pivot, persist, erase)

What is the cleanest technique to get there?

Speed tactics

When tool names are mentioned, ask “what class of tool is this?” (scanner, sniffer, exploit framework, password cracker); option that fits the class wins.

If asked for countermeasures, favour defence-in-depth answers (segmentation + monitoring + least privilege) rather than a single gadget.

Day-of mini-plan

Warm-up: 10–15 Q across recon, web, and wireless.

Mid-exam:

If you get a block of tools/questions that feel off, stay calm — CEH mixes some awkward wording. Focus on intent.

Think like: “I’m a defender who knows how attackers think, not a script kiddie flexing.”