# How to Pass EC-Council CEH (Certified Ethical Hacker) in 2026: Study Guide
The EC-Council Certified Ethical Hacker (CEH) is one of the most recognized cybersecurity credentials in the industry. It sits at a unique intersection: rigorous enough to demonstrate real technical knowledge, structured enough to be accessible to security professionals who are not yet full-time penetration testers. If you are preparing for the CEH in 2026, this guide covers everything from exam logistics to all 20 modules, study resources, and a focused 8-week plan.
---
## What Makes CEH Different from OSCP and PenTest+
Before investing time and money, it helps to understand where CEH fits among competing credentials.
**OSCP (Offensive Security Certified Professional)** is a hands-on, lab-based exam where candidates must compromise real machines within a 24-hour window. There is no multiple-choice component. OSCP demands genuine offensive skill and is often the preferred credential for penetration testing roles at security firms and red teams. It is harder, more expensive, and more respected in offensive circles.
**CompTIA PenTest+** targets a similar audience as CEH but tends to be more conceptual and less tool-specific. It covers planning, scoping, and reporting alongside technical techniques. PenTest+ is vendor-neutral and appears more frequently in U.S. government and compliance contexts.
**CEH** occupies the middle ground. It is more technical than PenTest+ — you are expected to know specific tools, specific flags, and specific attack workflows. However, it tests this knowledge through scenario-based multiple-choice questions rather than live exploitation. CEH is widely accepted by enterprise security teams and appears frequently in job postings that require a structured methodology background rather than pure red-team capability.
The bottom line: if you want to learn the vocabulary, frameworks, and tool landscape of ethical hacking in a structured way, CEH is an excellent starting point. If you eventually want to do hands-on offensive work, OSCP should follow.
---
## CEH Exam Facts (2026)
| Detail | Value |
|---|---|
| Exam code | CEH v13 |
| Number of questions | 125 |
| Duration | 4 hours |
| Passing score | 70% (approximately 87 correct) |
| Question format | Multiple choice |
| Delivery | Pearson VUE (proctored) |
| Voucher cost | ~$950 USD |
| Retake policy | Paid retake required |
| Prerequisites | 2 years of IT security experience OR official EC-Council training |
EC-Council also offers a practical component called CEH Practical — a 6-hour lab exam on iLabs. The multiple-choice test is what most people refer to as "the CEH," and it is what this guide focuses on.
---
## The 5 Phases of Ethical Hacking
CEH is built around a structured attack methodology. Every topic in the exam maps back to these five phases, and exam questions frequently ask you to identify which phase a given activity belongs to.
**Phase 1: Reconnaissance**
This is passive and active information gathering before any attack begins. The goal is to learn as much as possible about the target — IP ranges, DNS records, employee names, technology stack — without triggering alerts. Passive reconnaissance uses publicly available sources (WHOIS, Shodan, Google dorking). Active reconnaissance involves direct interaction with target systems (Nmap scans, banner grabbing).
**Phase 2: Scanning and Enumeration**
Once basic information is collected, the attacker scans for open ports, live hosts, running services, and operating system versions. Enumeration goes deeper — extracting usernames, shares, and service banners from systems that respond. This is where tools like Nmap, Nessus, and Netcat are used extensively.
**Phase 3: Gaining Access**
Using information gathered in the previous phases, the attacker exploits a vulnerability to access the system. This may involve password attacks, buffer overflows, web application exploits, social engineering, or session hijacking. Metasploit is the primary framework tested in this phase.
**Phase 4: Maintaining Access**
After initial compromise, the attacker installs backdoors, rootkits, or Trojans to ensure persistent access even if the original vulnerability is patched. This phase also covers privilege escalation — moving from a low-privilege shell to root or SYSTEM.
**Phase 5: Covering Tracks**
The attacker erases evidence of the intrusion: clearing log files, disabling auditing, altering timestamps, and removing installed tools. CEH tests your understanding of what logs exist and how attackers modify them.
---
## All 20 CEH Modules
CEH v13 covers 20 modules. Understanding the purpose of each module — even at a high level — is essential for navigating scenario questions that span multiple technical areas.
**Module 1: Introduction to Ethical Hacking** — Types of hackers (white/gray/black hat), hacking phases, attack classifications, information security laws, and the concept of scope and authorization.
**Module 2: Footprinting and Reconnaissance** — OSINT tools (Maltego, theHarvester, Shodan), DNS reconnaissance (nslookup, dig), WHOIS lookups, Google dorking syntax, social engineering for information gathering.
**Module 3: Scanning Networks** — Nmap scan types, ping sweeps, OS fingerprinting, banner grabbing, Netcat usage, Hping3 for custom packet crafting.
**Module 4: Enumeration** — SMB enumeration (enum4linux), SNMP enumeration (snmpwalk), LDAP enumeration, NFS shares, NetBIOS, and banner grabbing from application services.
**Module 5: Vulnerability Analysis** — Vulnerability scanning with Nessus and OpenVAS, CVE/CVSS scoring, zero-day vs known vulnerabilities, patch management concepts.
**Module 6: System Hacking** — Password cracking (dictionary, brute-force, rainbow tables), privilege escalation, executing applications, keyloggers, spyware, and covering tracks.
**Module 7: Malware Threats** — Virus types, worm propagation, Trojan classification (RAT, backdoor, rootkit), APT characteristics, malware analysis techniques.
**Module 8: Sniffing** — Passive vs active sniffing, ARP poisoning/spoofing, MAC flooding, DNS poisoning, tools (Wireshark, Ettercap), SPAN ports.
**Module 9: Social Engineering** — Phishing, spear phishing, vishing, impersonation, pretexting, insider threats, and countermeasures.
**Module 10: Denial-of-Service** — DoS vs DDoS, volumetric/protocol/application-layer attacks, SYN flood, Smurf attack, botnet structure, amplification attacks, mitigations.
**Module 11: Session Hijacking** — TCP session hijacking, cookie theft, MITM positioning, sequence number prediction, SSL stripping.
**Module 12: Evading IDS, Firewalls, and Honeypots** — Packet fragmentation, protocol manipulation, TTL manipulation, firewall rule evasion, honeypot detection indicators.
**Module 13: Hacking Web Servers** — Web server architecture vulnerabilities, HTTP response splitting, directory traversal, tools (Nikto, Metasploit web modules).
**Module 14: Hacking Web Applications** — OWASP Top 10, SQL injection types, XSS categories, CSRF, SSRF, XXE, IDOR, insecure deserialization, web application proxies (Burp Suite).
**Module 15: SQL Injection** — Union-based, blind, time-based blind, error-based injection, sqlmap tool usage, bypassing input validation.
**Module 16: Hacking Wireless Networks** — WEP/WPA/WPA2/WPA3 protocols, 4-way handshake capture, dictionary attacks, evil twin AP, rogue access points, deauthentication attacks.
**Module 17: Hacking Mobile Platforms** — Android rooting vs iOS jailbreaking, mobile malware, OWASP Mobile Top 10, MDM solutions, Bluetooth attacks (Bluejacking, Bluesnarfing).
**Module 18: IoT and OT Hacking** — IoT attack surface, SCADA/ICS vulnerabilities, Modbus/DNP3 protocols, Shodan for IoT discovery, firmware analysis basics.
**Module 19: Cloud Computing** — Cloud service models (IaaS/PaaS/SaaS), shared responsibility model, container security, serverless attack surface, cloud enumeration tools.
**Module 20: Cryptography** — Symmetric (AES, 3DES, Blowfish) vs asymmetric (RSA, ECC, ElGamal), hashing algorithms (MD5, SHA-1, SHA-256), PKI and certificate chains, steganography, digital signatures.
---
## CEH vs CPENT vs OSCP: Comparison Table
| Credential | Format | Difficulty | Hands-On | Ideal For |
|---|---|---|---|---|
| CEH | 125 MCQ, 4 hours | Medium | Optional (Practical add-on) | Security analysts, SOC staff moving into offensive work |
| CPENT | Lab-based, 24 hours | Hard | Yes (required) | Experienced pentesters seeking EC-Council advanced credential |
| OSCP | Lab + exam, 24 hours | Very Hard | Yes (required) | Aspiring professional penetration testers |
CEH is the right first step. CPENT and OSCP are the natural progression once you want to prove live exploitation skills.
---
## Study Resources
**Official EC-Council Resources**
- EC-Council iClass platform: official courseware, labs, and practice exams. Bundled with training purchases.
- EC-Council Courseware (v13): the 20-module study guide. Dense but authoritative — every exam objective is covered.
**Third-Party Books**
- Matt Walker, *CEH Certified Ethical Hacker All-in-One Exam Guide* (McGraw-Hill): the most recommended third-party book. Covers all modules with clear explanations and practice questions at the end of each chapter.
- Kimberly Graves, *CEH: Certified Ethical Hacker Study Guide*: solid alternative with good coverage of tools and methodologies.
**Practice Exams**
- EC-Council official practice tests (available through iClass)
- Boson CEH Practice Exams: widely respected for question quality
- CertLand CEH Practice Exam: 340 scenario-based questions aligned to all 20 modules
**Lab Practice**
- TryHackMe: structured learning paths for ethical hacking fundamentals
- Hack The Box (Starting Point): hands-on machines for tool practice
- EC-Council iLabs: if you purchased official courseware, use the labs for Nmap and Metasploit walkthroughs
---
## 8-Week Study Plan
This plan assumes roughly 10-12 hours per week. Adjust based on your existing background.
**Week 1: Foundations and Reconnaissance (Modules 1-3)**
Focus on hacking phases, legal concepts, and the distinction between passive and active reconnaissance. Practice Nmap scan types until you can describe what each flag does without looking it up. Read Matt Walker chapters 1-3.
**Week 2: Enumeration, Vulnerability Analysis, System Hacking (Modules 4-6)**
Understand the tools used at each step: enum4linux for SMB, snmpwalk for SNMP, Nessus for vulnerability scanning. Learn password attack types (dictionary vs brute-force vs rainbow tables). Do at least one Nessus or OpenVAS lab.
**Week 3: Malware, Sniffing, Social Engineering (Modules 7-9)**
Malware classification is heavily tested. Understand what distinguishes a RAT from a backdoor from a rootkit. For sniffing, focus on ARP poisoning mechanics. Social engineering questions often test your ability to name the correct attack type given a scenario.
**Week 4: DoS, Session Hijacking, Evasion (Modules 10-12)**
SYN flood mechanics, TCP session hijacking through sequence number prediction, and IDS evasion via fragmentation are all frequent exam topics. Build a clear mental model of how each attack works.
**Week 5: Web Attacks (Modules 13-15)**
This is one of the highest-weight areas. Know the OWASP Top 10, be able to distinguish SQL injection types, and understand XSS categories (stored/reflected/DOM). Practice reading basic SQL injection payloads.
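As an added example (not from the guide or from EC-Council courseware), the same login query written with string concatenation and with placeholders, run against a constructed in-memory SQLite table. It shows why a tautology input returns every row from the concatenated query and nothing from the parameterized one, and why a stray quote causing a database error is the tell that error-based injection is possible.

```python
"""Vulnerable vs. parameterized SQL, demonstrated on constructed sample data."""
import sqlite3

# Constructed sample rows. Plaintext passwords are used only to keep the demo
# short; a real application stores a salted hash.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable form: input is spliced into the SQL text, so a quote in the
    input changes the query's structure. Union, blind and error-based
    injection all start from this mistake."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders pass the input as data; the driver never
    lets it become part of the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def quote_causes_error(conn: sqlite3.Connection, username: str) -> bool:
    """True if a single quote in the input breaks the concatenated query.
    A verbose error page leaking this is what error-based injection relies on,
    which is why applications must catch database errors and return a
    generic message instead."""
    try:
        login_concat(conn, username, "")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print(login_concat(db, "alice", "s3cret"))   # ['alice']
    print(login_concat(db, "x", tautology))      # ['alice', 'bob']
    print(login_param(db, "x", tautology))       # []
    print(quote_causes_error(db, "x'"))          # True
```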
**Week 6: Wireless, Mobile, IoT (Modules 16-18)**
WPA2 4-way handshake capture and offline dictionary attacks are key. Understand the difference between WEP (RC4, broken) and WPA2 (AES-CCMP, secure). The mobile module focuses on the OWASP Mobile Top 10 and MDM concepts.
**Week 7: Cloud and Cryptography (Modules 19-20)**
The cloud shared responsibility model is frequently tested. For cryptography, memorize key sizes and algorithm classifications. Know that MD5 produces 128-bit output, SHA-1 produces 160 bits, and SHA-256 produces 256 bits.
**Week 8: Review and Practice Exams**
Take at least two full 125-question timed practice exams. Review every wrong answer — understand why the correct answer is right AND why your chosen answer was wrong. Focus final review on your weakest modules.
---
## Final Tips
**Learn the methodology, not just the tools.** CEH questions frequently test whether you can identify the correct phase or sequence, not just whether you know a tool's name. Always ask: which phase does this activity belong to?
**Know your tool purposes.** Maltego is for relationship mapping. Shodan is for finding internet-exposed devices. Nikto is for web server scanning. Nessus is for vulnerability scanning. Metasploit is for exploitation. The exam will give you a scenario and ask which tool is appropriate.
**Read questions twice.** CEH scenario questions often include a detail that disqualifies the obvious answer. "The tester has no prior knowledge" usually means passive reconnaissance. "The client wants to avoid detection" often points to a stealth scan type.
**Do not skip the legal module.** Questions about authorization, scope, and the Computer Fraud and Abuse Act appear regularly. A signed scope of work and written authorization are non-negotiable prerequisites for ethical hacking — and the exam tests this.
The CEH is a solid credential that opens doors across enterprise security, SOC, and consulting roles. With structured preparation across all 20 modules, the exam is well within reach.