How hard is the CEH exam compared to Security+?
The CEH (Certified Ethical Hacker) is harder than Security+ and requires more technical knowledge of offensive security techniques. CEH v13 covers 20 modules including reconnaissance, scanning, exploitation, web application hacking, social engineering, and cryptography. The exam is 4 hours long with 125 questions and requires a passing score of approximately 70%. EC-Council also requires 2 years of security experience or completion of official training.
The CEH (Certified Ethical Hacker) v13 certification from EC-Council is one of the most recognized penetration testing and ethical hacking credentials globally. It provides structured education in offensive security techniques, teaching candidates to think like attackers in order to better defend systems.
CEH is commonly required or preferred for penetration tester, red team analyst, security engineer, and security consultant roles. It is approved under DoD 8570 for CSSP Analyst positions. The exam costs $1,199 USD including the EC-Council courseware, or $550 USD for the exam-only voucher if you qualify with 2 years of experience. The exam consists of 125 questions over 4 hours.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | 312-50 (v13) |
| Full Name | Certified Ethical Hacker |
| Number of Questions | 125 |
| Time Limit | 4 hours |
| Passing Score | 70-72% (varies by question bank) |
| Exam Cost | $550 USD (exam only) |
| Training Cost | $1,199 USD (includes courseware) |
| Eligibility | 2 years security experience OR EC-Council training |
| DoD Approval | CSSP Analyst |
| Validity | 3 years |
CEH v13 covers 20 modules:
- Introduction to Ethical Hacking
- Footprinting and Reconnaissance
- Scanning Networks
- Enumeration
- Vulnerability Analysis
- System Hacking
- Malware Threats
- Sniffing
- Social Engineering
- Denial of Service
- Session Hijacking
- Evading IDS, Firewalls, and Honeypots
- Hacking Web Servers
- Hacking Web Applications
- SQL Injection
- Hacking Wireless Networks
- Hacking Mobile Platforms
- IoT and OT Hacking
- Cloud Computing
- Cryptography
"CEH v13 added artificial intelligence integration throughout the curriculum. Candidates should understand how AI tools are being used by attackers for automation, target selection, and evasion, as well as how AI-powered defensive tools work. This reflects the actual evolution of the threat landscape that ethical hackers must understand." -- EC-Council CEH training community
Module 2: Footprinting and Reconnaissance
Passive Reconnaissance Techniques
Passive footprinting collects information without directly interacting with the target:
- Google dorking: Using advanced search operators to find exposed information
  - `site:company.com filetype:pdf` - Find PDF files
  - `intitle:"index of"` - Find directory listings
  - `inurl:admin` - Find admin panels
- WHOIS lookup: Domain registration information (registrant, name servers, registration dates)
- DNS interrogation: Enumerating DNS records (A, MX, NS, TXT, CNAME)
- Social media OSINT: LinkedIn for employee roles, job postings for technology stack
- Shodan: Finding internet-exposed devices and services
Active Reconnaissance
Active footprinting directly queries target systems:
- DNS zone transfer: Attempting to download the entire DNS zone file (AXFR request)
- Traceroute: Mapping network topology between attacker and target
- Email tracking: Embedding tracking pixels to confirm email receipt and gather IP/OS information
- Social engineering calls: Phoning target organization to gather information
Module 3-4: Scanning and Enumeration
Network Scanning
Nmap scanning techniques:
| Scan Type | Nmap Flag | Description |
|---|---|---|
| TCP SYN (stealth) | -sS | Half-open scan; less likely to be logged |
| TCP Connect | -sT | Full three-way handshake; more detectable |
| UDP scan | -sU | Scans UDP ports; slower |
| Ping sweep | -sn | Host discovery without port scan |
| OS detection | -O | Fingerprints OS from TCP/IP behavior |
| Service version | -sV | Detects service and version |
| Aggressive | -A | OS, version, script, traceroute |
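
From the defender's side, the difference between the half-open and full-connect rows in the table shows up in network flow data rather than in application logs. The following is an added example, not part of the original guide; the flow tuple format and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow summaries, one per (source, destination port):
# (src_ip, dst_port, server_reply, client_followup)
SAMPLE_FLOWS = (
    [("203.0.113.7", p, "RST", None) for p in (21, 23, 25, 110, 3389)]
    + [("203.0.113.7", 22, "SYN-ACK", "RST"), ("203.0.113.7", 443, "SYN-ACK", "RST")]
    + [("198.51.100.9", p, "RST", None) for p in (21, 23, 25, 110, 3389)]
    + [("198.51.100.9", 22, "SYN-ACK", "ACK"), ("198.51.100.9", 443, "SYN-ACK", "ACK")]
    + [("192.0.2.44", 443, "SYN-ACK", "ACK")]  # ordinary client, one port
)


def classify_scanners(flows, min_ports=5):
    """Flag sources that probe >= min_ports distinct ports and label the scan type.

    On a port that answers SYN-ACK, a half-open scan replies RST and never
    completes the handshake, so the listening application logs nothing.
    A connect scan replies ACK, which produces an accepted connection.
    """
    ports = defaultdict(set)      # src -> distinct destination ports probed
    followups = defaultdict(set)  # src -> client replies seen on open ports
    for src, dport, reply, followup in flows:
        ports[src].add(dport)
        if reply == "SYN-ACK":
            followups[src].add(followup)

    verdicts = {}
    for src, seen in ports.items():
        if len(seen) < min_ports:
            continue  # too few ports to call it a scan
        if followups[src] == {"RST"}:
            verdicts[src] = "half-open (SYN) scan"
        elif "ACK" in followups[src]:
            verdicts[src] = "full connect scan"
        else:
            verdicts[src] = "scan, type undetermined"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_scanners(SAMPLE_FLOWS).items():
        print(src, "->", verdict)
```
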
Enumeration
Enumeration extracts detailed information from discovered services:
- NetBIOS enumeration: Enumerating Windows shares, sessions, and user accounts
- SNMP enumeration: Reading community strings to extract device configuration
- LDAP enumeration: Extracting Active Directory user and group information
- SMB enumeration: Enumerating shares, users, and sessions via enum4linux or crackmapexec
- SMTP enumeration: Verifying email addresses using VRFY and EXPN commands
Module 6: System Hacking
Password Attacks
| Attack Type | Method | Tool |
|---|---|---|
| Dictionary attack | Try words from wordlist | Hashcat, John the Ripper |
| Brute force | Try every combination | Hashcat |
| Hybrid attack | Dictionary + rule modifications | Hashcat with rules |
| Rainbow table | Precomputed hash lookup | Ophcrack |
| Pass-the-hash | Use captured hash without cracking | Mimikatz, Impacket |
Privilege Escalation
Windows privilege escalation techniques:
- AlwaysInstallElevated: MSI packages run with SYSTEM privileges if this registry key is set
- Unquoted service paths: Services with paths containing spaces can be hijacked
- DLL hijacking: Placing malicious DLLs in locations searched before legitimate DLLs
- Token impersonation: Using Mimikatz or PrintSpoofer to impersonate privileged tokens
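
An audit for the unquoted service path condition listed above can be run over exported service `ImagePath` values. This is an added example, not part of the original guide; the service names and paths are constructed, and the check only considers `.exe` image paths.

```python
import re

# Constructed ImagePath values, as they might be exported from service registry entries
SAMPLE_SERVICES = {
    "GoodQuoted": r'"C:\Program Files\Vendor App\agent.exe" --service',
    "BadUnquoted": r"C:\Program Files\Vendor App\agent.exe --service",
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "SpaceOnlyInArgs": r"C:\Tools\agent.exe --config C:\My Data\a.ini",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

# Executable portion: shortest prefix ending in ".exe" followed by whitespace or end of string
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def unquoted_with_spaces(image_path):
    """True when the executable path is not quoted and contains a space."""
    path = image_path.strip()
    if path.startswith('"'):
        return False  # quoted: the path is unambiguous
    match = _EXE.match(path)
    if not match:
        return False  # not an .exe image (for example a driver), out of scope here
    # Spaces in the arguments are harmless; only the executable path matters
    return " " in match.group(1)


def audit(services):
    """Return the sorted names of services whose ImagePath needs quoting."""
    return sorted(name for name, path in services.items()
                  if unquoted_with_spaces(path))


if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print("needs quoting:", name, "->", SAMPLE_SERVICES[name])
```

The fix for each flagged entry is to wrap the executable path in double quotes in the service configuration.
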
Linux privilege escalation techniques:
- SUID binaries: Finding SUID-set binaries exploitable for privilege escalation
- Sudo misconfigurations: Commands runnable with sudo that allow shell escapes
- Cron jobs: Writable scripts run by root through cron
- Kernel exploits: Local privilege escalation through kernel vulnerabilities
Module 14-15: Web Application and SQL Injection
OWASP Testing Methodology
The CEH approach to web application testing follows the principles of the OWASP testing guide:
- Information gathering (technology stack, entry points, authentication mechanisms)
- Configuration testing (default credentials, exposed admin interfaces, HTTP methods)
- Authentication testing (brute force resistance, lockout policies, session management)
- Authorization testing (IDOR, privilege escalation, direct object references)
- Input validation testing (injection, XSS, deserialization)
SQL Injection
SQL injection classification and examples:
Error-based injection (retrieves data through database error messages):

```sql
' HAVING 1=1 --
' GROUP BY column_name HAVING 1=1 --
```

Union-based injection (uses UNION to combine results):

```sql
' UNION SELECT null, username, password FROM users --
' ORDER BY 3 -- (determine number of columns)
```

Blind time-based injection (infers data from response delays):

```sql
'; IF (1=1) WAITFOR DELAY '0:0:5' -- (SQL Server)
' AND SLEEP(5) -- (MySQL)
```
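
The root cause behind all three classes is user input concatenated into the SQL text. The following added example (not part of the original guide) shows the union-based string from above against a concatenated query and against a parameterized one, using an in-memory SQLite database; the table names, rows and function names are constructed for illustration.

```python
import sqlite3

# The union-based input shown in this section
PAYLOAD = "' UNION SELECT null, username, password FROM users --"


def make_db():
    """Build a constructed in-memory database with a product and a user table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99');
        INSERT INTO users VALUES ('alice', 'constructed-hash-1');
    """)
    return db


def search_vulnerable(db, name):
    # Vulnerable on purpose: the input becomes part of the SQL statement,
    # so a quote in `name` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def search_safe(db, name):
    # Hardened: the statement is fixed and the input is bound as a value,
    # so it is only ever compared against the name column.
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # leaks the users row
    print("safe:      ", search_safe(db, PAYLOAD))        # no rows
```
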
Module 19: Cloud Computing Security
Cloud Attack Techniques
Cloud-specific attack vectors:
- Account hijacking: Stealing cloud management console credentials through phishing
- Insecure APIs: Exploiting misconfigured or unprotected API endpoints
- Data breaches: Accessing improperly secured cloud storage buckets (S3, Azure Blob)
- Misconfigured IAM: Exploiting overly permissive IAM roles for privilege escalation
- Side-channel attacks: Exploiting shared hardware in multi-tenant environments
Cloud Security Testing
Cloud penetration testing requires explicit written authorization from the cloud provider in addition to the customer:
- AWS: Submit testing request form for non-permitted services
- Azure: No prior approval needed for testing own resources, but prohibited activities listed in terms of service
- GCP: Most testing permitted; DDoS testing requires advance notice
Frequently Asked Questions
Is CEH recognized by employers? CEH is well-recognized by employers in cybersecurity, particularly for roles in security consulting, government contracting, and organizations that use EC-Council training programs. It is approved by the DoD for multiple security roles. However, OSCP is generally more respected by technical security professionals for hands-on penetration testing roles because it requires demonstrating actual exploitation skills rather than answering multiple-choice questions.
How should I prepare for the CEH exam? The most effective preparation combines the official EC-Council courseware (included with the training package), hands-on lab practice using TryHackMe or Hack The Box, and dedicated exam preparation with Matt Walker's CEH All-in-One study guide. Practice with tools like Nmap, Metasploit, Wireshark, and Burp Suite is essential for the performance-based lab component that EC-Council is adding to CEH.
What is CEH ANSI vs. CEH Practical? CEH ANSI (or CEH exam) is the traditional multiple-choice examination. CEH Practical is a 6-hour hands-on exam where candidates must perform actual penetration testing tasks in a live lab environment, earning the "CEH Master" designation when both are passed. The CEH Practical is more technically demanding and commands more respect from technical employers.
References
- EC-Council. (2025). CEH v13 Certification. https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh/
- Walker, M. (2023). CEH Certified Ethical Hacker All-in-One Exam Guide, 5th Edition. McGraw-Hill.
- OWASP Foundation. (2024). OWASP Testing Guide v4.2. https://owasp.org/www-project-web-security-testing-guide/
- MITRE ATT&CK. (2025). Enterprise Attack Matrix. https://attack.mitre.org/
- Santos, O. (2023). Ethical Hacking: A Hands-on Introduction to Breaking In. No Starch Press.
- TryHackMe. (2025). Offensive Security Learning Paths. https://tryhackme.com/
