Certified Ethical Hacker Study Guide (2026)

Certified Ethical Hacker Study Guide 2026 – Pass on Your First Attempt

This Certified Ethical Hacker study guide covers all exam domains, key concepts, and real exam-style scenarios to help you pass on your first attempt. Learn what topics matter most, avoid common mistakes, and follow a structured plan based on the official exam blueprint.

Edureify AI helps you identify your strengths and weak areas using real exam-style questions, detailed explanations, and domain-level analysis. Get a personalized study plan, track your progress, and focus only on what will improve your Certified Ethical Hacker exam score.

"I passed my Certified Ethical Hacker exam on the first try after just 6 weeks of studying with Edureify AI!"

What should you study for the Certified Ethical Hacker exam?

To pass the Certified Ethical Hacker certification exam, you should focus on:

  • Reconnaissance and Footprinting: Passive and active information gathering techniques used to profile target organisations before an attack.
  • Scanning and Enumeration: Active techniques to discover live hosts, open ports, services, and users on target systems.
  • System Hacking: Techniques for gaining access, escalating privileges, executing malware, and covering tracks on target systems.
  • Malware and Social Engineering: Types of malware, malware analysis, and human-based social engineering attacks.
  • Network Attacks: Sniffing, session hijacking, DoS/DDoS, wireless attacks, and evasion techniques.
  • Web Application and Cloud Security: OWASP Top 10 vulnerabilities, web app attacks, SQL injection, API security, and cloud environment attacks.
  • Cryptography and AI in Hacking: Cryptographic concepts, PKI, and the new v13 AI-assisted hacking module.
  • Penetration Testing Methodology: Legal and ethical considerations, structured pen test phases, reporting, and compliance frameworks.

The exam tests your ability to apply concepts in real scenarios, not just memorize definitions.

Certified Ethical Hacker Exam Syllabus and Topics

The Certified Ethical Hacker exam is divided into 8 domains. Each domain tests specific skills and contributes to your overall score.

Reconnaissance and Footprinting

Passive and active information gathering techniques used to profile target organisations before an attack.

Weight: 10% | Questions: 13 | Marks: 125

Passive Reconnaissance

  • OSINT: Google dorking, Shodan, Maltego, and social media profiling
  • WHOIS lookups and DNS enumeration: A, MX, NS, TXT records
  • Certificate transparency logs and subdomain enumeration
  • Job posting analysis and technology fingerprinting
  • Dark web monitoring and data breach checking

Active Reconnaissance

  • Network scanning with Nmap: TCP SYN, FIN, XMAS, NULL scans
  • Banner grabbing with Netcat, Telnet, and curl
  • Email header analysis and email footprinting
  • Traceroute and network topology mapping

Scanning and Enumeration

Active techniques to discover live hosts, open ports, services, and users on target systems.

Weight: 10% | Questions: 13 | Marks: 125

Network Scanning

  • Host discovery: ICMP echo, TCP SYN ping, ARP ping
  • Port scanning: Nmap scan types, timing templates, and OS detection (-O)
  • Service version detection (-sV) and script scanning (-sC, --script)
  • Firewall and IDS evasion: fragmentation, decoys, and source port manipulation
  • Vulnerability scanning with Nessus, OpenVAS, and Qualys

Enumeration Techniques

  • NetBIOS and SMB enumeration: enum4linux, smbclient
  • SNMP enumeration: community strings, OIDs, and snmpwalk
  • LDAP enumeration for Active Directory information
  • NFS, SMTP, and DNS enumeration techniques
  • Web application enumeration: dirbusting, Nikto, and robots.txt

System Hacking

Techniques for gaining access, escalating privileges, executing malware, and covering tracks on target systems.

Weight: 12% | Questions: 15 | Marks: 150

Gaining Access

  • Password attacks: brute force, dictionary, rainbow table, credential stuffing
  • Password cracking tools: Hashcat, John the Ripper
  • Exploitation frameworks: Metasploit structure (exploits, payloads, encoders)
  • Buffer overflow concepts: stack-based and heap-based
  • Pass-the-hash and pass-the-ticket attacks

Privilege Escalation and Persistence

  • Vertical vs horizontal privilege escalation
  • Windows privilege escalation: unquoted service paths, weak permissions, token impersonation
  • Linux privilege escalation: SUID binaries, sudo misconfigurations, cron jobs
  • Maintaining access: backdoors, Netcat listeners, scheduled tasks
  • Rootkits: user-mode vs kernel-mode, detection evasion

Covering Tracks

  • Windows event log manipulation and MACE attribute modification
  • Linux log clearing: /var/log/auth.log, history manipulation
  • Steganography for data exfiltration and hiding payloads
  • Timestomping and file attribute manipulation

Malware and Social Engineering

Types of malware, malware analysis, and human-based social engineering attacks.

Weight: 8% | Questions: 10 | Marks: 100

Malware Types and Analysis

  • Virus types: file infectors, boot sector, macro, polymorphic, metamorphic
  • Worms vs Trojans vs RATs: propagation and purpose
  • Ransomware: encryption mechanisms, delivery, and decryption keys
  • Fileless malware and living-off-the-land (LOLBins) techniques
  • Static vs dynamic malware analysis: sandbox environments

Human-Based Attacks

  • Phishing, spear phishing, whaling, vishing, and smishing
  • Pretexting, tailgating, and impersonation techniques
  • BEC (Business Email Compromise) attack patterns
  • Social engineering frameworks: SET (Social-Engineer Toolkit)
  • Countermeasures: security awareness training and email gateway controls

Network Attacks

Sniffing, session hijacking, DoS/DDoS, wireless attacks, and evasion techniques.

Weight: 15% | Questions: 19 | Marks: 188

Packet Sniffing

  • Passive vs active sniffing: hubs vs switches
  • ARP poisoning and MITM attacks: arpspoof, Ettercap
  • MAC flooding to overflow the switch's CAM table
  • Wireshark: capture filters, display filters, and protocol analysis
  • Countermeasures: dynamic ARP inspection, port security

Session Hijacking and DoS

  • TCP session hijacking: sequence number prediction
  • Cookie theft and XSS-based session attacks
  • DoS vs DDoS: volumetric, protocol, and application-layer attacks
  • Botnets and C2 infrastructure for DDoS
  • DDoS mitigation: rate limiting, scrubbing centres, Anycast

Wireless Hacking

  • WEP, WPA, WPA2, and WPA3 vulnerabilities
  • PMKID attack and 4-way handshake capture with Aircrack-ng
  • Evil twin attacks and rogue access points
  • Bluetooth attacks: Bluejacking, Bluesnarfing, KNOB
  • Wireless IDS evasion techniques

IDS, Firewall, and Honeypot Evasion

  • Firewall types: packet filter, stateful, NGFW, WAF
  • Evasion: fragmentation, tunnelling, encrypted payloads
  • IDS evasion: session splicing, obfuscation, TTL manipulation
  • Honeypots and honeytraps: types and detection

Web Application and Cloud Security

OWASP Top 10 vulnerabilities, web app attacks, SQL injection, API security, and cloud environment attacks.

Weight: 20% | Questions: 25 | Marks: 250

OWASP Top 10 and Attack Techniques

  • Injection attacks: SQL injection (union-based, blind, error-based), command injection
  • XSS: reflected, stored, DOM-based and exploitation techniques
  • IDOR: insecure direct object references and broken access control
  • SSRF: server-side request forgery and internal network pivoting
  • XXE: XML external entity attacks
  • CSRF: cross-site request forgery and SameSite cookie defences
  • Security misconfiguration and default credentials

Web Attack Tools

  • Burp Suite: proxy, scanner, intruder, and repeater modules
  • SQLmap: automated SQL injection detection and exploitation
  • OWASP ZAP: active and passive scanning
  • Directory brute-forcing: Gobuster, Dirbuster, Feroxbuster

Cloud Security

  • AWS, Azure, GCP attack surfaces: IAM misconfigurations, exposed buckets, SSRF
  • Container security: Docker escape, Kubernetes RBAC misconfigurations
  • Cloud enumeration tools: Scout Suite, Prowler, CloudSploit
  • Serverless attacks: function injection and over-privileged roles

IoT and OT/ICS

  • IoT attack surface: firmware extraction, default credentials, insecure protocols
  • Shodan for IoT device discovery
  • OT/ICS protocols: Modbus, DNP3, SCADA vulnerabilities
  • ICS attack case studies: Stuxnet, Colonial Pipeline

Cryptography and AI in Hacking

Cryptographic concepts, PKI, and the new v13 AI-assisted hacking module.

Weight: 10% | Questions: 10 | Marks: 100

Cryptographic Algorithms and PKI

  • Symmetric encryption: AES, DES, 3DES, Blowfish
  • Asymmetric encryption: RSA, ECC, Diffie-Hellman
  • Hashing: MD5, SHA-1, SHA-256, bcrypt
  • PKI: certificate lifecycle, CA hierarchy, CRL, OCSP
  • SSL/TLS: handshake process, cipher suites, and certificate pinning
  • Cryptographic attacks: birthday, MITM on TLS, padding oracle

AI-Assisted Attack and Defence

  • Using AI/ML for automated vulnerability discovery
  • AI-powered phishing and deepfake social engineering
  • LLM prompt injection attacks
  • AI-based anomaly detection and AI-driven SIEM
  • Adversarial machine learning: evasion attacks on ML models

Penetration Testing Methodology

Legal and ethical considerations, structured pen test phases, reporting, and compliance frameworks.

Weight: 15% | Questions: 20 | Marks: 187

Legal and Ethical Framework

  • Rules of engagement (RoE) and statement of work
  • Types of pen tests: black box, white box, grey box
  • Authorisation and scope: why written permission is essential
  • Computer crime laws: CFAA (US), Computer Misuse Act (UK)
  • Security assessment types: vulnerability assessment vs pen test vs red team

Pen Test Phases and Reporting

  • CEH pen test phases: pre-attack, attack, post-attack
  • Pen test report structure: executive summary, technical findings, CVSS scores
  • CVSS v3.1: base, temporal, and environmental metrics
  • Remediation prioritisation and re-testing
  • Responsible disclosure vs full disclosure