
CEH Cheat Sheet

Security Overview

6% of exam

Ethics, Controls, Methodology, Laws, Scope

Reconnaissance Techniques

17% of exam

Footprinting, Scanning, Enumeration, OSINT, DNS

System Hacking

15% of exam

Vulnerability Analysis, Access, Malware, Privilege, Persistence

Network Perimeter

24% of exam

Sniffing, Social Engineering, DoS, Hijacking, Evasion

Web Application

14% of exam

Web Servers, Web Apps, SQL Injection, APIs, Input

Wireless Hacking

5% of exam

Wi-Fi, Encryption, Bluetooth, Evil Twin, WPA

Mobile IoT OT

10% of exam

Mobile, Android, iOS, IoT, OT

Cloud Computing

5% of exam

Cloud Models, Containers, Serverless, Shared Responsibility, IAM

Cryptography

5% of exam

Ciphers, PKI, Hashing, Signatures, Cryptanalysis

Quick Facts

Exam: CEH
Code: 312-50
Questions: 125 MCQ
Time: 4 hours
Pass: 60-85% (the cut score varies by exam form)
Delivery: ECC Exam Center or Pearson VUE
Credential: Valid 3 years
Blueprint: v5.0

Five Phases

Recon, Scan, Access, Persist, Cover

Attack Phase Picker

  1. Collect public data → Recon
  2. Map exposed services → Scanning
  3. Query users and shares → Enumeration
  4. Use a weakness → Gaining access
  5. Keep a foothold → Persistence
  6. Document risk → Reporting

Ethics + Scope

Authorization: Written permission, obtained before any testing starts
Scope: Allowed targets
ROE: Rules of engagement; how and when testing may be done
NDA: Confidentiality promise
White hat: Authorized tester
Black hat: Unauthorized attacker
Gray hat: Finds flaws without authorization, usually without malicious intent
Disclosure: Report through the agreed channels

CIA Triad

Confidentiality, Integrity, Availability: keep data secret, accurate, and reachable

Security Controls

CIA: Core security goals
Confidentiality: Prevent disclosure
Integrity: Prevent tampering
Availability: Keep accessible
Administrative: Policies and training
Technical: Logical safeguards (access control, encryption, firewalls)
Physical: Facility safeguards
Least privilege: Only the minimum access the task needs

Hacking Phases

Recon: Gather information
Scanning: Find live hosts and services
Gaining access: Exploit a weakness
Maintaining access: Keep a foothold
Covering tracks: Hide evidence
Reporting: Document findings

Passive vs Active Recon

Passive

  • Public sources
  • No direct probes

Active

  • Touches target
  • More detectable

Direct contact with the target is what raises detection risk

Recon Picker

  1. Need no contact → Passive OSINT
  2. Need domain owner → WHOIS
  3. Need mail servers → MX lookup
  4. Need live hosts → Ping sweep
  5. Need open ports → Port scan
  6. Need service version → Banner grab

Footprinting

Passive recon: No target contact
Active recon: Direct target interaction
OSINT: Public sources
WHOIS: Domain registration data
DNS: Name infrastructure
MX: Mail servers
NS: Name servers
Metadata: Hidden data inside files (authors, paths, software versions)

Scanning vs Enumeration

Scanning

  • Find hosts
  • Find services

Enumeration

  • Extract details
  • Query services

Enumeration digs deeper: it queries the services that scanning found

Scanning + Enumeration

Ping sweep: Find live hosts
Port scan: Find open ports
Banner grab: Identify service and version
OS fingerprint: Infer platform from stack behaviour
SNMP: Device management (community strings)
LDAP: Directory queries
NetBIOS: Windows name service
SMB: File sharing
SMTP: Mail user enumeration (VRFY, EXPN)
NFS: Unix shares
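The scan-then-enumerate sequence above, as an added example (not code from this cheat sheet): a TCP connect scan followed by a banner grab. So that it runs offline, the script starts its own throwaway listener on 127.0.0.1 that answers with a constructed SSH-style banner; the ports, banner and timeouts are assumptions.

```python
"""Added example: TCP connect scan plus banner grab against a local
listener the script starts itself. Not from the cheat sheet; the
listener, banner and ports are constructed for the demo."""
import socket
import threading
from typing import Dict, Iterable, Tuple


def start_fake_service(banner: bytes) -> Tuple[int, socket.socket]:
    """Bind a throwaway TCP listener on 127.0.0.1 that sends `banner` to
    every client and closes. Returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was closed; stop serving
                return
            try:
                conn.sendall(banner)    # scanner may have hung up already
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_closed_port() -> int:
    """Take an ephemeral port and release it: almost certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full-connect scan: a completed three-way handshake means open.
    Returns {port: 'open' | 'closed'}; refused or timed out both count as closed."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = "open" if s.connect_ex((host, port)) == 0 else "closed"
    return results


def grab_banner(host: str, port: int, timeout: float = 0.5) -> str:
    """Enumeration step: connect and read whatever the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024).decode(errors="replace").strip()
        except socket.timeout:          # silent service: no banner to report
            return ""


def scan_and_enumerate(host: str, ports: Iterable[int]) -> Dict[int, dict]:
    """Scan first, then banner-grab only what came back open."""
    report: Dict[int, dict] = {}
    for port, state in tcp_connect_scan(host, ports).items():
        report[port] = {"state": state}
        if state == "open":
            report[port]["banner"] = grab_banner(host, port)
    return report


if __name__ == "__main__":
    port, srv = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
    try:
        print(scan_and_enumerate("127.0.0.1", [port, free_closed_port()]))
    finally:
        srv.close()
```

A full-connect scan is the noisiest option: every probe completes a handshake and lands in the target's connection logs, which is exactly the active-versus-passive trade-off described above.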

Vulnerability + Access

CVE: Public vulnerability identifier
CVSS: Severity score (0-10)
False positive: Reported finding that is not real
Exploit: Code or technique that uses a weakness
Payload: Action delivered once the exploit succeeds
Privilege escalation: Gain higher rights
Password cracking: Recover secrets from captured hashes
Hash: One-way digest

Malware + Persistence

Virus: Code that attaches itself to a host file
Worm: Self-spreading malware
Trojan: Malware disguised as something useful
Rootkit: Stealthy control that hides its own presence
Ransomware: Encryption for extortion
Backdoor: Hidden access path
Botnet: Attacker-controlled hosts
C2: Command and control channel

IDS vs IPS

IDS

  • Detects events
  • Alerts humans

IPS

  • Blocks traffic
  • Inline control

Inline can block
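The IDS/IPS distinction above, as an added example that is not part of the cheat sheet: a toy port-scan rule run over constructed firewall log lines, with the out-of-band outcome (an alert) beside the inline outcome (a block list). The log format, window and threshold are assumptions.

```python
"""Added example: port-scan detection over constructed log lines, then
IDS (alert) versus IPS (block) handling. Not from the cheat sheet; the
log format, time window and port threshold are assumed values."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log, one line per connection attempt:
#   <ISO time> <src_ip> -> <dst_ip>:<dst_port> <action>
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 10.0.0.20:22 ACCEPT
2024-05-01T10:00:01 10.0.0.5 -> 10.0.0.20:23 DROP
2024-05-01T10:00:01 10.0.0.5 -> 10.0.0.20:25 DROP
2024-05-01T10:00:02 10.0.0.5 -> 10.0.0.20:80 ACCEPT
2024-05-01T10:00:02 10.0.0.5 -> 10.0.0.20:110 DROP
2024-05-01T10:00:03 10.0.0.5 -> 10.0.0.20:143 DROP
2024-05-01T10:00:03 10.0.0.5 -> 10.0.0.20:443 ACCEPT
2024-05-01T10:00:04 10.0.0.5 -> 10.0.0.20:445 DROP
2024-05-01T10:00:04 10.0.0.5 -> 10.0.0.20:3389 DROP
2024-05-01T10:00:05 10.0.0.5 -> 10.0.0.20:8080 DROP
2024-05-01T10:00:10 10.0.0.7 -> 10.0.0.20:443 ACCEPT
2024-05-01T10:05:00 10.0.0.7 -> 10.0.0.20:443 ACCEPT
"""


def parse(line: str) -> Tuple[datetime, str, str, int, str]:
    ts, src, _, dst, action = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ip, int(port), action


def detect_port_scans(log_text: str, window_s: int = 10, min_ports: int = 8) -> List[dict]:
    """Rule: one source touching >= min_ports distinct ports on one
    destination inside a window_s-second sliding window. Dropped and
    accepted attempts both count; a scan does not care about the answer."""
    events: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, _ = parse(line)
        events[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": len(ports),
                               "first_seen": start.isoformat()})
                break                       # one alert per source/destination pair
    return alerts


def ids_response(alerts: List[dict]) -> List[str]:
    """IDS sits off the path: it can only tell someone."""
    return [f"ALERT port scan from {a['src']} against {a['dst']} ({a['ports']} ports)"
            for a in alerts]


def ips_response(alerts: List[dict]) -> List[str]:
    """IPS sits inline: it returns the sources to deny at the chokepoint."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_LOG)
    print(ids_response(found))
    print("block:", ips_response(found))
```

The same rule feeds both responses; what differs is placement. An IPS that fires on a threshold this low would also block a legitimate monitoring host, which is why inline blocking rules are tuned more conservatively than alerting rules.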

Network Attacks

Sniffing: Capture traffic
ARP spoofing: Poison IP-to-MAC mapping
MITM: Intercept a session in transit
DoS: Deny service
DDoS: Distributed denial of service
Session hijacking: Steal an authenticated session
Replay: Reuse captured data
DNS poisoning: Corrupt name resolution

Social + Evasion

Phishing: Mass deception
Spear phishing: Targeted deception
Whaling: Executive targeting
Vishing: Voice phishing
Smishing: SMS phishing
IDS: Detect intrusion
IPS: Block intrusion
Honeypot: Decoy system

Web Input

Validate, encode, parameterize, authorize

XSS vs CSRF

XSS

  • Inject script
  • Victim runs code

CSRF

  • Forge action
  • Browser sends request

Code vs action

Web Defense Picker

  1. SQL injection → Parameterized queries
  2. Stored XSS → Output encoding
  3. CSRF risk → CSRF tokens
  4. IDOR risk → Object-level authorization
  5. File inclusion → Path allowlist
  6. API abuse → Rate limits

Web Attacks

XSS: Client-side script injection
CSRF: Forced browser action
SQLi: Database query injection
IDOR: Broken object-level access
LFI: Local file include
RFI: Remote file include
SSRF: Server-side request forgery
Web shell: Remote control through a planted web page

SQL Injection Types

Union SQLi: Merge query output
Error SQLi: Leak via error messages
Boolean blind: True/false inference
Time blind: Delay inference
Stacked queries: Multiple statements in one request
Parameterized: Bind inputs
Escaping: Neutralize characters
Least privilege: Limit database rights
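Union and boolean-blind injection against a string-built query, beside the same query parameterized, as an added example that is not from the cheat sheet. It runs against an in-memory SQLite database with a constructed schema and rows; the table and column names are assumptions.

```python
"""Added example: vulnerable versus parameterized query on SQLite, with
a UNION attack and a boolean-blind extraction run against each.
Not from the cheat sheet; schema, rows and payloads are constructed."""
import sqlite3
from typing import Callable, List, Tuple


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER, username TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, term: str) -> List[Tuple]:
    """Untrusted input concatenated into SQL: the input is parsed as SQL."""
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return db.execute(sql).fetchall()


def search_safe(db: sqlite3.Connection, term: str) -> List[Tuple]:
    """Same query with a bound parameter: the input is only ever a value."""
    return db.execute("SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


# Union-based: tack a second SELECT with the same column count onto the
# first, and comment out the quote the template appends.
UNION_PAYLOAD = "x' UNION SELECT username, pw_hash FROM users--"


def blind_extract_username(db: sqlite3.Connection,
                           query_fn: Callable[[sqlite3.Connection, str], list],
                           max_len: int = 16) -> str:
    """Boolean-blind: ask only yes/no questions (does a row come back?) and
    rebuild the admin username one character at a time."""
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # True branch keeps the 'widget' row; false branch returns nothing.
            probe = (f"widget' AND substr((SELECT username FROM users WHERE id=1),"
                     f"{pos},1)='{ch}")
            if query_fn(db, probe):
                found += ch
                break
        else:
            break                       # no character matched: end of the string
    return found


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable + union :", search_vulnerable(db, UNION_PAYLOAD))
    print("safe + union       :", search_safe(db, UNION_PAYLOAD))
    print("vulnerable + blind :", blind_extract_username(db, search_vulnerable))
    print("safe + blind       :", blind_extract_username(db, search_safe))
```

Against the parameterized version both payloads are just product names that do not exist, so nothing comes back; escaping would have blocked the quote here but not a numeric context, which is why parameterization is the answer the picker gives.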

Wireless Basics

SSID: Network name
BSSID: AP MAC address
WEP: RC4 with weak IV handling; broken
WPA: TKIP stopgap, still RC4
WPA2: AES-CCMP
WPA3: SAE handshake
Evil twin: Rogue lookalike AP
Deauth: Forced disconnect
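Why a captured WPA/WPA2 handshake matters, as an added example rather than cheat-sheet code: the pre-shared key is mapped to the PMK with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds, 32 bytes. With the handshake in hand an attacker checks guesses offline at that cost per guess. The real attack verifies each candidate PMK against the handshake MIC; this example stands in a known PMK for that check and uses a constructed wordlist.

```python
"""Added example: WPA/WPA2 PSK-to-PMK mapping and an offline dictionary
attack against it. Not from the cheat sheet; the wordlist is constructed
and the handshake MIC check is replaced by a direct PMK comparison."""
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK mapping. The SSID is the salt, so the same passphrase
    on two networks yields two PMKs and precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(ssid: str, target_pmk: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: nothing touches the access point, so no rate limit
    or lockout applies; only the 4096-round PBKDF2 slows each guess down."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


WORDLIST = ["letmein", "qwerty", "password", "hunter2"]     # constructed

if __name__ == "__main__":
    captured = wpa_pmk("password", "IEEE")    # stands in for the handshake-derived check
    print(wpa_pmk("password", "IEEE").hex())
    print(dictionary_attack("IEEE", captured, WORDLIST))
```

The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector, so the first print can be checked against the standard. WPA3's SAE replaces this mapping with a handshake that is not offline-guessable, which is the reason the cheat sheet singles it out.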

Jailbreak vs Rooting

Jailbreak

  • iOS restrictions
  • App Store bypass

Rooting

  • Android privileges
  • System control

Platform differs

Mobile IoT OT

Jailbreak: iOS restriction removal
Rooting: Android privilege gain
Sideloading: Unofficial app install
MDM: Device policy control
IoT: Connected devices
Default creds: Common IoT risk
OT: Technology that drives physical processes
SCADA: Industrial control and monitoring

IaaS vs SaaS

IaaS

  • You manage OS
  • More control

SaaS

  • Provider manages app
  • Less control

Control shifts responsibility

Cloud Security

IaaS: Customer manages the OS and everything above it
PaaS: Customer manages the app and its data
SaaS: Customer manages data and access
IAM: Cloud access control
Bucket exposure: Public storage leak
Container escape: Break isolation
Serverless: Function execution
API keys: Cloud secrets
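Bucket exposure usually comes down to one resource-policy statement that grants access to everyone. As an added example (not cheat-sheet code), a checker over a constructed S3-style policy document that flags such statements; the rule set is a deliberate simplification, not a full IAM policy evaluator, and the bucket, account and role names are made up.

```python
"""Added example: flag bucket-policy statements that allow any principal.
Not from the cheat sheet; the policy JSON is constructed and the check is
a simplified rule, not a complete IAM evaluation."""
import json
from typing import List

# Constructed policy: one public read statement, one scoped to a role.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def is_public_principal(principal) -> bool:
    """'*' or {'AWS': '*'} (alone or in a list) means anyone, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def find_public_statements(policy_json: str) -> List[dict]:
    """Return every Allow statement whose principal is everyone. A Condition
    may narrow it (for example to a source VPC), so it is reported, not trusted."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):            # a single statement need not be a list
        statements = [statements]

    findings = []
    for s in statements:
        if s.get("Effect") != "Allow" or not is_public_principal(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        findings.append({
            "sid": s.get("Sid"),
            "actions": actions if isinstance(actions, list) else [actions],
            "resource": s.get("Resource"),
            "conditional": bool(s.get("Condition")),
        })
    return findings


if __name__ == "__main__":
    for f in find_public_statements(PUBLIC_POLICY):
        print("PUBLIC:", f)
```

The same shape of check applies to ACL grants to the AllUsers group and to account-level public-access settings; a policy can be clean while an object ACL still exposes the data, so a real review looks at all three layers.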

Crypto Goals

Encrypt, hash, sign, certify

Symmetric vs Asymmetric

Symmetric

  • One shared key
  • Fast bulk data

Asymmetric

  • Key pair
  • Trust exchange

Speed vs trust

Crypto Picker

  1. Need confidentiality → Encryption
  2. Need integrity → Hashing
  3. Need authenticity → Digital signature
  4. Need key exchange → Asymmetric crypto
  5. Store passwords → Salted hashes
  6. Trust certificates → PKI

Cryptography

Symmetric: One shared key
Asymmetric: Public and private key pair
Hashing: One-way integrity
Salt: Random per-entry value mixed into the hash
PKI: Certificate trust
CA: Certificate issuer
Digital signature: Integrity and non-repudiation
Cryptanalysis: Break cryptography
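Salted password storage, as an added example that is not from the cheat sheet: an unsalted digest beside a per-user-salted PBKDF2 record, showing why equal passwords must not produce equal stored values and why verification recomputes rather than decrypts. The usernames, passwords and iteration counts are constructed.

```python
"""Added example: unsalted digest versus salted, iterated password
record. Not from the cheat sheet; inputs and iteration counts are
constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Dict


def unsalted(password: str) -> str:
    """A bare digest is deterministic: equal passwords give equal hashes, so one
    precomputed table (or one cracked user) covers every account sharing it."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = 600_000) -> Dict[str, object]:
    """Store salt, iteration count and PBKDF2-HMAC-SHA256 output. There is no
    key to keep because nothing here can be reversed: this is hashing, not
    encryption. The salt is public; its job is uniqueness, not secrecy."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(str(record["salt"])), int(record["iterations"]))
    return hmac.compare_digest(digest, bytes.fromhex(str(record["digest"])))


def accounts_with_shared_hash(table: Dict[str, str]) -> Dict[str, list]:
    """Group usernames by identical unsalted hash: what an attacker sees at once."""
    groups: Dict[str, list] = {}
    for user, h in table.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed users; two of them chose the same password.
    legacy = {u: unsalted(p) for u, p in [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "tr0ub4dor")]}
    print("shared unsalted hashes:", accounts_with_shared_hash(legacy))
    rec_a, rec_b = make_record("hunter2", 50_000), make_record("hunter2", 50_000)
    print("salted records differ :", rec_a["digest"] != rec_b["digest"])
    print("verify correct/wrong  :", verify(rec_a, "hunter2"), verify(rec_a, "hunter3"))
```

The iteration count is part of the record so it can be raised over time without invalidating old entries; 600 000 rounds of PBKDF2-HMAC-SHA256 is the current OWASP guidance, which is why the default is that high and the demo passes a smaller value.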

Common Traps

Authorization

Written permission, not good intent only

Recon Detection

Passive OSINT stays quiet; active probing is what gets detected

Vulnerability Testing

Finding a weakness is not the same as proving an exploit

Hashing

Integrity digest, not reversible encryption

XSS

Browser executes script; a changed database query is SQLi, not XSS

WPA

Handshake capture, not plaintext password capture

Cloud Security

Shared responsibility, not "the provider owns everything"

IDS

Detection and alerting, not automatic blocking

Last Minute

  1. Get written authorization first
  2. Scope defines the legal boundary
  3. Recon before scanning, always
  4. Enumeration extracts service details
  5. IDS detects; IPS blocks
  6. SQLi: parameterize queries
  7. XSS: encode output
  8. WEP is broken
  9. WPA3 uses SAE
  10. Hashing is not encryption
  11. IaaS means OS responsibility
  12. CEH pass score varies by exam form