CEH Exam Flashcards

Q: What is the passing score for the CEH exam?

CEH has no single fixed passing score. EC-Council uses a cut score between 60% and 85% that varies by the specific exam form a candidate receives, because question difficulty differs across forms. The exam has 125 multiple-choice questions and a 4-hour time limit.

Q: What are the eligibility requirements for CEH?

There is no degree requirement. Candidates either complete official EC-Council CEH training, which waives the experience-based application, or self-study and submit an eligibility application demonstrating at least 2 years of information security work experience plus a non-refundable application fee.

Q: How is the CEH exam structured by domain?

The CEH blueprint covers 9 domains: Information Security and Ethical Hacking Overview (6%), Reconnaissance Techniques (17%), System Hacking Phases and Attack Techniques (15%), Network and Perimeter Hacking (24%), Web Application Hacking (14%), Wireless Network Hacking (5%), Mobile Platform/IoT/OT Hacking (10%), Cloud Computing (5%), and Cryptography (5%).

Q: What is the CEH exam retake policy?

There is no waiting period before the second attempt. A 14-day wait applies before attempts 3, 4, and 5. A maximum of 5 attempts is allowed in a 12-month period, after which a 12-month wait applies before a sixth attempt. Each attempt requires a new voucher.

Q: How long is the CEH certification valid?

CEH is valid for 3 years and is maintained through EC-Council's Continuing Education (ECE) program, which requires earning 120 ECE credits within the 3-year cycle plus an annual membership fee to keep the credential active.

Q: What is the difference between CEH ANSI and CEH Practical?

CEH (ANSI) is the 4-hour, 125-question multiple-choice knowledge exam. CEH Practical is a separate 6-hour hands-on lab exam where candidates perform real ethical hacking tasks. Passing both earns the CEH Master designation.

Question 1

Five phases of the CEH hacking methodology

Accepted Answer

Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks. Order matters: information gathering always precedes exploitation, and covering tracks is the final step to avoid detection.

Question 2

White box vs. black box vs. gray box testing

Accepted Answer

Black box = tester has no prior knowledge (simulates an outside attacker). White box = full knowledge of the environment. Gray box = partial knowledge, simulating an insider or a low-privilege user.

Question 3

CIA triad

Accepted Answer

Confidentiality (only authorized access), Integrity (data is unaltered/trustworthy), Availability (systems accessible when needed). Most attacks map to compromising one of these three pillars.

Question 4

Why a Rules of Engagement / authorization is mandatory before testing

Accepted Answer

Ethical hacking is legal only with written authorization defining scope, targets, timing, and methods. Without it, the same activity is an offense under laws like the US Computer Fraud and Abuse Act.

Question 5

Passive vs. active reconnaissance

Accepted Answer

Passive recon gathers data without touching the target (WHOIS, OSINT, Google dorking, social media). Active recon directly probes the target (DNS queries, port scans), which can be logged and detected.

Question 6

Google dorking (Google hacking)

Accepted Answer

Using advanced search operators to find exposed data. Examples: site: limits to a domain, filetype: finds documents, inurl: matches URL strings, intitle: matches page titles. The GHDB catalogs known vulnerable queries.

Question 7

DNS zone transfer (AXFR)

Accepted Answer

A request that asks a DNS server to return all records for a zone. If a misconfigured server allows it to anyone, an attacker maps the entire internal namespace. Tools: dig axfr, nslookup, dnsrecon.

Question 8

Enumeration vs. scanning

Accepted Answer

Scanning discovers live hosts, open ports, and services. Enumeration actively connects to those services to extract usernames, shares, and configuration data (e.g., SNMP community strings, SMB shares, LDAP, NetBIOS).

Question 9

TCP three-way handshake (relevant to scanning)

Accepted Answer

SYN -> SYN/ACK -> ACK. A full-connect scan completes it; a SYN (half-open/stealth) scan sends SYN, reads SYN/ACK, then sends RST to avoid completing the connection and reduce logging.

Question 10

Nmap -sS vs. -sT vs. -sU vs. -sV

Accepted Answer

-sS = SYN/stealth scan (default for privileged users). -sT = full TCP connect scan. -sU = UDP scan. -sV = service/version detection via banner probing. -O adds OS fingerprinting.

Question 11

Banner grabbing

Accepted Answer

Connecting to a service to read its response banner, revealing software and version (e.g., telnet to port 80, netcat, Nmap -sV). Used to match a target version against known exploits.

Question 12

Vulnerability assessment vs. penetration testing

Accepted Answer

A vulnerability assessment identifies and lists weaknesses (often automated, no exploitation). A penetration test actively exploits them to prove real-world impact and demonstrate exploitability.

Question 13

CVSS score

Accepted Answer

Common Vulnerability Scoring System rates severity 0.0-10.0. Bands: Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). Used to prioritize remediation.

Question 14

Vertical vs. horizontal privilege escalation

Accepted Answer

Vertical = gaining higher privileges than granted (user to admin/root). Horizontal = accessing resources of another user at the same privilege level. Both follow initial access.

Question 15

Password attack types: dictionary vs. brute force vs. rainbow table

Accepted Answer

Dictionary tries a wordlist of likely passwords. Brute force tries every combination (slow but exhaustive). A rainbow table uses precomputed hash chains; a unique salt per password defeats it.

Question 16

Pass-the-hash attack

Accepted Answer

Authenticating with a captured NTLM hash instead of cracking the plaintext password. Works because Windows NTLM accepts the hash as proof of identity; mitigated by Credential Guard and least privilege.

Question 17

Steganography

Accepted Answer

Hiding data inside another file (image, audio, video) so its existence is concealed, unlike encryption which hides only the content. Used to exfiltrate data and evade DLP.

Question 18

Rootkit

Accepted Answer

Malware that hides its presence and maintains privileged access by subverting the OS. Kernel-mode rootkits are the most dangerous and often require reimaging the system to fully remove.

Question 19

Virus vs. worm

Accepted Answer

A virus needs a host file and user action to spread. A worm is self-replicating and spreads across networks without user interaction, making it propagate far faster (e.g., Conficker, WannaCry).

Question 20

Trojan

Accepted Answer

Malware disguised as legitimate software that the user installs willingly. Unlike viruses/worms it does not self-replicate; its goal is to deliver a payload such as a backdoor (RAT) or keylogger.

Question 21

Ransomware

Accepted Answer

Malware that encrypts files and demands payment for the decryption key. Modern variants add double extortion: data is exfiltrated first, then victims are threatened with public leaks.

Question 22

Fileless malware

Accepted Answer

Malware that runs in memory using legitimate tools (PowerShell, WMI, living-off-the-land binaries) and writes little or nothing to disk, evading signature-based antivirus.

Question 23

Static vs. dynamic malware analysis

Accepted Answer

Static analysis inspects the sample without running it (strings, hashes, disassembly). Dynamic analysis executes it in a sandbox to observe behavior. Sandbox-aware malware may not detonate if it detects analysis.

Question 24

ARP spoofing (ARP poisoning)

Accepted Answer

Sending forged ARP replies so the attacker's MAC is mapped to the gateway's IP, placing the attacker in the path of traffic. Enables man-in-the-middle on a switched LAN. Mitigated by Dynamic ARP Inspection.

Question 25

MAC flooding

Accepted Answer

Overwhelming a switch's CAM table with bogus MAC addresses so it fails open and behaves like a hub, broadcasting frames to all ports for sniffing. Port security limits MACs per port to prevent it.

Question 26

Active vs. passive sniffing

Accepted Answer

Passive sniffing works on a hub (all traffic visible, undetectable). Active sniffing is required on a switch and injects traffic (ARP poisoning, MAC flooding, DHCP attacks), which is detectable.

Question 27

Phishing vs. spear phishing vs. whaling

Accepted Answer

Phishing is mass, generic bait. Spear phishing is tailored to a specific person or org using researched details. Whaling specifically targets high-value executives (C-suite).

Question 28

Pretexting and tailgating

Accepted Answer

Pretexting = inventing a believable scenario to extract information (posing as IT support). Tailgating (piggybacking) = following an authorized person through a secured door without credentials.

Question 29

Why social engineering is hard to defend technically

Accepted Answer

It exploits human trust, authority, urgency, and helpfulness rather than software flaws. The primary defense is security awareness training, verification procedures, and a no-blame reporting culture.

Question 30

DoS vs. DDoS

Accepted Answer

DoS comes from a single source; DDoS uses many distributed compromised hosts (a botnet), making it harder to filter by source and far higher in volume.

Question 31

SYN flood

Accepted Answer

Sending many SYN packets with spoofed sources and never completing the handshake, exhausting the target's half-open connection table. SYN cookies mitigate it without keeping per-connection state.

Question 32

Session hijacking

Accepted Answer

Taking over an authenticated session, typically by stealing or predicting a session token/cookie, so the attacker inherits the victim's authenticated state without needing credentials.

Question 33

IDS vs. IPS

Accepted Answer

An IDS detects and alerts but does not block (out of band). An IPS sits inline and can drop malicious traffic. False negatives (missed attacks) are more dangerous than false positives.

Question 34

Honeypot

Accepted Answer

A decoy system designed to attract and study attackers. Any interaction with it is suspicious by definition. Useful for early detection and threat intelligence, not for production service.

Question 35

Common IDS/firewall evasion techniques

Accepted Answer

Packet fragmentation, encryption/tunneling, source-port manipulation, decoy scanning (Nmap -D), slow/low scans, and encoding payloads to avoid signature matches.

Question 36

SQL injection

Accepted Answer

Injecting SQL through unsanitized input to read or alter the database. The definitive fix is parameterized queries (prepared statements); input filtering and least-privilege DB accounts are secondary defenses.

Question 37

Blind vs. error-based vs. union-based SQL injection

Accepted Answer

Union-based extracts data via UNION SELECT. Error-based reads data from DB error messages. Blind SQLi infers data from true/false responses (boolean) or response delays (time-based) when no output is shown.

Question 38

Stored vs. reflected vs. DOM-based XSS

Accepted Answer

Stored XSS persists in the database and hits every viewer. Reflected XSS bounces off the server in a crafted link. DOM-based XSS executes purely client-side via unsafe DOM manipulation.

Question 39

CSRF (Cross-Site Request Forgery)

Accepted Answer

Tricking an authenticated user's browser into sending an unwanted request to a trusted site. Defended with anti-CSRF tokens and SameSite cookies. Contrast with XSS, which executes attacker script.

Question 40

Directory traversal

Accepted Answer

Using ../ sequences in a path parameter to read files outside the web root (e.g., /etc/passwd). Mitigated by input validation and serving files through safe, canonicalized paths.

Question 41

Wireless encryption evolution: WEP -> WPA -> WPA2 -> WPA3

Accepted Answer

WEP (RC4, broken). WPA (TKIP, interim fix). WPA2 (AES-CCMP, long standard). WPA3 (SAE/Dragonfly handshake) resists offline dictionary attacks and adds forward secrecy.

Question 42

Evil twin attack

Accepted Answer

A rogue access point broadcasting a legitimate SSID to lure clients into connecting, enabling man-in-the-middle and credential capture. Mitigated by WPA3, certificate-based 802.1X, and WIPS.

Question 43

WPS PIN vulnerability

Accepted Answer

Wi-Fi Protected Setup's 8-digit PIN is validated in two halves, reducing brute-force effort dramatically (Reaver/Pixie Dust). Recommendation: disable WPS entirely.

Question 44

OWASP Mobile Top 10 relevance

Accepted Answer

Mobile risks center on insecure data storage, weak server-side controls, insecure communication, and reverse engineering. Rooting/jailbreaking removes OS sandbox protections an attacker relies on.

Question 45

Why IoT and OT devices are high-risk targets

Accepted Answer

They often ship with default credentials, no patch mechanism, weak or no encryption, and long deployment lifetimes. Compromised IoT devices are commonly recruited into botnets (e.g., Mirai).

Question 46

Cloud shared responsibility model

Accepted Answer

The provider secures the cloud (physical, hypervisor, host). The customer secures what is in the cloud (data, identity, configuration, access). Most cloud breaches stem from customer misconfiguration.

Question 47

Container vs. virtual machine security boundary

Accepted Answer

VMs are isolated by a hypervisor with separate kernels. Containers share the host kernel, so a container escape can compromise the host. Harden with namespaces, cgroups, and minimal images.

Question 48

Symmetric vs. asymmetric encryption

Accepted Answer

Symmetric uses one shared key (fast, e.g., AES) but has a key-distribution problem. Asymmetric uses a public/private key pair (e.g., RSA, ECC), solving key exchange but slower. TLS uses both.

Question 49

Hashing vs. encryption

Accepted Answer

Hashing is one-way and fixed-length (SHA-256), used for integrity and password storage. Encryption is reversible with a key, used for confidentiality. A hash cannot be 'decrypted'.

Question 50

Digital signature: what it provides

Accepted Answer

Signing a message hash with the sender's private key provides integrity, authentication, and non-repudiation. It does NOT provide confidentiality unless the message is also encrypted.

Free CEH Exam Flashcards

Filter by Topic

Jump to Card

About These CEH Flashcards

Topics Covered

Frequently Asked Questions

CEH

Explore More EC-Council Certifications

CND

EC-Council CEH Practical (312-50 Practical, 6-hr Cyber Range)

EC-Council Certified Application Security Engineer (CASE .NET 312-95 / Java 312-96)

EC-Council Certified Blockchain Professional (CBP)

EC-Council Certified Chief Information Security Officer (CCISO 712-50)

EC-Council Certified Cloud Security Engineer (CCSE 312-40)

More From This Family