Certified Ethical Hacking [CEH] Exam Cheat Sheet (2025)

The EC Council’s Certified Ethical Hacking (CEH) remains as the world’s leading ethical hacking certification preferred by cybersecurity professionals. Its in-depth and up-to-date knowledge of penetration testing, system vulnerabilities, and malware countermeasures makes it trusted by employers globally resulting in one of the most in-demand ethical hacking credential in the market. Individuals considering Certified Ethical Hacking certification are expected to possess the skills and creativity of malicious hackers and validate them by passing the EC-Council’s CEH examination (CEH v11).

This four-hour MCQ-based exam is an intermediate-level challenge but still achievable with the right preparation, practice, and resources. However, individuals who have taken the exam often report difficulty in getting a proper grasp of the terminology, methods, and tools. CEH cheat sheets are often used in such cases to aid memorization and to quickly refresh before the examination.

While they are not complete comprehensive guides, they’re enough for instinctively accessing questions in order to better understand them. The goal of this guide is to provide such a resource that is also updated to the latest v11 standards. Below you’ll find our Certified Ethical Hacking [CEH] Exam Cheat Sheet (2024) that’s enough to give you a head start and establish a grasp of the terms on hand.

What is CEH Cheat Sheet?

In this newly introduced 11th version of the exam (hence termed v11), CEH continues to progress with the latest tactics, methodologies, and technology. The CEH v11 cheat sheet below contains most of the important terms and topics that you’ll come across during your exam.

From the basic five ethical hacking stages to more advanced networking, cloud, and cryptography tools and terms introduced for the first time in v11. This cheat sheet was designed from material extracted directly from CEH v11 dumps, considering each CEH v11 exam question.

How to Use a Cheat Sheet?

The entire material is properly categorized, with each term nested in its proper heading and sub-heading, making extensive use of the search function feasible. Start by going through the basic terminologies which are listed first. Another way to go through the cheat sheet is by following along with CEH credential modules; searching for unfamiliar terms as you come across them.

This ensures that you’re not suddenly overburdened with information as you start to scroll through the entire content. If in case you need to make any additions of your own, feel free to make a copy of our cheat sheet. But always remember to make it concise and to the point, so you can quickly access the terms when needed and add more content to it without making a mess.

Importance of CEH Certification

The fact that CEH is one of the most updated and comprehensive ethical hacking courses out there makes it an obvious choice for individuals looking to kick start their career in ethical hacking. While there are major benefits in pursuing the certification, both professionally and technically; the importance of the certificate itself is considerable: 

• Organizations all over the world are starting to understand the critical threat of cyberattacks and the need for qualified individuals in protecting against them. CEH provides them with a very clear outlook of a certified individual’s skill set and makes the hiring process much easier and straightforward. For the same reason, more and more companies are starting to make the CEH certificate a requirement for their job applications, surging its importance.
• The IT security sector is constantly evolving and advancing with new techniques, tools, and systems. Compared to other certifications, CEH is constantly being updated to meet the industry standards of today. Completing the certificate not only offers job security but also offers you the perfect chance to catch up with the latest trends in the industry.
• CEH trains individuals practically; introducing you to tools and systems used in professional ethical hacking practices. We highly recommend checking out CEH training courses and CEH v11 practice exams online before attempting the CEH v11 exam, in order to gain practical experience with the commonly used tools. For details, check out our Ethical Hacking certification online. 

Certified Ethical Hacking Cheat Sheet

The content of this cheat sheet while not comprehensive, is aimed at covering all exam areas; including tips in order to maintain the practical value of the content. Feel free to make any edits in order to personalize the cheat sheet to your preference, including content additions and mnemonics.

1. Basics

a. Essential Terms 

• Hack Value: A hacker’s interest in something based on its worth.
• Vulnerability: A weakness in a system that can be exploited.
• Exploit: Taking advantage of the identified vulnerability.
• Payload: Malware or exploit code that the hacker sends to the victim.
• Zero-day attack: Exploiting previously unknown unpatched vulnerabilities. 
• Daisy-chaining: A specific attack carried out by hackers to gain access to a single system and using it to access other systems on the same network.
• Doxing: Tracing an individual’s personally identifiable information (PII) with malicious intent.
• Bot: A software used to carry out automated tasks.

b. Elements of information security 

• Confidentiality: Ensures that information is available only to authorized people.
• Integrity: Ensures the accuracy of the information. 
• Availability: Ensuring availability of resources when required by authorized users. 
• Authenticity: Ensures the quality of being uncorrupted. 
• Non-repudiation: Ensures report of delivery and receipt by senders and recipient respectively.

c. Phases of Penetration Testing 

1. Reconnaissance
2. Scanning & Enumeration 
3. Gaining Access 
4. Maintaining Access 
5. Covering Tracks 

d. Types of Threats 

• Network threats: Attacker may break into the channel and steal the information that is being exchanged on a network.
• Host threats: Gains access to information from a system. 
• Application threats: Exploiting unprotected gateways in application itself.

e. Types of Attacks 

• OS: Attacks the primary OS of the victim. 
• App level: Application sourced attacks, usually caused by lack of security testing by developers.
• Shrink Wrap: Exploiting unpatched libraries and frameworks of the application. 
• Misconfiguration: Hacks carried out on systems with poorly configured security.

2. Legal

• 18 U.S.C 1029 & 1030 
• RFC 1918 - Private IP Standard 
• RFC 3227 – Data collection and storage 
• ISO 27002 - InfoSec Guidelines 
• CAN-SPAM - Email marketing 
• SPY-Act - License Enforcement 
• DMCA - Intellectual Property 
• SOX - Corporate Finance Processes 
• GLBA - Personal Finance Data 
• FERPA - Education Records 
• FISMA - Gov Networks Security Std 
• CVSS - Common Vulnerability Scoring System 
• CVE - Common Vulnerabilities and Exposure 

3. Reconnaissance

Also called footprinting, refers to preliminary surveying or research about the target.

a. Footprinting information 

• Network information: Domains, subdomains, IP addresses, Whois and DNS records, VPN firewalls using e.g. ike-scan. 
• System information: OS of web server, locations of servers, users, usernames, passwords, passcodes. 
• Organization information: Employee information, Organization's background, Phone numbers, Locations. 

b. Footprinting tools 

Maltego, Recon-ng (The Recon-ng Framework), FOCA, Recon-dog, Dmitry (DeepMagic Information Gathering Tool).

c. Google Hacking

Google Hacking uses advanced Google search engine operators called dorks to identify specific text errors in search results for the purpose of discovering vulnerabilities.

Common dorks: 

• site : Only from the specified domain 
• inurl: Only pages that has the query in its URL 
• intitle: Only pages that has the query in its title. 
• cache: Cached versions of the queried page 
• link : Only pages that contain the queried URL. Discontinued. 
• filetype: Only results for the given filetype 

Google hacking tools: 

Google hack honeypot, Google hacking database, metagoofil. 

4. Scanning Networks

Involves obtaining additional information about hosts, ports and services in the network of the victim. It’s meant to identify vulnerabilities and then create an attack plan.

a. Scanning types 

• Port scanning: Checking open ports and services.
• Network scanning: A list of IP addresses.
• Vulnerability scanning: Known vulnerabilities testing. 

b. Common ports to scan 

22	TCP	SSH (Secure Shell)  (Secure
23	TCP	Telnet
25	TCP	SMTP (Simple Mail (Simple
53	TCP/UDP	DNS (Domain Name (Domain
80	TCP	HTTP (Hypertext Transfer (Hypertext
123	TCP	NTP (Network Time (Network
443	TCP/UDP	HTTPS
500	TCP/UDP	IKE/IPSec (Internet Key (Internet
631	TCP/UDP	IPP (Internet Printing (Internet
3389	TCP/UDP	RDP (Remote Desktop (Remote
9100	TCP/UDP	AppSocket/JetDirect (HP JetDirect, (HP

c. Scanning Tools 

Nmap: Network scanning by sending specially crafted packets. Some common Nmap options include: 

• sA: ACK scan 
• sF: FIN scan 
• sS: SYN 
• sT: TCP scan 
• sI: IDLS scan 
• sn: PING sweep 
• sN: NULL 
• sS: Stealth Scan 
• sR: RPC scan 
• Po: No ping 
• sW: Window 
• sX: XMAS tree scan 
• PI: ICMP ping 
• PS: SYN ping 
• PT: TCP ping 
• oN: Normal output 
• oX: XML output 
• A OS/Vers/Script -T<0-4>: Slow – Fast

Hping: Port scanner. Open source. Hping is lower level and stealthier than Nmap as nmap can scan a range of IP addresses while hping can only port scan one individual IP address.

d. Techniques include 

• Scanning ICMP: Broadcast ICMP ping, ICMP ping sweep.
• Scanning TCP: TCP connect, SYN scanning, RFC 793 scans, ACK scanning, IDLE scan.
• Scanning UDP: It exploits the UDP behavior of the recipient sending an ICMP packet containing an error code when the port is unreachable.
• List Scanning: Reverse DNS resolution in order to identify the names of the hosts.
• SSDP Scanning: Detecting UPnP vulnerabilities following buffer overflow or DoS attacks.
• ARP Scan: Useful when scanning an ethernet LAN.

5. Enumeration 

Engaging with a system and querying it for required information. Involves uncovering and exploiting vulnerabilities. 

a. Enumeration techniques: 

• Windows enumeration 
• Windows user account enumeration 
• NetBIOS enumeration 
• SNMP enumeration 
• LDAP enumeration 
• NTP enumeration 
• SMTP enumeration 
• Brute forcing Active Directory

b. DNS enumeration: 

DNS stands for "Domain Name System". A DNS record is database record used to map a URL to an IP address. Common DNS records include:

DNS enumeration tools: dnsrecon, nslookup, dig, host.

c. DHCP: 

• Client —Discovers--> Server
• Client ßOffers à Server
• Client …. Request …> Server
• Client <…Ack…> Server
• IP is removed from pool

6. Sniffing

Involves obtaining packets of data on a network using a specific program or a device.

a. Sniffing types

• Passive sniffing: No requirement for sending any packets.
• Active sniffing: Require a packet to have a source and destination addresses. 

b. Sniffer

Are packet sniffing applications designed to capture packets that contain information such as passwords, router configuration, traffic. 

c. Wiretapping

Refers to telephone and Internet-based conversations monitoring by a third party. 

d. Sniffing Tools

• Cain and Abel 
• Libpcap 
• TCPflow 
• Tcpdump 
• Wireshark 
• Kismet 

e. Sniffing Attacks

• MAC flooding: Send large number of fake MAC addresses to the switch until CAM table becomes full. This causes the switch to enter fail-open mode where it broadcasts the incoming traffic to all ports on the network. Attacker can then starts sniffing the traffic passing through the network. 
• DHCP attacks: A type of Denial-of-Service attack which exhaust all available addresses from the server. 
• DNS poisoning: Manipulating the DNS table by replacing a legitimate IP address with a malicious one. 
• VLAN hopping: Attacking host on a VLAN to gain access to traffic on other VLANs. 
• OSPF attacks: Forms a trusted relationship with the adjacent router. 

7. Attacking a System

a. LM Hashing 

7 spaces hashed: AAD3B435B51404EE

b. Attack types 

• Passive Online: Learning about system vulnerabilities without affecting system resources 
• Active Online: Password guessing 
• Offline: Password stealing, usually through the SAM file.
• Non-electronic: Social Engineering 

c. Sidejacking 

Stealing access to a website, usually through cookie hijacking.

d. Authentication Types 

• Type 1: When you know something 
• Type 2: When you have something 
• Type 3: When you are something 

e. Session Hijacking 

Established session hijacking involves: 

1. Targeting and sniffing traffic between client and server 
2. Traffic monitoring and predicting sequence 
3. Desynchronize session with client 
4. Take over session by predicting session token 
5. Inject packets to the target server 

If you feel like you’re lagging in the fundamentals of cybersecurity, Check out our best cyber security courses at any time. 

8. Social engineering

Social engineering refers to compelling individuals of target organization to reveal confidential and sensitive information.

a. Steps of social engineering

1. Research: Gather enough information about the target company 
2. Select target: Choose a target employee 
3. Relationship: Earn the target employee's trust e.g. by creating a relationship 
4. Exploit: Extract information from the target employee 
5. Identity theft 

Stealing an employee’s personally identifiable information to pose as that person. 

b. Types of Social Engineers 

• Insider Associates: Limited authorized access
• Insider Affiliates: Insiders who can spoof identity. 
• Outsider Affiliates: Outsider who makes use of a vulnerable access point. 

9. Physical Security

• Physical measures: E.g., air quality, power concerns, humidity-control systems 
• Technical measures: E.g., smart cards and biometrics 
• Operational measures: E.g., security policies and procedures.
• Access control: 
  1. False rejection rate (FRR): When a biometric rejects a valid user 
  2. False acceptance rate (FAR): When a biometric accepts an invalid user 
  3. Crossover error rate (CER): Combination of the FRR ad FAR; determines how good a system is 
• Environmental disasters: E.g., hurricanes, tornadoes, floods. 

10. Web Based Hacking

a. Web server hacking 

A web server is a system used for storing, processing, and delivering websites. Web server hacking involves:

• Information gathering: Acquiring robots.txt to see directories/files that are hidden from web crawlers. 
• Footprinting: Enumerate common web apps nmap --script http-enum -p80 
• Mirroring. 
• Discover vulnerabilities. 
• Perform session hijacking and password cracking attacks. 

b. Web server hacking tools 

Wfetch, THC Hydra, HULK DoS, w3af, Metasploit 

c. Web application hacking 

Web Application is user interface to interact with web servers. Web application hacking methodology includes:

• Web infrastructure footprinting 
• Web server attack. 

d. SQL Injection 

Injecting malicious SQL queries into the application. Allows attacker to gain unauthorized access to system e.g. logging in without credentials. Steps involve: 

• Information gathering: E.g. database structure, name, version, type.
• SQL injection: Attacks to extract information from database such as name, column names, and records. 
• Advanced SQL injection: Goal is to compromise underlying OS and network 

Tools: 

Sqlmap, jSQL Injection, SQL Power Injector, The Mole, OWASP SQLiX tool.

11. Cryptography

Cryptography Is the process of hiding sensitive information. 

a. Terms: 

• Cipher: encryption and decryption algorithm.
• Clear text / plaintext: unencrypted data 
• Cipher text: encrypted data 

Encryption algorithms 

• DES (Data Encryption Standard): Block cipher, 56-bit key, 64-bit block size 
• 3DES (Triple Data Encryption Standard): Block cipher, 168-bit key
• AES: Iterated block cipher. 
• RC (Rivest Cipher): Symmetric-key algorithm. 
• Blowfish: fast symmetric block cipher, 64-bit block size, 32 to 448 bits key 
• Twofish: Symmetric-key block cipher 
• RSA (Rivest–Shamir–Adleman): Achieving strong encryption through the use of two large prime numbers. 
• Diffie–Hellman: Used for generating a shared key between two entities over an insecure channel. 
• DSA (Digital Signature Algorithm): Private key tells who signed the message. Public key verifies the digital signature 

12. Cloud security

Cloud providers implement limited access and access policies with logs and the ability to require access reason against repudiation. 

Cloud computing attacks 

• Wrapping attack: Changes the unique sign while still maintaining validity of the signature.
• Side channel attacks: Attacker controls a VM on same physical host (by compromising one or placing own) 
• Cloud Hopper attack: Goal is to compromise the accounts of staff or cloud service firms to obtain confidential information. 
• Cloudborne attack: Done by exploiting a specific BMC vulnerability 
• Man-In-The-Cloud (MITC) attack: Done by using file synchronization services (e.g. Google Drive and Dropbox) as infrastructure. 

13. Malware and Other Attacks

Malware is a malicious program designed to cause damage to systems and give system access to its creators. Mainly include: 

a. Trojans: 

Malware contained inside seemingly harmless programs. Types include: 

• Remote access trojans (RATs): Malware that includes a back door for administrative control over the target computer. 
• Backdoor Trojans: Uninterrupted access to attackers by installing a backdoor on the target system. 
• Botnet Trojans: Installation of Boot programs on target system. 
• Rootkit Trojans: enable access to unauthorized areas in a software. 
• E-banking Trojans: Intercepts account information before encryption and sends to attacker. 
• Proxy-server Trojans: Allows attacker to use victim’s computers as proxy to connect to the Internet.

b. Viruses: 

• Stealth virus: Virus takes active steps to conceal infection from antivirus 
• Logic Bomb virus: Not self-replicating, zero population growth, possibly parasitic. 
• Polymorphic virus: Modifies their payload to avoid signature detection.
• Metamorphic virus: Viruses that can reprogram/rewrite itself. 
• Macro virus: MS Office product macro creation.
• File infectors: Virus infects executables 
• Boot sector infectors: Malicious code executed on system startup.
• Multipartite viruses: Combines file infectors and boot record infectors. 

For next steps, check out our blog posts about Certified Ethical Hacker Exam Dump. 

Conclusion

While it’s true that a good portion of the applicants found the CEH v11 exam a little difficult, it’s entirely possible to clear the exam with a good score; provided you’ve practiced enough. The time limit of 4 hours is also enough to clear the exam.

Be confident in your preparation and avoid panicking. You can always revise our ethical hacking cheat sheet and take CEH v11 mock tests before the exam to make sure you’ve covered everything.

If you are interested in exploring CEH in-depth, we encourage you to sign up for Ethical Hacking certification online by KnowledgeHut and upskill yourself. Best of luck for the exam!