The CEH (Certified Ethical Hacker) qualification covers a wide range of skills needed for penetration testing and ethical hacking. Here's a full, detailed list of skills you gain or are expected to demonstrate after completing CEH, organized by domain:
OSINT (Open Source Intelligence) gathering
Passive vs active reconnaissance
WHOIS, DNS interrogation, and IP tracking
Website footprinting (robots.txt, metadata, etc.)
Social engineering reconnaissance
Tools: Maltego, Recon-ng, FOCA, Google Dorking
Network scanning (ping sweeps, port scanning)
Identifying live hosts and open ports
Banner grabbing and service enumeration
Network mapping (topology discovery)
Vulnerability scanning
Tools: Nmap, Netcat, Angry IP Scanner, OpenVAS, Nessus
Password cracking (brute force, dictionary, rainbow tables)
Privilege escalation (local and remote)
Maintaining access (rootkits, backdoors, trojans)
Clearing logs and covering tracks
Tools: Metasploit, Mimikatz, Hydra, John the Ripper
Types of malware (viruses, worms, trojans, ransomware)
Fileless malware attacks
Payload development basics
Malware analysis (static vs dynamic)
Detection and mitigation techniques
Packet sniffing and analysis
ARP spoofing, MAC flooding
DHCP, DNS, and ICMP attacks
Man-in-the-Middle (MITM) attacks
Tools: Wireshark, Cain & Abel, Ettercap
Phishing, spear phishing, whaling
Vishing, smishing attacks
Impersonation and pretexting techniques
Baiting and tailgating
Defenses against social engineering
Types of DoS (volumetric, protocol, application layer)
Botnets and amplification attacks
DoS detection and mitigation
Tools: LOIC, HOIC, Hping3
TCP, HTTP, and HTTPS session hijacking
MITM session attacks
Cross-Site Scripting (XSS)-based session theft
Session fixation and replay attacks
Countermeasures
Intrusion detection system (IDS) evasion techniques
Firewall rule evasion
Proxy chaining and tunneling
Honeypot detection techniques
Web server and application vulnerabilities
SQL Injection, Command Injection
XSS, CSRF, SSRF attacks
Directory traversal and LFI/RFI
Tools: Burp Suite, OWASP ZAP, Nikto, SQLmap
Wi-Fi reconnaissance and packet capture
WEP cracking, WPA/WPA2 handshake capture and PSK cracking, and attacks on WPA3 (SAE) implementations
Evil twin attacks, rogue APs
Bluetooth, NFC, and RFID attacks
Tools: Aircrack-ng suite, Kismet, Reaver
Android and iOS vulnerabilities
Mobile application penetration testing
Mobile malware analysis
Securing mobile platforms
IoT architecture and vulnerabilities
IoT device exploitation
Securing IoT devices and networks
Cloud architecture (SaaS, PaaS, IaaS) threats
Cloud-specific attacks (data breaches, account hijacking)
Security controls for cloud environments
Encryption algorithms (symmetric, asymmetric, hashing)
Public Key Infrastructure (PKI)
Cryptanalysis (attacking weak crypto)
Digital signatures and certificates
Steganography
Planning and scoping engagements
Rules of engagement and legal considerations
Vulnerability assessment vs penetration testing
Reporting and documentation (executive summary + technical report)
Remediation recommendations
Footprinting is the first phase of ethical hacking.
It focuses on gathering as much information as possible about the target.
Reconnaissance is about understanding the attack surface.
Good reconnaissance reduces guesswork during exploitation.
Ethical hackers perform footprinting legally and within scope.
Black-hat hackers also use footprinting, but for malicious purposes.
CEH teaches this phase to help organizations defend against attackers.
Footprinting is both passive and active.
Passive reconnaissance is stealthy and less likely to trigger alarms.
Active reconnaissance interacts directly with the target system.
OSINT is the process of collecting publicly available information.
It uses sources like websites, blogs, social media, and forums.
Corporate press releases can reveal upcoming projects or partners.
LinkedIn profiles reveal employee names and roles.
GitHub repositories sometimes leak sensitive code or credentials.
Job postings reveal technologies used (e.g., “Looking for AWS DevOps Engineer”).
OSINT helps create a profile of the target’s digital footprint.
Even cached or archived data on the Wayback Machine can be valuable.
OSINT tools automate data gathering to save time.
Examples of OSINT tools: Shodan, Censys, FOCA, Recon-ng.
Passive reconnaissance collects information without touching the target.
It includes social media research, public records, and search engine queries.
Active reconnaissance interacts with the target, e.g., ping sweeps.
Passive is safer for red teamers who want to stay undetected.
Active may get logged by firewalls or IDS systems.
Combining both methods gives a complete picture of the target.
Ethical hackers usually start with passive, then move to active if allowed.
Passive reconnaissance often yields most of the intel needed before a single packet is sent to the target.
Active techniques include ping sweeps, port scans, and traceroutes; a WHOIS lookup queries the registrar's database rather than the target, so it is passive.
OSINT + active scanning = effective footprinting phase.
WHOIS lookup reveals domain registration info.
Data includes domain owner, registrar, and name servers.
Some domains use privacy protection to hide ownership.
DNS interrogation helps map subdomains and mail servers.
Tools like nslookup, dig, and DNSdumpster assist here.
A name server that answers AXFR zone transfers from anyone hands over the entire zone, every hostname and record included.
IP tracking finds the IP address range owned by the organization.
ARIN or RIPE databases reveal IP allocations.
Reverse DNS lookups map IPs back to hostnames.
IP geolocation gives an idea of the physical server location.
Websites are a goldmine for reconnaissance.
robots.txt lists paths the site owner did not want search engines to index, which makes it a map of where to look first.
Page source code sometimes leaks developer comments.
Metadata from documents (PDFs, DOCX) can reveal usernames.
FOCA automates document metadata extraction.
Directory brute-forcing tools like Gobuster find hidden folders.
Website technologies can be identified using Wappalyzer or WhatWeb.
CMS and plugin version detection points to known vulnerabilities to verify later.
Analyzing error messages may leak server configuration info.
Screenshots of websites can be used to compare historical changes.
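The website footprinting steps above (robots.txt, leaked developer comments, technology fingerprinting) as one script. This is an added example, not code from the page or from the CEH course material; the robots.txt, HTML page, hostnames, and the WordPress plugin path in it are constructed samples, and the parsing rules are illustrative, not a complete robots.txt or fingerprinting implementation.

```python
import re
from urllib.parse import urljoin

# Constructed sample robots.txt and page source for the demo; not taken from any real site.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # old database dumps
Disallow: /api/v1/internal
Allow: /public/
Sitemap: https://example.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""

SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8.1">
<!-- TODO: remove /debug/phpinfo.php before launch -->
</head><body>
<!-- deployed from build-server-02 by jsmith -->
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2"></script>
</body></html>"""


def robots_directives(text: str) -> dict:
    """Collect Disallow, Allow and Sitemap values in order of appearance, without duplicates.
    Disallowed paths are the interesting ones: the owner explicitly did not want them indexed."""
    found = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key in found and value and value not in found[key]:
            found[key].append(value)
    return found


def html_comments(html: str) -> list:
    """Developer comments shipped to production often name hosts, people or hidden endpoints."""
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", html, flags=re.S)]


def detect_technologies(html: str) -> dict:
    """Fingerprint the stack from the generator meta tag and versioned WordPress plugin assets."""
    tech = {}
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', html, flags=re.I)
    if m:
        tech["generator"] = m.group(1)
    plugins = re.findall(r"/wp-content/plugins/([^/]+)/[^?\s]*\?ver=([\d.]+)", html)
    if plugins:
        tech["wp_plugins"] = dict(plugins)
    return tech


def candidate_urls(base: str, robots: dict) -> list:
    """Turn disallowed paths into fully qualified URLs to review manually, in scope."""
    return [urljoin(base, p) for p in robots["disallow"]]


def footprint(base: str, robots_txt: str, html: str) -> dict:
    """Combine the three sources into one footprinting summary for the report."""
    robots = robots_directives(robots_txt)
    return {
        "hidden_paths": candidate_urls(base, robots),
        "sitemaps": robots["sitemap"],
        "comments": html_comments(html),
        "technologies": detect_technologies(html),
    }


if __name__ == "__main__":
    for key, value in footprint("https://example.com", SAMPLE_ROBOTS, SAMPLE_HTML).items():
        print(key, value)
```

Everything here is passive once the two files are in hand; fetching them from the target is a single GET each, which is the point at which the activity becomes active and must be within scope.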
People are often the weakest link.
Social engineering exploits human trust.
Recon can include collecting employee contact details.
Phishing campaigns may be tested as part of an authorized engagement.
Dumpster diving is a form of physical social engineering reconnaissance.
Social media posts can leak internal company events or photos.
Employee badges visible online may reveal access levels.
Tailgating relies on observing employee movement patterns.
Email harvesting tools find addresses for spear-phishing.
Reconnaissance here prepares for later human-targeted attacks.
Maltego is a powerful link analysis tool.
It creates graphs showing relationships between people, domains, IPs.
Recon-ng is a web recon framework with modules for OSINT gathering.
FOCA extracts metadata from files found online.
Google Dorking uses advanced search operators to find sensitive data.
Example Google dork: filetype:pdf site:example.com.
Shodan finds internet-exposed devices and services.
Censys searches for SSL certificates and exposed hosts.
TheHarvester collects emails and subdomains.
Combining multiple tools gives the best results.
All recon must respect the scope of engagement.
Unauthorized active reconnaissance can be illegal.
The goal is to help the organization secure its systems.
Reporting must include all findings clearly.
Screenshots and evidence make the report actionable.
Red teamers often provide a risk rating for each finding.
A good report allows the blue team to patch vulnerabilities.
Recon results often become part of a penetration testing plan.
Ethics are crucial — do no harm.
CEH emphasizes responsible disclosure.
Start with passive methods to avoid detection.
Organize data systematically (mind maps, spreadsheets).
Validate information from multiple sources.
Use automation but verify manually.
Respect privacy and laws at all times.
Always log your activities for auditing.
Don’t rely solely on tools — human analysis is key.
Stay updated with new OSINT techniques.
Prioritize intel that directly affects security posture.
Remember: reconnaissance is continuous, not just one-time.
Use threat intelligence feeds to identify known compromises.
Monitor darknet forums for leaked credentials.
Track certificate transparency logs for new domains.
Correlate employee social media activity with work timelines.
Monitor job boards for competitor technology stacks.
Use passive DNS history to find old infrastructure.
Study network routes using traceroute for possible choke points.
Analyze supply chain partners for weak links.
Use OSINT for physical security recon (Google Maps, Street View).
Combine recon data to build a complete attack tree before exploitation.
Scanning and enumeration is the second phase of ethical hacking.
It builds on the information gathered during reconnaissance.
The goal is to find live hosts, open ports, and running services.
It’s more intrusive than reconnaissance and may trigger alerts.
Enumeration digs deeper, extracting detailed information.
Together, they form the foundation for later exploitation.
Ethical hackers must have permission before performing scans.
CEH stresses documenting all scanning activities carefully.
Scanning answers “what is out there?”
Enumeration answers “what can I interact with and exploit?”
Network scanning discovers systems connected to a network.
Ping sweeps are used to identify live hosts.
Ping sweep tools send ICMP echo requests to multiple IPs.
Firewalls may block ICMP, so alternative methods are used.
ARP scanning works at Layer 2 and is unaffected by ICMP filtering, but it only reaches hosts on the same broadcast domain.
TCP SYN (half-open) scanning is Nmap's default: the handshake is never completed, so the application never sees a connection, but any modern IDS still logs the probes.
UDP scanning is slower but finds services like DNS, SNMP.
Full TCP connect scans complete the 3-way handshake.
Xmas, NULL, and FIN scans rely on RFC 793 behaviour (closed ports answer RST, open ports stay silent) to slip past simple stateless filters; Windows and many network devices send RST either way, so results there are unreliable.
Timing options help control scan speed and stealth.
After host discovery, ports are scanned for services.
Common ports include 21 (FTP), 22 (SSH), 80 (HTTP).
Open ports indicate services that may be vulnerable.
Closed ports answer with an RST: the host is up but nothing is listening there.
Filtered ports give no answer, or an ICMP unreachable, so the scanner cannot tell whether anything listens; a firewall or ACL is usually in the way.
Port scanning helps narrow down attack vectors.
Ethical hackers focus only on in-scope systems.
Knowledge of port states helps prioritize testing.
Open ports can reveal entry points for exploitation.
Documenting port results is crucial for reporting.
Banner grabbing identifies service details like version numbers.
Telnet or Netcat can manually grab banners.
HTTP headers reveal web server information.
SSH, FTP, and SMTP banners can reveal software versions.
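The port-state logic and banner grabbing described above, as an added example that is not from the page or from any CEH lab: a threaded TCP connect scanner that classifies ports as open, closed or filtered the way Nmap does, reads the greeting of services that speak first, and parses an SSH banner into product and version. To run offline it starts its own throwaway listener on 127.0.0.1 that sends a constructed OpenSSH-style banner; the banner text and the SSH regex are assumptions for the demo.

```python
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host: str, port: int, timeout: float = 1.0):
    """TCP connect probe with Nmap's three basic states:
    open     - handshake completed (we then try to read a banner);
    closed   - the host answered RST (connection refused), nothing listening;
    filtered - no answer before the timeout, typically a firewall dropping the SYN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except (socket.timeout, OSError):
        s.close()
        return "filtered", ""
    try:
        # SSH, FTP and SMTP speak first; HTTP waits for the client, so an empty
        # banner on an open port is normal, not an error.
        banner = s.recv(256).decode("ascii", errors="replace").strip()
    except socket.timeout:
        banner = ""
    finally:
        s.close()
    return "open", banner


def parse_banner(banner: str):
    """Extract (product, version) from an SSH greeting; other banners are returned raw."""
    m = re.match(r"SSH-2\.0-([A-Za-z]+)[_-]([\w.]+)", banner)
    if m:
        return m.group(1), m.group(2)
    return banner, None


def scan(host: str, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """Probe ports concurrently; returns {port: (state, banner, parsed)}."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        for port, (state, banner) in zip(ports, states):
            results[port] = (state, banner, parse_banner(banner) if banner else None)
    return results


def start_banner_service(banner: bytes):
    """Throwaway local service for the demo: an ephemeral 127.0.0.1 port that
    sends a constructed banner to every client. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def demo():
    """Scan one open port (our fake SSH service) and one port known to be closed."""
    open_port, stop = start_banner_service(b"SSH-2.0-OpenSSH_9.3p1 Debian-1\r\n")
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))          # reserve a port, then release it so it is closed
    closed_port = spare.getsockname()[1]
    spare.close()
    results = scan("127.0.0.1", [open_port, closed_port])
    stop()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so every probe appears in the service's own logs; that is the trade-off against a SYN scan, which needs raw sockets and therefore root. The "filtered" branch is only reachable against a real firewall, which is why the demo does not exercise it.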
Service enumeration digs into running services.
SNMP enumeration reveals device names and network info.
SMB enumeration shows shared folders and user accounts.
LDAP enumeration reveals directory structure.
DNS enumeration reveals subdomains and zone records.
Enumerating user accounts can aid password attacks later.
Network mapping creates a visual diagram of the network.
It shows which systems are connected and how.
Traceroute maps paths between source and destination.
Layer 3 topology shows routers and firewalls.
Layer 2 topology shows switches and VLANs.
Mapping identifies choke points and key infrastructure.
Zenmap, the Nmap GUI, draws a topology view from scans run with --traceroute.
Combining recon and mapping data gives a complete picture.
Topology discovery helps plan attacks logically.
Blue teams use the same maps to defend and monitor.
Vulnerability scanning identifies known weaknesses.
It matches system information with vulnerability databases.
Common vulnerabilities include unpatched software and misconfigurations.
Scanners generate reports with CVE identifiers.
Vulnerability severity is rated (critical, high, medium, low).
Automated scanners speed up assessment but may generate false positives.
Nessus is one of the most widely used vulnerability scanners.
OpenVAS is an open-source alternative.
Vulnerability scans must be scheduled carefully to avoid disruption.
Results feed into the remediation process or penetration test plan.
Nmap is the king of network scanning.
Nmap supports SYN (-sS), connect (-sT), UDP (-sU), and FIN/NULL/Xmas scan types, plus OS (-O) and version (-sV) detection.
Nmap Scripting Engine automates advanced enumeration tasks.
Zenmap provides a GUI for Nmap.
Netcat is the “Swiss army knife” of networking.
It can scan ports, grab banners, and create reverse shells.
Angry IP Scanner is fast and simple for ping sweeps.
OpenVAS is used for vulnerability scanning.
Nessus provides enterprise-grade vulnerability reports.
Combining tools gives a full scanning picture.
Scanning without consent can be illegal.
Some organizations treat scanning as an attack.
IDS/IPS systems may block or log scans.
Ethical hackers must follow scope and rules of engagement.
Reports should include dates, times, and scan types.
Scan results must remain confidential.
Scanning should avoid production disruptions.
Some scans can crash fragile systems (e.g., printers, IoT devices).
CEH stresses ethical use of scanning skills.
Red teaming engagements simulate real attackers but remain authorized.
Start with non-intrusive host discovery first.
Gradually increase scan intensity if permitted.
Use randomization to avoid detection by security systems.
Document every step to reproduce results.
Verify open ports manually to avoid false positives.
Don’t overload the network with too many concurrent scans.
Use timing templates in Nmap (T0–T5) wisely.
Re-scan after fixes to confirm remediation success.
Maintain a library of common ports and services.
Combine scanning results with recon data for context.
OS fingerprinting identifies operating systems from packet responses.
Version detection reveals software builds and patches.
Service fingerprinting compares responses to known signatures.
Idle scans (-sI) bounce probes off a "zombie" host with a predictable IP ID counter, so the target never sees the scanner's address.
Timing analysis can reveal firewall rules or IDS behavior.
Enumerating NetBIOS reveals Windows workgroups and shares.
Nmap scans IPv6 with -6, but sweeping a /64 is infeasible; IPv6 targets come from DNS, neighbour tables, and link-local multicast discovery instead.
Automate scans in CI/CD pipelines for continuous security testing.
Use correlation with threat intelligence to prioritize findings.
Scanning and enumeration prepare you for the exploitation phase.
System hacking is the third phase of ethical hacking.
Its main goal is to obtain access that the target's controls should have prevented, within an authorized scope.
It simulates what real attackers would do after reconnaissance and scanning.
This phase focuses on exploitation and control.
Ethical hackers use it to test an organization’s defenses.
CEH covers this phase extensively to teach both attack and defense.
Activities include password attacks, privilege escalation, and backdoor installation.
Covering tracks is also a key topic, taught so that testers understand how real intrusions stay hidden.
System hacking is the most hands-on part of penetration testing.
Proper reporting and authorization are critical to avoid legal issues.
Passwords are still the most common authentication method.
Weak passwords are a major attack vector.
Password cracking aims to recover plaintext passwords.
Brute force tries every possible combination until success.
Dictionary attacks use precompiled wordlists.
Hybrid attacks combine dictionary + mutation (adding numbers, symbols).
Rainbow tables trade disk for time: precomputed hash chains let an attacker look up unsalted hashes instead of recomputing them.
Salting passwords defends against rainbow table attacks.
Online attacks target live login portals (e.g., SSH, RDP).
Offline attacks crack password hashes dumped from systems.
John the Ripper is a classic offline password cracker.
Hashcat is GPU-powered and very fast.
Hydra is great for online brute force against multiple protocols.
Medusa is another fast online brute force tool.
Mimikatz extracts credentials from LSASS memory on Windows: NTLM hashes, Kerberos tickets, and plaintext passwords where WDigest caching is still enabled.
Cain & Abel can sniff network passwords and crack hashes.
Ophcrack uses rainbow tables to crack Windows LM and NTLM hashes.
Ethical hackers must get explicit permission before running these tools.
Password cracking reports help improve password policy compliance.
Cracked passwords can be reused for privilege escalation.
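Dictionary, hybrid and precomputed-table attacks side by side, and why salting only defeats the last of them. This is an added example, not code from the page or from John the Ripper or Hashcat; the five-word wordlist, the mutation rules, and the use of plain SHA-256 are assumptions for the demo (real password stores should use bcrypt, scrypt or Argon2, which salt and deliberately slow hashing).

```python
import hashlib
import os

# Constructed mini wordlist; a real attack uses rockyou-sized lists.
WORDLIST = ["password", "welcome", "summer", "admin", "company"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted SHA-256, hex encoded. Illustration only: not a password-hashing KDF."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hybrid_candidates(word: str):
    """Dictionary word plus the mutations people actually use: capitalisation,
    a year or short digit run, and a trailing '!'."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    for base in sorted(bases):
        yield base
        yield base + "!"
        for suffix in ("1", "123", "2023", "2024"):
            yield base + suffix
            yield base + suffix + "!"


def crack(target_hash: str, wordlist, salt: bytes = b""):
    """Offline hybrid attack: hash every candidate with the victim's salt and compare.
    The salt is stored next to the hash, so it never stops this attack; it only
    forces the attacker to redo the work per account."""
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            if hash_password(candidate, salt) == target_hash:
                return candidate
    return None


def precomputed_table(wordlist) -> dict:
    """Stand-in for a rainbow table: unsalted hash -> plaintext, built once, reused forever."""
    return {hash_password(c): c for w in wordlist for c in hybrid_candidates(w)}


def demo() -> dict:
    table = precomputed_table(WORDLIST)
    password = "Summer2024!"                      # constructed victim password
    unsalted = hash_password(password)
    salt = os.urandom(16)
    salted = hash_password(password, salt)
    return {
        "table_hit_unsalted": table.get(unsalted),        # instant lookup
        "table_hit_salted": table.get(salted),            # None: the salt invalidates the table
        "cracked_salted": crack(salted, WORDLIST, salt),  # still falls to a per-account hybrid attack
        "same_password_different_hashes": hash_password(password, os.urandom(16)) != salted,
    }


if __name__ == "__main__":
    print(demo())
```

The lesson for the report is the one auditors most often get backwards: a salt stops precomputation and hash reuse across accounts, but a guessable password with a salt is still a guessable password.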
Privilege escalation means moving from a low-privileged user to admin/root.
Local privilege escalation exploits flaws on the compromised machine.
Common flaws: weak service permissions, unpatched OS, misconfigured SUID binaries.
Exploiting kernel vulnerabilities can lead to root access.
Remote privilege escalation leverages vulnerabilities over the network.
Example: an unpatched SMB service exploited over the network to obtain SYSTEM with no prior foothold.
Token impersonation lets a process holding SeImpersonatePrivilege act as another logged-on user, often SYSTEM; stolen tokens also enable lateral movement on Windows.
Pass-the-Hash reuses stolen NTLM hashes to authenticate without ever knowing the password.
Privilege escalation opens access to sensitive files and system control.
Patches, least privilege, and monitoring are key defenses.
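An audit for two of the local-privilege-escalation flaws named above, misconfigured SUID/SGID binaries and world-writable files that a privileged process may later execute. This is an added example, not code from the page or from any enumeration tool such as LinPEAS; it builds a constructed directory tree in a temp folder so it runs without touching the real filesystem, and the file names and modes in that tree are assumptions.

```python
import os
import shutil
import stat
import tempfile


def risky_files(root: str) -> list:
    """Walk `root` and report classic local-privesc findings as (kind, path) tuples:
    - setuid/setgid executables run with the owner's (often root's) privileges, so any
      bug or unsafe PATH use inside them is an escalation;
    - world-writable files and directories let anyone plant or modify content that a
      root cron job or service may execute later."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue                      # judge the target, not the link
            mode = st.st_mode
            if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IXUSR:
                findings.append(("setuid/setgid", path))
            # Sticky world-writable directories such as /tmp are expected; flag the rest.
            if mode & stat.S_IWOTH and not (mode & stat.S_ISVTX):
                findings.append(("world-writable", path))
    return findings


def demo() -> list:
    """Create a constructed tree, audit it, and return findings with root-relative paths."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    layout = {
        "bin/helper": 0o4755,          # setuid executable
        "etc/cron.d/job.sh": 0o666,    # world-writable script a root cron job might run
        "etc/safe.conf": 0o644,        # nothing wrong here
    }
    try:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return [(kind, os.path.relpath(p, root)) for kind, p in risky_files(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:15} {path}")
```

Run against a real host, `risky_files("/")` is the same check that `find / -perm -4000` and `find / -perm -o+w` perform; the fix on the defensive side is the least-privilege line above: strip the bits that are not needed and tighten ownership on anything root executes.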
Once in, attackers want to keep their access persistent.
Backdoors are hidden programs allowing re-entry.
Rootkits hide malicious processes from detection.
Trojans masquerade as legitimate software but create remote access.
Persistence mechanisms include scheduled tasks, registry edits, cron jobs.
Metasploit provides persistence modules for penetration testing.
Maintaining access allows long-term testing of defenses.
Defenders must monitor for unusual outbound connections.
Ethical hackers remove backdoors after testing is complete.
Documentation of persistence methods helps blue teams harden systems.
Attackers clear logs to avoid detection.
Windows logs include event logs for security and system events.
Linux logs live under /var/log/ and, on systemd hosts, in the journal (journalctl).
Clearing logs may alert security teams if done poorly.
Attackers sometimes modify logs instead of deleting them.
Timestomping changes file modification dates to hide activity.
Anti-forensics techniques aim to erase evidence.
Covering tracks is part of a real attack lifecycle.
Ethical hackers demonstrate it to show how intrusions could go unnoticed.
Blue teams should have log monitoring and SIEM alerts for suspicious changes.
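The blue-team side of the covering-tracks topic above: detection logic for cleared Windows logs, truncated Linux log files, and timestomped NTFS files, run over constructed sample records. This is an added example, not code from the page or from any SIEM product; the event records, file-size samples, paths and timestamps are all made up for the demo, while the event IDs (Security 1102, System 104) and the $STANDARD_INFORMATION versus $FILE_NAME comparison are real indicators.

```python
from datetime import datetime, timezone

# Constructed Windows event records as a SIEM would ingest them.
EVENTS = [
    {"ts": "2024-05-01T09:12:00Z", "log": "Security", "event_id": 4624, "user": "jsmith", "host": "WS01"},
    {"ts": "2024-05-01T09:40:15Z", "log": "Security", "event_id": 4672, "user": "jsmith", "host": "WS01"},
    {"ts": "2024-05-01T09:41:02Z", "log": "Security", "event_id": 1102, "user": "jsmith", "host": "WS01"},
    {"ts": "2024-05-01T09:41:05Z", "log": "System", "event_id": 104, "user": "jsmith", "host": "WS01"},
    {"ts": "2024-05-01T10:00:00Z", "log": "Security", "event_id": 4624, "user": "svc-backup", "host": "WS01"},
]

# Constructed periodic size samples of a Linux log; a shrink without rotation is a clear.
SIZE_SAMPLES = [
    ("/var/log/auth.log", 120004),
    ("/var/log/auth.log", 121330),
    ("/var/log/auth.log", 0),
    ("/var/log/auth.log", 412),
]

# Constructed MFT-style creation timestamps. $STANDARD_INFORMATION is what Explorer shows and what
# timestomping tools rewrite; $FILE_NAME is set by the kernel and rarely touched by user-mode tools.
MFT = [
    {"path": r"C:\Windows\Temp\svc.exe",
     "si_created": "2019-03-04T08:00:00.000000Z", "fn_created": "2024-05-01T09:39:48.123456Z"},
    {"path": r"C:\Users\jsmith\notes.txt",
     "si_created": "2024-04-20T14:21:07.553210Z", "fn_created": "2024-04-20T14:21:07.553210Z"},
]

LOG_CLEARED = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System event log cleared",
}


def detect_log_clearing(events) -> list:
    """A log-clear event survives the clear itself, so it is the first thing to alert on."""
    return [
        {"ts": e["ts"], "host": e["host"], "user": e["user"], "reason": LOG_CLEARED[(e["log"], e["event_id"])]}
        for e in events
        if (e["log"], e["event_id"]) in LOG_CLEARED
    ]


def detect_truncation(samples) -> list:
    """Flag any sample where a log file got smaller. Corroborate against logrotate's
    schedule before paging anyone; rotation also resets size, but on a timetable."""
    alerts, last = [], {}
    for path, size in samples:
        if path in last and size < last[path]:
            alerts.append((path, last[path], size))
        last[path] = size
    return alerts


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def detect_timestomping(entries) -> list:
    """Two indicators: $SI created earlier than $FN created, and a $SI timestamp with a zeroed
    sub-second part (common tools write whole seconds). A file moved or renamed gets a fresh
    $FN, so the first indicator alone needs corroboration from $UsnJrnl or prefetch data."""
    suspects = []
    for ent in entries:
        si, fn = _parse(ent["si_created"]), _parse(ent["fn_created"])
        reasons = []
        if si < fn:
            reasons.append("SI created precedes FN created")
        if si.microsecond == 0:
            reasons.append("SI sub-second precision is zero")
        if reasons:
            suspects.append((ent["path"], reasons))
    return suspects


if __name__ == "__main__":
    print(detect_log_clearing(EVENTS))
    print(detect_truncation(SIZE_SAMPLES))
    print(detect_timestomping(MFT))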
Metasploit is a framework for exploitation and post-exploitation.
It allows payload delivery and remote shell creation.
Metasploit's Meterpreter runs in memory through reflective DLL injection and writes as little as possible to disk.
Mimikatz dumps Windows credentials and Kerberos tickets.
Hydra performs online brute force for many protocols.
John the Ripper cracks local password hashes.
Empire is a post-exploitation framework using PowerShell.
BloodHound maps Active Directory relationships for privilege escalation.
CrackMapExec (continued as NetExec) automates credential spraying and lateral movement across Windows networks.
Choosing the right tool depends on engagement scope and objectives.
System hacking must always be authorized.
Unauthorized hacking is illegal under computer crime laws.
Ethical hackers sign contracts specifying allowed techniques.
Clearing logs or planting backdoors outside scope is illegal.
The goal is to improve security, not cause harm.
Reports must document every action taken during hacking.
Blue teams use this information to fix weaknesses.
Ethics training is a key part of CEH certification.
Professional hackers follow a strict code of conduct.
The end result is stronger security for the organization.
Start with non-destructive attacks first.
Use controlled environments for dangerous exploits.
Limit brute-force attempts to avoid account lockouts.
Snapshot virtual machines before exploiting in a lab.
Always maintain detailed notes for your final report.
Clean up all backdoors and test artifacts after the engagement.
Provide actionable recommendations, not just findings.
Use least privilege principles even during testing.
Coordinate with blue team to avoid triggering real incidents.
Focus on business impact — show how compromise affects operations.
Pivoting uses a compromised host to attack deeper network segments.
Keylogging can capture sensitive credentials post-exploitation.
Screenshot capture can prove system access visually.
Memory dumping allows offline credential analysis.
Lateral movement spreads access across multiple systems.
Privilege escalation chaining combines multiple small exploits.
Exfiltration testing shows how data could be stolen.
Red teams simulate advanced persistent threats (APTs).
Blue teams must detect both the initial compromise and persistence.
System hacking is the bridge between vulnerability discovery and full security testing.