The Certified Ethical Hacker (CEH) v13 from EC-Council is one of the most recognized entry-to-mid-level certifications in the cybersecurity field. It validates your knowledge of ethical hacking techniques across 20 domains, from reconnaissance and malware analysis to cloud security and AI-driven attacks. Whether you are entering the field or adding credentials to an existing security career, this guide covers the exam structure, all 20 domains, the best study resources, and practical strategies to pass in 2026.
CEH v13 Exam Overview
| Detail | Information |
|---|
| Certification body | EC-Council |
| Exam code | 312-50 |
| Format | 125 multiple-choice questions |
| Duration | 4 hours |
| Passing score | Approximately 70% (varies by exam form) |
| Delivery | Proctored online or at Pearson VUE testing center |
| Validity | 3 years (requires continuing education credits) |
| Prerequisites | 2 years IT security experience OR official EC-Council training |
| Price | ~$950 USD (voucher) |
CEH v13 introduced significant updates around AI-powered attacks and defenses, cloud-native security, and OT/ICS hacking — distinguishing it from v12.
Eligibility Requirements
You have two paths to sit the exam:
- Official EC-Council training — Complete an authorized CEH course (in-person, online, or through an accredited partner). No experience requirement.
- Self-study / work experience — Submit an eligibility form demonstrating at least 2 years of information security work experience. Pay the $100 eligibility fee. Once approved, you receive a voucher.
The self-study path is the more cost-effective route for experienced practitioners.
The 20 CEH v13 Exam Domains
Module 1: Introduction to Ethical Hacking
Covers the phases of ethical hacking (reconnaissance, scanning, gaining access, maintaining access, covering tracks), types of hackers, security policies, and legal frameworks including the Computer Fraud and Abuse Act (CFAA).
Key concepts: Penetration testing vs. vulnerability assessment, rules of engagement, cyber kill chain, MITRE ATT&CK framework.
Passive and active information gathering — WHOIS, DNS interrogation, Google dorking, social media OSINT, email harvesting with theHarvester, Maltego, and Shodan.
Tools to know: theHarvester, Maltego, Recon-ng, Shodan
Module 3: Scanning Networks
Network scanning with Nmap, OS fingerprinting, banner grabbing, enumeration of services, and IDS/firewall evasion techniques.
Commands to memorize:
nmap -sS -O -sV target_ip # SYN scan, OS detection, version detection
nmap -sU -p 53,161 target_ip # UDP scan
nmap -sN target_ip # NULL scan (firewall bypass)
nmap -f target_ip # Fragment packets (IDS evasion)
Module 4: Enumeration
Deep dive into extracting usernames, shares, services, and policies from discovered hosts. Covers NetBIOS/SMB enumeration, LDAP enumeration, SNMP enumeration, and NFS.
enum4linux -a target_ip
smbclient -L //target_ip -N
snmpwalk -v 2c -c public target_ip
Module 5: Vulnerability Analysis
Using vulnerability scanners (Nessus, OpenVAS, Qualys), understanding CVSS scoring, CVE identifiers, and the Common Vulnerability Scoring System.
Key concepts: CVSSv3 scoring components (AV, AC, PR, UI, S, C, I, A), vulnerability databases (NVD, ExploitDB, VulnDB).
Module 6: System Hacking
The four-phase system hacking methodology:
- Gaining access — password cracking, exploitation
- Escalating privileges — vertical and horizontal privilege escalation
- Maintaining access — backdoors, rootkits, Trojans
- Clearing logs — event log manipulation, covering tracks
Tools: Metasploit, Mimikatz, PowerSploit, John the Ripper, Hashcat
Module 7: Malware Threats
Types of malware: viruses, worms, Trojans, ransomware, spyware, adware, fileless malware. Malware analysis techniques: static analysis (strings, file headers) and dynamic analysis (sandboxes like Cuckoo, Any.run).
Key concepts: APT (Advanced Persistent Threat) lifecycle, indicators of compromise (IOCs), YARA rules.
Module 8: Sniffing
Passive and active sniffing, ARP poisoning, MAC flooding, DNS spoofing, DHCP starvation. Tools: Wireshark, Tcpdump, Ettercap, Bettercap.
# Capture HTTP traffic
tcpdump -i eth0 port 80 -w capture.pcap
# Filter for credentials in Wireshark
http.request.method == "POST"
Module 9: Social Engineering
Phishing, spear-phishing, vishing, smishing, tailgating, pretexting. The psychology of social engineering: authority, urgency, scarcity, social proof. Tools: SET (Social Engineering Toolkit), GoPhish.
Module 10: Denial of Service
DoS and DDoS attack types: volumetric (UDP flood, ICMP flood), protocol (SYN flood, Ping of Death), application layer (HTTP flood, Slowloris). Mitigation: rate limiting, CDN scrubbing, BCP38.
Module 11: Session Hijacking
TCP session hijacking, cookie theft, XSS-based session theft, MITM attacks. Tools: Burp Suite, Hamster/Ferret (for cookie theft).
Key concepts: Session token entropy, HttpOnly and Secure cookie flags, SameSite attribute.
Module 12: Evading IDS, Firewalls, and Honeypots
Fragmentation, encoding, tunneling (DNS tunneling, ICMP tunneling), protocol manipulation, polymorphic shellcode, and detecting honeypots.
# Nmap firewall evasion techniques
nmap -D RND:10 target_ip # Decoy scan
nmap --source-port 53 target_ip # Spoof source port
nmap -sI zombie_ip target_ip # Idle/zombie scan
Module 13: Hacking Web Servers
Web server vulnerabilities: directory traversal, default credentials, misconfiguration, HTTP response splitting. Tools: Nikto, Metasploit web modules, Netcat for banner grabbing.
Module 14: Hacking Web Applications
OWASP Top 10, SQL injection, XSS, CSRF, SSRF, XXE, IDOR, broken authentication. Tools: Burp Suite, sqlmap, OWASP ZAP, ffuf.
Module 15: SQL Injection
In-band (error-based, UNION-based), inferential (blind boolean-based, time-based), and out-of-band SQL injection. Manual and automated (sqlmap) approaches.
sqlmap -u "http://target.com/page?id=1" --dbs --batch --level=5
Module 16: Hacking Wireless Networks
WEP, WPA/WPA2 cracking, evil twin attacks, KARMA attacks, WPS PIN exploitation, Bluetooth attacks. Tools: Aircrack-ng, Kismet, Wifite, Hashcat for PMKID attacks.
Android and iOS attack surfaces: APK reversing, ADB exploitation, mobile malware, OWASP Mobile Top 10. Tools: MobSF (Mobile Security Framework), APKTool, Frida.
Module 18: IoT and OT Hacking
IoT attack surface (MQTT, CoAP, Zigbee), Shodan for IoT discovery, OT/ICS protocols (Modbus, DNP3, PROFINET), Stuxnet-style attacks on SCADA systems.
Module 19: Cloud Computing
Cloud attack vectors (misconfigured S3 buckets, IAM misconfigurations, cloud metadata exploitation), container security (Docker escape techniques), serverless security, shared responsibility model.
# Check for public S3 buckets
aws s3 ls s3://bucket-name --no-sign-request
# Cloud metadata exploitation (SSRF to metadata)
curl http://169.254.169.254/latest/meta-data/
Module 20: Cryptography
Symmetric (AES, 3DES), asymmetric (RSA, ECC, Diffie-Hellman), hashing (MD5, SHA family), PKI, certificate management, disk encryption (BitLocker, LUKS), and cryptographic attack types (brute force, rainbow tables, birthday attack).
Study Resources
Official Resources
- EC-Council Official Courseware — comprehensive but expensive ($850–$1,500 for official training)
- EC-Council iLabs — hands-on virtual lab environment included with official training
Third-Party Study Materials (Recommended)
| Resource | Format | Cost |
|---|
| Matt Walker’s CEH Certified Ethical Hacker Study Guide | Book | ~$40 |
| Ric Messier’s CEH All-in-One Exam Guide | Book | ~$50 |
| TotalSeminars (Mike Chapple/Total Sem) | Video | ~$30/month |
| Udemy CEH courses (Ermin Kreponic) | Video | ~$15 sale |
| Boson ExSim Practice Exams | Practice tests | ~$90 |
| Exam-Labs CEH practice questions | Practice tests | Free/paid |
Free Resources
- Professor Messer — free CompTIA videos (not CEH-specific but excellent foundations)
- TCM Security YouTube channel — practical ethical hacking techniques
- TryHackMe — hands-on labs covering CEH topics interactively
- Hack The Box — machines that practice CEH skills in realistic environments
Practical Study Strategy
12-Week Study Plan (Recommended)
Weeks 1–3: Modules 1–7 (Fundamentals, recon, scanning, enumeration, system hacking)
Weeks 4–6: Modules 8–13 (Sniffing, social engineering, DoS, session hijacking, web servers)
Weeks 7–9: Modules 14–18 (Web apps, SQL injection, wireless, mobile, IoT)
Weeks 10–11: Modules 19–20 (Cloud, cryptography) + hands-on labs
Week 12: Full practice exams, weak area review, final cramming
Study Tips
-
Memorize tool-to-technique mappings — the exam asks “which tool is used for X” constantly. Make flashcards for: Nmap, Wireshark, Metasploit, Aircrack-ng, sqlmap, Burp Suite, John, Hashcat, Nikto, SET.
-
Learn the phases — CEH loves testing the hacking phases (footprinting → scanning → enumeration → system hacking → covering tracks). Know them cold.
-
Practice questions daily — do 20–30 practice questions every day from week 2 onward. Identify weak domains and revisit them.
-
Hands-on labs matter — set up a home lab with Kali Linux and DVWA, Metasploitable, or TryHackMe. Muscle memory on tools reinforces conceptual knowledge.
-
Read carefully — many CEH questions are deliberately worded to trick you. “Which attack does NOT require network access?” requires elimination thinking.
-
Focus on v13 additions — AI-driven attacks, cloud security, and OT/ICS content is new in v13 and likely to be represented heavily. Don’t skip these.
Exam Day Tips
- Flag and return — if unsure, flag the question and come back. Don’t spend more than 90 seconds on any single question.
- 4 hours is enough time — 125 questions in 240 minutes is under 2 minutes per question. You have buffer.
- Eliminate obviously wrong answers — even if unsure, you can usually narrow to 2 choices.
- “Most likely” questions — for scenario questions, pick the most professional, most comprehensive answer.
After Passing: Maintaining CEH
CEH requires 120 EC-Council Continuing Education (ECE) credits over 3 years to maintain certification. Credits are earned by:
- Taking EC-Council or approved training courses
- Attending security conferences (DEF CON, Black Hat)
- Writing security articles or blog posts
- Completing certifications (each exam = ECE credits)
Summary
CEH v13 is a broad, vendor-neutral certification that gives you a structured framework for understanding ethical hacking methodology across 20 domains. It is not as hands-on as OSCP and will not replace practical experience, but it opens doors in corporate security roles and government positions that specifically list it as a requirement. Study the domains systematically, practice daily with hands-on labs and practice exams, and you will be well-positioned to pass in 2026.