How to Pass Certified Ethical Hacker (CEH v13)

Why CEH v13 Is Worth Your Time

Cybersecurity is no longer an optional skill set — it’s a career necessity. Businesses across the globe are under constant attack from cybercriminals, and the skills to identify, exploit, and patch vulnerabilities are in high demand. That’s where the Certified Ethical Hacker (CEH v13) certification, offered by the EC-Council, comes in.

The CEH v13 is one of the most recognised credentials in the cybersecurity world. It’s a stepping stone to penetration testing, vulnerability assessment, security analysis, and even red team operations. Unlike many certifications that only test theoretical knowledge, CEH v13 focuses heavily on real-world attack simulation — teaching you to think like a hacker to defend like a pro.

Whether you’re looking to switch into cybersecurity from another industry, or you’re already in IT and want to expand your skills, the CEH v13 offers:

  • Global recognition — respected by employers worldwide

  • Practical labs — hands-on hacking in a safe, legal environment

  • Career flexibility — applicable across sectors from finance to defence

  • A clear skills roadmap — from reconnaissance to countermeasures

In this guide, we’ll cover everything from what’s on the exam, to the best resources, to a proven study plan, plus exam-day strategies that can help you pass on your first attempt.

For a full career overview, check our How to Become a Certified Ethical Hacker Pathway.


1. Understanding CEH v13 in Depth

The CEH certification has been around for nearly two decades, but the v13 update reflects modern cyberattack trends. Here’s why it’s different from previous versions and how it maps to your career ambitions.

1.1 What’s New in v13

  • Updated tools — now aligned with the latest penetration testing toolsets

  • Cloud security coverage — including AWS, Azure, and hybrid systems

  • OT (Operational Technology) and IoT — securing industrial systems and smart devices

  • Increased focus on blue-team countermeasures — not just attacks

  • More PBQs (Performance-Based Questions) — testing hands-on skills, not just recall

The full EC-Council CEH v13 course at Robust IT Training includes these updates, along with virtual labs and expert tutor support.

1.2 The Nine CEH Domains

The CEH exam is split across nine major knowledge domains, each representing a critical stage in the ethical hacking process. We’ll cover each in detail later, but here’s the high-level view:

  1. Footprinting & Reconnaissance

  2. Scanning & Enumeration

  3. Vulnerability Analysis

  4. System Hacking

  5. Web, Application, Cloud, and OT Security

  6. Wireless & IoT Security

  7. Cryptography

  8. Malware & IDS/IPS Evasion

  9. Blue-Team Countermeasures

If you’re already familiar with the MITRE ATT&CK framework, you’ll notice significant overlap in tactics and techniques covered in CEH.

2.3 CEH vs Other Security Certs — Which One, When, and Why

Choosing between CEH and adjacent certifications depends on your starting point, target role, and timeline. Use this matrix to decide, then dive into the detailed guidance below.

At‑a‑glance matrix

| Goal | Best first step | When to choose CEH v13 | What to stack after |
|---|---|---|---|
| Break into hands‑on ethical hacking | CompTIA Security+ | You want structured coverage of the five attack phases with both red‑team tactics and blue‑team countermeasures | CompTIA PenTest+, CND |
| Move into penetration testing from IT support | Security+ → CEH v13 | You need broad tooling knowledge, PBQ practice, and exam‑ready workflows | PenTest+, project portfolio, bug bounty write‑ups |
| Pivot from SOC to red team | CySA+ → CEH | You want to formalise your offensive skill set while retaining your defender mindset | CEH → PenTest+ → advanced cloud security (e.g., SC‑900) |
| Aim for management/architecture | CEH or Security+ → CISSP | CEH adds credibility that you’ve “been on the tools”, useful for leaders managing offensive programmes | CCSP, Cloud fundamentals (AZ‑900) |
| Start in blue team / SOC | Security+ → Cisco CyberOps Associate | Choose CEH if you want to become a purple‑team analyst who thinks like an attacker | CySA+, CEH, threat hunting projects |

CEH v13 vs Security+ (SY0‑701)

  • Difficulty & scope: Security+ is your foundational security breadth—controls, risk, architecture. CEH is applied offensive breadth—recon → scanning → exploitation → persistence → countermeasures.

  • Exam style: Security+ is concept‑heavy MCQs; CEH v13 blends MCQs with Performance‑Based Questions (PBQs) where you interpret tool output (e.g., Nmap, Hydra, Burp).

  • Who should do CEH after Security+: Anyone targeting pen testing, red teaming, or security roles where adversary simulation and exploit understanding matter.

  • Pair them deliberately: start with Security+, then take CEH while your fundamentals are fresh.

CEH v13 vs PenTest+

  • Overlap: Both target pen testing workflows; PenTest+ skews towards methodology and reporting (rules of engagement, scoping, communications). CEH gives you a broader tool catalogue and attack surface (IoT, OT, cloud) plus blue‑team countermeasures.

  • Hiring perspective: Many job descriptions accept either. A strong combo is CEH first (breadth + tooling), then PenTest+ (methodology + deliverables).

  • Exam nuance: CEH PBQs frequently test output interpretation; PenTest+ often tests process fidelity (e.g., when to stop a test, evidence handling).

CEH v13 vs CySA+

  • Focus difference: CEH = attack emulation; CySA+ = defence and detection (SIEM, threat hunting, response).

  • Career lanes: Red team vs blue team. If you want to be purple (bridge both), do Security+ → CEH → CySA+ and pair with SOC ticket write‑ups and purple‑team tabletop exercises.

CEH v13 vs CND

  • CND is EC‑Council’s defender track—hardening, monitoring, incident response. CEH + CND makes you extremely employable on small teams where one person does both—hack the network in the lab, then harden it on Monday morning.

CEH v13 vs CISSP

  • CISSP is about governance, architecture, and leadership, not hands‑on exploitation. If you’re targeting lead roles, CISSP is gold. But if your next 12–18 months are hands‑on, do CEH first. (Plenty of managers with CISSP appreciate engineers who’ve actually run Burp.)

CEH v13 vs CCSP & Cloud Fundamentals

  • Cloud breaches often start with basic misconfigurations. Pair CEH with cloud literacy: AZ‑900 for Azure fundamentals and CCSP for cloud security architecture. CEH teaches you how an attacker thinks; cloud certs help you find the weak seams in identity, storage, and network controls.

Bottom line by pathway

  • New to security: Security+ → CEH v13 → PenTest+ (add CySA+ if blue‑leaning).

  • SOC to red team: CySA+ → CEH → PenTest+.

  • Future leadership: CEH (credibility) → CISSP → CCSP.

  • Keep your learning practical by joining our student community and sharing weekly lab write‑ups: Student Community and Discord.


3. Deep Dive into the CEH v13 Exam Domains

Below is a practical tour of the nine domains with: what you must know, tools that appear in PBQs, typical pitfalls, and mini‑labs you can run safely in your own environment.

3.1 Footprinting & Reconnaissance

What it is: Quietly building a picture of the target’s assets, people, and tech stack without touching production systems (mainly OSINT).
Know cold: DNS records, WHOIS, subdomain enumeration, tech fingerprinting, breach discovery.
PBQ‑style knowledge: Given a whois or nslookup output, identify registrar, name servers, contact email, and potential entry points.
Tools: whois, nslookup/dig, theHarvester, Sublist3r, Shodan, Censys, FOCA, crt.sh.
Mini‑lab:

  1. Pick a test domain you control.

  2. Enumerate subdomains with Sublist3r.

  3. Cross‑check findings in Shodan/Censys for exposed services.

Pitfalls: Confusing registrant contact with valid social‑engineering targets; under‑using public breach data.
Skill bridge: Pair with a quick refresher on cloud discovery via AZ‑900 to recognise Azure‑hosted footprints.

3.2 Scanning & Enumeration

What it is: Moving from “what exists” to “what’s alive and how it speaks.”
Know cold: TCP/UDP basics, common ports/services, banner grabbing, service versioning.
Tools: Nmap (-sS, -sV, -A, -O), Netcat, Telnet, SMBclient, enum4linux, SNMPwalk.
PBQ‑style: Interpret Nmap output to spot out‑of‑date services, weak ciphers, and attack pivot points.
Mini‑lab:

  • Scan a lab VM: nmap -sC -sV -O <target> → identify the weakest‑looking service, then validate with banner grabs.

Pitfalls: Treating every open port as exploitable; not correlating service versions with known CVEs.
Reinforce with: PenTest+ for formal reporting of findings.

3.3 Vulnerability Analysis

What it is: Converting scan data into prioritised risk.
Know cold: CVSS scoring, false positives, authenticated vs unauthenticated scans, exploit availability.
Tools: Nessus/OpenVAS, Nmap scripts, searchsploit, Vulners, Exploit‑DB.
PBQ‑style: Given a scanner report, choose the most impactful, fastest‑to‑validate item first.
Mini‑lab:

  • Run an OpenVAS/Nessus scan on a vulnerable VM; confirm a single high‑impact finding manually with an Nmap NSE script.

Pitfalls: Blindly trusting scanner output; ignoring compensating controls that reduce exploitability.

3.4 System Hacking

What it is: Getting a foothold, escalating privileges, maintaining access, covering tracks—ethically, in a lab.
Know cold: Local file inclusion → RCE chains, weak service permissions, token abuse, scheduled tasks, registry hijacks.
Tools: Metasploit, Mimikatz, PowerShell Empire, LinPEAS/WinPEAS, BloodHound.
PBQ‑style: Identify the right post‑exploitation module given goal + OS + privileges.
Mini‑lab:

  • On a Windows lab VM, practice LSA secrets extraction and describe your defensive countermeasure (LSA protection, Credential Guard).

Pitfalls: Treating post‑exploitation as a scavenger hunt; not documenting IOCs for blue teams.
Blue‑team tie‑in: Knowing how to detect yourself is the CEH v13 edge—review our Exam Day Tips checklists to rehearse concise notes.

3.5 Web, Application, Cloud & OT Security

What it is: The modern attack surface: web apps, APIs, serverless, and occasionally operational tech.
Know cold: OWASP Top 10, auth/IDOR, SSRF, deserialisation, S3/Azure Storage leaks, CI/CD secrets.
Tools: Burp Suite (Intruder, Repeater, Decoder), sqlmap, wfuzz, Wappalyzer, CloudSploit checks.
PBQ‑style: Given Burp output, identify which parameter is vulnerable and what the safest fix looks like.
Mini‑lab:

  • Stand up a DVWA or Juice Shop; capture a login POST in Burp; modify a parameter to trigger SQLi; then note preventive controls.

Pitfalls: Hunting for “trick payloads” instead of reasoning about trust boundaries.
Skill bridge: Pair with SC‑900 to speak the language of cloud identity and policy.

3.6 Wireless & IoT

What it is: Airspace and device layers that often lag in hardening.
Know cold: WPA2/3 handshakes, rogue APs, segmentation, BLE basics, firmware supply chain.
Tools: Aircrack‑ng, Kismet, hcxdumptool/hcxtools, Wireshark, Bettercap.
PBQ‑style: Pick the least noisy technique for a given wireless scenario.
Mini‑lab:

  • Capture a personal AP handshake in a test environment; run a dictionary vs rule‑based crack; document mitigations (WPA3, strong passphrases, client isolation).

Pitfalls: Treating wireless audits as a password‑cracking exercise only; ignoring Rogue AP detection.

3.7 Cryptography

What it is: Enabling confidentiality, integrity, non‑repudiation—and knowing where people go wrong.
Know cold: Symmetric vs asymmetric, TLS handshakes, hashing vs encryption, key management.
Tools: OpenSSL, gpg, Wireshark TLS dissector, hashcat.
PBQ‑style: Identify why a TLS config is weak (e.g., RC4, SSLv3, export ciphers) and the correct hardened profile.
Mini‑lab:

  • Use OpenSSL to inspect a site’s certificate chain; flag weak ciphers; propose a hardened suite.

Pitfalls: Confusing hashing and encryption; overlooking key rotation and storage.
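
One way to practise the PBQ above, as an added example that is not from the original guide: a Python audit that takes the protocol versions and OpenSSL-style cipher names a server offers, says why each weak entry is weak, and returns what is left as the hardened profile. The sample settings are constructed, and treating "hardened" as TLS 1.2+ with forward-secret AEAD suites only is an assumption of this example.

```python
import re

# Constructed server settings for the exercise (not taken from a real host).
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2", "TLSv1.3"]
CIPHERS = [
    "EXP-RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_AES_256_GCM_SHA384",
]

# Regex on the OpenSSL-style suite name -> reason the suite is weak.
WEAK_CIPHER_PATTERNS = [
    (r"(^|-)EXP", "export-grade key length"),
    (r"RC4", "RC4 stream cipher"),
    (r"NULL", "no encryption"),
    (r"(^|-)DES-CBC3?-", "DES/3DES block cipher"),
    (r"MD5", "MD5-based MAC"),
    (r"^(ADH|AECDH)-", "anonymous key exchange (no authentication)"),
]
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# TLS 1.3 suites (TLS_ prefix) always use ephemeral keys; older ones must say so.
FORWARD_SECRET = re.compile(r"^TLS_|(^|-)(ECDHE|DHE|EDH|ADH|AECDH)-")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def audit(protocols, ciphers):
    """Return (findings, hardened): why each entry is weak, and what survives."""
    findings = {p: ["deprecated protocol version"]
                for p in protocols if p in DEPRECATED_PROTOCOLS}
    for c in ciphers:
        reasons = [why for pat, why in WEAK_CIPHER_PATTERNS if re.search(pat, c)]
        if not FORWARD_SECRET.search(c):
            reasons.append("no forward secrecy")
        if not any(mode in c for mode in AEAD_MARKERS):
            reasons.append("not an AEAD mode")
        if reasons:
            findings[c] = reasons
    hardened = {
        "protocols": [p for p in protocols if p not in DEPRECATED_PROTOCOLS],
        "ciphers": [c for c in ciphers if c not in findings],
    }
    return findings, hardened


if __name__ == "__main__":
    found, keep = audit(PROTOCOLS, CIPHERS)
    for name, reasons in found.items():
        print(f"{name}: {', '.join(reasons)}")
    print("hardened:", keep)
```
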

3.8 Malware & IDS/IPS Evasion

What it is: Recognising behaviour (persistence, C2, packing) and how attackers dodge detection.
Know cold: LOLBins, obfuscation basics, sandbox evasion, signature vs behaviour‑based detection.
Tools: ProcMon, Autoruns, PEiD, strings, YARA.
PBQ‑style: From a process tree, pick the likely malicious child and explain your reasoning.
Mini‑lab:

  • In a safe VM, analyse a benign signed process spawning PowerShell with a base64 blob—practice explaining TTPs with MITRE IDs.

Pitfalls: Equating “signed = safe”; ignoring living‑off‑the‑land patterns.
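
The mini-lab above as detection logic, in an added example that is not part of the original guide: a Python pass over process-creation events that finds PowerShell children launched with an encoded command, decodes the blob for the analyst, and records the parent and signing status instead of trusting them. The events, paths, payload and the short Office parent list are constructed for illustration; the field names only loosely follow Sysmon Event ID 1.

```python
import base64
import binascii
import re

# Constructed benign payload, encoded as -EncodedCommand expects (UTF-16LE, base64).
BLOB = base64.b64encode("Write-Output 'lab test'".encode("utf-16-le")).decode()

# Constructed process-creation events for a lab host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 1, "signed": True, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "signed": True, "image": r"C:\Office\WINWORD.EXE",
     "cmd": "WINWORD.EXE report.docx"},
    {"pid": 300, "ppid": 200, "signed": True, "image": PS,
     "cmd": f"powershell.exe -NoProfile -ExecutionPolicy Bypass -enc {BLOB}"},
    {"pid": 400, "ppid": 100, "signed": True, "image": PS,
     "cmd": r"powershell.exe -File C:\lab\backup.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # illustrative short list
FLAG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the decoded script if cmd carries an -EncodedCommand argument, else None."""
    for flag, blob in FLAG.findall(cmd):
        # PowerShell accepts unambiguous prefixes of -EncodedCommand, plus the alias -ec.
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def detect(events):
    """Flag PowerShell children with an encoded command; 'signed' is reported, not trusted."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        script = decode_encoded_command(e["cmd"])
        if basename(e["image"]) not in ("powershell.exe", "pwsh.exe") or script is None:
            continue
        parent = basename(by_pid[e["ppid"]]["image"]) if e["ppid"] in by_pid else "unknown"
        alerts.append({"pid": e["pid"], "parent": parent, "decoded": script,
                       "office_parent": parent in OFFICE_PARENTS, "signed": e["signed"],
                       "techniques": ["T1059.001", "T1027"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
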

3.9 Blue‑Team Countermeasures

What it is: CEH v13’s “secret weapon”—you don’t just pop boxes; you protect them.
Know cold: Hardening baselines, EDR/AV tuning, logging/telemetry, network segmentation, patch cadence.
Tools: Sysmon + Sigma, Windows Event Forwarding, Suricata, Zeek.
PBQ‑style: Given an IOC list, select the highest‑signal detection + the safest remediation order.
Mini‑lab:

  • Enable Sysmon on a lab host; trigger known benign events; write a Sigma rule; validate visibility.

Tie‑ins: Keep your defender chops growing with CyberOps Associate and revisit our Exam Preparation page to structure your revision cadence.


4. Building a Study Plan That Works

Below are two plans: a comprehensive 12‑week marathon and a 3‑week sprint. Both integrate your resources and communities so you don’t study in isolation.

4.1 The 12‑Week CEH v13 Plan (2–3 hrs/day, 5–6 days/week)

Week 1 – Orientation & Recon

  • Read CEH exam outline; skim OWASP Top 10.

  • Lab: WHOIS, DNS, Sublist3r on a domain you own.

  • Log progress in your Learning Dashboard (see: Using the Learning Dashboard).

Week 2 – Scanning & Enumeration

  • Nmap scans (-sC -sV -O) with output interpretation; banner grabbing.

  • Lab report posted to Student Community for feedback.

Week 3 – Vulnerability Analysis

  • Nessus/OpenVAS; triage false positives; map to CVSS.

  • Skill tie‑in: tracking evidence for reports (use PenTest+ styles).

Week 4 – System Hacking

  • Windows/Linux privilege escalation checklists; Mimikatz fundamentals (lab only).

  • Blue angle: capture IOCs and write hardening notes.

Week 5 – Web & App Security (I)

  • Burp Suite basics; auth/session problems; IDOR; SQLi with sqlmap.

  • Watch Recorded Sessions for tricky labs: Recorded Sessions.

Week 6 – Web & App Security (II) + Cloud

  • SSRF, deserialisation, API auth failures; cloud storage exposures.

  • Complement with cloud literacy: AZ‑900 / SC‑900.

Week 7 – Wireless & IoT

  • WPA2/3 handshake capture (your own AP), cracking strategies, BLE basics.

  • Document mitigations—turn red findings into blue‑team guidance.

Week 8 – Cryptography

  • TLS inspection with OpenSSL, key management pitfalls, hash vs encryption.

  • Build flashcards for terms: HMAC, AEAD, PFS, stapling.

Week 9 – Malware & Evasion

  • ProcMon/Autoruns triage; YARA basics; LOLBins.

  • Write a one‑page threat narrative with MITRE mapping.

Week 10 – Countermeasures & Hardening

  • Sysmon + Sigma lab; prioritise detections; segment lab network.

  • Cross‑train with CyberOps Associate topics.

Week 11 – PBQs & Mocks

  • Two full mocks; PBQ drills (tool output interpretation).

  • Review only wrong answers until stable at 80%+.

  • Check Exam Vouchers & logistics: Exam Vouchers, Exam Booking Process.

Week 12 – Final Review & Taper

Keep momentum by scheduling two study huddles in the Discord each week.

4.2 The 3‑Week Crash Plan (90 minutes AM + 90 minutes PM)

  • Week 1: Recon → Scanning → Enumeration (+ daily 30‑min PBQ drills).

  • Week 2: Web/App/Cloud → Wireless/IoT → Crypto (+ 1 mock end‑of‑week).

  • Week 3: 3 full mocks → review only wrongs until you’re 80%+ twice in a row. Book your slot via the Exam Booking Process.

Practice infrastructure & guides:


5. Tools You Must Know for CEH (How to Think, Not Just Click)

Mindset first: CEH rewards recognition and reasoning. For every tool, learn: What signal does it reveal? When am I likely to see it? What’s the cleanest countermeasure?

Nmap (Discovery & Service Mapping)

  • Why it matters: Many PBQs show Nmap output; you must spot old versions and weak configs quickly.

  • Fast patterns:

    • Host discovery: -sn (ping sweep)

    • Service/version: -sV

    • Default scripts: -sC

    • Aggressive OS & details: -A

  • Interpretation tips: Look for default creds surfaces (Telnet/FTP/SMB), outdated web servers, and legacy SSL.

  • Level‑up: tie to PenTest+ reporting.
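
The interpretation habit described here and in section 3.2, as an added example that is not part of the original guide: a short Python parser that reads the port table `nmap -sV` prints, skips ports that are not open, and flags the Telnet/FTP/SMB surfaces and any version below a patch baseline. The sample scan, the 192.0.2.10 lab host and the BASELINE minimum versions are constructed assumptions; set the baseline from your own patch policy.

```python
import re

# Constructed sample in the layout `nmap -sV` prints (not from a real scan).
SAMPLE = """\
Nmap scan report for lab-vm (192.0.2.10)
Host is up (0.0012s latency).
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          vsftpd 3.0.3
22/tcp   open     ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
23/tcp   open     telnet       Linux telnetd
80/tcp   open     http         Apache httpd 2.4.18 ((Ubuntu))
445/tcp  filtered microsoft-ds
"""

# Services the guide calls default-credential surfaces (Telnet/FTP/SMB).
LEGACY_SURFACES = {"telnet", "ftp", "microsoft-ds", "netbios-ssn"}

# Hypothetical minimum versions for the lab; replace with your own patch baseline.
BASELINE = {"OpenSSH": (8, 0), "Apache httpd": (2, 4, 50)}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port row of the scan table."""
    keys = ("port", "proto", "state", "service", "version")
    matches = (PORT_LINE.match(line) for line in text.splitlines())
    return [dict(zip(keys, m.groups())) for m in matches if m]


def version_tuple(banner, product):
    """Extract the dotted version that follows the product name, e.g. (7, 2)."""
    m = re.search(re.escape(product) + r"\s+(\d+(?:\.\d+)*)", banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(rows):
    """Flag open ports only; a finding is a lead to verify, not proof of exploitability."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue  # filtered/closed ports are not reachable services
        if r["service"] in LEGACY_SURFACES:
            findings.append((int(r["port"]), "legacy/default-credential surface"))
        for product, minimum in BASELINE.items():
            found = version_tuple(r["version"], product)
            if found and found < minimum:
                findings.append((int(r["port"]), f"{product} below baseline"))
    return findings


if __name__ == "__main__":
    for port, reason in triage(parse_ports(SAMPLE)):
        print(port, reason)
```
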

Burp Suite (Web/App)

  • Core flows: Proxy → Repeater → Intruder; parameter tampering; session handling.

  • PBQ angle: Given a request/response, identify the vulnerable parameter and likely fix.

Metasploit (Exploitation & Post‑Exploitation)

  • Use wisely: Don’t “spray‑and‑pray.” Match module to service to version, confirm with check.

  • Blue countermeasure: Compensating controls and EDR detections.

Wireshark (Packets Don’t Lie)

  • Go‑to views: Follow TCP stream; filter by protocol; TLS handshake inspection.

  • PBQ angle: Spot plaintext creds or downgrade attempts.

Hydra (Brute‑force where permitted)

  • Safe demo: Only in lab systems you control; build rate‑limit awareness and lockout risks.

  • Defensive note: MFA, IP throttling, alerting on repeated failures.

Aircrack‑ng (Wireless)

  • Core sequence: Capture handshake → convert → crack; discuss why WPA3 + strong passphrases defeat common attacks.

  • Ethics: Only your own AP in a lab.

Pro tip: Group tools into categories (discovery, enumeration, exploitation, post‑exploitation, reporting) instead of memorising flags. That’s how CEH PBQs are written.


6. Practice & Mock Exam Strategy

Your aim: Reach automaticity on interpretations and calm accuracy on MCQs.

  1. Two‑phase mocks:

    • Phase A (diagnostic): Take a mock cold; tag weak domains.

    • Phase B (targeted): Drill only the tagged items until you can explain why distractors are wrong.

  2. PBQ circuit training:

    • 10 minutes/day reading tool outputs (Nmap, Burp, Wireshark, OpenSSL).

    • Write a one‑sentence defensive fix each time—locks in blue‑team thinking.

  3. Flashcards the right way:

    • Not “what switch is X”—instead “Given this output, what is the fastest safe next step?”

  4. Schedule logistics early:

  5. Study support & accountability:

  6. Renewal mindset:


7. Exam‑Day Execution (PBQs First, Calm Throughout)

The 90‑minute rule‑of‑thumb (adjust to your timebox):

  • 0–25 min: PBQs first. They’re high‑yield and you’re freshest now. For each, write a 1‑line note (“Nmap shows outdated OpenSSH 7.2 → privilege escalation risk”).

  • 25–85 min: MCQs in two passes.

    • Pass 1: Answer easy wins + obvious eliminations; flag the rest.

    • Pass 2: Tackle flagged items; think “What would a defender want to happen next?”

  • Last 5 min: Sanity check PBQs and any blanks. Never leave answers empty.

Common traps and how to beat them

  • Two “right” answers: Pick the least risky, defence‑aligned option.

  • Output wall‑of‑text: Skim for service/version and obvious misconfigs; ignore noise.

  • Tool worship: CEH rewards reasoning, not memorising 50 switches.

Practical checklist:

  • Read Exam Day Tips.

  • Check your test centre rules the night before; sleep; hydrate; eat.

  • If anxiety spikes, box‑breathe 20 seconds—then move on.


8. Post‑Certification Steps (Turning CEH into a Job)

1) Build a tangible portfolio

  • Publish 3–5 lab write‑ups: recon → exploit → countermeasure. Don’t share exploitables from real orgs—use lab/CTF only.

  • Create a “Before/After Hardening” case on your home lab (screenshots + Sysmon/Sigma logs).

2) Enter capture‑the‑flag (CTF) culture

  • Try beginner tracks on TryHackMe or Hack The Box; summarise each box with MITRE technique IDs.

  • Share write‑ups privately with mentors in the Discord.

3) Choose your next credential

4) Keep momentum


Conclusion & Next Steps

If you learn how attackers think and immediately translate that into clean countermeasures, you’ll not only pass CEH v13—you’ll be valuable on day one.

Do this now: