EC-Council · CEH
Validates proficiency in ethical hacking techniques and tools across 20 security domains, including reconnaissance, network scanning, vulnerability analysis, system hacking, malware threats, social engineering, web application attacks, SQL injection, cryptography, and cloud and IoT security.
Questions
594
Duration
240 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
This Certified Ethical Hacker practice test helps you review reconnaissance, scanning, enumeration, exploitation concepts, web application attacks, malware, wireless security, cloud security, and defensive countermeasures. The goal is to improve your ability to identify the right technique or tool from a scenario, not simply remember labels.
Use the free questions to benchmark your starting point, then practice in focused sessions by reviewing every explanation after submission. CEH preparation benefits from repetition because many answer choices are close; understanding why the wrong options fail is essential for raising your score.
The Certified Ethical Hacker (CEH), now in its 13th version (CEH v13), is EC-Council's flagship offensive security certification that validates a professional's ability to identify, exploit, and remediate vulnerabilities using the same tools and techniques as malicious hackers — but within a lawful, authorized context. Spanning 20 security domains and over 550 attack techniques, CEH v13 covers the full spectrum of ethical hacking methodology: from footprinting and reconnaissance through system hacking, malware analysis, social engineering, web application attacks, SQL injection, wireless network exploitation, and cloud and IoT security. The curriculum also integrates AI-driven hacking techniques, making CEH v13 the first ethical hacking certification to incorporate AI and machine learning as core competencies. Launched in September 2024, CEH v13 reflects the evolving threat landscape with updated modules on cloud environments (AWS, Azure), OT/ICS systems, and AI-powered offensive tools. The certification is globally recognized, listed on the U.S. Department of Defense (DoD) Approved Baseline Certifications list (DoD 8570/8140), and is administered through EC-Council's exam code 312-50.
CEH is designed for mid-career IT and security professionals who want to formalize and validate their offensive security knowledge. Primary target roles include penetration testers, security analysts, SOC analysts, network security engineers, security auditors, security consultants, and IT managers responsible for defensive strategy. Candidates typically have a background in networking, operating systems, or system administration and are looking to transition into or advance within offensive and red-team security roles. The certification is also widely pursued by professionals in government, defense contracting, and financial services who need credentials recognized by the DoD or regulated-industry compliance frameworks.
EC-Council does not enforce a formal degree requirement, but candidates must satisfy one of two eligibility paths. The first path requires completing an official EC-Council-accredited CEH training course, after which the candidate is automatically eligible to sit the exam. The second path allows self-study candidates with at least two years of verifiable information security work experience to apply directly by submitting an eligibility application form and paying a $100 non-refundable fee for EC-Council review. Regardless of path, candidates are strongly expected to have working knowledge of TCP/IP networking, Windows and Linux operating systems, and foundational security concepts. Familiarity with tools such as Nmap, Wireshark, and Metasploit is practically necessary to succeed on both the knowledge exam and the optional practical exam.
The CEH knowledge exam (exam code 312-50) consists of 125 multiple-choice questions to be completed in 240 minutes (4 hours). Questions are a mix of knowledge-based and scenario-based multiple-choice items. The exam is delivered either online via remote proctoring through EC-Council's portal or in person at Pearson VUE testing centers worldwide. Scoring uses a scaled model, meaning the exact passing threshold varies by exam form difficulty — typically falling between 60% and 85%, with approximately 70% as a general benchmark. The certification is valid for three years, after which holders must earn 120 EC-Council Continuing Education (ECE) credits or retake the exam. Separately, EC-Council offers the CEH Practical, a 6-hour, 20-challenge hands-on exam conducted in a live cyber range; passing both the knowledge exam and the practical earns the CEH Master designation.
The CEH certification is one of the most widely recognized offensive security credentials globally, directly qualifying holders for roles such as penetration tester, security analyst, cybersecurity engineer, SOC analyst, security consultant, and information security manager. Salary data from PayScale and Glassdoor indicates CEH-certified professionals earn an average base salary ranging from approximately $86,000 to over $147,000 in the United States, with penetration testers typically earning $95,000–$145,000 and information security managers reaching $90,000–$175,000. CEH holders who transition from network administration roles report salary increases of up to 54% according to EC-Council data. The certification's inclusion on the U.S. Department of Defense Approved Baseline Certifications list (DoD 8570/8140) makes it a mandatory or strongly preferred credential for government, military, and defense contractor positions — an advantage not shared by many competing certifications. Compared to alternatives like CompTIA PenTest+ (entry-level) or OSCP (more hands-on/advanced), CEH occupies a well-recognized middle ground that balances breadth of knowledge with industry name recognition, making it particularly effective for professionals entering or advancing within offensive security who need a credential that resonates with HR and hiring managers across both the public and private sectors.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 594 questions.
Preview — answers shown1. A web application penetration test reveals that the application uses the following XML processing without validation: <?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><root>&xxe;</root>. When submitted, the application returns the contents of /etc/passwd in the response. Which vulnerability class is present, and what is the attack vector? (Select one!)
Explanation
XML External Entity (XXE) injection occurs when XML parsers process external entity references without proper validation. The DOCTYPE declaration defines an entity 'xxe' that references the file:// URI scheme to access local files. When the parser processes &xxe; entity reference, it replaces it with the content of /etc/passwd. XXE attacks enable local file disclosure, Server-Side Request Forgery (SSRF) to internal systems via http:// URIs, denial of service through billion laughs attacks, and remote code execution in some configurations. Out-of-band XXE uses protocols like ftp:// to exfiltrate data when responses are not displayed. SQL injection targets database queries, not XML parsing. LDAP injection manipulates LDAP queries through input fields but is unrelated to XML entity processing. Server-Side Template Injection (SSTI) exploits template engines like Jinja2 or Freemarker, not XML parsers. Proper defenses include disabling external entity processing, using simple data formats like JSON instead of XML, input validation, and applying least-privilege file system permissions.
2. An organization implements 3DES encryption for legacy system compatibility. What is the effective key strength when using 3DES with three independent keys? (Select one!)
Explanation
Despite 3DES using three 56-bit keys for a total of 168 bits, the effective security strength is only 112 bits due to meet-in-the-middle attacks. This is why 3DES is deprecated in modern security standards despite having a larger nominal key size than some current algorithms. The 56-bit strength represents single DES which is completely broken. While the total key material is 168 bits, this does not represent actual security strength. 256 bits represents AES-256, a completely different algorithm.
3. An attacker uses Nmap to scan a network and receives RST (reset) packets for every ACK probe sent to a target system regardless of port state. What information does this ACK scan reveal about the network security infrastructure? (Select one!)
Explanation
Nmap ACK scan (-sA) is specifically designed for firewall rule mapping, not port state detection. ACK scans send TCP packets with only the ACK flag set, which should normally be part of an established connection. When unfiltered hosts receive unexpected ACK packets, they respond with RST regardless of whether ports are open or closed, indicating no firewall is filtering the packets. Stateless firewalls may allow ACK packets through while blocking SYN packets, allowing attackers to map firewall rules. If a stateful firewall tracks connection state, it will drop ACK packets that are not part of established connections, resulting in no response (filtered state). The scan does not definitively determine if ports are open or closed, only filtered versus unfiltered. This technique helps identify firewall configurations and which ports are allowed through security devices. Window scan (-sW) provides similar functionality but analyzes TCP window size in RST responses. Proper stateful firewall configuration prevents ACK scan effectiveness.
4. During a Meterpreter session, an attacker wants to extract all credentials including plaintext passwords, hashes, and Kerberos tickets from a Windows system. Which Meterpreter commands should be executed? (Select two!)
Multiple correct answersExplanation
Loading the kiwi extension (Mimikatz integration) with load kiwi and then executing creds_all extracts all types of credentials including plaintext passwords from memory, NTLM hashes, and Kerberos tickets. This combination provides comprehensive credential harvesting. The hashdump command only extracts password hashes from SAM, not plaintext passwords or Kerberos tickets. The getsystem command escalates privileges but does not extract credentials. The clearev command clears event logs for anti-forensics.
5. An ethical hacker performs a TCP SYN scan using Nmap with the -sS flag against a target host. Port 80 responds with a SYN/ACK packet. How does Nmap complete the scan for this port? (Select one!)
Explanation
TCP SYN scan (stealth scan) is called half-open scanning because it never completes the three-way handshake. When Nmap receives a SYN/ACK response indicating an open port, it immediately sends a RST (reset) packet to tear down the connection before it is fully established. This prevents the connection from being logged by many application-level logging mechanisms and reduces detection. Completing the handshake with an ACK packet would make it a TCP Connect scan (-sT), not a SYN scan. FIN packets are used to gracefully close established connections, not during SYN scans. NULL packets with no flags set are a different scan type (-sN) used for firewall evasion.
Certified Threat Intelligence Analyst (CTIA)
CTIA · 740 questions
Certified Cybersecurity Technician (CCT)
CCT · 630 questions
Certified Secure Computer User (CSCU)
CSCU · 630 questions
EC-Council Certified Encryption Specialist (ECES)
ECES · 627 questions
Ethical Hacking Essentials (EHE)
EHE · 627 questions
ICS/SCADA Cybersecurity
ICS-SCADA · 627 questions
$17.99
One-time access to this exam