If you’re in need of a quick reference for the EC-Council Certified Ethical Hacker exam, we’ve got you covered.
With nine knowledge domains covering the “latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals to lawfully hack an organization,” there is no shortage of things you have to remember for this exam.
Use this CEH cheat sheet to supplement our hacking and CEH exam courses, and as a quick reference for terminology, definitions, port numbers, methodology, and various important commands.
We hope this helps you boost your career by becoming a Certified Ethical Hacker. You can download the PDF version of this cheat sheet here.
Insider Affiliates: Insiders by virtue of affiliation who spoof the identity of a trusted insider.
Outsider Affiliates: Non-trusted outsiders who use an access point that was left open.
Physical Security
3 MAJOR CATEGORIES OF PHYSICAL SECURITY MEASURES
Physical measures: Things you can taste, touch, smell
Technical measures: Smart cards, biometrics
Operational measures: Policies and procedures
Web-Based Hacking
CSRF – CROSS-SITE REQUEST FORGERY
DOT-DOT-SLASH (DIRECTORY TRAVERSAL) ATTACK
A variant of the Unicode or unvalidated-input attack: "../" sequences in a path walk outside the intended directory.
SQL INJECTION ATTACK TYPES
Union Query: Uses the UNION operator to append the results of a crafted query to the results of the target query.
Tautology: An injected condition that is always true; exploits how the database decides whether a statement is true.
Blind SQL Injection: Trial and error; the database returns no error messages or visible output, so results are inferred.
Error-based SQL Injection: Enumeration technique. Inject poorly constructed commands so the database's error messages reveal table names and other information.
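As an added example (not part of the original cheat sheet), the same login query built by string concatenation and by parameter binding, run against a constructed in-memory SQLite table so the tautology and union-query types above can be compared against each form:

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, pw):
    """The flaw: user input is spliced into the SQL text, so quotes, OR, UNION
    and comment markers in the input become part of the query's grammar."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, pw):
    """The fix: parameter binding. The SQL text is fixed and the driver passes
    the input purely as data, so a tautology or UNION is just a name that
    matches no row."""
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Constructed probe strings for two of the injection types listed above.
TAUTOLOGY = "' OR '1'='1"                   # makes the WHERE clause always true
UNION = "' UNION SELECT pw FROM users --"   # appends a second result set; -- drops the rest


def demo():
    """Return each outcome by name so the contrast is visible in one place."""
    conn = make_db()
    return {
        "legit_safe": login_safe(conn, "alice", "s3cret"),              # the real user only
        "tautology_vuln": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),  # every user id
        "tautology_safe": login_safe(conn, TAUTOLOGY, TAUTOLOGY),        # nothing
        "union_vuln": sorted(login_vulnerable(conn, UNION, "x")),        # the password column
        "union_safe": login_safe(conn, UNION, "x"),                      # nothing
    }
```

The vulnerable path is the "before" of the fix; the only change in the safe path is that the query text no longer contains user input.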
BUFFER OVERFLOW
A condition that occurs when more data is written to a buffer than it has space to store, resulting in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.
Stack: Premise is that all program calls are kept on a stack and performed in order. The attacker tries to change a function pointer or variable to allow code execution.
Heap: Takes advantage of memory "on top of" the application (dynamically allocated). Uses the program to overwrite function pointers.
NOP Sled: Takes advantage of the instruction called "no-op". Sends a large number of NOP instructions into the buffer. Most IDS protect against this attack.
DANGEROUS C FUNCTIONS
The following do not check the size of the destination buffer: gets(), strcpy(), strcat(), printf()
Wireless Network Hacking
WIRELESS SNIFFING
A compatible wireless adapter with promiscuous (monitor) mode is required, but otherwise it is much the same as sniffing a wired network.
802.11 SPECIFICATIONS
WEP: RC4 with a 24-bit IV. Keys are 40 or 104 bits.
WPA: RC4 with support for longer keys; 48-bit IV.
WPA/TKIP: Changes the IV each frame and adds key mixing.
WPA2: AES plus TKIP features; 48-bit IV.
Spec      Dist    Speed       Freq
802.11a   30m     54 Mbps     5 GHz
802.11b   100m    11 Mbps     2.4 GHz
802.11g   100m    54 Mbps     2.4 GHz
802.11n   125m    100 Mbps+   2.4/5 GHz
BLUETOOTH ATTACKS
Bluesmacking: DoS against a device
Bluejacking: Sending unsolicited messages to/from devices
Bluesniffing: Sniffing for Bluetooth devices
Bluesnarfing: Actual theft of data from a device
Trojans and Other Attacks
VIRUS TYPES
Boot: Moves the boot sector to another location. Almost impossible to remove.
Camouflage: Disguises itself as legitimate files.
Cavity: Hides in empty areas of an executable.
Macro: Written in the MS Office macro language.
Multipartite: Attempts to infect files and the boot sector at the same time.
Metamorphic virus: Rewrites itself when it infects a new file.
Network: Spreads via network shares.
Polymorphic virus: Constantly changing signature makes it hard to detect.
Shell virus: Like a boot-sector virus but wrapped around application code, and runs on application start.
Stealth: Hides in files, copies itself to deliver its payload.
DOS TYPES
SYN Attack: Send thousands of SYN packets with a false source IP address. The target attempts a SYN/ACK response to each. All machine resources become engaged.
SYN Flood: Send thousands of SYN packets but never respond to any of the returned SYN/ACK packets. The target runs out of available (half-open) connections.
ICMP Flood: Send ICMP Echo packets with a fake source address. The target attempts to respond but reaches its limit of packets sent per second.
Application level: Send more "legitimate" traffic to a web application than it can handle.
Smurf: Send a large number of pings to the broadcast address of a subnet with the source IP spoofed to the target. The subnet sends its ping responses to the target.
Fraggle Attack: Similar to Smurf but uses UDP.
Ping of Death: Attacker fragments an ICMP message to send to the target. When the fragments are reassembled, the resulting ICMP packet is larger than the maximum size and crashes the system.
Linux Commands
LINUX FILE SYSTEM
/      - Root
/var   - Variable data / log files
/bin   - Binaries / user commands
/sbin  - System binaries / admin commands
/root  - Home directory for the root user
/boot  - Stores the kernel
/proc  - Direct access to kernel and process information
/dev   - Hardware / storage devices
/mnt   - Mount point for devices
IDENTIFYING USERS AND PROCESSES
INIT process: PID 1
Root: UID 0, GID 0
Service accounts: UIDs 1-999
All other users: UIDs above 1000
PERMISSIONS
4 – Read
2 – Write
1 – Execute
Order of digits: User / Group / Others
764 – User > RWX, Group > RW, Other > R
SNORT
action protocol address port -> address port (option:value;option:value)
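To make that field order concrete, here is an added example (not from the cheat sheet) that parses a rule of exactly that shape and applies it to constructed packet records; it handles only the header grammar shown plus a small option subset (content), and the rule text, sid and packet values are made up for illustration:

```python
import ipaddress
import re

# Header grammar from the cheat sheet: action protocol address port -> address port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# One option: key, optional ':value' (a quoted value may itself contain ';'), ended by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')


def parse_rule(text):
    """Split a rule into its header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    rule["options"] = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(rule.pop("opts"))}
    return rule


def _addr_ok(spec, ip):
    # 'any', a host, or a CIDR block; a leading '!' negates the match
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")


def _port_ok(spec, port):
    # 'any', a single port, or a range 'lo:hi' with either end left open
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(lo) == port
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport and payload bytes."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


# Constructed rule and packets (not real signatures) showing the parse and match steps.
RULE = parse_rule('alert tcp any any -> 192.168.1.0/24 80 '
                  '(msg:"constructed: admin path probe"; content:"GET /admin"; sid:1000001; rev:1;)')
HIT = {"proto": "tcp", "src": "10.0.0.5", "sport": 51000,
       "dst": "192.168.1.20", "dport": 80, "payload": b"GET /admin HTTP/1.1\r\n"}
MISS = dict(HIT, dport=8080)
```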
The information in this cheat sheet is not only useful for passing the Certified Ethical Hacker Exam, but can act as a useful reference for penetration testers and those pursuing other security certifications.
However you choose to use it, we hope you’ve found it a helpful resource to keep around.
Frequently Asked Questions
Is the CEH exam hard to pass?
When compared to a similar certification, such as the Pentest+, CEH is widely considered the easier exam to pass due to the strict multiple-choice format, narrower scope, and longer sit time.
What is the pass rate for CEH?
EC-Council does not publish any statistics on pass/fail rates for the CEH exam.
Can I self-study for CEH?
Yes. However, if you choose not to take EC-Council's official CEH training course, you will need to submit an eligibility application form stating that you have two years of work experience and pay a non-refundable fee.
How easy is the CEH?
It is not an “easy” exam, but it is easier than many other ethical hacking industry certifications, such as the Pentest+ or OSCP.
How long does it take to learn CEH?
EC-Council training consists of a five day bootcamp which they claim will prepare you for the exam. However, you will require a strong foundation in essential IT and enterprise networking to be prepared for the bootcamp. This includes knowledge of operating systems, TCP/IP, OSI Reference Model, etc. You can gain this knowledge quickly and affordably with a StationX Membership.
How many questions do you need to pass CEH?
Certified Ethical Hacker (CEH) consists of 125 multiple choice questions. The passing score is dependent on the question bank you get and can range anywhere from 65% to 80%.
Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.
I’ve tried downloading study sheets twice, but don’t receive the email. Not in spam folder. It’s been between 1 and 2 hours since first attempt.