Uploader: 高宏飞
Shared on 2025-12-07
Author: Matt Walker

The CEH exam is not an enjoyable undertaking. But preparing for the exam itself needn't be that way. In this book, IT security and education professional Matt Walker will not only guide you through everything you need to pass the exam, but do so in a way that is actually enjoyable. The subject matter need not be dry and exhausting, and we won't make it that way. You should finish this book looking forward to your exam and your future.

Publisher: O'Reilly Media, Inc.
Publish Year: 2025
Language: English
Pages: 894
File Format: PDF
File Size: 13.4 MB
Text Preview (First 20 pages)
Certified Ethical Hacker (CEH) Study Guide
In-Depth Guidance and Practice
Matt Walker
Certified Ethical Hacker (CEH) Study Guide
by Matt Walker

Copyright © 2025 Matthew Walker. All rights reserved.

Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Sarah Grey
Production Editor: Katherine Tozer
Copyeditor: Arthur Johnson
Proofreader: Krsta Technology Solutions
Indexer: Potomac Indexing, LLC
Interior Designer: David Futato
Cover Designer: Susan Brown
Interior Illustrator: Kate Dullea
Cover Illustrator: José Marzan Jr.

July 2025: First Edition
Revision History for the First Edition

2025-07-07: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098174774 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Certified Ethical Hacker (CEH) Study Guide, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-098-17477-4

[LSI]
Preface

Welcome, dear reader! I sincerely hope you’ve found your way to this introduction happy, healthy, and brimming with confidence—or, at the very least, with curiosity. I can see you there, standing in your bookstore and flipping through the book, or sitting in your living room while clicking through virtual pages at some online retailer. And you’re trying to decide whether you’ll buy it—whether this is the book you need for your study guide. You probably have perused the outline, checked the chapter titles—heck, you may have even read the author bio they forced me to write. And now you’ve found your way to this, the preface.

Sure, this preface is supposed to be designed to explain the ins and outs of the book—to lay out its beauty and crafty witticisms in such a way that you just can’t resist buying it. But I’m also going to take a moment to explain the realities of the situation and let you know what you’re really getting yourself into.

This exam isn’t a walk in the park. The Certified Ethical Hacker (CEH) certification didn’t gain the reputation and value it has by being easy to attain. It requires clearing a challenging examination that tests more than just simple memorization. Its worth has elevated it to one of the top certifications a technician can attain, and it remains part of DoD 8570’s call for certification on DoD networks. In short, this certification actually means something to employers because they know the effort it takes to attain it. If you’re not willing to put in the effort, maybe you should pick up another line of study.
If you’re new to the career field or you’re curious and want to expand your knowledge, you may be standing there with the glow of innocent expectation on your face, wondering whether this is the book for you. To help you decide, let’s take a virtual walk over to our entrance sign and have a look. Come on, you’ve seen one of these signs before—it’s just like the one in front of the roller coaster that reads, “You must be this tall to enter the ride.” However, the prerequisites for this ride are just a little different. Instead of your height, I’m interested in your knowledge, and I have a question or two for you. Do you know the OSI reference model? What port does SMTP use by default? How about Telnet? What transport protocol (TCP or UDP) do they use, and why? Can you possibly run something else over those ports? What’s an RFC? Why am I asking these questions? Well, my new virtual friend, I’m trying to save you some agony. Just as you wouldn’t be allowed on a roller coaster that could potentially fling you off into certain agony and/or death, I’m not going to stand by and let you waltz into something you’re not ready for. If any of the questions I asked seem otherworldly to you, you need to spend some time studying the mechanics and inner workings of networking before attempting this certification. As brilliantly written as this little tome is, it is not—nor is any other book—a magic bullet, and if you’re looking for something you can read in one night and become Super-Hacker by daybreak, you’re never going to find it. Don’t get me wrong—go ahead and buy this book. You’ll want it later, and I could use the sales numbers. All I’m saying is, you need to learn the basics before stepping up to this plate. I didn’t bother to drill down into the basics in this book, because it would have been 20,000 pages long
and would have scared you off right there at the bookrack without you even picking it up. Instead, I want you to go learn the “101” stuff first so that you can be successful with this book. Learning it won’t take long—it’s not rocket science. I was educated in the public school system of Alabama and didn’t know what cable TV or VCRs were until I was nearly a teenager, and I figured it out. How tough can it be for you? There is plenty in here for the beginner, though—trust me. I wrote it in the same manner I learned it: simple, easy, and (ideally) fun. This stuff isn’t necessarily hard; you just need to get the basics out of the way first. Then, I think, you’ll find this book perfect for your goals. For those of you who have already put your time in and know the basics, you’ll find this book pleasantly surprising. You’re obviously aware by now that technology isn’t magic, nor is it necessarily difficult or hard to comprehend—it’s just learning how something works so that you can use it to your advantage. I’ve tried to attack ethical hacking in this manner, making things as light as possible and laughing a little along the way. But please be forewarned: you cannot, should not, and will not pass the CEH exam just by reading this book. Any book that promises that is lying to you. Combine this study guide with some hands-on practice, a lot of practice exams, and a whole lot of additional study, and I don’t think you’ll have any trouble at all with the exam. Read it as a one-stop shop for obtaining certification, though, and you’ll be leaving the exam room wondering what happened to you. This book has, of course, one primary goal and focus—to help you achieve the title of Certified Ethical Hacker by passing the exam. I believe it provides you with everything you’ll need to pass the test. However, I’d like to think there’s more to the book than that. I hope I’ve also
succeeded in another goal that’s just as important: helping you to become an employed ethical hacker. No, there is no way someone can simply read a book and magically become a seasoned IT security professional, but I sincerely hope I’ve provided enough real-world insight that you can safely rely on this book along your journey out in the real world.

Finally, I want to address a few specifics regarding the content itself. I’ve pulled information from a wide range of study materials and tried to do my best to cover things I’m almost certain you’ll see on your exam. However, there are no doubt some specifics covered herein that you won’t see at all on the exam (not to mention that, without fail, you’ll probably see topics on your exam I somehow missed—it is a dynamic, constantly moving target, after all).

Take, for example, the chapter on artificial intelligence (AI). I’m not certain AI has made its way into the exam question pool yet, but it’s a really important topic that should and will make appearances soon. I covered it as best I could given the source materials I used for study purposes, combing the interwebs for the latest information available, attending conferences and webinars, and interviewing/speaking to a lot of folks in the profession. Will AI show up on your exam? I don’t know and can’t confirm. But will knowledge of AI be valuable to you as an ethical hacker? You bet your bits it will.

How to Use This Book

This study guide covers everything you’ll need to know for the EC-Council (ECC) Certified Ethical Hacker examination as it stands right now, as I write this in mid-2024. CEH topics expand seemingly by the day, and I’m certain you will see the latest hot topic referenced somewhere in your
exam. Hence, I’ve taken great pains throughout the entirety of this writing to remind you over and over again to do your own research and keep up with current news. However, based on information derived from the multiple study sources, discussions with working pen testers and security professionals, and research by your humble author, I’m pretty confident I have everything locked down as best I can.

Each chapter covers specific objectives and details for the exam, as defined by ECC. I’ve done my best to arrange them in a manner that makes sense, and I hope you see it the same way.

Each chapter has several components designed to effectively communicate the information you’ll need for the exam:

Tips point out areas you need to concentrate on for the exam. No, they are not explicit test answers. Yes, they will help you focus your study.

Sidebars are included in some chapters and are designed to point out information, tips, and stories that will be helpful in your day-to-day responsibilities (and to be fun to read). Please note that although these entries provide interesting real-world information, I sometimes use them to reinforce testable material, so don’t just discount them as “neat”—some of the circumstances and tools described in these sidebars may prove to make the difference in whether you answer a question or two on the exam correctly.

Specially called-out notes are part of each chapter, too. These are interesting tidbits of extra information that are relevant to the discussion. As with the sidebars, don’t discount them.
Getting Ready: Preparing and Registering for the Exam

Before I get to anything else, let me be crystal clear: I believe this book will help you pass your test and become a better security professional in the field. I’ve put in a lot of reading and research time to ensure that this book covers everything ECC has asked you to know before taking the exam, and I think it’s all covered pretty darn well. However, I again feel the need to caution you: do not use this book as your sole source of study. This advice goes for any book on any certification. You need practice. You need hands-on experience, and you need to practice some more. And any publisher, author, or friendly salesclerk partway through a long shift at the local bookstore who says otherwise is lying through their teeth.

Preparing for the Exam

As far as preparing for your exam, I highly recommend the ECC official training course. I know that may seem counterintuitive coming from a guy selling an exam preparation book, but it shouldn’t surprise you that the provider of the certification has the latest, most current material relevant to the examination. I can say from experience, having attended multiple ECC courses, that their trainers do an excellent job of whittling down volumes of material to get at the most salient points. Whether you choose to attend or go your own way, just know that your best chances for success probably rest in the official training.

Immediately after stating that, I want to once again point out that I’m fully confident this book is a great place to start, a good way to guide your study, and a perfect
addition to the official courseware and training. The exam changes often, as it should, and new material pops up out of thin air as the days go by, but the volume of information here, organized in the manner I’ve placed it, will help you. So avail yourself of everything you can get your hands on, including the official training and courseware. And for goodness’ sake, build a home lab and start getting some (a lot of) hands-on practice with the tools. There is simply no substitute for experience, and I promise you, come test time, you’ll be glad you put in the effort.

One more quick note on training: it’s a lot better than it used to be. ECC-certified classes and instructors are top-notch, and the new curriculum isn’t just about sitting in a classroom while someone reads you slides and provides test questions to practice on. Today, the class itself requires you to complete multiple “Break the Code” challenges, ranging across “4 levels of complexity that cover 18 attack vectors, including the OWASP Top 10.” So, coming out of the classroom, not only will you have seen what you’re supposed to know, but you’ll have done it!

I also highly recommend you take multiple preparation exams before test time. There are many options available; look for what fits your needs best. My advice is to search out ECC official trainers and their exam preparation offerings and go from there. Some of the “practice exam bundles” you’ll find on the internet are shady, to put it mildly, and won’t do a thing to help you prepare.

Last in our preparation discussion is the topic of timing: just how long should you study and prepare? The answer to this question depends on your specific talents, time, and commitment. If, for example, you’re already well-versed in all the background information and have a good grasp of CEH principles, you won’t need as much time as someone
who just learned to spell Nmap (a scanning and enumeration tool we’ll get to later). If you’re just getting started, you’ll need some time to iron out the basics before diving into the nitty-gritty. The official training course lasts one week, and there’s generally another week of preparation time before the exam. However, ECC provides you an entire year to play with its labs, so obviously the timing for individuals varies wildly. The official course through ECC usually includes the exam with your registration and will sometimes even schedule it for you. However, if you’re studying on your own or your training leaves scheduling up to you, heed my advice here: schedule your exam now. Many people make the mistake of saying, “I’ll schedule it when I’m done studying and I’m ready.” Trust me, this will only serve to delay your exam and will not help you. Of course, you need to be prepared, but if you don’t have a goal, a deadline to work toward, you won’t do well. Schedule the exam and get it on your calendar—doing so will force you to prepare. Assuming you know the basics already, have a firm grasp on the bedrock material, and have an exam scheduled, you should give yourself a month to prepare. As you read this book, create flashcards or notes on items of interest—exam tips, for example, and things you’ve read that you didn’t know already—and use those during prep. (Spending study time on things you already know is preposterous and wasteful!) Practice in the labs right up until test time. Two weeks before the exam, start more intensive training— set aside uninterrupted time daily for memorization drills, practice exams, flashcards, online prep slides, and so on. And if possible, a week out, avail yourself of a certified ECC trainer offering exam prep. Do all of this, and I’m certain you’ll pass with ease.
Registering for the Exam

At some point, whether you decide to take the official training course or jump out on your own and self-study, you’ll have to contact ECC to register. After filling out the online form and providing all your information, you’ll be assigned a point of contact to assist you in getting signed up, receiving course materials, and the like. I highly advise you to stay in touch with your assigned contact. They are responsible for answering your questions and ensuring you receive all materials. Don’t be bashful—if you’re concerned about anything, don’t wait to contact them. Should there be an issue with your assigned contact person, you can fill out a complaint form on ECC’s site; however, it will be a few days before you get a response.

Once you indicate you want to take the exam on ECC’s site, your point of contact will provide you with a few links to use in scheduling it (those links are not included here, for obvious reasons) and send you an invoice for payment. Within those linked pages, you’ll be provided with a PDF document with detailed instructions for Aspen, the exam scheduling site, and so on. Follow these instructions exactly as written and do not skip a step. This will set up your online ID, test availability, study materials, and access to labs.

There are multiple options available to you when scheduling the actual exam. You are certainly welcome to go to a Pearson VUE testing center and take the exam there, as has historically been done. However, you can now take your exam at home, right in your own comfy study area. ECC provides an online proctor to watch you take the exam, which I highly recommend. It’s not that there’s anything wrong with a testing center, but anything you can
do to be more comfortable and reduce distractions is a good thing.

You’ll log into the exam site before your exam and await the proctor. Once they sign in, they’ll ask to install a small piece of monitoring software, which they’ll use to make sure you’re not screen recording and don’t have any other windows open for cheating. They’ll go over the exam rules and tell you what is allowed. Two blank sheets of paper for note-taking and a pen or pencil are all you can have at hand—everything else must go. You’ll be asked to show them a 360-degree view of the room and the desk or table at which you are working so that they can ensure you don’t have notes taped to the walls. Once they deem all to be well, you click Begin, and the exam starts.

You are allowed to take notes on your note sheets, but be advised: you are being watched closely at all times. Any movement, eye shift, or other indication that you are reading from a cheat sheet of some kind will cause the proctor to pause the exam and ask for an explanation. For example, during my exam, I was doing some math on my blank note sheet. The exam paused as the proctor asked me to show what I was looking at and requested another shot of my desktop. Just know that, even if you take the exam in the comfort of your home, you won’t be able to cheat the system.

The Certification: More Than Just a Test

Certified Ethical Hacker is a great certification to achieve, and you do so by taking and passing a written exam. But, dear reader and future ethical hacker, CEH is only the beginning.
A couple of years ago, ECC listened to feedback from the community on the difference between book knowledge and real-world experience. It responded by creating the next logical step for those holding the written test certification—a means to prove your skills and abilities in a practical exam setting, known as the CEH Practical. Per the ECC website, the ANSI Accredited Certified Ethical Hacker (CEH) multiple choice exam “is meant to be the foundation for anyone seeking to be an Ethical Hacker. The CEH Practical Exam was developed to give ethical hackers the chance to prove their ethical hacking skills and abilities.”

The CEH Practical is a six-hour examination (using Aspen iLabs Cyber Range) following 20 practical challenges for candidates to attempt. A passing score is listed at 70%. However, the actual scoring of the challenge labs (that is, how one attains 70%) isn’t noted anywhere I can find as of this writing.

You can take on the CEH Practical after you complete the written exam. Registration is the same as with the exam itself, but preparation is different. This exam uses lab-based scenarios to test your actual ability to perform as an ethical hacker. It mirrors the lab environment used to prepare for the exam and in the official training courses. Completing the tasks can be tricky because, while in the real world there might be multiple ways to accomplish a task, a lab-based assessment looks for one specific way the challenge should be solved. In other words, you’ll have to know precisely which tool to use and how to use it in the expected manner.

So how in the world do you prepare for this practical assessment? Sign up for ECC’s lab environment and practice, practice, practice. The labs are designed with step-by-step instructions for you to follow—“type this here
and press enter,” “click this and log in with these credentials.” Practicing these steps over and over will give you a good idea of what the environment is looking for when it asks you to perform a task.

Once you’ve completed both the exam and the practical assessment, you are bestowed with the title “CEH Master.” That’s three additions to your resume—CEH, CEH Practical, and CEH Master. If you are working with the US federal government, you may also apply for an additional certification, known as Certified Network Defense Architect (CNDA), with no additional testing or requirements.

Oh, and one more fun nugget that should appeal to fans of the Ernest Cline book Ready Player One: the top 10 performers in both the CEH and CEH Practical exams are showcased on the CEH Master Global Ethical Hacking Leaderboard.

Taking the Exam

Before we get to the meat of what the exam is like, I feel the need to tell you again what should be blatantly obvious: neither I nor anyone at O’Reilly Media has any intention of telling you exactly what’s on the exam. I won’t be providing cheats of any kind, and if you’re looking for a quick-shot, memorize-and-go study guide, this isn’t for you. I would not dream of cheapening the certification by doing so, and I hope you, dear reader, feel the same. Work hard, study well, and earn your own certification.

The CEH written exam consists of 125 multiple-choice questions and lasts four hours. A passing score is, well, different for each exam. Despite listing the passing score as 70%, during beta testing, ECC assigns a “cut score” to
mark each question’s level of difficulty. Should your test include multiple hard questions, your passing “cut score” may be as low as 60%. If you get the easier questions, you may have to score upward of 78% to pass. Neat, right? There are two more issues that you, as a candidate for this certification, need to be aware of. First, if you apply your real-world knowledge and experience to the exam, you’re going to greatly hinder your ability to pass. As I’ll note throughout this book, your real-world experience will often run counter to specific information in the courseware. This isn’t a knock on ECC; it’s simply the necessary result of creating a written examination to test a dynamically changing environment. Personally, I think ECC has done pretty well in trying to walk that tightrope, but it is nevertheless an important thing for you to know before attempting the exam. Learn the material the way the courseware teaches it and answer accordingly. Second, as for the exam format itself, things have changed quite a bit. In past exam versions, there were multiple drag-and-drop questions as well as many straightforward multiple-choice definition-style questions. This is no longer the case. Today, almost every question you see on your exam will be written in a scenario-type format. For example, you won’t see simple questions asking which tool is appropriate for scanning a network; instead, you’ll be presented with a scenario and asked which tool best fits the situation. While there may not seem to be much distinction between those two—a straightforward definition question versus a scenario for which you’d need to know the exact same information—it can get very confusing very quickly. As you can imagine, the scenarios are wordy in trying to describe a specific circumstance, and it can be difficult under stress
and in a time crunch to weed through the fluff and get to what is actually being asked. My advice is to read the answers first and then go read the question. This approach will provide you with at least some idea of what to look for. For example, if the answers all appear to be scanning tools, all the information in the scenario about who Joe works for and what role he plays on the team may be irrelevant. You’ll need to focus on the salient scanning tool information to make the right selection. Speaking of the questions, you are allowed to mark questions for later review and skip them. Go through the entire exam, answering the questions you know the answer to beyond a shadow of a doubt. On the ones you’re not sure about, choose an answer anyway and mark the question for further review. (You don’t want to fail the exam because you ran out of time and had a bunch of questions that didn’t even have an answer chosen!) At the end of each section, go back and look at the ones you’ve marked. Change your answer only if you are absolutely, 100% sure your original answer was wrong. You will, with absolute certainty, see a couple of question types that will blow your mind. One or two will come totally out of left field. I’ve taken the CEH exam multiple times— from version 5 to the current version (for which this book is written)—and every single time I’ve seen questions that seemed so far out of the loop that I wasn’t sure I was taking the right exam. When you see them, don’t panic. Use deductive reasoning and make your best guess. Almost every single question on this exam can be whittled down to at least 50/50 odds on a guess. The other questions you’ll see that will make you question reality are those that use horribly bad English grammar. Just remember that ECC is
an international organization, and sometimes things don’t translate easily.

Finally, thank you for picking up this book. I have been blown away by the response to previous versions and am humbled beyond words by all of it. I sincerely hope your exam goes well, and I wish you the absolute best in your upcoming career. Here’s hoping I see you out there, somewhere and sometime! God bless.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.

TIP
This element signifies a tip or suggestion.
NOTE
This element signifies a general note.

This book uses ECC terminology that O’Reilly would normally avoid (e.g., black hat, white hat, master, and slave), because CEH exam takers will be tested on those terms.

O’Reilly Online Learning

NOTE
For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.

Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.