Certified Ethical Hacker (CEH): What It Is, What It Isn’t, and Why It’s Important

January 18, 2017 | Jonathan Gibson

The Certified Ethical Hacker (CEH) certification is more than just another paper to add to your collection. While one could argue that it’s just another multiple choice exam, there is no mistaking the value of the knowledge you learn from studying for and then gaining this certification.

What is the CEH?

It’s a multiple choice exam which verifies your knowledge of the penetration testing structure and the tools used within that structure. It equips prospective job seekers in the information security industry with a solid start, making sure the holder of the certificate knows how to do the basics like:

  • information gathering
  • attacking computers or servers
  • wireless attacks and social engineering

The concept is great: students learn the theory of how tools work and how to evaluate situations and look for weaknesses and vulnerabilities, which is a major part of studying for the CEH. One thing it does well is to bring in real world tools for each of these situations. By the end of the journey to obtain your CEH, you’ll know which tools do which job, how to use the tools properly and how to conduct an ethical penetration test.

What the CEH Isn’t.
Here’s what it isn’t. The CEH is not your one stop shop for everything you need to learn. Rather, it is a great start into the realm of information security. As with technology, it’s always best to stay ahead and current; thus, the CEH should be looked at as a gateway to higher levels of knowledge as well as proof that you can administer a penetration test.

Why is it important?
While talent and ability aren’t established only by certifications, they do help when proving your knowledge and skill to others. Unlike other certifications, the CEH gives you the knowledge that will last outside of the exam by teaching you a methodology that will carry into your real world jobs and tools that you will use in real world engagements. Few certs have that to offer and the few that do are further down the road from the CEH.

What makes the CEH different?
There are many certifications one can get on their journey in the information security world, but few come to the level of training and understanding required to earn the CEH certification. The biggest factor of what makes the CEH such a unique certification is its method of teaching. Unlike other security certifications which teach defensive tactics such as firewall configuration or other forms of preemptive security, the CEH takes an alternative approach. Offenses are featured as your best defense - which is a major difference from certifications that only focus on defensive tactics. The CEH imparts offensive tactics supplemented with defensive countermeasures. This ensures that the CEH professional can have a more holistic security perspective of the organization.

What’s the CEH test like?
The test consists of:

  • 125 questions
  • You have 4 hours to complete the test at a certified testing center
  • You’ll know within five minutes if you have passed or failed the test and be given a report detailing the sections you did poorly on. It takes roughly a week to gain your digital certificate and a month to gain your physical certificate along with a welcome letter officially giving you the title of a Certified Ethical Hacker.

What can you expect on the test?

To give you an overview, I’ve placed some sample questions below.

1. You have been hired to test security for a business headquarters in Chile. Which regional registry would be the best place to go for the network range determination?


Answer: The correct choice is D) LACNIC or the Latin America and Caribbean Network Information Centre. There are five regional registries covering the globe that manage and control all public IPs.

2. An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports are being answered. Which type of Port scan is this?

A) Ping Sweep
C) Half-Open
D) Full

Answer: The correct choice is C) Half-Open. When an attacker or an ethical hacker sends packets with the SYN flag set, it is known as a SYN scan, which is also called a Half-Open scan.
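From the defender's side, the pattern in this question can be spotted in a capture: the server answers with SYN/ACK, but the client never sends the final ACK. The sketch below is an added example, not part of the original post; the addresses, the packet tuples and the `min_ports` threshold are constructed assumptions.

```python
from collections import defaultdict

SERVER = "192.0.2.10"  # constructed address (documentation range)

# Constructed capture seen at the server: (src, dst, server_port, flags).
PACKETS = [
    ("192.0.2.20", SERVER, 443, "SYN"),        # normal client: full handshake
    (SERVER, "192.0.2.20", 443, "SYN/ACK"),
    ("192.0.2.20", SERVER, 443, "ACK"),
    ("198.51.100.66", SERVER, 22, "SYN"),      # SYN/ACK answered with RST
    (SERVER, "198.51.100.66", 22, "SYN/ACK"),
    ("198.51.100.66", SERVER, 22, "RST"),
    ("198.51.100.66", SERVER, 80, "SYN"),      # SYN/ACK never answered
    (SERVER, "198.51.100.66", 80, "SYN/ACK"),
    ("198.51.100.66", SERVER, 443, "SYN"),
    (SERVER, "198.51.100.66", 443, "SYN/ACK"),
    ("198.51.100.66", SERVER, 23, "SYN"),      # closed port: server resets
    (SERVER, "198.51.100.66", 23, "RST/ACK"),
]


def classify_handshakes(packets, server):
    """Return {(client, port): outcome} from the TCP flags seen per flow."""
    seen = defaultdict(list)
    for src, dst, port, flags in packets:
        client = dst if src == server else src
        sender = "server" if src == server else "client"
        seen[(client, port)].append((sender, flags))
    outcomes = {}
    for key, events in seen.items():
        if ("server", "SYN/ACK") not in events:
            outcomes[key] = "closed-or-filtered"   # port never accepted
        elif ("client", "ACK") in events:
            outcomes[key] = "full"                 # three-way handshake done
        else:
            outcomes[key] = "half-open"            # SYN/ACK left unanswered
    return outcomes


def half_open_sources(packets, server, min_ports=2):
    """Clients that left handshakes half-open on at least min_ports ports."""
    by_client = defaultdict(list)
    for (client, port), outcome in classify_handshakes(packets, server).items():
        if outcome == "half-open":
            by_client[client].append(port)
    return {c: sorted(p) for c, p in by_client.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(half_open_sources(PACKETS, SERVER))
```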

3. An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place?

A) Stateful
B) Signature-based
C) Anomaly-based
D) Packet-filtering

Answer: The correct choice is C) Anomaly-based. Intrusion detection systems can only be anomaly-based or signature-based. Anomaly-based systems build a baseline of normal traffic patterns over time, and anything that appears outside of that baseline is flagged. Signature-based detection works by scanning the network for already known malicious bytes of code or packets going through the network.
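The difference between the two approaches shows up when both run over the same traffic. The sketch below is an added example, not part of the original post; the hourly counts, the payloads, the marker string and the `k` and `floor` thresholds are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed history: connections per hour over three days,
# busy during office hours (9-17) and quiet otherwise.
HISTORY = {h: ([380, 400, 420] if 9 <= h <= 17 else [15, 20, 25])
           for h in range(24)}

# Constructed stand-in for a known-bad byte pattern.
SIGNATURES = [b"EXAMPLE-KNOWN-BAD-MARKER"]

# Constructed observations: (hour, connection_count, sample_payload).
OBSERVED = [
    (2, 900, b"GET /index.html"),                   # off-hours spike
    (11, 410, b"POST /x EXAMPLE-KNOWN-BAD-MARKER"),  # normal volume, known pattern
    (14, 395, b"GET /about"),
    (23, 22, b"GET /"),
]


def build_baseline(history):
    """Learn (mean, standard deviation) of the traffic volume for each hour."""
    return {h: (mean(c), pstdev(c)) for h, c in history.items()}


def anomaly_alerts(baseline, observed, k=3.0, floor=10.0):
    """Hours whose volume exceeds the learned baseline by k deviations.

    floor keeps a very quiet hour from alerting on tiny changes.
    """
    alerts = []
    for hour, count, _payload in observed:
        mu, sigma = baseline[hour]
        if count > mu + k * max(sigma, floor):
            alerts.append(hour)
    return alerts


def signature_alerts(observed, signatures=SIGNATURES):
    """Hours whose payload contains an already known byte pattern."""
    return [hour for hour, _count, payload in observed
            if any(sig in payload for sig in signatures)]


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print("anomaly-based  :", anomaly_alerts(baseline, OBSERVED))
    print("signature-based:", signature_alerts(OBSERVED))
```

The off-hours spike carries no known pattern, so only the baseline comparison flags it; the marked payload arrives at normal volume, so only the signature match flags it.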

4. A junior security employee tells you a web application has halted. An examination of the syslog shows an entry from the web application indicating the canary word has been altered. What does this message indicate?

A) The NIDS has blocked an attempted attack
B) The firewall has failed in protecting the subnet
C) A buffer overflow attack has been successful
D) A buffer overflow was attempted but failed

Answer: The correct choice is D). A canary word is created specifically to look for and indicate buffer overflow attacks. The fact that the application stopped processing immediately indicates the attack was logged but was not successful.

5. A WPA2 wireless network is discovered during a pentest. Which of the following methods is the best way to crack the network key?

A) Capture the WPA2 authentication traffic and crack the key
B) Capture a large amount of initialization vectors and crack the key inside
C) Use a sniffer to capture the SSID
D) WPA2 cannot be cracked

Answer: The correct choice is A). WPA2 is a strong encryption method, but almost anything can be hacked given time. Capturing the password pairwise master key (PMK) during the handshake is the only way to do it, and even then it’s virtually impossible if it’s a complicated password.

6. Which one of the following is a botnet command and control tool?

A) Netcat
B) Poison Ivy

Answer: The correct choice is B) Poison Ivy, which works as a botnet controller.

How to get going on the CEH?
So where should you go to study? Unfortunately, it seems that a lot of the courses available are outdated; the information they provide is only enough to pass the test and nothing more. The reality is that it’s getting harder to find good sources of information. Given the circumstances, what would I recommend? It’s a mixture; I would recommend Matt Walker’s CEH book. His V9 edition came out in September:

If you are more into learning via videos, I recommend Cybrary. They have a great video course on penetration testing and ethical hacking, as well as courses on tools like Metasploit or using Python as a penetration tester. While these will take you beyond what you need when studying for the CEH, you will only benefit from having more relevant information. I am currently working on test prep videos for the CEH as well as other certifications which can be found here on YouTube:
or here on Patreon:

Please follow on Twitter: https://twitter.com/B3taW0lf

About the Author: Jonathan Gibson
Jonathan Gibson has a range of experience as a security consultant, network administrator, and web developer. He holds certifications in the security field and has a CEH, maintains a security blog and serves as CTO for a charitable foundation.