xIoTz | Managed Cyber Assurance Platform

CEH Practical Exam: Full Guide (All you need to know)

August 30, 2023

Table of Contents

How I cleared my CEH Practical exam in first attempt : Full Guide (All you need to know)

Hello Hackers! In this blog I will be sharing my secret strategy on how I cleared my CEH (Certified Ethical Hacker) Practical exam in the first attempt. In the next 10 minutes, you will have a whole roadmap in front of you on what is CEH (Practical), who can take this exam and what are the things required to clear this exam along with my strategy.

Let’s start

The Certified Ethical Hacker (Practical) exam is a tough test that lasts for six hours. During this exam, you need to show how you can use ethical hacking methods to solve security problems within a limited time, just like in real situations. A group of experts, including people with a lot of experience, created this exam. They made 20 situations based on real life and asked questions about them. These questions check if you have the important skills needed for ethical hacking, like the ones you learn in the C|EH program. This exam isn’t a pretend one – it’s like a real company’s computer network. They use virtual machines, networks, and programs that work live to test your ethical hacking skills.

Exam Details

  • Exam Title: Certified Ethical Hacker (Practical)
  • Number of Practical Challenges: 20
  • Exam Duration: 6 hours
  • Exam Infrastructure:  iLabs (browser-based)
  • Exam Format: iLabs Cyber Range
  • Passing Score: 70% (14 Questions out of 20)
  • Certificate validity: 3 years

Course Content 

  • Unit 1: Introduction to Ethical Hacking
  • Unit 2: FootPrinting and Reconnaissance
  • Unit 3: Scanning Networks
  • Unit 4: Enumeration
  • Unit 5: Vulnerability Analysis
  • Unit 6: System Hacking
  • Unit 7: Malware Threats
  • Unit 8: Sniffing using Wireshark
  • Unit 9: Social Engineering
  • Unit 10: Denial-of-Service
  • Unit 12: Session Hijacking
  • Unit 13: Evading IDS, Firewalls, and Honeypots
  • Unit 14: Hacking Web Servers
  • Unit 15: Hacking Web Applications
  • Unit 16: SQL Injection
  • Unit 17: Hacking Wireless Networks
  • Unit 18: Hacking Mobile Platforms
  • Unit 19: IoT and OT Hacking
  • Unit 20: Cloud Computing
  • Unit 21: Cryptography

How to enroll for CEH Practical ?

  1. Go to EC-Council official website and read through everything you need to know https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-practical/
  2. Create Account: Create an account on EC-Council’s Aspen portal.
  3. Purchase Voucher: Buy a CEH Practical exam voucher from EC-Council or authorized centers. You can either buy the voucher from official store i.e. https://store.eccouncil.org/product/ceh-practical-exam/    
  4. Or you can fill the form from official website and you will get the whole guide via call or text (I personally prefer this way as you can ask your doubts and they help us understand)
  5. Schedule Exam: Log in to Aspen, select an exam date, and schedule the exam.

Exam Experience:

I know this is the most awaited part. The exam is watched over by a person called a proctor. They use GoToMeeting, a program that sees and hears you through your computer. They’ll also record what’s on your screen during the whole exam. After your identity is verified, your exam starts.

The exam is on a website called iLab. You don’t need to worry about taking pictures of your virtual machines (VMs).

You’ll get two Operating systems to test things on. One is Parrot OS, and the other is Windows 7. No more Kali this time.

You can DO use the internet for the exam. You can look things up, take notes on your computer, watch videos, and read blogs.

But DON”T write notes by hand, talk to people, or make calls.

Your exam computers won’t have regular internet access. You need to use your web browser to access the internet.

  • Start with the scanning part (NMAP Scan), since the scanning part takes some time, I moved on to other hacking questions.
  • Scan all ports on IPs because default scripts might not catch smart configurations.
  • Use custom word lists for each module. For brute-forcing, try “Hydra & Medusa.”
  • Practice hacking on an Android-based Hack The Box (HTB) box, as the coursework covers mobile hacking.
  • If a challenge is too hard or time-consuming, move on and return later.
  • Don’t skip cryptography and steganography modules. Learn the basics.
  • Reconnaissance and enumeration are crucial. Gather lots of details.
  • Submit answers exactly as requested; prepopulated answers matter.
  • Google is helpful, but avoid prying into personal matters!

Study Guide 

This is the main picture. I know you guys are excited about this. In my case, I had prior knowledge of basic linux OS and some tools but don’t worry about it. This exam portion starts from basic and trains you till your potential to clear this exam.

If you got money, you can afford iLabs because the challenges are based on the iLab environment and you will get hands-on practice to clear this exam.

If you can’t afford iLab, there are many platforms in which you can practice the listed tools. I personally prefer TryHackMe and HackTheBox. This Exam is all about how much knowledge you have on tools.


  1. Nmap
  2. Hydra
  3. Sqlmap
  4. Wpscan
  5. Nikto
  6. John
  7. Hashcat
  8. Metasploit
  9. Responder LLMNR
  10. Wireshark / Tcpdump
  11. Steghide
  12. OpenStego
  13. QuickStego
  14. Dirb
  15. Searchsploit
  16. Crunch
  17. Cewl
  18. Veracrypt
  19. Hashcalc
  20. Rainbow Crack


Damn Vulnerable Web Application (DVWA)

DVWA is a PHP/MYSQL vulnerable website that’s made to be easy to hack. It’s used to practice common web problems. It has different levels of difficulty. DVWA is important for the CEH (Practical) exam. It’s a good idea to practice on DVWA because the exam might have similar challenges. 

You can refer to the link https://bughacking.com/dvwa-ultimate-guide-first-steps-and-walkthrough/ for full guide on setup and use of DVWA.

TryHackMe (https://tryhackme.com/

I enjoyed this platform a lot! It is an online platform for learning cybersecurity using hands-on exercises and labs. You can use a free version, but you can even use a paid one for a better experience.

There are many rooms but below I listed the ones I think are helpful for the exam along with the topics.

All the commands that you need to know:

  1. How many machines are active in a network – netdiscover -i
  2. Connect to rdp via cmd – mstsc 

Find DNS records – https://www.nslookup.io/

Scan the whole website- (skipfish -o /root/test -S /usr/share/skipfish/dictionaries/complete.wl

  • -o output
  • -S wordlist 

To bruteforce directories or files-

gobuster dir  -u  -w /usr/share/dirb/wordlists/common.txt  -x  .txt


uniscan -u -q   (for directories)

uniscan –u -we (enable file check like robots.txt and sitemap.xml)

To get file from server- wget 

FTP Login – ftp <ip>

get <file name>   (to get file from ftp login)

SSH Login – ssh username@

nmap scan

  • nmap  -A  (aggressive scan- Traceroute, T4, OS)
  • nmap  -sC  (service scan)
  • nmap -sV  (version scan)
  • nmap  -sP  (how many host are up in whole network)/ping scan
  • nmap  -sL  (hostnames)
  • nmap  -oN <filename>  (to save output in a file)
  • nmap  -F  (fast scan)
  • nmap  -O  (os scan)

 Crack the hashes-

  • hashid  -m <hash>  (to identify the type of hash, its mode etc)
  • hashcat  -m <mode>  -a 0  <hashhhhhhhh> /usr/share/wordlist/rockyou.txt
  • crackstation
  • hashes.com
  • Cyberchef


  • Global network inventory
  • Netbios enumerator
  • Hyena
  • Superscan
  • Advanced ip scanner

 nmap smb scripts-

  • nmap –script smb-os-discovery.nse -p445 <ip>  (enumerate os, domain name,etc)
  • nmap –script smb-enum-users.nse -p445 <ip>  (used to enumerate all users on remote Windows system using SAMR enumeration and LSA bruteforcing)
  • nmap -p 445 –script=smb-enum-shares.nse, smb-enum-users.nse (smb users and shares)
  • smbclient //  (accessing smb shares)
  • smbget -R smb://   (downloading smb files)


  • enum4linux -u martin -p apple -U | – u user -p pass -U get user list
  • enum4linux -u martin -p apple -o | -o get OS info
  • enum4linux -u martin -p apple -P | -P get password policy info
  • enum4linux -u martin -p apple -G | -G get groups and members info
  • enum4linux -u martin -p apple -S | -S get share list info
  • enum4linux -u martin -p apple -a | -a get all simple enumeration data [-U -S -G -P -r -o -n -i]


  • wpscan –url http://[IP Address]:8080/CEH –enumerate u  (enumerate the usernames stored in the website’s database)

Vulnerability analysis


  • Hydra  -L username  -P /usr/share/wordlists/rockyou.txt  ftp://xiotz.com


  • Hashcalc
  • Md5 calculator
  • Cryptool – decode .hex file
  • Bctextencoder – decrypt text using secret key
  • Veracrypt – anything related to volume
  • Crack hashes- hashes.com , cyberchef 


  1.       Steghide  embed  -ef  <filename>  -cf  <image>  -p  <passphrase>
  2.       Steghide  extract  -sf  <image>       (extract hidden data from image)
  3.       Stegcracker  <image>  /usr/share/wordlists/rockyou.txt(crack the passphrase of image)
  4.     https://futureboy.us/stegano/decinput.html   (online steganography tool)
  5.       sha256sum <filename>   (find hash of the file)

Android Hacking-

  • via USB
  • ./adb tcpip 5555
  • ./adb connect
  • ./adb devices
  • ./adb  -d shell (Direct an adb command to the only attached USB device)
  • ls
  • cd sdcard
  • ls
  • cd dcim
  • cd camera
  • ls
  • ./adb   push                C:\platform-tools\ota.zip                    /sdcard/Download           (from pc to android)

                                   <            pc location   >                  <android location>

  • ./adb   pull     /sdcard/Download/magisk_patched.img       C:\platform-tools            (from android to pc)

                         <            android location   >                      <pc location>


site:http://testphp.vulnweb.com/ php?= (for finding vulnerable site)

(for cookies- console->document.cookie)

(dump individual  column data)

  • sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1  -D acuart -T users -C uname  –dump  
  • sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1  -D acuart -T users -C pass  –dump

Thank you for reading this blog. I hope this blog finds you helpful. Visit our other blogs to know more about cyber security and the future of cyber security and how you can make your career in cyber security.

Posted in ExperienceTags: