Certified Ethical Hacker Cheat Sheet 2026
The 30 highest-yield Certified Ethical Hacker facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
125 questions
240 min time limit
70.00% to pass
- An ethical hacker wants to detect a previously unknown malware sample by observing its runtime behavior in an isolated environment. This is called what? → Dynamic (sandbox) analysis
- A tester captures a service's response containing version and OS hints by connecting to an open port. This is called what? → Banner grabbing
- Which command-line tool is primarily used for querying DNS records such as MX records to identify a domain's mail servers? → nslookup
- In 2004, Johnny Long popularized a footprinting technique using the manipulation of a search string to identify vulnerabilities. → Google Hacking
- How does a signature-based IDS detect attacks? → By matching traffic against a database of known attack patterns
- Which testing approach examines a running application without source code access? → DAST
- Which security concept ensures that cloud provider employees cannot access customer data without authorization? → Separation of Duties
- Which tool is commonly used for session hijacking and man-in-the-middle attacks on a LAN? → Ettercap
- Which attack technique do attackers use to steal session cookies by injecting a script into a vulnerable web application? → Cross-Site Scripting (XSS)
- What is the purpose of 'fuzzing' in vulnerability research? → Sending malformed or random data to an application to discover crashes and bugs
- Which type of testing occurs when individuals know the entire layout of the network? → White box
- What information can an attacker extract by analyzing the headers of an email received from a target organization? → Internal IP addresses, mail server names, and email routing paths
- Which Nmap timing template is the most aggressive and fastest? → -T5 (insane)
- A user receives a fraudulent email impersonating their bank to steal credentials. This is an example of: → Phishing
- An attacker captures and retransmits a valid encrypted authentication token. What attack is this? → Replay attack
- Which technique uses an authoritative-looking but malicious phone charging station or cable to compromise mobile devices in public? → Juice jacking
- Which attack involves sending unsolicited messages to nearby Bluetooth devices? → Bluejacking
- Why is ECB mode generally discouraged for encrypting large amounts of data? → Identical plaintext blocks produce identical ciphertext
- What distinguishes an IPS from an IDS? → An IPS can actively block or drop malicious traffic
- What does the acronym DMZ stand for in network security? → Demilitarized Zone
- Stan wiretapped his ex-girlfriend's phone to monitor her current partner. What is an example of wiretapping? → Sniffing
- A penetration tester wants legal protection clarifying they are authorized to test. Which agreement is most relevant? → Get-out-of-jail-free / authorization letter
- A polymorphic virus evades antivirus primarily by doing what on each infection? → Changing its decryption routine/code signature
- Which exploitation countermeasure randomizes the memory layout of a process to prevent attackers from predicting where to redirect code execution? → ASLR (Address Space Layout Randomization)
- Which malware hides its presence and maintains privileged access at a deep system level? → Rootkit
- What is 'ARP spoofing' primarily used for in session hijacking attacks on a LAN? → Associating the attacker's MAC with a legitimate IP to intercept traffic
- Which phase of the CEH hacking methodology comes immediately after gaining access? → Maintaining access
- Which attack targets the human element rather than technical vulnerabilities? → Social engineering
- Which of the following BEST mitigates risk from lost or stolen laptops containing sensitive data? → Full-disk encryption
- An IoT device ships with the default credentials admin/admin and exposes Telnet. Which botnet famously exploited this pattern? → Mirai
Turn these facts into recall: