EC-Council CEH

CEH v4 Domain #2: Reconnaissance Techniques

Greg Belding
November 23, 2021 by
Greg Belding

Organizations that want to maximize the chances of not being another statistic of malicious hacking can hire a certified ethical hacker. These "white hat" hackers test an organization's systems, networks, and overall information security. The Certified Ethical Hacker, or CEH, certification is a well-renowned cert that verifies the knowledge and skills of these "white hat" heroes.

The CEH certification is currently on Exam Blueprint v4.0, which has changed how the domains of knowledge are presented. This article will detail Domain #2 of CEH Exam Blueprint v4.0, reconnaissance techniques. It will explore what the CEH certification is, changes since the last exam version, the target audience, and the content that domain #2 of the CEH certification will cover.

Earn your CEH, guaranteed!

Earn your CEH, guaranteed!

Get hands-on hacking experience and live expert, instruction. Enroll now to claim your Exam Pass Guarantee!

What is the CEH certification?

The CEH certification verifies that the holder has a practical understanding of the phases of ethical hacking, the various attack vectors, and the preventative countermeasures used by ethical hackers. It certifies that the holder knows how to think and act like a malicious hacker to better position your organization's information security measures and better defend against real-world attacks. It is premised on the idea that if you understand vulnerabilities and system weaknesses your organization faces, you can better strengthen system security controls in the face of malicious activity and attacks.

Who is the target audience for CEH?

From a high-level view, any information security professional wants their organization to be better positioned in the face of attacks and malicious activity. Below is a list of roles that typically earn this certification:

  • Information Security Analyst
  • Information Assurance Security Officer
  • Information Security Manager/Specialist
  • Information Systems Security Engineer/Manager
  • Information Security Professionals/Officers
  • Risk/Threat/Vulnerability Analyst
  • Information Security/IT Auditors

What has changed since CEH Exam Blueprint v3?

Bluntly speaking, a lot has changed since v3. No other domain has had as much of a change as CEH Domain #1. Normally, I offer a side-by-side comparison of the old and new exam versions, but in the case of CEH, so much has changed we will keep it brief. Domain #2 of CEH Exam Blueprint v3.0 was entitled "Analysis and Assessment" and consisted of two subdomains, making up 12.73% of CEH exam content and accounting for 16 CEH certification exam questions.

In comparison, CEH Exam Blueprint v4.0 is now "Reconnaissance Techniques" and has grown to 21% of CEH exam content and accounting for 26 exam questions. The subdomains of domain #2 are as follows:

  • Footprinting and reconnaissance
  • Scanning networks
  • Enumeration

Let's explore this content below.

Footprinting and reconnaissance

  • Footprinting concepts
    • Pseudonymous footprinting
    • Internet footprinting
    • Objectives of footprinting
      • To know security posture
      • To reduce the focus area
      • To identify vulnerabilities
      • To draw a network map
  • Footprinting methodology
  • Footprinting through search engines
  • Footprinting through web services
    • Location information
    • Online people search services
    • Job sites
    • Monitoring a target using alerts
    • Groups, forums and blogs
  • Footprinting through social networking sites
  • Website Footprinting
  • Email footprinting
  • Whois footprinting
  • DNS footprinting
  • Network footprinting
  • Footprinting through social engineering
  • Footprinting tools
  • Footprinting countermeasures

Scanning networks

  • Network scanning concepts
  • Objectives of network scanning
    • The objectives are to identify:
      • Live hosts on a network
      • Open and closed ports
      • Operating system information
      • Services running on a network
      • Processes running on a network
      • The presence of security devices like firewalls
      • System architecture
      • Running services
      • Vulnerabilities
  • Scanning tools
  • Host Discovery
  • Port and service discovery
  • OS discovery (banner grabbing/OS fingerprinting)
  • Scanning beyond IDS and firewall
  • Draw network diagrams


  • Enumeration concepts
    • What is enumerated in this phase?
      • Routing information
      • SNMP information
      • DNS information
      • Machine name
      • User information
      • Group information
      • Application and banners
      • Network sharing information
      • Network resources

    • Techniques of enumeration
      • Using an email ID
      • Using default password
      • Using SNMP
      • Brute force attack on active directory
      • Enumeration through DNS zone transfer

  • NetBIOS enumeration
    • Ports used in NetBIOS enumeration
      • UDP port 137 (name services)
      • UDP port 138 (diagram services)
      • TCP port 139 (session services)

    • NetBIOS enumeration tool
      • Nbtstat command

  • SMB enumeration
    • SBM enumeration tools
      • Enum 4 Linux
      • SMBClient
      • SMBMap
      • NSE Scripts

  • SNMP enumeration
    • SNMP enumeration tool
      • OpUtils
      • SolarWinds engineer's toolset
  • LDAP enumeration
  • NTP and NFS enumeration
    • Network time protocol (NTP)
    • NTP authentication
    • NFS enumeration

  • SMTP and DNS enumeration
    • Simple Mail Transfer Protocol (SMTP)
    • SMTP enumeration tool
      • NetScan tool
      • SMTP-user-enum
      • Telnet
    • DNS Zone Transfer Enumeration
  • Other Enumeration Techniques (IPsec, VoIP, RPC, Unix/Linux, Telnet, FTP, TFTP, SMB, IPv6, and BGP enumeration)
  • Enumeration Countermeasures
    • Use advanced security techniques
    • Install advanced security software
    • Use updated versions of protocols
    • Implement strong security policies
    • Use unique and difficult passwords
    • Ensure strong encrypted communication between client and server
    • Disable unnecessary ports, protocols, sharing, and default-enabled services

Earn your CEH, guaranteed!

Earn your CEH, guaranteed!

Get hands-on hacking experience and live expert, instruction. Enroll now to claim your Exam Pass Guarantee!

CEH domain 2

Certified Ethical Hacker, or CEH, is a certification intended for information security professionals who want to bring ethical hacking benefits to their organization. To earn this certification, you have to pass the CEH certification exam, which is now operating under the v4.0 Exam Blueprint, which has significantly changed the material covered in CEH Domain #2, reconnaissance techniques. Use this article as your roadmap to this domain of the CEH exam that you will have to master to earn this ethical hacking certification. 



Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.