CEH exam domains: Comprehensive guide to all 9 knowledge areas (v13)

September 15, 2025 by Jeff Peters

Understanding how to get CEH certified begins with mastering the exam domains that form the foundation of ethical hacking expertise. The Certified Ethical Hacker (CEH) exam domains provide a structured framework for developing essential cybersecurity skills, and knowing these domains is crucial for anyone wondering how to get CEH certification successfully. 

EC-Council's CEH certification tests candidates across nine comprehensive knowledge areas that cover the five ethical hacking phases: Reconnaissance, Gaining Access, Enumeration, Maintaining Access and Covering Your Tracks. Each of these CEH exam domains equips security professionals with the thinking patterns and methodologies used by malicious hackers, but for legitimate defensive purposes. As EC-Council aptly states, "To catch a hacker, you need to think as one." The CEH certification empowers professionals to apply these insights lawfully while building robust security infrastructures that can withstand sophisticated attacks.

Major updates in CEH v13

EC-Council has recently updated the Certified Ethical Hacker exam blueprint from v4 to v5. While the core CEH domain breakdown remains consistent, their descriptions and weightings have been refined to reflect current cybersecurity attack vectors and defense strategies. For professionals learning how to get CEH certified, understanding these updates is essential for exam success.

The most significant advancement comes with the launch of CEH v13, which introduces an AI-powered framework integrated throughout the existing CEH exam content outline. This enhancement provides professionals with comprehensive knowledge of ethical hacking methodologies augmented by artificial intelligence techniques. The CEH v13 domains prepare candidates to leverage AI across all five ethical hacking phases: reconnaissance, scanning, gaining access, maintaining access and covering tracks.

This integration of AI throughout the CEH certification domains reflects how modern ethical hacking techniques have evolved to counter increasingly sophisticated threats in today's security landscape. For those pursuing CEH certification, these updates represent both new learning opportunities and additional areas to master.

Domain 1: Information security and ethical hacking overview

Weightage: 6%

Domain 1 establishes the foundational knowledge that the other ethical hacking knowledge areas build on. It covers:

  • Basic information security and ethical hacking concepts
  • Cyber kill chain methodology
  • Information security controls and standards
  • Key terminology (hack value, zero-day attack, daisy chaining)
  • Elements of information security
  • Legal and regulatory frameworks

The "Introduction to Ethical Hacking" subdomain explains why ethical hacking is necessary, outlines the phases of systematic penetration testing methodology and details both technical and non-technical skills required for successful security vulnerability assessment.

This domain sets the stage for understanding how ethical hacking techniques apply within legitimate security operations, providing context for the more technical domains that follow in your CEH certification journey.

Domain 2: Reconnaissance techniques

Weightage: 17%

Domain 2 focuses on the initial information gathering phase of ethical hacking, covering three critical subdomains that are essential for CEH exam success:

Footprinting and reconnaissance

The footprinting subdomain teaches how to gather intelligence on target systems. Candidates must understand various footprinting objectives:

  • Assessing security posture
  • Reducing attack surface focus areas
  • Identifying potential vulnerabilities
  • Creating comprehensive network maps

This section covers techniques for footprinting through search engines, web services, social networking sites and social engineering methods.

Scanning networks

Network scanning objectives include identifying:

  • Live hosts on networks
  • Open and closed ports
  • Operating system information
  • Services and processes running on networks
  • Security devices like firewalls
  • System architecture
  • Potential vulnerabilities

Candidates learn various scanning techniques and tools essential for thorough network security examination.

Enumeration

The enumeration subdomain details how to extract specific information from discovered systems, including:

  • Different types of enumeration: NetBIOS, SMB, SNMP, LDAP, NTP, NFS, SMTP and DNS
  • Techniques for enumerating email IDs, default passwords and SNMP services
  • Essential enumeration countermeasures to prevent information disclosure

These reconnaissance skills form the foundation of the ethical hacking process, enabling professionals to gather crucial intelligence before attempting more advanced penetration techniques. Mastering these concepts is crucial for anyone wondering how to get CEH certified effectively.

Domain 3: System hacking phases and attack techniques

Weightage: 15%

Domain 3 covers the methodology for identifying and exploiting system vulnerabilities. This domain explores:

Vulnerability analysis

This subdomain addresses various vulnerability assessment approaches essential for CEH professionals:

  • Active vs. passive assessment
  • External vs. internal assessment
  • The vulnerability assessment lifecycle:
    • Creating a baseline
    • Vulnerability assessment
    • Risk assessment
    • Remediation
    • Verification
    • Continuous monitoring

Understanding these assessment methodologies helps ethical hackers identify security loopholes in an organization's infrastructure.

System hacking

The system hacking subdomain focuses on password cracking methods, including:

  • Authentication factors
    • Something you know
    • Something you are
    • Something you possess/have
  • Password attack types
    • Non-electronic attacks
    • Active online attacks
    • Passive online attacks
    • Default password exploitation
    • Offline attacks

This section also covers executing remote applications and techniques for hiding files and maintaining access.

Malware threats

The malware section explores various types of malicious software and their analysis:

Malware propagation methods:

  • Free software downloads
  • File-sharing services
  • Removable media
  • Email communications
  • Inadequate security measures

Purpose of trojans:

  • Creating backdoors
  • Gaining unauthorized access
  • Information theft
  • Infecting connected devices
  • Ransomware attacks
  • Using victims for spamming

Types of trojans:

  • Command shell trojans
  • Defacement trojans
  • HTTP/HTTPS trojans
  • Botnet trojans
  • Proxy server trojans
  • Remote access trojans (RAT)

Goals of malware analysis:

  • Assessing threat severity
  • Identifying malware types
  • Determining attack impact
  • Building defensive measures
  • Finding root causes
  • Developing incident response actions
  • Creating effective anti-malware solutions

Domain 3 equips ethical hackers with the knowledge to understand system vulnerabilities and the techniques attackers use to exploit them, enabling more effective hacking countermeasures.

Domain 4: Network and perimeter hacking

Weightage: 24%

With the highest weightage of any CEH exam domain, Domain 4 covers several critical network attack vectors and defensive strategies:

Sniffing

Sniffing involves monitoring and capturing data packets traveling through networks. This section covers:

  • Active vs. passive sniffing techniques
  • Various attack methodologies:
    • MAC attacks
    • DHCP attacks
    • ARP poisoning
    • Spoofing attacks
    • DNS poisoning
  • Countermeasures to protect against sniffing attempts

Social engineering

The social engineering subdomain examines human-focused attack methods:

  • Vulnerabilities exploited in social engineering attacks
  • The four phases of social engineering:
    • Research
    • Target selection
    • Relationship building
    • Exploitation
  • Human-based, computer-based, and mobile-based techniques
  • Preventative measures and awareness training

Denial-of-service

This section explores attacks that render web properties inaccessible:

  • DoS concepts and tools
  • Attack techniques including:
    • Volumetric attacks
    • Fragmentation attacks
    • TCP-state-exhaustion attacks
    • Application layer attacks
    • Bandwidth attacks
    • Service request floods
    • SYN flooding
    • ICMP flood attacks
    • Peer-to-peer attacks
    • Permanent denial-of-service
    • Application-level floods
    • Distributed reflection denial-of-service (DRDoS)
  • Effective countermeasures for each attack type

Session hijacking

Session hijacking involves taking control of legitimate user sessions:

  • Application-level session hijacking techniques
  • Network-level session hijacking methods
  • The process and tools used in session takeovers
  • Detection and prevention strategies

Evading IDS, firewalls and honeypots

The final subdomain covers evasion techniques:

  • IDS, IPS, firewall, and honeypot concepts
  • Methods for bypassing security controls
  • Evasion techniques for network access control (NAC) and endpoint security
  • Countermeasures to prevent evasion attempts

Domain 4's comprehensive coverage of network attack vectors makes it a crucial component of the CEH exam, preparing professionals to defend against a wide range of threats.

Domain 5: Web application hacking

Weightage: 14%

Domain 5 explores the vulnerabilities and attack methodologies targeting web-based applications:

Hacking web servers

This subdomain covers various web server attack types:

  • DoS/DDoS attacks
  • DNS server hijacking
  • DNS amplification
  • Directory traversal
  • Man-in-the-middle/sniffing
  • Phishing attacks
  • Website defacement
  • Server misconfiguration
  • HTTP response splitting
  • Web cache poisoning
  • SSH brute-force attacks

The web server attack methodology follows these steps:

  • Information gathering
  • Web server footprinting
  • Vulnerability scanning
  • Session hijacking
  • Password cracking

Hacking web applications

This comprehensive section examines web application vulnerabilities, testing methodologies and attack vectors that threaten modern web properties.

SQL injection

SQL injection attacks use malicious SQL code to manipulate database-driven applications:

  • Impact parameters:
    • Authentication bypass
    • Sensitive information disclosure
    • Data integrity compromise
    • Database destruction
    • Remote code execution
  • SQL injection types:
    • In-band SQLi
    • Inferential SQLi
    • Out-of-band SQLi
  • Prevention techniques and secure coding practices

Web application security testing is a critical skill for ethical hackers as organizations increasingly rely on web-based services for their operations.

Domain 6: Wireless network hacking

Weightage: 5%

Domain 6 addresses vulnerabilities in wireless infrastructure, covering:

  • Wireless network concepts and protocols
  • Encryption standards and their weaknesses
  • Common wireless threats and attack vectors
  • Systematic wireless hacking methodology
  • Specialized wireless hacking tools
  • Bluetooth vulnerabilities and exploitation
  • Wireless attack countermeasures
  • Tools for securing wireless networks

As wireless connectivity becomes ubiquitous, understanding these vulnerabilities is essential for comprehensive network security.

Domain 7: Mobile platform, IoT, and OT hacking

Weightage: 10%

This domain examines threats to mobile devices, Internet of Things (IoT) and Operational Technology (OT) systems:

Hacking mobile platforms

The mobile section covers:

  • Platform-specific attack vectors
  • OWASP top 10 mobile threats
  • Common vulnerabilities in mobile operating systems
  • Detailed analysis of Android and iOS hacking techniques
  • Overview of attacks against other mobile platforms
  • Mobile device management and security controls

IoT and OT hacking

IoT and OT systems present unique security challenges:

  • Fundamental concepts of IoT and OT environments
  • Common attack methodologies targeting connected devices
  • Vulnerabilities in industrial control systems
  • Specialized hacking techniques for IoT devices
  • Security frameworks and defensive strategies
  • Risk assessment and mitigation approaches

This domain prepares ethical hackers to address security concerns in increasingly connected environments where traditional IT and operational technologies converge.

Domain 8: Cloud computing

Weightage: 5%

Domain 8 focuses on cloud technologies and their security implications, important for modern CEH professionals:

  • Core cloud computing concepts:
    • On-demand self-service
    • Distributed storage
    • Rapid elasticity
    • Measured services
    • Automated management
    • Virtualization
  • Cloud service models:
    • Infrastructure-as-a-Service (IaaS)
    • Platform-as-a-Service (PaaS)
    • Software-as-a-Service (SaaS)
  • Container technologies and microservices
  • Serverless computing architectures
  • Common cloud threats:
    • Data breaches and losses
    • Abuse of cloud services
    • Insecure interfaces and APIs
  • Cloud security control layers
  • Shared security responsibility models

As organizations migrate to cloud environments, understanding these concepts becomes increasingly important for security professionals.

Domain 9: Cryptography

Weightage: 5%

The final CEH exam domain addresses cryptographic principles and techniques:

  • Ciphertext concepts and applications
  • Symmetric vs. asymmetric cryptography
  • Various encryption algorithms and their strengths
  • Common cryptographic tools and their usage
  • Public Key Infrastructure (PKI) implementation
  • Certificate management and digital signatures
  • Cryptanalysis methods for identifying weaknesses
  • Techniques for strengthening cryptographic systems

Understanding how cryptographic systems are attacked helps ethical hackers evaluate the effectiveness of encryption implementations and recommend appropriate security controls for protecting sensitive information.

How to get CEH certified: Your next steps

The Certified Ethical Hacker exam provides an excellent pathway for security professionals to demonstrate their knowledge of penetration testing methodologies and ethical hacking techniques. Understanding how to get CEH certification involves mastering all nine domains while meeting the necessary prerequisites.

The CEH certification is particularly valuable for:

  • Security officers and analysts
  • IT auditors and compliance specialists
  • Network administrators
  • Penetration testers
  • Security consultants
  • Anyone responsible for network security

CEH certification requirements

When considering how to get CEH certified, it's important to understand the eligibility requirements:

  • Option 1: Attend official EC-Council training
  • Option 2: Have at least two years of work experience in information security (with EC-Council application approval)
  • Option 3: Have a related academic degree or relevant security certifications

With the demand for ethical hackers continuing to rise, obtaining the CEH credential can lead to enhanced job prospects and potentially higher compensation. Whether you're aiming to join a red team, work as a penetration tester, or provide freelance security consulting, the CEH certification validates your skills in this high-demand field.

To prepare for the exam, explore our comprehensive CEH study resources that align with all nine CEH certification domains. For strategies to maximize your chances of success, check out our CEH exam tips. Before applying, make sure you understand the CEH exam eligibility requirements to ensure a smooth application process.

EC-Council offers its own preparatory courses, but Infosec Institute provides tailored training options that match different learning styles and needs, helping you master the ethical hacking knowledge areas required for certification success.

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.