This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
EC-Council CEH® Practical (CEH-Practical)
The EC‑Council CEH Practical exam trains professionals to conduct reconnaissance, vulnerability analysis, system and web exploitation, and network security defenses in a real‑time, six‑hour proctored lab.
Who Should Take This
It is intended for security analysts, penetration testers, and IT engineers with at least two years of hands‑on experience who seek to validate their exploitation skills and meet industry‑recognized certification standards. They aim to deepen practical knowledge, demonstrate real‑world attack capabilities, and advance career prospects in cyber security consulting, incident response, or security architecture.
What's Covered
1. Reconnaissance and Information Gathering
2. Vulnerability Analysis
3. System Exploitation
4. Web Application Exploitation
5. Network Security
6. Cloud and Cryptography
7. Reporting and Documentation
Course Outline
60 learning goals
1. Reconnaissance and Information Gathering (2 topics)
Host and network discovery
- Apply Nmap host discovery using ping sweep, ARP scan, TCP SYN ping, and UDP probe to identify live systems on target network ranges.
- Apply Nmap port scanning with service version detection, OS fingerprinting, and aggressive mode to enumerate services on discovered hosts.
- Apply Nmap Scripting Engine (NSE) scripts for vulnerability checks, default credential testing, and service-specific enumeration on target hosts.
- Apply DNS enumeration using dig, nslookup, DNSRecon, and fierce to discover subdomains, zone transfer vulnerabilities, and infrastructure mapping.
- Apply Masscan and Rustscan for rapid large-scale port discovery to complement Nmap detailed scanning across extensive target ranges.
- Analyze reconnaissance results to construct target profiles, mapping services to hosts and prioritizing attack vectors by exploitability.
Service enumeration
- Apply SMB enumeration using enum4linux, smbclient, CrackMapExec, and smbmap to extract user lists, share permissions, and domain information.
- Apply SNMP enumeration using snmpwalk, onesixtyone, and snmp-check to extract system information, network interfaces, and routing tables.
- Apply LDAP enumeration using ldapsearch and windapsearch to extract AD objects, user attributes, group memberships, and trust relationships.
- Apply NFS, RPC, FTP, and SMTP enumeration to identify exported shares, remote endpoints, anonymous access, and valid email addresses.
- Apply OSINT tools including theHarvester, Recon-ng, and SpiderFoot to gather email addresses, employee names, and public-facing infrastructure.
2. Vulnerability Analysis (1 topic)
Automated and manual scanning
- Apply Nessus vulnerability scanning in credentialed and uncredentialed modes to identify CVEs, misconfigurations, and missing patches.
- Apply Nikto, OWASP ZAP, and WPScan to discover web application vulnerabilities, injection flaws, and CMS-specific weaknesses.
- Apply searchsploit, ExploitDB, and CVE database queries to identify exploit code and proof-of-concept scripts for discovered service versions.
- Analyze vulnerability scan output to differentiate true positives from false positives and prioritize findings by CVSS score and exploitability.
- Design phased exploitation plans starting with highest-confidence attack vectors and structuring approaches for time-constrained practical exams.
3. System Exploitation (3 topics)
Initial access techniques
- Apply Metasploit Framework to select exploits, configure reverse and bind shell payloads, and gain initial access on vulnerable Windows targets.
- Apply Metasploit exploitation against Linux targets using service-specific modules, web application exploits, and custom payload configurations.
- Apply password cracking using Hydra, Medusa, and CrackMapExec to brute-force SSH, RDP, FTP, SMB, and web authentication services.
- Apply offline password cracking using John the Ripper and Hashcat with wordlists, rules, and mask attacks against captured password hashes.
- Apply manual exploitation using public exploit code, custom scripts, and one-liner payloads when automated frameworks lack working modules.
Privilege escalation
- Apply Linux privilege escalation using kernel exploits, SUID binaries, cron job abuse, writable PATH, and sudo misconfigurations to obtain root.
- Apply Windows privilege escalation using token impersonation, SeImpersonatePrivilege abuse, unquoted service paths, and DLL hijacking for SYSTEM.
- Apply LinPEAS, WinPEAS, PowerUp, and BeRoot automated enumeration to rapidly identify privilege escalation vectors on compromised hosts.
- Apply Windows UAC bypass techniques and registry-based escalation methods to elevate from standard user to administrator privileges.
Post-exploitation and lateral movement
- Apply lateral movement using pass-the-hash, PsExec, WMI execution, and CrackMapExec to expand access across Windows domain environments.
- Apply SSH pivoting and SOCKS proxy tunneling using Chisel, ligolo-ng, and SSH port forwarding to access internal network segments.
- Apply credential harvesting using Mimikatz, LaZagne, browser credential extraction, and SAM/NTDS.dit dumping for additional access.
- Apply data exfiltration using DNS tunneling, HTTP channels, netcat, and encrypted transfers to extract sensitive data from targets.
- Apply persistence using cron jobs, registry keys, startup scripts, web shells, and backdoor accounts to maintain access on hosts.
- Analyze post-exploitation findings to document compromised systems, extracted data, lateral movement paths, and overall network exposure.
4. Web Application Exploitation (2 topics)
Injection attacks
- Apply SQL injection using SQLMap with tamper scripts to extract database contents, bypass authentication, and read server files.
- Apply manual SQL injection including union-based, error-based, blind boolean, and time-based techniques when automated tools are insufficient.
- Apply XSS attacks including reflected, stored, and DOM-based cross-site scripting to steal session cookies and demonstrate impact.
- Apply command injection and server-side template injection to achieve remote code execution through input validation weaknesses.
- Apply LFI, RFI, and path traversal combined with log poisoning, PHP wrapper abuse, and null byte injection for code execution.
- Apply file upload exploitation bypassing extension filters, content-type checks, and WAF rules to deploy and execute web shells.
Authentication and access attacks
- Apply Burp Suite request interception, modification, and replay for parameter tampering, hidden field manipulation, and authentication bypass.
- Apply brute-force and credential stuffing against web login forms using Burp Intruder with CSRF token extraction and rate limit evasion.
- Apply IDOR attacks to access unauthorized user data, administrative functions, and internal resources by manipulating object references.
- Apply CSRF, SSRF, and JWT token manipulation to forge requests, access internal services, and bypass authentication mechanisms.
- Analyze web application security to chain multiple vulnerabilities into complete attack paths from initial access to full compromise.
5. Network Security (2 topics)
Network attacks and pivoting
- Apply Wireshark packet capture and protocol analysis to extract credentials, reconstruct sessions, and identify network attack patterns.
- Apply ARP spoofing using arpspoof or Ettercap to perform MITM attacks and intercept plaintext credentials on switched networks.
- Apply IDS and firewall evasion using fragmentation, decoy scanning, encoding, and timing manipulation during exploitation activities.
- Apply Responder and mitm6 to capture NTLMv2 hashes through LLMNR, NBT-NS, and DHCPv6 poisoning on Windows networks.
Wireless exploitation
- Apply aircrack-ng to capture WPA2 handshakes, perform deauthentication attacks, and crack wireless passwords using dictionary methods.
- Apply evil twin AP creation using hostapd and dnsmasq to intercept wireless traffic and perform credential capture via captive portals.
- Analyze wireless security assessment results to identify vulnerable APs and weak configurations, and recommend remediation measures.
- Apply Bluetooth and BLE scanning using bettercap and hcitool to discover nearby devices, enumerate services, and identify insecure pairing configurations.
6. Cloud and Cryptography (2 topics)
Cloud exploitation
- Apply cloud enumeration to discover misconfigured S3 buckets, exposed Azure blobs, open GCP resources, and public cloud databases.
- Apply SSRF metadata service abuse and IAM privilege escalation techniques on cloud-hosted targets to access internal resources.
- Analyze cloud security posture to identify permissive IAM policies, exposed secrets, and lateral movement opportunities across services.
- Apply container escape techniques and Kubernetes exploitation to break out of containerized environments and access underlying host infrastructure.
Cryptography and steganography
- Apply hash identification and cracking for MD5, SHA-1, SHA-256, NTLM, and bcrypt using rainbow tables, wordlists, and rule-based attacks.
- Apply SSL/TLS vulnerability testing to identify weak ciphers, expired certificates, protocol downgrades, and Heartbleed on target services.
- Apply steganography detection using StegSolve, StegHide, binwalk, and zsteg to discover hidden data in images, audio, and binary formats.
7. Reporting and Documentation (1 topic)
Evidence and reporting
- Apply systematic evidence collection including screenshots, command outputs, timestamps, and proof-of-concept artifacts for each exploitation step.
- Design structured penetration test reports with risk ratings, impact analysis, exploitation evidence, and prioritized remediation recommendations.
- Analyze complete attack chains from reconnaissance through exploitation to recommend detection rules, defensive controls, and architecture improvements.
Scope
Included Topics
- All hands-on challenges in the 6-hour CEH Practical exam on live target environments.
- Network reconnaissance, scanning, service enumeration, and vulnerability assessment using real tools.
- System exploitation, privilege escalation, lateral movement, persistence, and credential harvesting.
- Web application attacks including SQL injection, XSS, command injection, file inclusion, and session manipulation.
- Wireless attacks, cloud exploitation, cryptographic hash cracking, steganography, and network pivoting.
- Evidence documentation, attack chain analysis, and penetration test report writing.
Not Covered
- Theoretical multiple-choice questions covered by CEH 312-50.
- Advanced multi-network pivoting and 24-hour testing covered by CPENT and LPT.
- Digital forensics, evidence handling, and chain of custody covered by CHFI.
- Secure development and source code review covered by CASE and ECSP.
- SOC monitoring, SIEM operations, and continuous threat detection covered by CSA.
Official Exam Page
Learn more at EC-Council