The Certified Ethical Hacker (CEH) credential organizes offensive security work into a structured five-phase methodology that mirrors how real-world penetration tests are planned and executed. Understanding this framework is essential both for passing the exam and for applying ethical hacking skills professionally [1].
The Five Phases of the CEH Methodology
EC-Council structures the CEH body of knowledge around a linear methodology that progresses from passive intelligence gathering through active exploitation and post-attack analysis. The framework is designed to be repeatable, documented, and defensible—qualities that distinguish ethical hacking from unauthorized access [3]. Each phase builds on the output of the previous one, creating a logical chain from initial target selection to final reporting.
Phase 1: Reconnaissance
Reconnaissance is the information-gathering stage and is typically the most time-consuming phase. The CEH curriculum divides it into passive and active sub-types. Passive reconnaissance involves collecting publicly available data—OSINT, DNS records, WHOIS lookups, social media profiling, and search engine dorking—without directly interacting with the target. Active reconnaissance involves direct contact, such as port scanning or banner grabbing, which may be logged by the target’s defenses. The goal is to build a comprehensive profile of the target’s infrastructure, technology stack, and potential entry points before any attempt to exploit a system [2].
Phases 2 and 3: Scanning and Enumeration
Scanning takes the intelligence from reconnaissance and uses it to actively probe the target for live hosts, open ports, running services, and known vulnerabilities. Tools covered at this stage include Nmap, Nessus, and NetBIOS scanners. Enumeration follows scanning and focuses on extracting actionable details from discovered services—usernames, group memberships, shared resources, network topology, and application versions. The distinction matters: scanning identifies what is running; enumeration identifies specific details about what is running. Together, these two phases produce the attack surface map that feeds directly into exploitation decisions [4].
Phase 4: Gaining Access
This phase involves actively exploiting identified vulnerabilities to gain unauthorized access to systems or data. The CEH exam covers a broad range of attack vectors at this stage: system-level exploits, web application attacks (SQL injection, XSS, CSRF), network protocol attacks, wireless exploitation, and cloud-specific attack paths. Candidates are expected to understand not only how exploits work but also the underlying vulnerability classes—such as buffer overflows, authentication bypasses, and misconfigurations—that make them possible. The emphasis is on demonstrating the practical impact of each vulnerability in a controlled, authorized context [5].
Phase 5: Maintaining Access and Covering Tracks
After gaining access, the methodology addresses persistence and operational security. Maintaining access covers techniques like backdoors, rootkits, trojans, and scheduled tasks that allow an attacker to retain footholds even if the initial entry point is closed. Covering tracks involves log manipulation, file timestamp alteration, and steganography to obscure evidence of the compromise. In an ethical hacking engagement, these phases are critical because they demonstrate the full risk profile—if an attacker can persist undetected, the remediation requirements change significantly compared to a single-point breach [6].
How the Methodology Maps to the CEH Exam
The 125-question, multiple-choice CEH exam tests knowledge across all five phases, though questions are not presented in sequential order. The following table summarizes the core focus areas within each phase as they appear on the exam:
| Phase | Core Exam Topics | Key Tools Referenced |
|---|---|---|
| Reconnaissance | OSINT, footprinting, Google dorking, DNS/WHOIS | Maltego, Shodan, theHarvester |
| Scanning | Port scanning, vulnerability assessment, IDS evasion | Nmap, Nessus, Nikto |
| Enumeration | NetBIOS, SNMP, LDAP, SMB extraction | enum4linux, SNMPwalk |
| Gaining Access | System, web app, wireless, cloud exploits | Metasploit, Burp Suite, SQLmap |
| Maintaining Access / Covering Tracks | Rootkits, backdoors, log clearing, steganography | Netcat, CrypTool, log cleaners |
FAQ
Is the CEH methodology linear or can phases overlap?
The framework is presented linearly for instructional clarity, but in practice phases frequently overlap. Enumeration often loops back into additional scanning when new subnets or services are discovered, and gaining access on one system may trigger new reconnaissance against lateral targets.
Does the CEH exam test hands-on tool usage or conceptual knowledge?
The standard CEH (Knowledge) exam is a multiple-choice test that validates conceptual understanding of tools, techniques, and methodology rather than live tool operation. EC-Council offers a separate practical (CEH Practical) exam for hands-on validation [4].
Sources
[1] NICCS – Certified Ethical Hacker (CEH) from Global Information Technology
[2] EC-Council University – Ethical Hacking & Countermeasures
[3] EC-Council – Certified Ethical Hacker (CEH)
[4] CybersecurityGuide – CEH Certification Guide
[6] Ethical Hacking Institute – Ethical Hacking Basics for CEH Beginners