CEH Reconnaissance Phase: What to Learn for the Exam

The CEH exam dedicates a significant portion of its questions to the footprinting and reconnaissance phase. This stage of the kill chain is where attackers gather intelligence before any active scanning begins. For certification candidates, knowing which topics carry weight—and which tools to practice—makes the difference between a pass and a fail.

Core Knowledge Areas in the CEH Reconnaissance Phase

EC-Council structures the CEH around a five-phase kill chain, with footprinting and reconnaissance as the first phase [4]. The exam tests both passive and active reconnaissance methods. Passive reconnaissance involves gathering data without directly interacting with the target—searching public registries, DNS records, WHOIS databases, and search engine caches. Active reconnaissance involves direct interaction, such as pinging or making HTTP requests, which risks detection. Candidates must understand the legal boundaries of each approach and identify which technique applies to a given scenario. The exam also covers competitive intelligence gathering, social engineering precursors, and OSINT frameworks.

Essential Tools to Practice

Tool knowledge is heavily tested in CEH, and the reconnaissance phase has a defined toolkit. The following table lists the primary tools candidates should configure in a lab environment and understand at a functional level:

ToolPurposeExam Relevance
NmapNetwork discovery and port scanningHigh — used in active reconnaissance for host and service detection
MaltegoOSINT and link analysisHigh — passive footprinting via entity relationship mapping
WHOIS lookup toolsDomain registration dataMedium — extracting registrar, nameserver, and contact information
ShodanInternet-facing device searchMedium — identifying exposed services and infrastructure
theHarvesterEmail and subdomain enumerationMedium — aggregating data from public sources
Google DorkingAdvanced search operatorsHigh — extracting sensitive files and directories from indexed content

Coursera’s ethical hacking roadmap similarly prioritizes Nmap for reconnaissance as a foundational lab tool [3]. Practice these in isolated virtual environments to build hands-on familiarity, not just theoretical knowledge.

Techniques and Concepts Tested on the Exam

Beyond individual tools, the exam evaluates your understanding of reconnaissance methodologies. Expect scenario-based questions on DNS enumeration—specifically how to use NSLOOKUP, DIG, and zone transfer attempts to map subdomains. Email harvesting techniques, including extracting addresses from public forums and using SMTP VRFY commands, appear regularly. Web footprinting covers spidering, mirroring websites with tools like HTTrack, and extracting metadata from publicly available documents. Candidates should also understand network footprinting concepts such as traceroute analysis, BGP and AS number lookups, and how to correlate routing information to infer network topology. The distinction between footprinting an organization versus footprinting an individual is another frequently tested nuance.

Study Strategy for This Phase

Start with the official CEH courseware to understand the exam’s terminology and framing, then layer in hands-on practice. The CEH v13 curriculum explicitly covers the full kill chain from footprinting through covering tracks [4]. Build a small lab with two or three virtual machines and practice each tool against known targets. Document what each tool returns and why. For passive techniques, use your own domain or publicly available test ranges. Focus on understanding output interpretation—the exam frequently presents command output and asks you to identify the next logical step or the vulnerability indicated. Complement tool practice with foundational security reading; resources like the CERT.br security booklets provide structured reference material on internet security fundamentals that reinforce the “why” behind reconnaissance [1][2].

FAQ

Is reconnaissance the most heavily tested phase on the CEH?

It is one of the most heavily tested phases, along with scanning and system hacking. Reconnaissance questions appear throughout the exam, not just in a single section, because the intelligence gathered here informs every subsequent phase.

Do I need to memorize command-line flags for Nmap?

Yes, to a practical degree. You should recognize common flags such as -sS (SYN scan), -sV (version detection), -O (OS detection), and -sn (ping sweep). The exam presents output and expects you to identify which flags produced it or which flag is appropriate for a given requirement.

Sources

[1] Fascículos – Cartilha de Segurança para Internet – CERT.br

[2] CERT.br – Governo Digital

[3] Ethical Hacking Learning Roadmap: From Beginner to Expert (2026) | Coursera

[4] Certified Ethical Hacker (CEH) | EC-Council

Scroll to Top