5 exercises — CEH vs. CEH Practical exam formats, the Five Phases of Hacking, reconnaissance vs. enumeration vs. footprinting, white/black/grey hat classification, and privilege escalation vs. lateral movement. EC-Council CEH-specific offensive-security vocabulary.
Why precise CEH vocabulary matters
CEH vs. CEH Practical — knowledge-based multiple choice vs. live hands-on exploitation
Five Phases of Hacking — Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks
Reconnaissance vs. enumeration — passive information gathering vs. active service data extraction
White/black/grey hat — authorisation and intent define the legal and ethical boundary
Privilege escalation vs. lateral movement — same-system 'go up' vs. cross-system 'go across'
0 / 5 completed
1 / 5
EC-Council offers both a "CEH" exam and a separate "CEH (Practical)" exam. How do these two credentials differ, and why would a candidate pursue both?
The distinction between CEH (knowledge-based, multiple-choice) and CEH (Practical) (hands-on, live exploitation) is a frequent point of confusion for candidates researching the certification, since job postings sometimes list "CEH" ambiguously without specifying which. Earning both is marketed by EC-Council as achieving "CEH Master" status.
CEH exam-format vocabulary:
Standard CEH: 125 questions, 4 hours, multiple-choice, passing score varies by form (typically 60–85%, since EC-Council uses different exam forms with different difficulty weightings)
CEH Practical: 6 hours, 20 real-world hands-on challenges in a live lab environment, requiring the candidate to actually compromise systems, not just describe how to
Eligibility requires either completing official EC-Council training, or 2 years of documented information-security work experience submitted for approval
Recognising this two-tier structure matters when reading a résumé or job requirement — "CEH" alone signals theoretical knowledge, while "CEH Master" or "CEH Practical" signals demonstrated hands-on capability.
2 / 5
CEH structures its entire methodology around a defined sequence called the "Five Phases of Hacking." An exam question describes an attacker using whois lookups and reviewing a target company's public job postings to learn about their technology stack, without ever directly touching the target's network. Which phase is this?
CEH's Five Phases of Hacking are: (1) Reconnaissance, (2) Scanning, (3) Gaining Access, (4) Maintaining Access, (5) Covering Tracks — a memorised sequence tested repeatedly across the exam. The whois/job-postings example is passive reconnaissance specifically: information gathering with zero direct interaction with the target's systems, so there is nothing for the target to detect.
Full five-phase vocabulary and how each is distinguished:
Reconnaissance — passive (public sources, OSINT) vs. active (direct but low-noise probing, e.g. social engineering calls) information gathering
Scanning — actively probing with tools (Nmap, Nessus) to identify live hosts, open ports, and running services — this crosses into active, detectable interaction
Gaining Access — exploiting an identified vulnerability to obtain system access
Maintaining Access — establishing persistence (backdoors, rootkits) so access survives a reboot or session end
Covering Tracks — clearing logs and hiding evidence of the intrusion
Exam questions frequently give a short attacker-behaviour scenario and ask which phase it belongs to — the reconnaissance-vs-scanning boundary (passive/no-interaction vs. active/direct-interaction) is the single most common distinction tested.
3 / 5
A CEH question describes a penetration tester connecting to an open service (e.g. SMB or SNMP) on a target system specifically to extract usernames, share names, and system details that the service willingly reveals to any connected client. What term does CEH use for this activity, and how is it distinct from "scanning"?
CEH draws a precise sequential boundary: scanning answers "which ports/services are open?", while enumeration answers "now that I'm connected to that open service, what specific information does it hand over?" — usernames via SMB null sessions, community strings via SNMP, share names, DNS zone transfers, etc. Enumeration typically requires an active, often authenticated or semi-authenticated connection, one step beyond simply detecting that a port is open.
Related vocabulary tested in the same CEH domain:
Banner grabbing — connecting to a service and reading the response text it returns (e.g. an FTP server announcing its exact software version), used to identify exploitable software versions
NetBIOS/SMB enumeration — extracting Windows share and user information via null sessions
SNMP enumeration — extracting network device configuration data via default/guessable community strings
Footprinting — CEH sometimes uses this as a broader umbrella term covering both passive reconnaissance and some enumeration activity, so exam questions test whether you know it is the more general term, while "reconnaissance" and "enumeration" are its more specific sub-phases
Getting scanning/enumeration/footprinting boundaries right is a recurring CEH terminology test.
4 / 5
CEH materials classify attackers by ethics and authorisation. A tester who has explicit written permission from an organisation to attempt to breach its systems, strictly within an agreed scope, is called a _____ hat hacker — the category the CEH credential itself certifies candidates to operate as.
A white hat hacker operates with explicit, documented authorisation and stays within an agreed scope — this is precisely the professional role the CEH certification exists to formalise and legitimise (an "ethical hacker" performing authorised penetration testing).
The full hat-colour vocabulary CEH tests:
White hat — authorised, ethical, operates within a defined scope of engagement
Black hat — unauthorised, malicious intent, no permission sought
Grey hat — operates without explicit authorisation but without malicious intent (e.g. finding and reporting a vulnerability without being asked) — technically unauthorised and legally risky despite good intentions, a nuance CEH exam questions specifically test
Separately, CEH also tests the phrase "rules of engagement" — the formal document defining exactly what a white-hat tester is and is not permitted to do (which systems, what techniques, what time windows), and "scope creep" — when testing activity accidentally or deliberately extends beyond that agreed scope, a serious professional and legal violation even for an otherwise-authorised white-hat engagement.
5 / 5
A CEH exam question describes an attacker who has already gained a low-privilege foothold on a system and is now attempting to exploit a misconfigured scheduled task running as SYSTEM to gain administrator-level control. What is this technique called, and how does it differ from "lateral movement"?
Privilege escalation is a same-system, "go up" concept (low-privilege user → administrator/SYSTEM), typically exploiting misconfigurations, unpatched local vulnerabilities, or weak permissions on services/scheduled tasks. Lateral movement is a different-system, "go across" concept — using access or credentials gained on one machine to reach another machine on the network. CEH tests both as distinct, sequential post-exploitation techniques within the "Maintaining Access" phase.
Related post-exploitation vocabulary tested on CEH:
Vertical privilege escalation — explicitly the "low-privilege to admin" direction described above
Horizontal privilege escalation — gaining access to another account at the same privilege level (e.g. one regular user account accessing another regular user's data), distinct from vertical escalation
Pass-the-hash — a specific lateral movement technique using a captured password hash to authenticate to another system without ever cracking the actual plaintext password
Pivoting — using a compromised system as a relay point to reach otherwise-unreachable internal network segments, closely related to but not identical to lateral movement
Distinguishing "escalation" (same system, more power) from "lateral movement" (different system, using existing access) is one of the most consistently tested vocabulary pairs on the exam.
What will I practice in "Certified Ethical Hacker (CEH) Vocabulary — EC-Council Exam Language"?
This is a Certification Prep exercise set. It walks through 5 scenario-based multiple-choice questions built around real usage of Certification Prep terminology that IT professionals encounter on the job.
Is this exercise free to use?
Yes. Every exercise on CoderSlingo, including this one, is free to complete with no account, sign-up, or paywall.
How many questions are in this exercise?
This set contains 5 questions. Each one shows immediate feedback and a detailed explanation after you answer, so you learn the correct usage right away rather than waiting for a final score.
Do I need prior experience to complete this exercise?
No prior experience is required. Each question includes a full explanation covering the reasoning behind the correct answer, so the exercise itself teaches the Certification Prep vocabulary as you go.
Can I retry the exercise if I get questions wrong?
Yes — use the "Try again" button on the results screen to reset your answers and go through all the questions again. There is no limit on attempts.
Is my progress saved?
Your answers and score for the current session are tracked in the browser as you go. No account or login is needed, and there is nothing to install.
What if I don't understand a term used in a question?
Read the explanation shown after you answer each question — it breaks down the correct term in plain English with a real-world example. You can also check the site Glossary for quick definitions.
How is this different from reading a blog article on the topic?
Exercises like this one are interactive drills that test and reinforce specific vocabulary through multiple-choice questions, while blog articles explain concepts in prose. Practising here after reading builds active recall, not just passive recognition.
Where can I find more Certification Prep exercises?
See the Certification Prep exercises hub for the full set of related pages, or browse all exercise categories from the main Exercises index.
Can I use this exercise to prepare for a technical interview?
Yes — Certification Prep vocabulary comes up often in technical discussions and interviews. Pair this exercise with our dedicated Interview Preparation section for role-specific practice.