How I Cracked CEH Practical with 18/20 score
https://www.linkedin.com/in/vikaschahal01
Hello Hackers, in this blog I will be sharing my secret strategy on how I cleared my CEH (Certified Ethical Hacker) Practical exam in the first attempt. In the next 10 minutes, you will have a whole roadmap in front of you on what CEH (Practical) is, who can take this exam and what things are required to clear this exam, along with my strategy.
I would like to begin with a brief explanation of what the exam is.
CEH Practical gives you 2 machines with several technical tasks given on a side panel attached to the machines on the exam portal. One machine has Parrot OS and the other has Windows 2016 server. Parrot OS does not have access to the internet, and you have to connect to the Windows server through Remmina, which will have access to the internet.
In my case, there were two Windows servers available, which I found after scanning the subnet with nmap, and I connected through Remmina to the other IP. You are required to use both machines as the questions will be related to both of them. During the exam, no one should be in your room and you need to keep your camera and microphone turned on and share your screen with them. They record the entire session.
Also, this exam is proctored and you have 6 hours to solve 20 tasks. You are allowed to take a break of 15 minutes during the exam, which I did. The minimum score to pass this exam is 70%, which is 14 out of 20 tasks. The exam is completely on the iLabs environment and if you have watched the iLabs videos or have purchased the course, you will be familiar with it. I myself did not purchase the course as I felt I could find enough resources for free.
My recommendations.
- I would like to recommend that you choose a suitable place to sit for the exam and have at least 30 Mbps of internet bandwidth.
- Keep a bottle of water and a snack with you if you’re an anxious eater like me during the exam.
Exam Details
- Exam Title: Certified Ethical Hacker (Practical)
- Number of Practical Challenges: 20
- Exam Duration: 6 hours
- Exam Infrastructure: iLabs (browser-based)
- Exam Format: iLabs Cyber Range
- Passing Score: 70% (14 Questions out of 20)
- Certificate validity: 3 years
How to enroll for CEH Practical?
Go to the EC-Council official website and read through everything you need to know https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-practical/
Create Account: Create an account on EC-Council’s Aspen portal.
Fill in the form and an official will contact you. You can ask them for a voucher and they will explain everything to you.
Tools used in the exam
1) Nmap
2) Snow (steganography)
3) OpenStego
4) Wpscan
5) Wireshark
6) SqlMap
7) OWASP ZAP
8) Hashcat
9) John
10) Hydra
11) VeraCrypt
12) CrypTool
13) Hash Calculator
14) MD5 Calculator
15) PhoneSploit
16) Metasploit
17) BCTextEncoder
Sample Questions
- Find the IP address of the machine which is running the RDP?
- Identify the Domain Controller.
- Exploit the service on this subnet(Subnet or IP given in Exam).
- Find severity score of this vulnerability you found.
- Use Openstego to get the data from a file.
- Exploit SQLi on this website.
- Given a malware find its entry point.
- Bruteforce this service and find username and password.
- Given a hash crack it.
- Find the IP that attacker used to DDoS the server.
Windows
There were more Windows-based questions, so you have to practice on Windows GUI tools like the ones mentioned below.
1) “Open Stego” for Steganography
https://www.openstego.com/
2) “WireShark” for Pcap analysis
https://www.wireshark.org/download.html
3) “ZAP” for SQL injection exploit
https://www.zaproxy.org/download/
4) “Veracrypt” for Disk Decryption
https://www.veracrypt.fr/en/Downloads.html
5) “Hash calculator” to find the hash of the file
https://www.slavasoft.com/hashcalc/
6) “MD5 Calculator” to compare the hashes
http://www.md5calculator.com/
7) “CrypTool” and “BCTextEncoder” to crack the encoded files
https://www.jetico.com/free-security-tools/encrypt-text-bctextencoder
Windows based Commands which will help you to find the answers.
1) net user — For Domain Users Enumeration
2) snow.exe -C -p "password" stegfile.txt
3) type C:\path.txt — It displays the content of the path.txt file.
4) dir
5) cd
6) hostname
7) whoami
8) pwd
Before taking the exam, it's very important to practice with these tools, because the whole exam is based on them and you should definitely know them.
Linux
Linux based tools
1) Nmap
2) wpscan
3) sqlmap
4) hashcat
5) john
6) Hydra
7) PhoneSploit
8) Metasploit
Commands used during the exam
1) Nmap
nmap -sn 170.16.0.1/24 -oN nmap.txt
nmap -O 170.16.0.1/24 -oN nmap-OS.txt
nmap -sC -sV -sS 170.16.0.20 -oN nmap-all.txt
2) wpscan
wpscan --url http://172.16.0.27:8080/CEH/ -U james -P /password.txt
3) sqlmap
I didn’t use “sqlmap” for any SQL injection related question. In case you get any questions related to SQL injection, use this GitHub repo; you will find some useful commands.
https://github.com/cmuppin/CEH/blob/main/SQL%20Injection
4) “hashcat” and “john”
If you get questions related to hash cracking, use this GitHub repo; you will find some useful commands.
https://github.com/cmuppin/CEH/blob/main/Cryptography
6) Hydra
hydra -L /user.txt -P /password.txt ftp://172.0.16.21
7) Phonesploit
To exploit the Android device and get the reverse shell, these commands will help you. PhoneSploit will be installed in the root folder; if you don’t find it, use a command like “find phonesploit”.
https://github.com/cmuppin/CEH/blob/main/Android
8) Metasploit
If you get any questions related to NetBIOS or SMB, use Metasploit.
Resources
- Damn Vulnerable Web Application (DVWA)
DVWA is a PHP/MySQL vulnerable website that’s made to be easy to hack. It’s used to practice common web problems. It has different levels of difficulty. DVWA is important for the CEH (Practical) exam. It’s a good idea to practice on DVWA because the exam might have similar challenges.
You can refer to the link https://bughacking.com/dvwa-ultimate-guide-first-steps-and-walkthrough/ for a full guide on the setup and use of DVWA.
- Hack The Box (Challenges Steganography and Web) (https://www.hackthebox.eu/)
- Vulnhub (Machines Easy to Medium) (https://www.vulnhub.com/)
- TryHackMe (https://tryhackme.com/)
I enjoyed this platform a lot! It is an online platform for learning cybersecurity using hands-on exercises and labs. You can use a free version, but you can even use a paid one for a better experience.
There are many rooms but below I listed the ones I think are helpful for the exam along with the topics.
- Linux fundamentals: https://tryhackme.com/module/linux-fundamentals
- Hashing: https://tryhackme.com/room/hashingcrypto101 https://tryhackme.com/room/crackthehash
- John The Ripper: https://tryhackme.com/room/johntheripper0
- Hydra: https://tryhackme.com/room/hydra
- Burp Suite: https://tryhackme.com/room/rpburpsuite
- Network Services: https://tryhackme.com/room/networkservices https://tryhackme.com/room/networkservices2
- Metasploit: https://tryhackme.com/room/rpmetasploit
- Nmap: https://tryhackme.com/room/furthernmap
- Wireshark: https://tryhackme.com/room/wireshark
- SQL Injection: https://tryhackme.com/room/sqlibasics
- Other: https://tryhackme.com/room/owasptop10 https://tryhackme.com/room/adventofcyber3 (recommended) https://tryhackme.com/room/ccpentesting (recommended) https://tryhackme.com/room/zthweb2
- CTFs that combine all the knowledge you got from other rooms: https://tryhackme.com/room/picklerick https://tryhackme.com/room/owaspjuiceshop https://tryhackme.com/room/brooklynninenine https://tryhackme.com/room/lianyu https://tryhackme.com/room/anthem https://tryhackme.com/room/agentsudoctf https://tryhackme.com/room/easyctf https://tryhackme.com/room/attackerkb https://tryhackme.com/room/kenobi https://tryhackme.com/room/avengers https://tryhackme.com/room/toolsrus https://tryhackme.com/room/jurassicpark https://tryhackme.com/room/blue
- nmap SMB scripts
nmap --script smb-os-discovery.nse -p445 <ip> (enumerate OS, domain name, etc.)
nmap --script smb-enum-users.nse -p445 <ip> (used to enumerate all users on a remote Windows system using SAMR enumeration and LSA bruteforcing)
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.19.21 (SMB users and shares)
smbclient //10.10.19.21/anonymous (accessing smb shares)
smbget -R smb://10.10.19.21/anonymous (downloading smb files)
- enum4linux
enum4linux -u martin -p apple -U 10.10.10.12 | -u user -p pass -U get user list
enum4linux -u martin -p apple -o 10.10.10.12 | -o get OS info
enum4linux -u martin -p apple -P 10.10.10.12 | -P get password policy info
enum4linux -u martin -p apple -G 10.10.10.12 | -G get groups and members info
enum4linux -u martin -p apple -S 10.10.10.12 | -S get share list info
enum4linux -u martin -p apple -a 10.10.10.12 | -a get all simple enumeration data [-U -S -G -P -r -o -n -i]
- Wpscan
wpscan --url http://[IP Address]:8080/CEH --enumerate u (enumerate the usernames stored in the website’s database)
- Vulnerability analysis
nikto -h http://testphp.vulnweb.com/login.php -Tuning 1
- Bruteforce
hydra -L username -P /usr/share/wordlists/rockyou.txt ftp://xiotz.com
- Cryptography
Hashcalc: MD5 calculator
CrypTool: decode .hex file
BCTextEncoder: decrypt text using secret key
VeraCrypt: anything related to volume
- Crack hashes: hashes.com, CyberChef
- Steganography
- steghide embed -ef <filename> -cf <image> -p <passphrase>
- steghide extract -sf <image> (extract hidden data from image)
- stegcracker <image> /usr/share/wordlists/rockyou.txt (crack the passphrase of image)
- https://futureboy.us/stegano/decinput.html (online steganography tool)
- sha256sum <filename> (find hash of the file)
How I solved questions (Tips)
First, find all the active hosts: run an nmap scan for live hosts, then an nmap scan of each IP you found.
Then solve the Windows questions such as VeraCrypt, OpenStego, malware, etc.
Then solve the Wireshark and pcap questions such as DDoS, IoT, AP, etc.
Then go with the questions you know you can solve, and leave the web questions for last because some of them may take time.
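Added example, not part of the original post: the pcap DDoS question mentioned above usually comes down to counting bare SYN packets (SYN set, ACK clear) per source address toward the victim. The Python below does that on a classic pcap file; the capture bytes, the addresses and all function names are constructed for illustration.

```python
import struct
from collections import Counter

def make_frame(src, dst, flags):
    """Constructed Ethernet/IPv4/TCP frame carrying only the given TCP flags."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 1024, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp   # zeroed MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def syn_sources(pcap, victim):
    """Count bare SYNs (SYN set, ACK clear) sent to `victim`, per source IP."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the capture
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                       # truncated, not IPv4, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4  # IHL gives the IPv4 header length
        if len(frame) < tcp + 14:
            continue                       # TCP header cut off before flags
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        flags = frame[tcp + 13]
        if dst == victim and flags & 0x02 and not flags & 0x10:
            counts[src] += 1
    return counts

VICTIM = "192.0.2.10"  # constructed capture: one SYN flooder, one normal client
SAMPLE = build_pcap([make_frame("198.51.100.66", VICTIM, 0x02)] * 200 + [
    make_frame("192.0.2.20", VICTIM, 0x02),
    make_frame(VICTIM, "192.0.2.20", 0x12),
    make_frame("192.0.2.20", VICTIM, 0x10)])

print(syn_sources(SAMPLE, VICTIM).most_common())
```

In Wireshark the same packets are selected by the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`.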
These things helped me during my exam
https://youtube.com/playlist?list=PLZEA2EJpqSWfouVNPkl37AWEVCj6A2mdz&si=RRYL97Nhima9aKpq
https://www.stationx.net/nmap-cheat-sheet/
https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/
https://notsosecure.com/pwning-with-responder-a-pentesters-guide
https://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux
https://securitytutorials.co.uk/brute-forcing-passwords-with-thc-hydra/
https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/
GitHub — CyberSecurityUP/Guide-CEH-Practical-Master
https://infosecwriteups.com/how-i-passed-ceh-practical-in-my-first-attempt-647926a3a0ac
https://anontuttuvenus.medium.com/ceh-practical-exam-review-185ea4cef82a
https://medium.com/techiepedia/certified-ethical-hacker-practical-exam-guide-dce1f4f216c9
https://github.com/infovault-Ytube/CEH-Practical-Notes
https://medium.com/cyversity/ceh-practical-my-exam-review-68663e7376b4
https://ceh-practical.cavementech.com/