So, I’m finally done with CEH. After countless hours of studying and working through labs for both the theory and practical exams, I wanted to take a moment to share my journey — the highs, the lows, and what I learned along the way.
Theory Exam
To earn the CEH Master title, you first need to pass the theory exam. I kicked things off with a 5-day course, which turned out to be super valuable. The instructor gave a lot of useful tips about the exam and how to approach it. I didn’t want to lose momentum, so I scheduled my exam for three weeks after the course ended.
In those three weeks, I read all 3,000+ pages of the official course material and took extensive notes. I wasn’t just trying to memorize terms — I really aimed to understand the protocols and concepts in depth. On top of that, I dedicated about 3 hours a day to study and knocked out around 10 ECC labs to get more comfortable with the tools.
For practice, I used a variety of resources:
- ceh.cagy.org
- The CEH Practice Exam Book by Matt Walker
- Memotrainer, which was provided by my learning institution
All this prep had me feeling pretty confident going into my first attempt. On exam day, I showed up 30 minutes early, did a quick warm-up quiz, and headed in. The guy next to me had like 40 flagged questions, which made me go, “Uh… should I be worried?” Turns out that just means he marked them for review. The exam itself felt more like an English comprehension test than a hacking exam — not surprising, since I’m not a native English speaker. Every question took extra effort to fully understand. And honestly, the real exam questions were nothing like the practice ones (which I get, but still — bit of a curveball).
Even so, I felt alright during the test. I understood most of the questions and finished in about two hours. I didn’t bother rereading all 125 questions — just revisited the ones I doubted and hit submit. When I saw 125/78, I thought, “Hey, 78% — not bad!” But nope — 78 correct out of 125, which meant 63%. Ouch.
I didn’t want to rush into a retake, so I scheduled it for five weeks later, giving myself time to rest and then dive back in with a fresh mindset. I reread the book twice, and used Memotrainer daily — sometimes deliberately answering questions wrong just to see the explanations and understand the logic behind each answer. At this point, I was pushing myself hard. Maybe too hard. My brain felt overloaded by exam week. On the day of the retake, I again arrived early and jumped right into it.
This time, it actually felt better — I could dissect the questions more easily and understood the logic behind nearly every option. After 2.5 hours, I submitted. Result: 125/83. Just four questions short of passing. That one stung. I was genuinely crushed. I started thinking that not getting CEH Master might stop me from getting into the pentesting field. I took a day off to reset and get my head right. But then I reminded myself — the CEH Practical was still ahead, and that would be my shot to really prove my skills.
Practical Exam
The preparation for the CEH Practical was pretty straightforward. I focused mainly on the ECC labs provided by EC-Council. Most of them were quick to complete — some took as little as 20 minutes — and I concentrated on documenting the commands used. Since the exam questions are often a blend of topics from different modules, having organized notes made a big difference.
Example scenario from the exam:
Find a Linux host in subnet X, exploit a vulnerability, receive file X and decrypt it to retrieve the flag.
So a big part of the challenge was understanding the question, identifying the correct vulnerable machine, and figuring out the steps to obtain the flag. Taking notes helped build a fast and structured attack path — or so I thought (more on that later).
I scheduled the exam three weeks in advance, giving myself time to prepare properly. Instead of doing too many TryHackMe learning paths (which don’t align closely with CEH), I practiced with VulnHub machines like the DC series to simulate unknown environments. I also re-did the CEH Engage modules to sharpen my workflow and focused on the questions I struggled with earlier.
Day of the exam
The exam was scheduled from 13:00 to 19:00 (Amsterdam time). In the morning, I warmed up with one CEH Engage module and watched a bit of Netflix to relax — I was nervous, especially after failing the theory twice.
When it was time, I joined the GoToMeeting session, but the proctor couldn’t see me. That was stressful because you have a 15-minute grace period before they cancel your session. Luckily, the proctor emailed me an invitation code which worked (shout-out to Proctor 6). After verifying my room, ID, and removing unsupported software (note: TeamViewer is not allowed), I was cleared to begin.
During the exam
I used the first few minutes to gather info about the subnets involved and saved that into a file, to avoid repeating slow scans later. I ran the classic: nmap -sCV -A <ip> -a ip_subnet.txt for all three subnets. Then I scanned through the 20 questions, filtering them by perceived difficulty. Sample question types (without breaking NDA):
- Identify a service version on a given machine.
- Perform a vulnerability scan and provide the CVE.
- Exploit a vulnerability, obtain a file, and decrypt it.
- Identify SQL injection on a web domain and extract a password.
- Perform Wireshark analysis.
- Malware identification.
- Wireless password cracking.
I learned you get three attempts per question, which gave me more confidence. I started with the easiest questions. For longer tasks (like vulnerability scans), I launched them and worked on other questions while waiting. Multitasking is crucial — it’s easy to waste time in rabbit holes.
To manage that, I used a self-imposed 15-minute timer per question. If I was still stuck, I moved on. Six hours sounds like a lot, but it goes by fast. After three hours, I already had 14 correct — just enough to pass. That gave me a boost. I went on for another hour and reached 16. Then I took a short break to grab a snack and chat with my girlfriend.
In the final stretch, I managed to solve one more, ending with 18 out of 20. The last two were difficult:
- A Drupal site with no clear attack vector: I tried droopescan, Drupalgeddon 1 & 2, scanned for known CVEs based on the enumerated version, looked for hidden directories using gobuster, and probed other open ports — no luck.
- A vulnerability scan question: I couldn’t get the CVE to appear, even after digging into the vulnerability for 45 minutes.
With an hour left and 18/20 already confirmed, I decided to submit.
Post-Exam Reflections
Now that I’ve had time to reflect, I want to share some insights. Many people online say the CEH Practical is “easy.” I partially agree — if you either:
- Drilled the ECC labs for two months, or
- Have solid CTF/real-world experience.
But if something doesn’t go as expected — for example, an exploit doesn’t work — then your troubleshooting skills really matter. That’s where CTF experience shines. For instance, I had to perform a path traversal attack on a DVWA instance. Sounds easy, right? But:
- The DVWA had to be set to low security, and
- It was hosted on a Windows server, so /etc/passwd was useless.
Instead of using the file inclusion tab, I used the RCE module and started enumerating files with dir and type. This kind of pivoting isn’t something you just memorize — it comes from practice. So no, it’s not that easy for beginners. I’d rate it somewhere between beginner and intermediate.

Final verdict
Even though I didn’t pass the theory (and thus missed CEH Master), I still feel very proud of this achievement. Pentesting is hard. Failing the theory twice was frustrating, especially knowing I understood the material — I just don’t perform well under multiple-choice pressure. But the practical let me prove my skill, and I’m glad I pushed through. There’s a lot of criticism about CEH out there, and I get some of it. But honestly:
- The book was solid.
- The ECC labs were stable and helpful.
- The Engage modules were a good playground (even after breaking a few machines myself 😅).
I’m not done — maybe someday I’ll try CPENT — but that’s for later. Lastly, I’ll share my CEH notes in my GitBook. Even if no one reads them, I want them to be out there. Everyone deserves to learn from someone else’s struggle.