Course 16 - Red Team Ethical Hacking Beginner Course | Episode 3: Essential Windows Domain and Host Enumeration

In this lesson, you’ll learn about:The purpose and importance of network enumeration in red teamingWindows Domain Enumeration techniques for situational awarenessHost Enumeration methods for analyzing a specific target systemHow user sessions, services, and processes influence attack pathsWhy continuous enumeration is critical in dynamic enterprise networksOverview This lesson provides a comprehensive guide to essential red team enumeration techniques used to gather intelligence within a Windows enterprise environment. Enumeration is a critical phase of any red team operation, as it allows security professionals to understand the structure, users, systems, and behavior of a network without relying on exploits. The lesson is divided into two main areas:Domain Enumeration – gathering network-wide intelligenceHost Enumeration – collecting detailed information from a specific systemDomain Enumeration Domain enumeration focuses on identifying high-level Active Directory information that helps red teamers understand how the environment is structured and where valuable targets exist. Identifying Domain InformationDiscovering the current domain name (e.g., fun.com)Identifying the Domain Controller (DC) and its IP addressConfirming domain role ownership and authentication authorityDomain Policy and InfrastructureRetrieving domain policies to understand:Password requirementsLockout thresholdsSecurity enforcement levelsEnumerating domain-joined computer hostnamesUser Session Enumeration One of the most critical objectives of domain enumeration is identifying logged-in users, since credentials and tokens may reside in memory. Techniques demonstrated include:Listing users logged into all domain computersIdentifying privileged accounts logged into sensitive systems (e.g., administrators on the domain controller)Detecting regular users logged into workstationsNarrowing enumeration to a specific target host to identify active sessionsThis information is highly time-sensitive, as logged-in users can change frequently. Host Enumeration Host enumeration focuses on gathering deep, system-level intelligence from a specific target machine once access has been obtained. Basic System InformationHostnameOperating system version (e.g., Windows 10 Enterprise)System architecture (x64 / x86)Domain membershipInstalled hotfixes and patch levelsCurrent User IntelligenceLogged-in usernameUser Security Identifier (SID)Important for advanced techniques such as ticket-based attacksGroup membershipsAssigned user privilegesLocal Privilege AnalysisEnumerating members of the local administrators groupIdentifying misconfigurations or excessive privilegesService and Process Enumeration Understanding what is running on a system reveals potential attack surfaces and persistence opportunities. ServicesListing running servicesIdentifying startup servicesAnalyzing service state and startup modeDetecting services running with elevated privilegesPorts and ProcessesEnumerating open and listening portsIdentifying processes bound to specific portsMapping processes to:Process IDsExecutable namesFull file system pathsThis helps determine whether a service is custom, outdated, or potentially vulnerable. Application and File System Enumeration Installed ApplicationsListing installed software (e.g., packet analyzers like Wireshark)Identifying tools that may indicate:Developer systemsAdmin workstationsSecurity monitoring presenceFile System AnalysisRecursively searching the file system for files containing specific textLocating files by name (e.g., flags or configuration files)Identifying hidden files and directoriesThese techniques help uncover credentials, scripts, backups, or sensitive data. Why Enumeration Is CriticalNetwork environments are dynamicLogged-in users change constantlyServices may restart or moveNew systems may appear or disappearBecause of this, enumeration is not a one-time activity—it must be continuous throughout a red team operation. Key Educational TakeawaysEnumeration builds context, not exploitsLogged-in users often matter more than vulnerabilitiesPrivileges and services define real attack pathsNative system tools provide powerful visibilityEffective red teaming depends on accurate, up-to-date intelligenceYou can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy