CyberCode Academy

Course 16 - Red Team Ethical Hacking Beginner Course | Episode 3: Essential Windows Domain and Host Enumeration

Listen Later
In this lesson, you’ll learn about:
  • The purpose and importance of network enumeration in red teaming
  • Windows Domain Enumeration techniques for situational awareness
  • Host Enumeration methods for analyzing a specific target system
  • How user sessions, services, and processes influence attack paths
  • Why continuous enumeration is critical in dynamic enterprise networks
Overview This lesson provides a comprehensive guide to essential red team enumeration techniques used to gather intelligence within a Windows enterprise environment. Enumeration is a critical phase of any red team operation, as it allows security professionals to understand the structure, users, systems, and behavior of a network without relying on exploits. The lesson is divided into two main areas:
  1. Domain Enumeration – gathering network-wide intelligence
  2. Host Enumeration – collecting detailed information from a specific system
Domain Enumeration Domain enumeration focuses on identifying high-level Active Directory information that helps red teamers understand how the environment is structured and where valuable targets exist. Identifying Domain Information
  • Discovering the current domain name (e.g., fun.com)
  • Identifying the Domain Controller (DC) and its IP address
  • Confirming domain role ownership and authentication authority
Domain Policy and Infrastructure
  • Retrieving domain policies to understand:
    • Password requirements
    • Lockout thresholds
    • Security enforcement levels
  • Enumerating domain-joined computer hostnames
User Session Enumeration One of the most critical objectives of domain enumeration is identifying logged-in users, since credentials and tokens may reside in memory. Techniques demonstrated include:
  • Listing users logged into all domain computers
  • Identifying privileged accounts logged into sensitive systems (e.g., administrators on the domain controller)
  • Detecting regular users logged into workstations
  • Narrowing enumeration to a specific target host to identify active sessions
This information is highly time-sensitive, as logged-in users can change frequently. Host Enumeration Host enumeration focuses on gathering deep, system-level intelligence from a specific target machine once access has been obtained. Basic System Information
  • Hostname
  • Operating system version (e.g., Windows 10 Enterprise)
  • System architecture (x64 / x86)
  • Domain membership
  • Installed hotfixes and patch levels
Current User Intelligence
  • Logged-in username
  • User Security Identifier (SID)
    • Important for advanced techniques such as ticket-based attacks
  • Group memberships
  • Assigned user privileges
Local Privilege Analysis
  • Enumerating members of the local administrators group
  • Identifying misconfigurations or excessive privileges
Service and Process Enumeration Understanding what is running on a system reveals potential attack surfaces and persistence opportunities. Services
  • Listing running services
  • Identifying startup services
  • Analyzing service state and startup mode
  • Detecting services running with elevated privileges
Ports and Processes
  • Enumerating open and listening ports
  • Identifying processes bound to specific ports
  • Mapping processes to:
    • Process IDs
    • Executable names
    • Full file system paths
This helps determine whether a service is custom, outdated, or potentially vulnerable. Application and File System Enumeration Installed Applications
  • Listing installed software (e.g., packet analyzers like Wireshark)
  • Identifying tools that may indicate:
    • Developer systems
    • Admin workstations
    • Security monitoring presence
File System Analysis
  • Recursively searching the file system for files containing specific text
  • Locating files by name (e.g., flags or configuration files)
  • Identifying hidden files and directories
These techniques help uncover credentials, scripts, backups, or sensitive data. Why Enumeration Is Critical
  • Network environments are dynamic
  • Logged-in users change constantly
  • Services may restart or move
  • New systems may appear or disappear
Because of this, enumeration is not a one-time activity—it must be continuous throughout a red team operation. Key Educational Takeaways
  • Enumeration builds context, not exploits
  • Logged-in users often matter more than vulnerabilities
  • Privileges and services define real attack paths
  • Native system tools provide powerful visibility
  • Effective red teaming depends on accurate, up-to-date intelligence


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
...more
View all episodesView all episodes
Download on the App Store
CyberCode AcademyBy CyberCode Academy