Network enumeration maps the target environment after initial access: live hosts, network topology, OS types, services, domain structure, DNS, routing. Builds the target model for attack path planning.
Internal enumeration workflow: Nmap live host scan → service version scan → AD enumeration (BloodHound) → share enumeration → identify high-value targets (DC, SQL servers, admin workstations). Document every finding — topology maps are crucial for reporting and explaining attack paths to clients.