Enumeration is the process of extracting detailed information from a target after its existence has already been established.
If scanning answers the question:
What exists?
Enumeration answers:
What can I learn about it?
The objective is to gather information that may later assist with exploitation, authentication, privilege escalation or lateral movement.
Unlike scanning, enumeration is often highly dependent on the technology being investigated. Enumerating a web application looks very different from enumerating SMB, Active Directory, SSH or a database.
For example:
10.10.10.201
└── 445/tcp Open
Scanning tells us that SMB exists.
Enumeration may reveal:
SMB
├── Shares
├── Users
├── Groups
├── Permissions
├── Hostname
└── Operating System
Similarly:
10.10.10.201
└── 80/tcp Open
may become:
HTTP
├── Directories
├── Files
├── Technologies
├── Authentication
├── Source Code
└── Hidden Functionality
The key idea is that enumeration transforms a service from a simple observation into actionable information.
Many real-world compromises are not the result of discovering a service, but rather discovering something valuable within that service.
Enumeration Example
If you don't yet know what SMB is, you can think of it as a way to share files over a network. In reality, SMB is a very significant protocol used throughout Windows environments for file sharing, authentication, remote administration and many other functions. For now, however, it is sufficient to think of it as a mechanism that allows users to share folders and files with other systems on the network.
For this example, I will first expose a network share on the Windows machine:

As you can see, I am a lazy administrator and have placed confidential information inside a shared folder, because it's Friday afternoon and my colleague needs it for whatever reasons.
Now imagine that a different user on the network has already been compromised and is being used by an attacker to facilitate further access into the environment. The attacker may then:
- Identify that SMB is running on a particular host
- Discover that an accessible share exists
- Enumerate the contents of the share
- Discover sensitive information
Notice how this differs from scanning.
Scanning may reveal:
10.10.10.201
└── 445/tcp Open
Enumeration reveals:
10.10.10.201
└── Public Share
└── Confidential Data.xlsx
This is the key distinction. Scanning tells us that a service exists. Enumeration tells us whether that service contains something useful.
In the example, I'm still using our only current user student:student for convenience, but you get the idea - since we explicitly set the folder to be fully accessible by "Everyone":

Commands breakdown:
# List the shares on the target using the specified username
smbclient -L \\\\target -U username
# Connect to a specific share using the supplied credentials
smbclient \\\\target\\share -U username
Once connected, you will be presented with a small interactive shell. Although it resembles a command prompt, it is limited to SMB operations such as listing directories, downloading files and uploading files. It does not provide the ability to execute operating system commands on the target.
Enumeration as an Operator
Enumeration is arguably the most important skill in offensive security.
Many beginners assume that exploitation is the difficult part of an engagement. In reality, the difficult part is often identifying what should be exploited in the first place.
Experienced operators spend a significant amount of time enumerating their environment. Every new host, account, application or privilege level creates a new scope that must be understood.
This is why the process often looks like:
Enumerate
↓
Identify Opportunity
↓
Exploit
↓
Gain New Access
↓
Enumerate Again
As an engagement progresses, the scope expands and the cycle repeats. In many cases, enumeration consumes more time than exploitation itself.
A common saying in offensive security is:
Enumerate until something breaks.
And my personal favorite is:
If you get stuck - enumerate harder.
While simplistic, it captures an important reality: successful operators are often distinguished less by their exploits and more by their ability to discover opportunities that others overlook.