Skip to content

Scenario 01: AI Service Reachability Survey

Difficulty: Beginner Time: ~10 minutes Prerequisites: None Target: All lab hosts (172.16.50.10, .20, .30, .40)

Background

Before exploiting AI/ML services, an operator needs to map what's running. Enterprise AI infrastructure often sprawls across multiple hosts — model servers, vector databases, experiment trackers, LLM gateways. Many are deployed without network segmentation or authentication.

Objective

Discover all AI/ML endpoints across the lab network and identify which services are running on which hosts.

Commands

# Network-wide service discovery
aipostex discover network --target 172.16.50.10,172.16.50.20,172.16.50.30,172.16.50.40

# Fingerprint specific hosts for deeper identification
aipostex discover network --target 172.16.50.20 --discovery-only
aipostex discover network --target 172.16.50.10 --discovery-only

Expected Finding

The discover network output should identify 29+ AI/ML endpoints across 4 hosts:

  • ailab-dev (172.16.50.10): Ollama, Jupyter, MCP Server, Gradio, MCP Inspector
  • ailab-ml (172.16.50.20): ChromaDB, MLflow backend, LiteLLM, Ray, HF TEI, vLLM, BentoML, TorchServe, Triton, W&B, Kubeflow, TF Serving
  • ailab-ds (172.16.50.30): Weaviate, Qdrant, Jupyter, Ollama
  • ailab-app (172.16.50.40): LangServe, Streamlit, HF TGI gateway, A2A Agents (×3)

Scoring objective: The finding JSON includes service tags like "tags": ["ollama", "chromadb", "ray", ...] for each host.

Real-World Impact

Unauthenticated AI service discovery is the first step in any AI infrastructure assessment. Many organizations don't realize how many ML endpoints are exposed on their internal networks — model serving APIs, experiment trackers, vector databases, and LLM proxies often lack basic access controls.

Follow-On

  • Scenario 02: Explore the LLM gateway found on ailab-ml
  • Scenario 03: Fingerprint the HuggingFace inference servers