Scenario 01: AI Service Reachability Survey¶
Difficulty: Beginner Time: ~10 minutes Prerequisites: None Target: All lab hosts (172.16.50.10, .20, .30, .40)
Background¶
Before exploiting AI/ML services, an operator needs to map what's running. Enterprise AI infrastructure often sprawls across multiple hosts — model servers, vector databases, experiment trackers, LLM gateways. Many are deployed without network segmentation or authentication.
Objective¶
Discover all AI/ML endpoints across the lab network and identify which services are running on which hosts.
Commands¶
# Network-wide service discovery
aipostex discover network --target 172.16.50.10,172.16.50.20,172.16.50.30,172.16.50.40
# Fingerprint specific hosts for deeper identification
aipostex discover network --target 172.16.50.20 --discovery-only
aipostex discover network --target 172.16.50.10 --discovery-only
Expected Finding¶
The discover network output should identify 29+ AI/ML endpoints across 4 hosts:
- ailab-dev (172.16.50.10): Ollama, Jupyter, MCP Server, Gradio, MCP Inspector
- ailab-ml (172.16.50.20): ChromaDB, MLflow backend, LiteLLM, Ray, HF TEI, vLLM, BentoML, TorchServe, Triton, W&B, Kubeflow, TF Serving
- ailab-ds (172.16.50.30): Weaviate, Qdrant, Jupyter, Ollama
- ailab-app (172.16.50.40): LangServe, Streamlit, HF TGI gateway, A2A Agents (×3)
Scoring objective: The finding JSON includes service tags like "tags": ["ollama", "chromadb", "ray", ...] for each host.
Real-World Impact¶
Unauthenticated AI service discovery is the first step in any AI infrastructure assessment. Many organizations don't realize how many ML endpoints are exposed on their internal networks — model serving APIs, experiment trackers, vector databases, and LLM proxies often lack basic access controls.
Follow-On¶
- Scenario 02: Explore the LLM gateway found on ailab-ml
- Scenario 03: Fingerprint the HuggingFace inference servers