AI Asset & Shadow AI Scanner
Start: Target IP / Subnet
Run Nmap / Naabu
Sends SYN packets to each port
Responses: open / closed / filtered
Open Ports Discovered
22 · 80 · 3306 · 5000 · 8080
AI hint ports
11434 = Ollama
7860 = Gradio
8888 = Jupyter
5000 = Flask / FastAPI
httpx + Nuclei
httpx
Grabs tech stack and headers
Detects Flask / FastAPI / Gradio
No credentials needed
Nuclei templates
AI-specific YAML probes
Ollama: /api/tags lists models
Gradio: /info shows AI interface
Jupyter: check unauthenticated access
Packet Capture (30-60 sec snapshot)
Wireshark / tcpdump
Capture live traffic by monitoring passively on the network
Filter for AI domains
display filter: dns contains "openai"
display filter: dns contains "huggingface"
display filter: dns contains "anthropic"
What it reveals
Which internal IPs are calling AI APIs
Frequency of AI API calls
Data volume sent to AI endpoints
Limitation: HTTPS encrypts payload
You see the destination, not the content
Zeek (30-60 sec snapshot)
Generates structured logs automatically
Key log files
conn.log: all connections with IPs and ports
dns.log: every DNS query made
ssl.log: TLS connections with SNI field
http.log: HTTP requests and responses
What it reveals over Wireshark
Already parsed - no manual packet reading
dns.log directly shows AI domain lookups
ssl.log shows SNI = api.openai.com
conn.log shows volume and frequency
How to run snapshot
Live on the interface: zeek -i eth0 -C
or capture 60 sec, then feed the pcap to Zeek: zeek -C -r capture.pcap
Log Analysis
Log Sources
nginx access.log
Which IP hit AI endpoint
POST /chat · POST /complete
auth.log
Which user owns AI deployment
DNS logs
api.openai.com lookups
huggingface.co queries
App logs
Custom AI app logging
LangChain trace logs
Permissions Needed
SSH credentials required
sudo for auth.log
Read access on /var/log/
Limitations
Logs may be rotated or empty
Shadow AI apps skip logging
Log path varies by distro
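Added example, not part of the original diagram: the Zeek branch's dns.log query and ssl.log SNI checks in Python, counting AI-domain hits per client IP. The domain watchlist, function names and sample log lines are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed watchlist, derived from the AI domains named in the diagram.
AI_SUFFIXES = ("openai.com", "huggingface.co", "anthropic.com")

def parse_zeek_tsv(text):
    """Yield one dict per record from a Zeek TSV log, using its #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def is_ai_host(name):
    """Match on a label boundary so 'notopenai.com' is not a hit."""
    name = (name or "").lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in AI_SUFFIXES)

def ai_talkers(dns_log="", ssl_log=""):
    """Count AI-bound lookups (dns.log query) and TLS sessions (ssl.log SNI) per client IP."""
    hits = Counter()
    for source, text, column in (("dns", dns_log, "query"), ("ssl", ssl_log, "server_name")):
        for rec in parse_zeek_tsv(text):
            if is_ai_host(rec.get(column)):
                hits[(rec["id.orig_h"], source, rec[column].lower())] += 1
    return hits

# Constructed sample logs (trimmed field set, private and documentation addresses).
SAMPLE_DNS = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery",
    "1700000000.1\tC1\t10.0.0.5\t10.0.0.1\tapi.openai.com",
    "1700000001.2\tC2\t10.0.0.5\t10.0.0.1\tapi.openai.com",
    "1700000002.3\tC3\t10.0.0.9\t10.0.0.1\tnotopenai.com",
    "1700000003.4\tC4\t10.0.0.7\t10.0.0.1\thuggingface.co",
    "#close\t2023-11-14-22-13-30",
])
SAMPLE_SSL = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name",
    "1700000000.5\tC5\t10.0.0.5\t192.0.2.10\tapi.openai.com",
    "1700000004.5\tC6\t10.0.0.8\t192.0.2.20\t-",  # "-" is Zeek's unset value (no SNI)
])

if __name__ == "__main__":
    for (ip, source, host), n in sorted(ai_talkers(SAMPLE_DNS, SAMPLE_SSL).items()):
        print(f"{ip}\t{source}\t{host}\t{n}")
```

A client that appears in ssl.log without a matching dns.log lookup may be resolving through a path the sensor does not see, so the two sources are counted separately.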