What techniques do you typically use, when you start a gig at a complex environment and no one can tell you what servers are out there, and documentation doesn't exist? I typically start off with getting access to one system, and a few URLs, then drill down and start manually enumerating the networks using nmap, and a fair amount of manual searching. How do the rest of you handle this challenge?
- That's about right. – ewwhite Sep 20 '14 at 16:38
- There isn't something more clever than what I am doing? That's rarely the case! :) – sed_and_done Sep 20 '14 at 16:42
- On Windows, use Active Directory to find out what Windows Servers are out there. – MichelZ Sep 20 '14 at 16:45
- Good point Michel, also, if you have Puppet or Chef, or even Nagios, you can probably get a good idea of some things from those logs, especially Nagios, if it is monitoring services. – sed_and_done Sep 20 '14 at 16:47
- @sed_and_done yes, but that usually means the environment is using some kind of documentation if they are on that level :) – MichelZ Sep 20 '14 at 16:49
- I guess it all just depends. There's usually a reason for such disorganization, so that typically dictates the approach I'd use for discovery. – ewwhite Sep 20 '14 at 17:39
2 Answers
I find myself in this situation a lot, but I don't have a checklist of what I do.
Basically, this is how I go about it:
- Identify the system (the whole system/environment, not just a single server). The environment is probably providing some sort of service to some consumers. So, I start at these public end points.
- From the entry point, I try to follow the "service trail". If this is a web server, does it have an app server, a database backend? If this is a load balancer, where are the backends, what runs on them? This should provide a high-level map of the main system components and how they fit together.
- Check the configuration of each of these services. Find out what/who they talk to. Map this information.
- Now, I go deeper: on every server, I check what services are running and who/what they are connecting to. netstat is your friend here. This should add more details to the map and reveal services that are not in the "service trail".
- Last part, I check installed applications, running processes and installed active cron jobs on each machine. Add to the map.
At this point, you should have a ton of details about the environment. And this is starting from a minimal set of information such as access info and public service end points. Having access to a monitoring system would be a great help if you look at things this way.
- This is very similar to what I do, I guess there really isn't any simpler, automated way. – sed_and_done Sep 20 '14 at 19:44
- I looked for something, closest thing I found was this: http://devstructure.com/blueprint/. But I didn't get a chance to try it in the wild. – melsayed Sep 20 '14 at 19:49
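The netstat step in the answer above, worked through as an added example that is not code from the thread or from any tool it mentions. It parses `netstat -tnp`-style socket listings collected from several hosts, separates listening sockets from outbound connections, stitches the per-host views into one "who talks to whom" map, and lists peer addresses that are not yet in the inventory, which are the next machines to enumerate. The host names, addresses, ports and program names in `SAMPLE` are constructed for the example.

```python
"""Stitch per-host socket listings into a service map.

Added example, not from the Server Fault thread. SAMPLE is constructed
to look like `netstat -tnp` output (proto, recv-q, send-q, local address,
foreign address, state, pid/program); host names and addresses are fake.
"""
import re

SAMPLE = {
    "web01": """\
tcp 0 0 10.0.1.10:80 0.0.0.0:* LISTEN 1201/nginx
tcp 0 0 10.0.1.10:22 0.0.0.0:* LISTEN 800/sshd
tcp 0 0 10.0.1.10:43122 10.0.2.20:8080 ESTABLISHED 1201/nginx
tcp 0 0 10.0.1.10:43124 10.0.2.20:8080 ESTABLISHED 1201/nginx
""",
    "app01": """\
tcp 0 0 10.0.2.20:8080 0.0.0.0:* LISTEN 2210/java
tcp 0 0 10.0.2.20:51000 10.0.3.30:5432 ESTABLISHED 2210/java
tcp 0 0 10.0.2.20:51002 10.0.4.40:6379 ESTABLISHED 2210/java
""",
    "db01": """\
tcp 0 0 10.0.3.30:5432 0.0.0.0:* LISTEN 3300/postgres
tcp 0 0 10.0.3.30:5432 10.0.2.20:51000 ESTABLISHED 3301/postgres
""",
}

# Wildcard and loopback addresses do not identify a host.
NON_HOST_ADDR = re.compile(r"^(127\.|::1$|0\.0\.0\.0$|::$|\*$)")


def split_addr(addr):
    """'10.0.1.10:80' -> ('10.0.1.10', 80); '[::1]:22' -> ('::1', 22); '*' port -> None."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), int(port) if port.isdigit() else None


def parse_sockets(text):
    """Return (local_ips, listeners, outbound) for one host's listing.

    listeners: {port: program}; outbound: {(remote_ip, remote_port, program)}.
    An ESTABLISHED socket whose local port is a LISTEN port is an inbound
    connection and is ignored, so LISTEN lines are collected first.
    """
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header lines, udp (no state column), blanks
        lip, lport = split_addr(f[3])
        rip, rport = split_addr(f[4])
        program = f[6].split("/", 1)[-1] if len(f) > 6 else "-"  # '-' without -p/root
        rows.append((lip, lport, rip, rport, f[5], program))

    local_ips = {r[0] for r in rows if not NON_HOST_ADDR.match(r[0])}
    listeners = {lport: prog for _, lport, _, _, state, prog in rows if state == "LISTEN"}
    outbound = {
        (rip, rport, prog)
        for _, lport, rip, rport, state, prog in rows
        if state == "ESTABLISHED" and lport not in listeners and rport is not None
    }
    return local_ips, listeners, outbound


def build_map(inventory):
    """inventory: {hostname: listing}. Returns listeners per host, edges, unknown peers."""
    parsed = {h: parse_sockets(t) for h, t in inventory.items()}
    ip_to_host = {ip: h for h, (ips, _, _) in parsed.items() for ip in ips}
    listeners = {h: lst for h, (_, lst, _) in parsed.items()}
    edges, unknown = set(), set()
    for src, (_, _, outbound) in parsed.items():
        for rip, rport, program in outbound:
            dst = ip_to_host.get(rip)
            if dst is None:  # peer not in our inventory yet: enumerate it next
                unknown.add((rip, rport))
                edges.add((src, program, rip, rport, "?"))
            else:
                edges.add((src, program, dst, rport, listeners[dst].get(rport, "?")))
    return {"listeners": listeners, "edges": edges, "unknown_peers": unknown}


def render(service_map):
    """Plain-text view of the map, one line per host and per dependency."""
    out = []
    for host, ports in sorted(service_map["listeners"].items()):
        listing = ", ".join(f"{p}/{prog}" for p, prog in sorted(ports.items()))
        out.append(f"{host}: listens on {listing or 'nothing'}")
    for src, prog, dst, port, svc in sorted(service_map["edges"]):
        out.append(f"  {src}[{prog}] -> {dst}:{port} ({svc})")
    for ip, port in sorted(service_map["unknown_peers"]):
        out.append(f"  TODO enumerate {ip} (serves :{port}, not in inventory)")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_map(SAMPLE)))
```

Feeding real listings means running `netstat -tnp` (or `ss -tnp`) as root on each host, since the program column is otherwise blank, and repeating the capture at a few different times of day: a single snapshot only shows connections open at that instant, so batch jobs and cron-driven traffic will be missed unless they happen to be running. The `unknown_peers` list is the useful output for the discovery problem in the question: each entry is a machine that the current inventory does not know about but that something depends on.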
I'm not sure of its status, but The Assimilation Project was being developed to solve this issue (as well as a few others).
Looks like it's still very much pre-release.
assimmon.org