Maybe not 100% Swimlane related - but maybe there is a need

I have a need in some of my consulting only clients to go in and map applications, ports they use and what servers they talk to. Basically discovery of as much as I can to put the information towards a roadmap to segment the network. There are not really any tools out there that I can easily find and cost effective for these projects.

I was wondering if there was some good python scripts that would help map this out. I know doing a nmap scan I can figure out what is open on what servers, but it really doesn’t tell me who is talking to who and which applications are listening on those ports.

Then I was thinking if this could be something that could be implemented into Swimlane and offer a network topology / if anything has changed. I could see it being utilized in a couple of ways…one as a consultant trying to get in the door at a company for segmentation projects, then as a security operations of what is really going on in my network.

Any thoughts or ideas? Like I said, kind of need a solution for a project but maybe it turns into a much better idea.

Hey @Norm, let me check with some of our Professional Services team members and i’ll get back to you. Also, I will start looking – I don’t have any direct experience with this.

I did come across this recently: which may help but I will get you a more complete answer soon!


Hey @Norm ,

@joshswimlane and I have been talking about your idea and I wanted to follow up with some of the things that have been suggested and contemplated. First of all, we love the creativity of your idea and there certainly is a possibility for using an automation platform like Swimlane to help gather and compile the data you are looking for. One of the biggest challenges is determining how the collection will take place. Making sure some type of sensor or collector is in the right place at the right time on any network is key to getting a realistic picture of what actually moves across the network. Since the switches only forward traffic they are instructed to, being able to capture everything on your network requires collecting data from all of the switches or installing agents on every segment and ensuring the agent is on a SPAN port. Alternatively, one could install an agent on every device or probe every device.

If we consider that modern networks often have many devices other than servers and workstations (tablets, smart TVs, projectors, mobile phones, etc) the possibility of probing every device or adding an agent to every device becomes more of a challenge. To me that says the overall level of success lies in what tool is used to collect the data and what method it uses to build the collection.

That leaves you several different options from open source tools to third-party tools. I even tested the idea myself with a 30-day trial of a third-party tool that has a REST API and within less than an hour I had a device list in Swimlane. It would also be possible to build this within Swimlane itself using a custom integration or with your own Python code. I’ll admit that I’m not quite that proficient at writing the bundles or the Python code but in talking to members of that Swimlane team I was assured a basic scan capability would not be terribly difficult to achieve. In fact, I was told that we already have some cards in the worklist to add something just like that with nmap or something similar.

A quick search for Python scripts to create a network topology turns up a couple of options but I have not tried any of them and don’t have a particular one to suggest. I’ll leave it to those who speak Python better than I do to add to the conversation here. Here is one example that I was looking into recently:

Thanks for the suggestion and please keep the ideas flowing. We are always looking for new ways to expand what Swimlane can do.

Hey @joshswimlane

Sorry been busy and not enough time to reply.

I was thinking of something like Network Detective (RapidFire Tools) but a little bit better. Basically have some sort of authenticated scan (WMI on Windows) go out and collect the applications, open ports, etc… and do the same on linux boxes.

If there is a SNMP trap or something like that on the network to get flows…take the flow data and the data the scripts pulled and somehow pull those together. The report could be a csv file and possibly a mapping where it shows the communication of each application via ports. So basically you can say the webapp X communicates to the outside on port 443 – and then internally webapp X communicates to the DBserver over port 1452 and also communicates to AD over 389 and sharepoint site over XYZ ports.

Then if you get it down to that…you could basically baseline the communications and when something communicates differently then ALERT!!

@Norm Thanks for the response!

After talking with @mike.mitchell he pointed me to a blog post he wrote that could be of some help. This is directly related to using PowerShell Empire and DFIR but I think you could use some of it for what you are wanting to do.

Additionally, he provided me with some previous PowerShell Core tasks that our TAMs wrote which will give you a good starting point.

This task script is used to remote into a machine and get NetStat info for running processes and services.

param([string]$pass, [string]$user, [string]$host1)
$password = $pass | ConvertTo-SecureString -AsPlainText -Force
$username = $user
$hostname = $host1
$newCred = New-Object System.Management.Automation.PsCredential($username, $password)
$s = new-pssession -computer $hostname -credential $newCred
$output = Invoke-Command -session $s -script {
$Header = @"
	TABLE {border-width: 1px; border-style: solid; border-color: grey; border-collapse: collapse;}
	TH {border-width: 1px; padding: 3px; border-style: solid; border-color: grey; background-color: #6495ED;}
	TD {border-width: 1px; padding: 3px; border-style: solid; border-color: grey;}
        $properties = 'Protocol','LocalAddress','LocalPort' 
        $properties += 'RemoteAddress','RemotePort','State','ProcessName','PID'

        netstat -ano | Select-String -Pattern '\s+(TCP|UDP)' | ForEach-Object {

            $item = $_.line.split(" ",[System.StringSplitOptions]::RemoveEmptyEntries)

            if($item[1] -notmatch '^\[::') 
                if (($la = $item[1] -as [ipaddress]).AddressFamily -eq 'InterNetworkV6') 
                    $localAddress = $la.IPAddressToString 
                    $localPort = $item[1].split('\]:')[-1] 
                    $localAddress = $item[1].split(':')[0] 
                    $localPort = $item[1].split(':')[-1] 

                if (($ra = $item[2] -as [ipaddress]).AddressFamily -eq 'InterNetworkV6') 
                    $remoteAddress = $ra.IPAddressToString 
                    $remotePort = $item[2].split('\]:')[-1] 
                    $remoteAddress = $item[2].split(':')[0] 
                    $remotePort = $item[2].split(':')[-1] 

                $netstat = New-Object PSObject -Property @{ 
                    PID = $item[-1] 
                    ProcessName = (Get-Process -Id $item[-1] -ErrorAction SilentlyContinue).Name 
                    Protocol = $item[0] 
                    LocalAddress = $localAddress 
                    LocalPort = $localPort 
                    RemoteAddress =$remoteAddress 
                    RemotePort = $remotePort 
                    State = if($item[0] -eq 'tcp') {$item[3]} else {$null} 
                if($netstat.State -eq 'ESTABLISHED' ){
                    $netstat | ConvertTo-HTML -Head $Header

$s | Remove-PSSession

I hope this helps, if you need further examples, let us know! Thanks!