3260 - Pentesting ISCSI
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
From Wikipedia:
In computing, iSCSI is an acronym for Internet Small Computer Systems Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
The protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.
Default port: 3260
This script will indicate if authentication is required.
Note: You may find that when your targets are discovered, they are listed under a different IP address. This tends to happen if the iSCSI service is exposed via NAT or a virtual IP. In cases like these, iscsiadmin
will fail to connect. This requires two tweaks: one to the directory name of the node automatically created by your discovery activities, and one to the default
file contained within this directory.
For example, you are trying to connect to an iSCSI target on 123.123.123.123 at port 3260. The server exposing the iSCSI target is actually at 192.168.1.2 but exposed via NAT. isciadm will register the internal address rather than the public address:
This command will create a directory in your filesystem like this:
Within the directory, there is a default file with all the settings necessary to connect to the target.
Rename /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
to /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/
Within /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default
, change the node.conn[0].address
setting to point to 123.123.123.123 instead of 192.168.1.2. This could be done with a command such as sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default
You may now mount the target as per the instructions in the link.
Example from iscsiadm docs:
First of all you need to discover the targets name behind the IP:
Note that it will show the IP and port of the interfaces where you can reach those targets. It can even show internal IPs or different IPs from the one you used.
Then you catch the 2nd part of the printed string of each line (iqn.1992-05.com.emc:fl1001433000190000-3-vnxe from the first line) and try to login:
Then, you can logout using –logout
We can find more information about it by just using without any --login
/--logout
parameter
There is a script to automate basic subnet enumeration process available at iscsiadm
port:3260 AuthMethod
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)