3260 - Pentesting ISCSI

Basic Information

In computing, iSCSI is an acronym for Internet Small Computer Systems Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
The protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.
Default port: 3260

```
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
```

Enumeration

```bash
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```
This script will indicate if authentication is required.
Note: You may find that when your targets are discovered, they are listed under a different IP address. This tends to happen if the iSCSI service is exposed via NAT or a virtual IP. In cases like these, iscsiadm will fail to connect. This requires two tweaks: one to the name of the node directory automatically created by your discovery activities, and one to the default file contained within this directory.
For example, you are trying to connect to an iSCSI target on 123.123.123.123 at port 3260. The server exposing the iSCSI target is actually at 192.168.1.2 but exposed via NAT. iscsiadm will register the internal address rather than the public address:
```bash
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
```
This command will create a directory in your filesystem like this:
```
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```
Within the directory, there is a default file with all the settings necessary to connect to the target.
  1. Rename /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/ to /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/
  2. Within /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default, change the node.conn[0].address setting to point to 123.123.123.123 instead of 192.168.1.2. This could be done with a command such as:
     sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default
You may now mount the target as per the instructions in the link.
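The two tweaks above as one shell function, added here as an example and not part of the original page: it renames the node directory and rewrites only the node.conn[0].address line instead of blanket-substituting the internal IP. The nodes directory is a parameter (normally /etc/iscsi/nodes) so the function can be tried on the constructed scratch copy that demo_nat_fix builds.

```shell
#!/bin/sh
# Added example (not from the original page). Repoint an open-iscsi node
# record that discovery registered under a NAT-internal portal address so
# that the public address is used instead.
#
# usage: fix_nat_node <nodes_dir> <iqn> <internal_ip> <public_ip> [port] [tpgt]
fix_nat_node() {
    nodes_dir=$1; iqn=$2; internal=$3; public=$4
    port=${5:-3260}; tpgt=${6:-1}
    # open-iscsi names the portal directory "<address>,<port>,<tpgt>"
    old="$nodes_dir/$iqn/$internal,$port,$tpgt"
    new="$nodes_dir/$iqn/$public,$port,$tpgt"
    [ -f "$old/default" ] || { echo "no node record at $old" >&2; return 1; }
    [ -e "$new" ] && { echo "destination $new already exists" >&2; return 1; }
    mv "$old" "$new" || return 1
    # Rewrite only the connection address line (portable: no sed -i).
    sed "s/^\(node\.conn\[0]\.address = \).*/\1$public/" "$new/default" \
        > "$new/default.tmp" && mv "$new/default.tmp" "$new/default"
}

# Constructed demo: a scratch copy mimicking /etc/iscsi/nodes after discovery
# against the public address registered the internal portal 192.168.1.2.
demo_nat_fix() {
    tmp=$(mktemp -d) || return 1
    iqn="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe"
    mkdir -p "$tmp/$iqn/192.168.1.2,3260,1"
    printf '%s\n' \
        "# BEGIN RECORD 2.0-873" \
        "node.name = $iqn" \
        "node.tpgt = 1" \
        "node.conn[0].address = 192.168.1.2" \
        "node.conn[0].port = 3260" \
        "# END RECORD" > "$tmp/$iqn/192.168.1.2,3260,1/default"
    fix_nat_node "$tmp" "$iqn" 192.168.1.2 123.123.123.123 || return 1
    # Prints 1 when the renamed record now carries the public address.
    grep -c '^node.conn\[0].address = 123.123.123.123$' \
        "$tmp/$iqn/123.123.123.123,3260,1/default"
}
```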

Manual enumeration

```bash
sudo apt-get install open-iscsi
```
First of all you need to discover the target names behind the IP:
```bash
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
```
Note that it will show the IP and port of the interfaces where you can reach those targets. It can even show internal IPs or different IPs from the one you used.
Then you take the second part of the printed string of each line (iqn.1992-05.com.emc:fl1001433000190000-3-vnxe from the first line) and try to log in:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Then, you can log out using --logout:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
We can find more information about the node by running the same command without any --login/--logout parameter, which prints the stored node record:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.startup = manual
node.leading_login = No
iface.hwaddress = <empty>
iface.ipaddress = <empty>
iface.iscsi_ifacename = default
iface.net_ifacename = <empty>
iface.transport_name = tcp
iface.initiatorname = <empty>
iface.bootproto = <empty>
iface.subnet_mask = <empty>
iface.gateway = <empty>
iface.ipv6_autocfg = <empty>
iface.linklocal_autocfg = <empty>
iface.router_autocfg = <empty>
iface.ipv6_linklocal = <empty>
iface.ipv6_router = <empty>
iface.state = <empty>
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state = <empty>
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
node.discovery_address = 192.168.xx.xx
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = None
node.session.auth.username = <empty>
node.session.auth.password = <empty>
node.session.auth.username_in = <empty>
node.session.auth.password_in = <empty>
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 192.168.xx.xx
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD
```
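Several fields in that record are worth reviewing from the defensive side: node.session.auth.authmethod = None means the target accepted a login with no CHAP at all, and HeaderDigest/DataDigest = None means PDUs carry no CRC32C. The following check, added here as an example and not part of the original page, flags those settings in a saved record (redirect the iscsiadm output above to a file); the two sample records write_samples produces are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original page). Audit a saved open-iscsi node
# record for weak settings: CHAP disabled or incomplete, digests off.
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_node_record() {
    awk -F' = ' '
        $1 == "node.session.auth.authmethod" && $2 == "None" {
            print "no CHAP: target accepts logins without authentication"; n++ }
        $1 == "node.session.auth.authmethod" && $2 == "CHAP" { chap = 1 }
        $1 == "node.session.auth.username"    && $2 == "<empty>" { nouser = 1 }
        $1 == "node.session.auth.username_in" && $2 == "<empty>" { nomutual = 1 }
        # "None" or "None,CRC32C" both prefer running without a digest
        $1 == "node.conn[0].iscsi.HeaderDigest" && $2 ~ /^None/ {
            print "HeaderDigest off: PDU headers carry no CRC32C"; n++ }
        $1 == "node.conn[0].iscsi.DataDigest" && $2 ~ /^None/ {
            print "DataDigest off: SCSI payload carries no CRC32C"; n++ }
        END {
            if (chap && nouser)   { print "CHAP selected but no username set"; n++ }
            if (chap && nomutual) { print "no mutual CHAP: target not authenticated to initiator"; n++ }
            exit (n > 0)
        }' "$1"
}

# Constructed sample records (not real captures) for exercising the check.
# weak.rec mirrors the values shown in the record above; hardened.rec shows
# the settings a defender would expect instead.
write_samples() {
    dir=$1
    printf '%s\n' \
        "node.session.auth.authmethod = None" \
        "node.session.auth.username = <empty>" \
        "node.session.auth.username_in = <empty>" \
        "node.conn[0].iscsi.HeaderDigest = None" \
        "node.conn[0].iscsi.DataDigest = None" > "$dir/weak.rec"
    printf '%s\n' \
        "node.session.auth.authmethod = CHAP" \
        "node.session.auth.username = initiator01" \
        "node.session.auth.username_in = target01" \
        "node.conn[0].iscsi.HeaderDigest = CRC32C" \
        "node.conn[0].iscsi.DataDigest = CRC32C" > "$dir/hardened.rec"
}
```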
There is a script to automate the basic subnet enumeration process, available at iscsiadm

Shodan

  • port:3260 AuthMethod

References

Infrastructure PenTest Series: Part 2 - Vulnerability Analysis (tech.bitvijays.com)