iScsi - Port 3260

What is iSCSI and Why is it Important?

iSCSI (Internet Small Computer Systems Interface) is a network protocol that allows clients (initiators) to send SCSI commands to storage devices (targets) over IP networks. It's commonly used in SAN (Storage Area Network) environments for centralized disk management and remote storage access.

Why iSCSI Matters in Security:

• High-value targets: iSCSI often connects to critical infrastructure like databases and VMs.

• Misconfigurations can lead to unauthenticated access or credential leaks.

• Exposed iSCSI services can reveal disk images, file systems, and even credentials.

How iSCSI Works on Port 3260

Port 3260 handles the iSCSI target communication, where:

• Initiators (clients) request access to storage blocks.

• Targets (servers) expose storage resources via Logical Unit Numbers (LUNs).

iSCSI Protocol Flow:

1. Session Initiation via iSCSI login.

2. Discovery Phase: Client requests list of available targets.

3. Authentication: Optional but often skipped or weakly implemented.

4. Data Transfer: SCSI commands are encapsulated in TCP/IP.

Top Vulnerabilities in iSCSI

Below are common attack vectors in iSCSI deployments:

Enumeration Techniques with Tools (Nmap, Netcat, etc.)

Using Nmap

• -p 3260: Scan the iSCSI port

• --script=iscsi-info: Attempts to extract target name and LUNs

Netcat for Banner Grabbing

• You may get a raw iSCSI response showing protocol version or session response.

iscsiadm (Linux)

• Lists available iSCSI targets.

• Works only if no auth is required or credentials are known.

Manual Exploitation: Hands-On Examples

Step 1: Target Discovery

Output:

Step 2: Login Without Authentication

If successful, the system will map the remote disk locally (e.g., /dev/sdb).

Step 3: Mount and Explore

Look for:

• /etc/shadow files

• Password backups

• SSH keys

• Configs containing internal IPs

Automated Exploitation with Tools

Metasploit iSCSI Modules

Metasploit has auxiliary modules for discovery:

Nikto (Limited)

While Nikto isn’t iSCSI-specific, you can use it to fingerprint misconfigured web GUIs tied to SAN devices.

Custom Python Script Example

Real-World CVEs and Notable Exploits

Privilege Escalation Opportunities via this Service

Once access is gained to an iSCSI volume:

• Look for saved credential files

  • .bash_history, .ssh/id_rsa, /etc/shadow

• Search for sudoers misconfigurations

• Enumerate LVM volumes for hidden partitions

If LUNs expose full disk images, mount them locally and search for:

• SAM/NTDS.dit (Windows)

• MySQL databases

• AWS credentials

Post-Exploitation Tips and Persistence

Techniques:

• Leave a backdoor in iSCSI shared volume

  • e.g., .bashrc modification

• Enable remote access via hidden SSH key

  • Inject key into /home/user/.ssh/authorized_keys

• Exfiltrate disk image for offline cracking

Defense, Mitigation, and Hardening Techniques

Best Practices:

• Always enable CHAP authentication

• Whitelist initiator IPs

• Limit access with firewall rules (block 3260 externally)

• Use VLANs or separate subnets for SAN traffic

• Regularly patch iSCSI daemons and firmware

Monitoring Tips:

• Use Wireshark to inspect unauthorized iSCSI sessions.

• Set up Syslog alerts for unusual discovery requests.

📚 Recommended Books

The Hacker Playbook 3: Practical Guide To Penetration Testing

A hands-on guide packed with attack strategies, including lateral movement and exploitation of services like iSCSI. Perfect for red teamers.