iScsi - Port 3260
Last updated
Was this helpful?
Last updated
Was this helpful?
Become VeryLazyTech ! π
Follow us on:
β Twitter .
πΎ Github .
π Medium .
πΊ YouTube .
π© Telegram .
π΅οΈββοΈ My Site .
Visit our for e-books and courses. π
iSCSI (Internet Small Computer Systems Interface) is a network protocol that allows clients (initiators) to send SCSI commands to storage devices (targets) over IP networks. It's commonly used in SAN (Storage Area Network) environments for centralized disk management and remote storage access.
High-value targets: iSCSI often connects to critical infrastructure like databases and VMs.
Misconfigurations can lead to unauthenticated access or credential leaks.
Exposed iSCSI services can reveal disk images, file systems, and even credentials.
Port 3260 handles the iSCSI target communication, where:
Initiators (clients) request access to storage blocks.
Targets (servers) expose storage resources via Logical Unit Numbers (LUNs).
Session Initiation via iSCSI login.
Discovery Phase: Client requests list of available targets.
Authentication: Optional but often skipped or weakly implemented.
Data Transfer: SCSI commands are encapsulated in TCP/IP.
Below are common attack vectors in iSCSI deployments:
No Authentication
Default config allows any initiator to access targets.
Weak CHAP Credentials
Often reused or stored in plaintext.
Information Disclosure
Target names, volume names, and paths can leak sensitive info.
Exposure to the Internet
Misconfigured firewalls or open 3260 ports.
Unpatched CVEs
Older storage devices may run vulnerable firmware.
-p 3260: Scan the iSCSI port
--script=iscsi-info: Attempts to extract target name and LUNs
You may get a raw iSCSI response showing protocol version or session response.
Lists available iSCSI targets.
Works only if no auth is required or credentials are known.
Output:
If successful, the system will map the remote disk locally (e.g., /dev/sdb).
Look for:
/etc/shadow files
Password backups
SSH keys
Configs containing internal IPs
Metasploit has auxiliary modules for discovery:
While Nikto isnβt iSCSI-specific, you can use it to fingerprint misconfigured web GUIs tied to SAN devices.
CVE-2020-2732
iSCSI memory leak in certain Linux kernels
CVE-2015-1420
iSCSI stack buffer overflow in Netgear ReadyNAS
Exploit DB
CVE-2018-1000861
Remote command execution via iSCSI web management interface
Once access is gained to an iSCSI volume:
Look for saved credential files
.bash_history, .ssh/id_rsa, /etc/shadow
Search for sudoers misconfigurations
Enumerate LVM volumes for hidden partitions
If LUNs expose full disk images, mount them locally and search for:
SAM/NTDS.dit (Windows)
MySQL databases
AWS credentials
Leave a backdoor in iSCSI shared volume
e.g., .bashrc modification
Enable remote access via hidden SSH key
Inject key into /home/user/.ssh/authorized_keys
Exfiltrate disk image for offline cracking
Always enable CHAP authentication
Whitelist initiator IPs
Limit access with firewall rules (block 3260 externally)
Use VLANs or separate subnets for SAN traffic
Regularly patch iSCSI daemons and firmware
Use Wireshark to inspect unauthorized iSCSI sessions.
Set up Syslog alerts for unusual discovery requests.
A hands-on guide packed with attack strategies, including lateral movement and exploitation of services like iSCSI. Perfect for red teamers.
Learn & practice
Become VeryLazyTech ! π
β Twitter .
πΎ Github .
π Medium .
πΊ YouTube .
π© Telegram .
π΅οΈββοΈ My Site .
Visit our for e-books and courses. π