Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-12-18 17:16:10 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/3260-pentesting-iscsi.md

190 lines
11 KiB
Markdown
Raw Normal View History

Translated ['network-services-pentesting/10000-network-data-management-p
2024-01-05 23:03:45 +00:00
# 3260 - Pentesting ISCSI
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Translated ['network-services-pentesting/10000-network-data-management-p
2024-01-05 23:03:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
<details>
Translated ['network-services-pentesting/10000-network-data-management-p
2024-01-05 23:03:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
<summary>Support HackTricks</summary>
Translated ['network-services-pentesting/10000-network-data-management-p
2024-01-05 23:03:45 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
Translated ['network-services-pentesting/10000-network-data-management-p
2024-01-05 23:03:45 +00:00
</details>
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
{% endhint %}
Translated ['network-services-pentesting/10000-network-data-management-p
2024-01-05 23:03:45 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Informações Básicas
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
De [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
> Em computação, **iSCSI** é um acrônimo para **Internet Small Computer Systems Interface**, um padrão de rede de armazenamento baseado em Protocolo de Internet (IP) para conectar instalações de armazenamento de dados. Ele fornece acesso em nível de bloco a dispositivos de armazenamento, transportando comandos SCSI por uma rede TCP/IP. iSCSI é usado para facilitar transferências de dados sobre intranets e para gerenciar armazenamento a longas distâncias. Pode ser usado para transmitir dados sobre redes de área local (LANs), redes de área ampla (WANs) ou a Internet e pode permitir armazenamento e recuperação de dados independentes de localização.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
>
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
> O protocolo permite que clientes (chamados iniciadores) enviem comandos SCSI (CDBs) para dispositivos de armazenamento (alvos) em servidores remotos. É um protocolo de rede de área de armazenamento (SAN), permitindo que organizações consolidem armazenamento em matrizes de armazenamento, enquanto fornecem aos clientes (como servidores de banco de dados e web) a ilusão de discos SCSI conectados localmente. Ele compete principalmente com Fibre Channel, mas, ao contrário do Fibre Channel tradicional, que geralmente requer cabeamento dedicado, o iSCSI pode ser executado a longas distâncias usando a infraestrutura de rede existente.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
**Porta padrão:** 3260
GitBook: [#3160] No subject
2022-05-01 13:25:53 +00:00
```
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
PORT STATE SERVICE VERSION
3260/tcp open iscsi?
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## Enumeração
GitBook: [#3160] No subject
2022-05-01 13:25:53 +00:00
```
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```
Translated to Portuguese
2023-06-06 18:56:34 +00:00
Este script indicará se a autenticação é necessária.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### [Força bruta](../generic-methodologies-and-resources/brute-force.md#iscsi)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
### [Montar ISCSI no Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
**Nota:** Você pode descobrir que, quando seus alvos são descobertos, eles estão listados sob um endereço IP diferente. Isso tende a acontecer se o serviço iSCSI estiver exposto via NAT ou um IP virtual. Em casos como esses, `iscsiadmin` falhará ao tentar se conectar. Isso requer duas alterações: uma no nome do diretório do nó criado automaticamente por suas atividades de descoberta e uma no arquivo `default` contido dentro deste diretório.
Update 3260-pentesting-iscsi.md
2021-01-15 09:05:40 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
Por exemplo, você está tentando se conectar a um alvo iSCSI em 123.123.123.123 na porta 3260. O servidor que expõe o alvo iSCSI está na verdade em 192.168.1.2, mas exposto via NAT. isciadm registrará o endereço _interno_ em vez do endereço _público_:
GitBook: [#3160] No subject
2022-05-01 13:25:53 +00:00
```
Update 3260-pentesting-iscsi.md
2021-01-15 09:05:40 +00:00
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
Este comando criará um diretório no seu sistema de arquivos assim:
GitBook: [#3160] No subject
2022-05-01 13:25:53 +00:00
```
Update 3260-pentesting-iscsi.md
2021-01-15 09:05:40 +00:00
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Dentro do diretório, há um arquivo padrão com todas as configurações necessárias para se conectar ao alvo.
Update 3260-pentesting-iscsi.md
2021-01-15 09:05:40 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
1. Renomeie `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` para `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/`
2. Dentro de `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, altere a configuração `node.conn[0].address` para apontar para 123.123.123.123 em vez de 192.168.1.2. Isso pode ser feito com um comando como `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`
Update 3260-pentesting-iscsi.md
2021-01-15 09:05:40 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
Você pode agora montar o alvo conforme as instruções no link.
Update 3260-pentesting-iscsi.md
2021-01-15 09:05:40 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
### [Montar ISCSI no Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
## **Enumeração manual**
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```bash
sudo apt-get install open-iscsi
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
Exemplo da [documentação do iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm):
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
Primeiro de tudo, você precisa **descobrir os nomes dos alvos** por trás do IP:
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
```bash
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
_Note que ele mostrará o I**P e a porta das interfaces** onde você pode **alcançar** esses **alvos**. Ele pode até **mostrar IPs internos ou IPs diferentes** do que você usou._
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
Então você **pega a 2ª parte da string impressa de cada linha** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ da primeira linha) e **tenta fazer login**:
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
Então, você pode **logout** usando `logout`
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
Podemos encontrar **mais informações** sobre isso apenas usando **sem** nenhum parâmetro `--login`/`--logout`
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.startup = manual
node.leading_login = No
iface.hwaddress = <empty>
iface.ipaddress = <empty>
iface.iscsi_ifacename = default
iface.net_ifacename = <empty>
iface.transport_name = tcp
iface.initiatorname = <empty>
iface.bootproto = <empty>
iface.subnet_mask = <empty>
iface.gateway = <empty>
iface.ipv6_autocfg = <empty>
iface.linklocal_autocfg = <empty>
iface.router_autocfg = <empty>
iface.ipv6_linklocal = <empty>
iface.ipv6_router = <empty>
iface.state = <empty>
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state = <empty>
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
node.discovery_address = 192.168.xx.xx
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = None
node.session.auth.username = <empty>
node.session.auth.password = <empty>
node.session.auth.username_in = <empty>
node.session.auth.password_in = <empty>
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 192.168.xx.xx
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD
```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
**Há um script para automatizar o processo básico de enumeração de sub-rede disponível em** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm)
Translated ['network-services-pentesting/10000-network-data-management-p
2024-01-05 23:03:45 +00:00
GitBook: [#3160] No subject
2022-05-01 13:25:53 +00:00
## **Shodan**
GitBook: [master] one page modified
2020-09-18 11:59:55 +00:00
* `port:3260 AuthMethod`
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Portuguese
2023-06-06 18:56:34 +00:00
## **Referências**
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['mobile-pentesting/ios-pentesting/README.md', 'mobile-pentes
2024-02-09 12:48:36 +00:00
* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
* [https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm)
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
<details>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
<summary>Support HackTricks</summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 04:35:54 +00:00
{% endhint %}
Reference in a new issue Copy permalink