hacktricks/network-services-pentesting/3260-pentesting-iscsi.md

# 3260 - Pentesting ISCSI

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Basic Information

From [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):

> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
>
> Protokol omogućava klijentima (nazvanim inicijatori) da šalju SCSI komande (CDB) uređajima za skladištenje (ciljevi) na udaljenim serverima. To je protokol skladišne mreže (SAN), koji omogućava organizacijama da konsoliduju skladište u skladišne nizove dok klijentima (kao što su serveri za baze podataka i web serveri) pruža iluziju lokalno povezanih SCSI diskova. Glavni konkurent mu je Fibre Channel, ali za razliku od tradicionalnog Fibre Channel-a koji obično zahteva posvećeno kabliranje, iSCSI može raditi na velikim udaljenostima koristeći postojeću mrežnu infrastrukturu.

**Default port:** 3260
```
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
```
## Enumeracija
```
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```
Ovaj skript će pokazati da li je autentifikacija potrebna.

### [Brute force](../generic-methodologies-and-resources/brute-force.md#iscsi)

### [Mount ISCSI na Linuxu](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux)

**Napomena:** Možda ćete primetiti da kada su vaši ciljevi otkriveni, oni su navedeni pod drugom IP adresom. To se obično dešava ako je iSCSI usluga izložena putem NAT-a ili virtuelne IP adrese. U ovakvim slučajevima, `iscsiadmin` će se neuspešno povezati. Ovo zahteva dva podešavanja: jedno za ime direktorijuma čvora koji je automatski kreiran vašim aktivnostima otkrivanja, i jedno za `default` datoteku koja se nalazi unutar ovog direktorijuma.

Na primer, pokušavate da se povežete na iSCSI cilj na 123.123.123.123 na portu 3260. Server koji izlaže iSCSI cilj se zapravo nalazi na 192.168.1.2, ali je izložen putem NAT-a. isciadm će registrovati _internu_ adresu umesto _javne_ adrese:
```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
```
Ova komanda će kreirati direktorijum u vašem fajl sistemu kao što je ovaj:
```
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```
Unutar direktorijuma, postoji podrazumevajući fajl sa svim podešavanjima potrebnim za povezivanje sa ciljem.

1. Preimenujte `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` u `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/`
2. Unutar `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, promenite podešavanje `node.conn[0].address` da pokazuje na 123.123.123.123 umesto na 192.168.1.2. Ovo se može uraditi sa komandom kao što je `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`

Sada možete montirati cilj prema uputstvima u linku.

### [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN)

## **Ručno enumerisanje**
```bash
sudo apt-get install open-iscsi
```
Primer iz [iscsiadm docs](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm):

Prvo što treba da uradite je da **otkrijete imena ciljeva** iza IP adrese:
```bash
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
```
_Napomena da će prikazati I**P i port interfejsa** gde možete **dostići** te **ciljeve**. Može čak **prikazati interne IP adrese ili različite IP adrese** od one koju ste koristili._

Zatim **uhvatite 2. deo odštampanog stringa svake linije** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ iz prve linije) i **pokušajte da se prijavite**:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Zatim, možete **logout** koristeći `–logout`
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Možemo pronaći **više informacija** o tome jednostavno koristeći **bez** bilo kog `--login`/`--logout` parametra
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.startup = manual
node.leading_login = No
iface.hwaddress = <empty>
iface.ipaddress = <empty>
iface.iscsi_ifacename = default
iface.net_ifacename = <empty>
iface.transport_name = tcp
iface.initiatorname = <empty>
iface.bootproto = <empty>
iface.subnet_mask = <empty>
iface.gateway = <empty>
iface.ipv6_autocfg = <empty>
iface.linklocal_autocfg = <empty>
iface.router_autocfg = <empty>
iface.ipv6_linklocal = <empty>
iface.ipv6_router = <empty>
iface.state = <empty>
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state = <empty>
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
node.discovery_address = 192.168.xx.xx
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = None
node.session.auth.username = <empty>
node.session.auth.password = <empty>
node.session.auth.username_in = <empty>
node.session.auth.password_in = <empty>
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 192.168.xx.xx
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD
```
**Postoji skripta za automatizaciju osnovnog procesa enumeracije podmreže dostupna na** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm)

## **Shodan**

* `port:3260 AuthMethod`

## **Reference**

* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
* [https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm)

{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}