mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-06 10:18:55 +00:00
149 lines
6.1 KiB
Markdown
149 lines
6.1 KiB
Markdown
|
# 3260 - Pentesting ISCSI
|
|||
|
|
|
|||
|
|
## Basic Information
|
|||
|
|
|
|||
|
|
> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol \(IP\)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks \(LANs\), wide area networks \(WANs\), or the Internet and can enable location-independent data storage and retrieval.
|
|||
|
|
>
|
|||
|
|
> The protocol allows clients \(called initiators\) to send SCSI commands \(CDBs\) to storage devices \(targets\) on remote servers. It is a storage area network \(SAN\) protocol, allowing organizations to consolidate storage into storage arrays while providing clients \(such as database and web servers\) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.
|
|||
|
|
|
|||
|
|
**Default port:** 3260
|
|||
|
|
|
|||
|
|
```text
|
|||
|
|
PORT STATE SERVICE VERSION
|
|||
|
|
3260/tcp open iscsi?
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## Enumeration
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
This script will indicate if authentication is required.
|
|||
|
|
|
|||
|
|
### [Brute force](../brute-force.md#iscsi)
|
|||
|
|
|
|||
|
|
### [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux)
|
|||
|
|
|
|||
|
|
### [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476%28v=ws.10%29?redirectedfrom=MSDN)
|
|||
|
|
|
|||
|
|
## **Manual enumeration**
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
sudo apt-get install open-iscsi
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
First of all you need to **discover the targets** name behind the IP:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
|
|||
|
|
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
|
|||
|
|
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
|
|||
|
|
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
_Note that it will show the I**P and port of the interfaces** where you can **reach** those **targets**. It can even **show internal IPs or different IPs** from the one you used._
|
|||
|
|
|
|||
|
|
Then you **catch the 2nd part of the printed string of each line** \(_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ from the first line\) and **try to login**:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
|
|||
|
|
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
|
|||
|
|
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
Then, you can **logout** using `–logout`
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
|
|||
|
|
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
|
|||
|
|
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
We can find **more information** about it by just using **without** any `--login`/`--logout` parameter
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
|
|||
|
|
# BEGIN RECORD 2.0-873
|
|||
|
|
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
|
|||
|
|
node.tpgt = 1
|
|||
|
|
node.startup = manual
|
|||
|
|
node.leading_login = No
|
|||
|
|
iface.hwaddress = <empty>
|
|||
|
|
iface.ipaddress = <empty>
|
|||
|
|
iface.iscsi_ifacename = default
|
|||
|
|
iface.net_ifacename = <empty>
|
|||
|
|
iface.transport_name = tcp
|
|||
|
|
iface.initiatorname = <empty>
|
|||
|
|
iface.bootproto = <empty>
|
|||
|
|
iface.subnet_mask = <empty>
|
|||
|
|
iface.gateway = <empty>
|
|||
|
|
iface.ipv6_autocfg = <empty>
|
|||
|
|
iface.linklocal_autocfg = <empty>
|
|||
|
|
iface.router_autocfg = <empty>
|
|||
|
|
iface.ipv6_linklocal = <empty>
|
|||
|
|
iface.ipv6_router = <empty>
|
|||
|
|
iface.state = <empty>
|
|||
|
|
iface.vlan_id = 0
|
|||
|
|
iface.vlan_priority = 0
|
|||
|
|
iface.vlan_state = <empty>
|
|||
|
|
iface.iface_num = 0
|
|||
|
|
iface.mtu = 0
|
|||
|
|
iface.port = 0
|
|||
|
|
node.discovery_address = 192.168.xx.xx
|
|||
|
|
node.discovery_port = 3260
|
|||
|
|
node.discovery_type = send_targets
|
|||
|
|
node.session.initial_cmdsn = 0
|
|||
|
|
node.session.initial_login_retry_max = 8
|
|||
|
|
node.session.xmit_thread_priority = -20
|
|||
|
|
node.session.cmds_max = 128
|
|||
|
|
node.session.queue_depth = 32
|
|||
|
|
node.session.nr_sessions = 1
|
|||
|
|
node.session.auth.authmethod = None
|
|||
|
|
node.session.auth.username = <empty>
|
|||
|
|
node.session.auth.password = <empty>
|
|||
|
|
node.session.auth.username_in = <empty>
|
|||
|
|
node.session.auth.password_in = <empty>
|
|||
|
|
node.session.timeo.replacement_timeout = 120
|
|||
|
|
node.session.err_timeo.abort_timeout = 15
|
|||
|
|
node.session.err_timeo.lu_reset_timeout = 30
|
|||
|
|
node.session.err_timeo.tgt_reset_timeout = 30
|
|||
|
|
node.session.err_timeo.host_reset_timeout = 60
|
|||
|
|
node.session.iscsi.FastAbort = Yes
|
|||
|
|
node.session.iscsi.InitialR2T = No
|
|||
|
|
node.session.iscsi.ImmediateData = Yes
|
|||
|
|
node.session.iscsi.FirstBurstLength = 262144
|
|||
|
|
node.session.iscsi.MaxBurstLength = 16776192
|
|||
|
|
node.session.iscsi.DefaultTime2Retain = 0
|
|||
|
|
node.session.iscsi.DefaultTime2Wait = 2
|
|||
|
|
node.session.iscsi.MaxConnections = 1
|
|||
|
|
node.session.iscsi.MaxOutstandingR2T = 1
|
|||
|
|
node.session.iscsi.ERL = 0
|
|||
|
|
node.conn[0].address = 192.168.xx.xx
|
|||
|
|
node.conn[0].port = 3260
|
|||
|
|
node.conn[0].startup = manual
|
|||
|
|
node.conn[0].tcp.window_size = 524288
|
|||
|
|
node.conn[0].tcp.type_of_service = 0
|
|||
|
|
node.conn[0].timeo.logout_timeout = 15
|
|||
|
|
node.conn[0].timeo.login_timeout = 15
|
|||
|
|
node.conn[0].timeo.auth_timeout = 45
|
|||
|
|
node.conn[0].timeo.noop_out_interval = 5
|
|||
|
|
node.conn[0].timeo.noop_out_timeout = 5
|
|||
|
|
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
|
|||
|
|
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
|
|||
|
|
node.conn[0].iscsi.HeaderDigest = None
|
|||
|
|
node.conn[0].iscsi.DataDigest = None
|
|||
|
|
node.conn[0].iscsi.IFMarker = No
|
|||
|
|
node.conn[0].iscsi.OFMarker = No
|
|||
|
|
# END RECORD
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
**There is a script to automate login/logout process available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm)\*\*\*\*
|
|||
|
|
|
|||
|
|
## **References**
|
|||
|
|
|
|||
|
|
{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
|
|||
|
|
|
|||
|
|
|
|||
|
|
|