# 3260 - Pentesting ISCSI
## Basic Information

> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
>
> The protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel, which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.

**Default port:** 3260

```
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
```

## Enumeration

### iSCSI Discovery

iSCSI discovery is the process of identifying iSCSI targets on a network. There are two methods for discovering iSCSI targets:

1. **SendTargets**: This method involves sending an iSCSI command to a specific IP address and port number. The target responds with a list of available targets.
2. **iSNS**: Internet Storage Name Service (iSNS) is a protocol that allows iSCSI initiators to discover and manage iSCSI targets. It uses a central iSNS server to maintain a database of available targets.

### iSCSI Target Discovery

Once the iSCSI targets have been discovered, the next step is to determine the available LUNs (Logical Unit Numbers) on each target. This can be done using the following methods:

1. **iSCSI SendTargets**: This method involves sending an iSCSI command to the target IP address and port number. The target responds with a list of available LUNs.
2. **iSCSI Report LUNs**: This method involves sending an iSCSI command to the target IP address and port number. The target responds with a list of available LUNs along with their attributes.

### iSCSI Authentication

iSCSI authentication is used to ensure that only authorized initiators can access the iSCSI targets. There are several methods of iSCSI authentication:

1. **CHAP (Challenge-Handshake Authentication Protocol)**: This method involves a three-way handshake between the initiator and the target. The initiator sends a CHAP request to the target, which responds with a CHAP challenge. The initiator then sends a CHAP response, and if it matches what the target computes for its challenge, authentication is successful.
2. **Mutual CHAP**: This method is similar to CHAP, but both the initiator and the target authenticate each other using CHAP.
3. **IKE (Internet Key Exchange)**: This method uses a pre-shared key or digital certificates to authenticate the initiator and the target.

### iSCSI Security

To ensure the security of iSCSI communications, it is important to implement the following measures:

1. **IPsec (Internet Protocol Security)**: IPsec can be used to encrypt and authenticate iSCSI traffic between the initiator and the target.
2. **CHAP or Mutual CHAP**: Enabling CHAP or Mutual CHAP authentication can help prevent unauthorized access to iSCSI targets.
3. **Access Control Lists (ACLs)**: Implementing ACLs can restrict access to iSCSI targets based on IP addresses or initiator IQNs (iSCSI Qualified Names).
4. **Firewalls**: Configuring firewalls to allow only authorized iSCSI traffic can help protect against unauthorized access.
5. **Secure Network Segmentation**: Isolating iSCSI traffic on a separate network segment can help prevent unauthorized access and reduce the attack surface.

### iSCSI Vulnerabilities

There are several weaknesses that can be exploited in iSCSI implementations. Some common ones include:

1. **Weak Authentication**: If weak authentication methods are used, attackers may be able to bypass authentication and gain unauthorized access to iSCSI targets.
2. **Default Credentials**: If default credentials are not changed, attackers can easily guess or find them and gain unauthorized access.
3. **Insecure Configuration**: Misconfigurations in iSCSI implementations can lead to vulnerabilities that can be exploited by attackers.
4. **Man-in-the-Middle Attacks**: If iSCSI traffic is not properly encrypted, attackers can intercept and modify the traffic, leading to unauthorized access or data manipulation.
5. **Denial of Service (DoS)**: Attackers can launch DoS attacks against iSCSI targets, causing them to become unavailable to legitimate users.

### Countermeasures

To mitigate the risks associated with iSCSI vulnerabilities, the following countermeasures can be implemented:

1. **Strong Authentication**: Implement strong authentication methods, such as CHAP or Mutual CHAP, to ensure only authorized initiators can access iSCSI targets.
2. **Change Default Credentials**: Always change default credentials to unique and strong passwords to prevent unauthorized access.
3. **Secure Configuration**: Ensure that iSCSI implementations are properly configured and follow security best practices.
4. **Encrypt iSCSI Traffic**: Use IPsec or other encryption methods to protect iSCSI traffic from interception and modification.
5. **Implement Access Controls**: Use ACLs to restrict access to iSCSI targets based on IP addresses or initiator IQNs.
6. **Monitor for Anomalies**: Implement monitoring and logging mechanisms to detect and respond to any suspicious activity or unauthorized access attempts.
7. **Regular Updates and Patching**: Keep iSCSI implementations up to date with the latest security patches and updates to address any known vulnerabilities.

By implementing these countermeasures, the security of iSCSI implementations can be significantly improved, reducing the risk of unauthorized access and data breaches.
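The CHAP and Mutual CHAP exchanges described under iSCSI Authentication above, worked through in Python as an added example (not code from the page or from any iSCSI implementation). It uses the Login-phase key names from RFC 7143 (`CHAP_A`, `CHAP_I`, `CHAP_C`, `CHAP_N`, `CHAP_R`) and the RFC 1994 MD5 digest; the initiator and target names, secrets and the `known_secrets` lookup are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# iSCSI negotiates CHAP inside the Login phase with text keys (RFC 7143): the verifier
# sends CHAP_A (5 = MD5), CHAP_I (identifier) and CHAP_C (challenge); the prover answers
# with CHAP_N (name) and CHAP_R. CHAP_R is the RFC 1994 digest
# MD5(identifier byte || secret || challenge), carried here as "0x" hex strings.

def chap_response(identifier, secret, challenge):
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def make_challenge(identifier, nbytes=16):
    """Verifier: issue a fresh random challenge (a reused challenge makes CHAP_R replayable)."""
    return {"CHAP_A": "5", "CHAP_I": str(identifier), "CHAP_C": "0x" + os.urandom(nbytes).hex()}

def answer_challenge(challenge_keys, name, secret):
    """Prover: compute CHAP_R for the received CHAP_I / CHAP_C."""
    if challenge_keys.get("CHAP_A") != "5":
        raise ValueError("only CHAP_A=5 (MD5) is supported here")
    ident = int(challenge_keys["CHAP_I"])
    chal = bytes.fromhex(challenge_keys["CHAP_C"][2:])
    return {"CHAP_N": name, "CHAP_R": "0x" + chap_response(ident, secret, chal).hex()}

def verify_response(challenge_keys, response_keys, known_secrets):
    """Verifier: recompute CHAP_R from the stored secret for CHAP_N, compare in constant time."""
    secret = known_secrets.get(response_keys.get("CHAP_N"))
    if secret is None:
        return False
    expected = answer_challenge(challenge_keys, response_keys["CHAP_N"], secret)["CHAP_R"]
    return hmac.compare_digest(expected, response_keys.get("CHAP_R", ""))

def chap_exchange(prover_name, prover_secret, verifier_secrets, identifier):
    """One direction of CHAP: challenge, response, verification."""
    chal = make_challenge(identifier)
    resp = answer_challenge(chal, prover_name, prover_secret)
    return verify_response(chal, resp, verifier_secrets)

def mutual_chap(initiator, target):
    """initiator and target are (name, secret, known_peer_secrets) tuples (constructed).
    One-way CHAP is only the first exchange; Mutual CHAP adds the reversed one, so the
    initiator also learns whether it is talking to the genuine target.
    Returns (initiator_authenticated_by_target, target_authenticated_by_initiator)."""
    i_name, i_secret, i_known = initiator
    t_name, t_secret, t_known = target
    return (chap_exchange(i_name, i_secret, t_known, identifier=1),
            chap_exchange(t_name, t_secret, i_known, identifier=2))
```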
```
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```

This script will indicate whether authentication is required.

### [Brute force](../generic-methodologies-and-resources/brute-force.md#iscsi)

### [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux)

**Note:** You may find that when your targets are discovered, they are listed under a different IP address. This tends to happen if the iSCSI service is exposed via NAT or a virtual IP. In these cases, `iscsiadm` will fail to connect. Two adjustments are needed: one to the directory name of the node automatically created by your discovery, and one to the `default` file contained in that directory.

For example, you are trying to connect to an iSCSI target at 123.123.123.123 on port 3260. The server exposing the iSCSI target is actually at 192.168.1.2 but is exposed via NAT. iscsiadm will register the _internal_ address instead of the _public_ one:

```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
```

This command will create a directory in your filesystem like this:

```
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```

Within the directory there is a `default` file that contains all the settings needed to connect to the target.

1. Rename `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` to `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/`
2. In `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, change the `node.conn[0].address` setting to point to 123.123.123.123 instead of 192.168.1.2. This can be done with the following command: `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`

You can now mount the target as per the instructions in the link.

### [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN)

## **Manual enumeration**

```bash
sudo apt-get install open-iscsi
```

First you need to discover the names of the targets behind the IP:

```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
```

_Note that it will show the IP and port of the interfaces where you can reach those targets. It can even show internal IPs, or IPs different from the one you used._

Then you **grab the second part of the printed string of each line** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ from the first line) and **try to login**:

```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```

Then you can **logout** using `--logout`:

```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```

We can get **more information** about the node by running the same command without any `--login`/`--logout` parameter:

```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.startup = manual
node.leading_login = No
iface.hwaddress =
iface.ipaddress =
iface.iscsi_ifacename = default
iface.net_ifacename =
iface.transport_name = tcp
iface.initiatorname =
iface.bootproto =
iface.subnet_mask =
iface.gateway =
iface.ipv6_autocfg =
iface.linklocal_autocfg =
iface.router_autocfg =
iface.ipv6_linklocal =
iface.ipv6_router =
iface.state =
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state =
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
node.discovery_address = 192.168.xx.xx
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = None
node.session.auth.username =
node.session.auth.password =
node.session.auth.username_in =
node.session.auth.password_in =
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 192.168.xx.xx
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD
```

**There is a script to automate the basic subnet enumeration process, available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm)**.**

## **Shodan**

* `port:3260 AuthMethod`

## **References**

{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
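The SendTargets output above lists portals in `<address>:<port>,<tpgt> <iqn>` form, with IPv6 addresses in brackets, and the NAT note earlier explains why an advertised portal can differ from the one you queried. As an added example (not the page's or open-iscsi's code), the following parser handles both address forms, tags portals that advertise a private or link-local address, and rewrites only the `node.conn[0].address` line of a node `default` file rather than the global `sed` shown above; the sample output and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of `iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260`
# output, modelled on the lines above: one portal answers on the address we queried,
# one advertises an RFC 1918 address (the NAT case from the note) and one a bracketed
# IPv6 link-local address.
SAMPLE_DISCOVERY = """\
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
192.168.1.2:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
"""

# <ipv4>:<port>,<tpgt> <iqn>   or   [<ipv6>]:<port>,<tpgt> <iqn>
PORTAL_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))"
    r":(?P<port>\d+),(?P<tpgt>\d+)\s+(?P<iqn>\S+)$")


def parse_sendtargets(text):
    """Return one dict per portal line; lines that are not portal records are skipped."""
    records = []
    for line in text.splitlines():
        m = PORTAL_RE.match(line.strip())
        if m:
            records.append({"address": m["v6"] or m["v4"], "port": int(m["port"]),
                            "tpgt": int(m["tpgt"]), "iqn": m["iqn"]})
    return records


def classify(records, discovery_address):
    """Tag each portal: 'direct' if it is the address we discovered against, 'private' if it
    is an RFC 1918 or link-local address that will not be reachable from outside (the NAT or
    virtual IP case, where the node directory needs the fix-up described above), else 'other'."""
    for r in records:
        ip = ipaddress.ip_address(r["address"])
        if r["address"] == discovery_address:
            r["reachability"] = "direct"
        elif ip.is_private or ip.is_link_local:
            r["reachability"] = "private"
        else:
            r["reachability"] = "other"
    return records


def fix_node_address(default_text, public_address):
    """Rewrite only the node.conn[0].address line of a node 'default' file so the node points
    at the public portal, leaving every other occurrence of the internal address untouched."""
    return re.sub(r"^(node\.conn\[0\]\.address = ).*$", rf"\g<1>{public_address}",
                  default_text, flags=re.MULTILINE)
```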
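The node record above is where the security posture of a session shows up: `node.session.auth.authmethod = None` means no CHAP credentials are sent, the `_in` fields being empty means the initiator never authenticates the target (no Mutual CHAP), and `HeaderDigest`/`DataDigest = None` means no PDU digests. The following audit helper is an added example (not from the page or open-iscsi) that parses the `key = value` record format and reports those findings; the excerpt is constructed from the keys shown above.

```python
# Constructed excerpt of an `iscsiadm -m node` record, using keys and values from the
# full record shown above (addresses replaced by a made-up 192.168.1.2).
SAMPLE_RECORD = """\
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.discovery_address = 192.168.1.2
node.discovery_port = 3260
node.session.auth.authmethod = None
node.session.auth.username =
node.session.auth.password =
node.session.auth.username_in =
node.session.auth.password_in =
node.conn[0].address = 192.168.1.2
node.conn[0].port = 3260
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
# END RECORD
"""


def parse_record(text):
    """Turn the 'key = value' lines between BEGIN/END RECORD into a dict; empty values stay ''."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def audit_record(rec):
    """Return (severity, message) findings about the node's security posture."""
    findings = []
    if rec.get("node.session.auth.authmethod", "None") == "None":
        findings.append(("high", "authmethod None: this node sends no CHAP credentials, so a "
                                 "successful --login means the target accepts unauthenticated initiators"))
    elif not rec.get("node.session.auth.password_in"):
        findings.append(("medium", "one-way CHAP only: the initiator never authenticates the target "
                                   "(no Mutual CHAP), so a spoofed target would not be detected"))
    if (rec.get("node.conn[0].iscsi.HeaderDigest", "None") == "None"
            or rec.get("node.conn[0].iscsi.DataDigest", "None") == "None"):
        findings.append(("low", "no Header/Data digests: PDU corruption in transit goes undetected "
                                "(digests are CRC32C, not a substitute for IPsec)"))
    if rec.get("node.conn[0].address") != rec.get("node.discovery_address"):
        findings.append(("info", "node portal differs from the discovery address (NAT or virtual IP)"))
    return findings
```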