# 3260 - Pentesting ISCSI
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)!
支持HackTricks的其他方式:
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFTs收藏品](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
## 基本信息
来自[Wikipedia](https://en.wikipedia.org/wiki/ISCSI):
> 在计算机领域,**iSCSI**是**Internet Small Computer Systems Interface**的缩写,是一种基于Internet协议(IP)的存储网络标准,用于连接数据存储设备。它通过在TCP/IP网络上传输SCSI命令来提供对存储设备的块级访问。iSCSI用于在企业内部进行数据传输,并用于远距离管理存储。它可用于在局域网(LAN)、广域网(WAN)或互联网上传输数据,并可实现独立于位置的数据存储和检索。
>
> 该协议允许客户端(称为发起者)向远程服务器上的存储设备(目标)发送SCSI命令(CDBs)。它是一种存储区域网络(SAN)协议,允许组织将存储合并到存储阵列中,同时为客户端(如数据库和Web服务器)提供本地连接的SCSI磁盘的错觉。它主要与光纤通道竞争,但与通常需要专用布线的传统光纤通道不同,iSCSI可以通过现有网络基础设施在长距离上运行。
**默认端口:** 3260
```
PORT STATE SERVICE VERSION
3260/tcp open iscsi?
```
## 枚举
```
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```
这个脚本将指示是否需要身份验证。
### [暴力破解](/generic-methodologies-and-resources/brute-force.md#iscsi)
### [在Linux上挂载ISCSI](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux)
**注意:** 当您的目标被发现时,您可能会发现它们列在不同的IP地址下。如果iSCSI服务通过NAT或虚拟IP公开,则往往会发生这种情况。在这种情况下,`iscsiadmin` 将无法连接。这需要两个调整:一个是根据您的发现活动自动创建的节点目录名称,另一个是该目录中包含的 `default` 文件。
例如,您正在尝试连接到位于123.123.123.123端口3260的iSCSI目标。公开iSCSI目标的服务器实际上位于192.168.1.2,但通过NAT公开。isciadm将注册\_内部\_地址而不是\_公共\_地址:
```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
```
这个命令将在你的文件系统中创建一个类似这样的目录:
```
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```
在目录中,有一个默认文件,其中包含连接到目标所需的所有设置。
1. 将`/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/`重命名为`/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/`
2. 在`/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`中,将`node.conn[0].address`设置更改为指向123.123.123.123而不是192.168.1.2。可以使用类似`sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`的命令来完成此操作。
现在,您可以按照链接中的说明挂载目标。
### [在Windows上挂载 ISCSI](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN)
## **手动枚举**
```bash
sudo apt-get install open-iscsi
```
来自[iscsiadm文档](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm):
首先,您需要**发现**IP地址后面的目标名称:
```bash
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
```
注意,它会显示您可以访问这些目标的接口的IP和端口。它甚至可以显示内部IP或与您使用的IP不同的IP。
然后,您捕获每行打印字符串的第二部分(从第一行的\_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe\_开始),并尝试登录:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
然后,您可以使用 `–logout` 进行**注销**
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
我们可以通过仅使用任何`--login`/`--logout`参数来找到更多关于它的信息。
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.startup = manual
node.leading_login = No
iface.hwaddress =
iface.ipaddress =
iface.iscsi_ifacename = default
iface.net_ifacename =
iface.transport_name = tcp
iface.initiatorname =
iface.bootproto =
iface.subnet_mask =
iface.gateway =
iface.ipv6_autocfg =
iface.linklocal_autocfg =
iface.router_autocfg =
iface.ipv6_linklocal =
iface.ipv6_router =
iface.state =
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state =
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
node.discovery_address = 192.168.xx.xx
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = None
node.session.auth.username =
node.session.auth.password =
node.session.auth.username_in =
node.session.auth.password_in =
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 192.168.xx.xx
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD
```
**有一个用于自动化基本子网枚举过程的脚本可在** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm) **找到**
## **Shodan**
* `port:3260 AuthMethod`
## **参考资料**
*
*
从零开始学习AWS黑客技术,成为专家 htARTE (HackTricks AWS Red Team Expert)!
支持HackTricks的其他方式:
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://hacktricks.xsx.tw/network-services-pentesting/3260-pentesting-iscsi.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.