mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
162 lines
7.9 KiB
Markdown
162 lines
7.9 KiB
Markdown
# 3260 - Pentesting ISCSI
|
||
|
||
{{#include ../banners/hacktricks-training.md}}
|
||
|
||
## 基本信息
|
||
|
||
来自 [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):
|
||
|
||
> 在计算中,**iSCSI** 是 **Internet Small Computer Systems Interface** 的缩写,是一种基于互联网协议 (IP) 的存储网络标准,用于连接数据存储设施。它通过在 TCP/IP 网络上传输 SCSI 命令,提供对存储设备的块级访问。iSCSI 用于促进通过内部网的数据传输,并管理远程存储。它可以用于在局域网 (LAN)、广域网 (WAN) 或互联网中传输数据,并可以实现位置无关的数据存储和检索。
|
||
>
|
||
> 该协议允许客户端(称为发起者)向远程服务器上的存储设备(目标)发送 SCSI 命令(CDB)。它是一种存储区域网络 (SAN) 协议,允许组织将存储整合到存储阵列中,同时为客户端(如数据库和 Web 服务器)提供本地附加 SCSI 磁盘的幻觉。它主要与光纤通道竞争,但与通常需要专用电缆的传统光纤通道不同,iSCSI 可以通过现有网络基础设施在长距离上运行。
|
||
|
||
**默认端口:** 3260
|
||
```
|
||
PORT STATE SERVICE VERSION
|
||
3260/tcp open iscsi?
|
||
```
|
||
## 枚举
|
||
```
|
||
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
|
||
```
|
||
该脚本将指示是否需要身份验证。
|
||
|
||
### [暴力破解](../generic-hacking/brute-force.md#iscsi)
|
||
|
||
### [在Linux上挂载ISCSI](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux)
|
||
|
||
**注意:** 您可能会发现,当发现目标时,它们在不同的IP地址下列出。如果iSCSI服务通过NAT或虚拟IP暴露,通常会发生这种情况。在这种情况下,`iscsiadmin`将无法连接。这需要两个调整:一个是您发现活动自动创建的节点的目录名称,另一个是该目录中包含的`default`文件。
|
||
|
||
例如,您正在尝试连接到位于123.123.123.123的3260端口上的iSCSI目标。暴露iSCSI目标的服务器实际上位于192.168.1.2,但通过NAT暴露。isciadm将注册_内部_地址而不是_公共_地址:
|
||
```
|
||
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
|
||
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
|
||
[...]
|
||
```
|
||
此命令将在您的文件系统中创建一个目录,如下所示:
|
||
```
|
||
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
|
||
```
|
||
在该目录中,有一个默认文件,包含连接目标所需的所有设置。
|
||
|
||
1. 将 `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` 重命名为 `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/`
|
||
2. 在 `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default` 中,将 `node.conn[0].address` 设置更改为指向 123.123.123.123,而不是 192.168.1.2。这可以通过以下命令完成: `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`
|
||
|
||
您现在可以按照链接中的说明挂载目标。
|
||
|
||
### [在 Windows 上挂载 ISCSI](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10)?redirectedfrom=MSDN>)
|
||
|
||
## **手动枚举**
|
||
```bash
|
||
sudo apt-get install open-iscsi
|
||
```
|
||
首先,您需要**发现IP背后的目标**名称:
|
||
```bash
|
||
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
|
||
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
|
||
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
|
||
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
|
||
```
|
||
_请注意,它将显示您可以到达这些目标的接口的 I**P 和端口**。它甚至可以显示您使用的不同 IP 或内部 IP。_
|
||
|
||
然后您**捕获每行打印字符串的第二部分**(_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ 来自第一行)并**尝试登录**:
|
||
```bash
|
||
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
|
||
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
|
||
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
|
||
```
|
||
然后,您可以使用 `–logout` **注销**。
|
||
```bash
|
||
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
|
||
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
|
||
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
|
||
```
|
||
我们可以通过仅使用 **without** 任何 `--login`/`--logout` 参数找到 **more information**。
|
||
```bash
|
||
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
|
||
# BEGIN RECORD 2.0-873
|
||
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
|
||
node.tpgt = 1
|
||
node.startup = manual
|
||
node.leading_login = No
|
||
iface.hwaddress = <empty>
|
||
iface.ipaddress = <empty>
|
||
iface.iscsi_ifacename = default
|
||
iface.net_ifacename = <empty>
|
||
iface.transport_name = tcp
|
||
iface.initiatorname = <empty>
|
||
iface.bootproto = <empty>
|
||
iface.subnet_mask = <empty>
|
||
iface.gateway = <empty>
|
||
iface.ipv6_autocfg = <empty>
|
||
iface.linklocal_autocfg = <empty>
|
||
iface.router_autocfg = <empty>
|
||
iface.ipv6_linklocal = <empty>
|
||
iface.ipv6_router = <empty>
|
||
iface.state = <empty>
|
||
iface.vlan_id = 0
|
||
iface.vlan_priority = 0
|
||
iface.vlan_state = <empty>
|
||
iface.iface_num = 0
|
||
iface.mtu = 0
|
||
iface.port = 0
|
||
node.discovery_address = 192.168.xx.xx
|
||
node.discovery_port = 3260
|
||
node.discovery_type = send_targets
|
||
node.session.initial_cmdsn = 0
|
||
node.session.initial_login_retry_max = 8
|
||
node.session.xmit_thread_priority = -20
|
||
node.session.cmds_max = 128
|
||
node.session.queue_depth = 32
|
||
node.session.nr_sessions = 1
|
||
node.session.auth.authmethod = None
|
||
node.session.auth.username = <empty>
|
||
node.session.auth.password = <empty>
|
||
node.session.auth.username_in = <empty>
|
||
node.session.auth.password_in = <empty>
|
||
node.session.timeo.replacement_timeout = 120
|
||
node.session.err_timeo.abort_timeout = 15
|
||
node.session.err_timeo.lu_reset_timeout = 30
|
||
node.session.err_timeo.tgt_reset_timeout = 30
|
||
node.session.err_timeo.host_reset_timeout = 60
|
||
node.session.iscsi.FastAbort = Yes
|
||
node.session.iscsi.InitialR2T = No
|
||
node.session.iscsi.ImmediateData = Yes
|
||
node.session.iscsi.FirstBurstLength = 262144
|
||
node.session.iscsi.MaxBurstLength = 16776192
|
||
node.session.iscsi.DefaultTime2Retain = 0
|
||
node.session.iscsi.DefaultTime2Wait = 2
|
||
node.session.iscsi.MaxConnections = 1
|
||
node.session.iscsi.MaxOutstandingR2T = 1
|
||
node.session.iscsi.ERL = 0
|
||
node.conn[0].address = 192.168.xx.xx
|
||
node.conn[0].port = 3260
|
||
node.conn[0].startup = manual
|
||
node.conn[0].tcp.window_size = 524288
|
||
node.conn[0].tcp.type_of_service = 0
|
||
node.conn[0].timeo.logout_timeout = 15
|
||
node.conn[0].timeo.login_timeout = 15
|
||
node.conn[0].timeo.auth_timeout = 45
|
||
node.conn[0].timeo.noop_out_interval = 5
|
||
node.conn[0].timeo.noop_out_timeout = 5
|
||
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
|
||
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
|
||
node.conn[0].iscsi.HeaderDigest = None
|
||
node.conn[0].iscsi.DataDigest = None
|
||
node.conn[0].iscsi.IFMarker = No
|
||
node.conn[0].iscsi.OFMarker = No
|
||
# END RECORD
|
||
```
|
||
**有一个脚本可以自动化基本的子网枚举过程,位于** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm)
|
||
|
||
## **Shodan**
|
||
|
||
- `port:3260 AuthMethod`
|
||
|
||
## **参考文献**
|
||
|
||
- [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
|
||
- [https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm)
|
||
|
||
{{#include ../banners/hacktricks-training.md}}
|