maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/3260-pentesting-iscsi.md

162 lines
8.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 3260 - Pentesting ISCSI
{{#include ../banners/hacktricks-training.md}}
## Basiese Inligting
From [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):
> In rekenaarwetenskap is **iSCSI** 'n akroniem vir **Internet Small Computer Systems Interface**, 'n Internet Protocol (IP)-gebaseerde stoor netwerkstandaard vir die koppel van data stoor fasiliteite. Dit bied blokvlak toegang tot stoor toestelle deur SCSI-opdragte oor 'n TCP/IP-netwerk te dra. iSCSI word gebruik om data oordragte oor intranette te fasiliteer en om stoor oor lang afstande te bestuur. Dit kan gebruik word om data oor plaaslike area netwerke (LANs), wye area netwerke (WANs), of die Internet te stuur en kan plek-onafhanklike data stoor en herwinning moontlik maak.
>
> Die protokol laat kliënte (genoem inisiators) toe om SCSI-opdragte (CDBs) na stoor toestelle (teikens) op afgeleë bedieners te stuur. Dit is 'n stoor area netwerk (SAN) protokol, wat organisasies in staat stel om stoor in stoor arrays te konsolideer terwyl dit kliënte (soos databasis en webbedieners) die illusie van plaaslik aangehegte SCSI skywe bied. Dit kompeteer hoofsaaklik met Fibre Channel, maar anders as tradisionele Fibre Channel wat gewoonlik toegewyde kabels vereis, kan iSCSI oor lang afstande gebruik word met bestaande netwerk infrastruktuur.
**Standaard poort:** 3260
```
PORT STATE SERVICE VERSION
3260/tcp open iscsi?
```
## Opname
```
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```
Hierdie skrip sal aandui of outentisering vereis word.
### [Brute force](../generic-hacking/brute-force.md#iscsi)
### [Mount ISCSI op Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux)
**Let wel:** Jy mag vind dat wanneer jou teikens ontdek word, hulle onder 'n ander IP-adres gelys word. Dit gebeur dikwels as die iSCSI-diens blootgestel word via NAT of 'n virtuele IP. In sulke gevalle sal `iscsiadmin` misluk om te verbind. Dit vereis twee aanpassings: een aan die gidsnaam van die node wat outomaties deur jou ontdekkingaktiwiteite geskep is, en een aan die `default` lêer wat in hierdie gids bevat is.
Byvoorbeeld, jy probeer om te verbind met 'n iSCSI-teiken op 123.123.123.123 op poort 3260. Die bediener wat die iSCSI-teiken blootstel, is eintlik op 192.168.1.2 maar blootgestel via NAT. isciadm sal die _interne_ adres registreer eerder as die _publieke_ adres:
```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
```
Hierdie opdrag sal 'n gids in jou lêerstelsel skep soos volg:
```
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```
Binne die gids is daar 'n standaardlêer met al die instellings wat nodig is om met die teiken te verbind.
1. Hernoem `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` na `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/`
2. Binne `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, verander die `node.conn[0].address` instelling om na 123.123.123.123 te wys in plaas van 192.168.1.2. Dit kan gedoen word met 'n opdrag soos `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`
U kan nou die teiken monteer volgens die instruksies in die skakel.
### [Monteer ISCSI op Windows](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10)?redirectedfrom=MSDN>)
## **Handmatige opsporing**
```bash
sudo apt-get install open-iscsi
```
Eerstens moet jy die **targets** naam agter die IP ontdek:
```bash
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
```
_Note dat dit die I**P en poort van die interfaces** sal wys waar jy die **teikens** kan **bereik**. Dit kan selfs **interne IP's of verskillende IP's** van die een wat jy gebruik het, **wys**._
Dan **vang jy die 2de deel van die gedrukte string van elke lyn** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ van die eerste lyn) en **probeer om in te log**:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Dan kan jy **logout** gebruik met `logout`
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
```
Ons kan **meer inligting** daaroor vind deur net **sonder** enige `--login`/`--logout` parameter te gebruik.
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.startup = manual
node.leading_login = No
iface.hwaddress = <empty>
iface.ipaddress = <empty>
iface.iscsi_ifacename = default
iface.net_ifacename = <empty>
iface.transport_name = tcp
iface.initiatorname = <empty>
iface.bootproto = <empty>
iface.subnet_mask = <empty>
iface.gateway = <empty>
iface.ipv6_autocfg = <empty>
iface.linklocal_autocfg = <empty>
iface.router_autocfg = <empty>
iface.ipv6_linklocal = <empty>
iface.ipv6_router = <empty>
iface.state = <empty>
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state = <empty>
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
node.discovery_address = 192.168.xx.xx
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = None
node.session.auth.username = <empty>
node.session.auth.password = <empty>
node.session.auth.username_in = <empty>
node.session.auth.password_in = <empty>
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 192.168.xx.xx
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD
```
**Daar is 'n skrif om die basiese subnet-opsomming proses te outomatiseer beskikbaar by** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm)
## **Shodan**
- `port:3260 AuthMethod`
## **Verwysings**
- [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
- [https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm)
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink