3260 - Pentesting ISCSI

Reading time: 6 minutes

Basic Information

From Wikipedia:

Katika kompyuta, iSCSI ni kifupi cha Internet Small Computer Systems Interface, kiwango cha mtandao wa kuhifadhi data kilichotegemea Protokali ya Mtandao (IP) kwa ajili ya kuunganisha vifaa vya kuhifadhi data. Inatoa ufikiaji wa kiwango cha block kwa vifaa vya kuhifadhi kwa kubeba amri za SCSI kupitia mtandao wa TCP/IP. iSCSI inatumika kuwezesha uhamishaji wa data kupitia intranets na kusimamia uhifadhi kwa umbali mrefu. Inaweza kutumika kuhamasisha data kupitia mitandao ya eneo la ndani (LANs), mitandao ya eneo pana (WANs), au Mtandao na inaweza kuwezesha uhifadhi na upatikanaji wa data bila kujali eneo.

Protokali hii inaruhusu wateja (wanaitwa waanzilishi) kutuma amri za SCSI (CDBs) kwa vifaa vya kuhifadhi (malengo) kwenye seva za mbali. Ni protokali ya mtandao wa eneo la kuhifadhi (SAN), ikiruhusu mashirika kuunganisha uhifadhi katika mfululizo wa kuhifadhi huku ikitoa wateja (kama vile seva za database na wavuti) hisia ya diski za SCSI zilizounganishwa kwa ndani. Inashindana hasa na Fibre Channel, lakini tofauti na Fibre Channel ya jadi ambayo kawaida inahitaji nyaya maalum, iSCSI inaweza kuendeshwa kwa umbali mrefu kwa kutumia miundombinu ya mtandao iliyopo.

Default port: 3260

PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?

Uhesabu

nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx

Hii skripti itaonyesha ikiwa uthibitisho unahitajika.

Brute force

Mount ISCSI kwenye Linux

Kumbuka: Unaweza kupata kwamba wakati malengo yako yanagunduliwa, yanatajwa chini ya anwani tofauti ya IP. Hii hutokea ikiwa huduma ya iSCSI imewekwa wazi kupitia NAT au IP ya virtual. Katika hali kama hizi, iscsiadmin itashindwa kuungana. Hii inahitaji marekebisho mawili: moja kwa jina la saraka ya nodi iliyoundwa kiotomatiki na shughuli zako za kugundua, na moja kwa faili ya default iliyomo ndani ya saraka hii.

Kwa mfano, unajaribu kuungana na lengo la iSCSI kwenye 123.123.123.123 kwenye bandari 3260. Server inayofichua lengo la iSCSI iko kwa 192.168.1.2 lakini imewekwa wazi kupitia NAT. isciadm itarekodi anwani ya ndani badala ya anwani ya umma:

iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]

Amri hii itaunda saraka katika mfumo wako wa faili kama hii:

/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/

Katika saraka, kuna faili ya default yenye mipangilio yote muhimu kuungana na lengo.

1. Badilisha jina la /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/ kuwa /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/
2. Ndani ya /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default, badilisha mipangilio ya node.conn[0].address ili kuelekeza kwenye 123.123.123.123 badala ya 192.168.1.2. Hii inaweza kufanywa kwa amri kama sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default

Sasa unaweza kuunganisha lengo kama ilivyoelezwa katika maagizo kwenye kiungo.

Mount ISCSI on Windows

Manual enumeration

sudo apt-get install open-iscsi

Kwanza kabisa unahitaji kuvumbua majina ya malengo nyuma ya IP:

iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382

Kumbuka kwamba itonyesha IP na bandari za interfaces ambapo unaweza kufikia hizo malengo. Inaweza hata kuonyesha IP za ndani au IP tofauti na ile uliyotumia.

Kisha shika sehemu ya 2 ya mfuatano wa maandiko ya kila mstari (iqn.1992-05.com.emc:fl1001433000190000-3-vnxe kutoka mstari wa kwanza) na jaribu kuingia:

iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.

Kisha, unaweza logout ukitumia –logout

iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.

Tunaweza kupata maelezo zaidi kuhusu hiyo kwa kutumia tu bila parameter yoyote ya --login/--logout

iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
# BEGIN RECORD 2.0-873
node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
node.tpgt = 1
node.startup = manual
node.leading_login = No
iface.hwaddress = <empty>
iface.ipaddress = <empty>
iface.iscsi_ifacename = default
iface.net_ifacename = <empty>
iface.transport_name = tcp
iface.initiatorname = <empty>
iface.bootproto = <empty>
iface.subnet_mask = <empty>
iface.gateway = <empty>
iface.ipv6_autocfg = <empty>
iface.linklocal_autocfg = <empty>
iface.router_autocfg = <empty>
iface.ipv6_linklocal = <empty>
iface.ipv6_router = <empty>
iface.state = <empty>
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state = <empty>
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
node.discovery_address = 192.168.xx.xx
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = None
node.session.auth.username = <empty>
node.session.auth.password = <empty>
node.session.auth.username_in = <empty>
node.session.auth.password_in = <empty>
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 192.168.xx.xx
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD

Kuna skripti ya kuandaa mchakato wa msingi wa kuhesabu subnet inapatikana kwenye iscsiadm

Shodan

• port:3260 AuthMethod

Marejeleo

• https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
• https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm