Hacktricks-skills iscsi-pentesting

Pentest iSCSI (Internet Small Computer Systems Interface) services on port 3260. Use this skill whenever you need to enumerate, authenticate, or mount iSCSI targets during security assessments. Trigger this skill when you see port 3260 open, need to discover iSCSI targets, want to access remote block storage, or are investigating storage vulnerabilities during penetration testing.

Source (clone the upstream repo):
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/3260-pentesting-iscsi/SKILL.MD

iSCSI Pentesting

This skill helps you enumerate, authenticate, and mount iSCSI targets during security assessments. iSCSI (Internet Small Computer Systems Interface) is a storage networking protocol that provides block-level access to storage devices over TCP/IP networks.

Default port: 3260/tcp

Quick Start

# Install required tools
sudo apt-get install open-iscsi

# Quick enumeration
nmap -sV --script=iscsi-info -p 3260 <target-ip>

Enumeration

1. Nmap Discovery

Use Nmap to identify iSCSI services and check if authentication is required:

nmap -sV --script=iscsi-info -p 3260 <target-ip>

What to look for:

  • Service version information
  • Whether authentication is required
  • Target IQN identifiers

2. Manual Target Discovery

Discover available iSCSI targets using iscsiadm:

iscsiadm -m discovery -t sendtargets -p <target-ip>:3260

Example output:

123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382

Important: The discovery may show internal IPs or different IPs from the one you used, especially if the service is exposed via NAT or a virtual IP.
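Added example (not part of the original page): a small parser that splits discovery output into address, port, portal group tag and IQN, and lists the portals whose address differs from the one that was queried, which is the NAT case the note above describes. The function names are hypothetical; the sample input is the example output shown above.

```shell
# Constructed sample: the two discovery lines shown in the example output.
sample_discovery() {
cat <<'EOF'
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
EOF
}

# parse_discovery (hypothetical helper): read "address:port,tpgt iqn" lines on
# stdin and print "address port tpgt iqn", unwrapping bracketed IPv6 portals.
parse_discovery() {
  awk 'NF >= 2 {
    n = split($1, pt, ",")            # pt[1] = address:port, pt[2] = portal group tag
    tpgt = (n > 1) ? pt[2] : "-"
    ap = pt[1]
    if (substr(ap, 1, 1) == "[") {    # [v6-address]:port
      rb = index(ap, "]")
      addr = substr(ap, 2, rb - 2)
      port = substr(ap, rb + 2)
    } else {                          # v4-address:port or hostname:port
      c = index(ap, ":")
      addr = substr(ap, 1, c - 1)
      port = substr(ap, c + 1)
    }
    print addr, port, tpgt, $2
  }'
}

# portals_differing_from QUERIED_IP (hypothetical helper): print "address iqn"
# for every advertised portal whose address is not the one that was queried.
# The comparison is textual, so write IPv6 addresses the way the target does.
portals_differing_from() {
  parse_discovery | awk -v q="$1" '$1 != q { print $1, $4 }'
}

# Usage against a live portal:
#   iscsiadm -m discovery -t sendtargets -p <target-ip>:3260 | portals_differing_from <target-ip>
```

Any line this prints is a portal whose node record will carry an address other than the one you connected to, so check node.conn[0].address for it before logging in.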

3. Extract Target Information

For each discovered target, extract the IQN (the second part of each line) and attempt to gather more information:

iscsiadm -m node --targetname="<iqn-identifier>" -p <target-ip>:3260

This shows configuration details including:

  • Authentication method (node.session.auth.authmethod)
  • Connection addresses (node.conn[0].address)
  • Session parameters

Authentication

Login to Target

Attempt to log in to the discovered target:

iscsiadm -m node --targetname="<iqn-identifier>" -p <target-ip>:3260 --login

Success indicator:

Login to [iface: default, target: <iqn>, portal: <ip>,3260] successful.

Logout from Target

iscsiadm -m node --targetname="<iqn-identifier>" -p <target-ip>:3260 --logout

Brute Force Authentication

If authentication is required, refer to brute force techniques for iSCSI credentials. Common approaches include:

  • Dictionary attacks on username/password
  • Default credential testing
  • Empty credential attempts

NAT Handling (Critical)

When targets are discovered via NAT or virtual IPs, iscsiadm may register the internal address instead of the public address. This requires manual configuration:

Step 1: Rename the Node Directory

After discovery, a directory is created like:

/etc/iscsi/nodes/<iqn>/<internal-ip>,3260,1/

Rename it to use the public IP:

mv "/etc/iscsi/nodes/<iqn>/<internal-ip>,3260,1/" "/etc/iscsi/nodes/<iqn>/<public-ip>,3260,1/"

Step 2: Update Connection Address

Edit the default configuration file:

sed -i 's/<internal-ip>/<public-ip>/g' "/etc/iscsi/nodes/<iqn>/<public-ip>,3260,1/default"

Or manually edit:

nano "/etc/iscsi/nodes/<iqn>/<public-ip>,3260,1/default"

Change node.conn[0].address from the internal to the public IP.
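Added example (not code from the original page or from open-iscsi): Steps 1 and 2 as one function that rewrites only the node.conn[0].address line, so dots in the address are never treated as regex wildcards and a neighbouring address such as 10.0.0.50 is left alone. It assumes the record layout shown above; retarget_node, make_sample_record and the sample addresses are made up for the demonstration.

```shell
# make_sample_record DIR IQN IP (hypothetical): write a constructed node record.
# discovery_address is IP with a trailing 0 (10.0.0.5 -> 10.0.0.50) to show
# that a look-alike value survives the edit.
make_sample_record() {
  mkdir -p "$1/$2/$3,3260,1" && cat > "$1/$2/$3,3260,1/default" <<EOF
node.name = $2
node.tpgt = 1
node.discovery_address = ${3}0
node.conn[0].address = $3
node.conn[0].port = 3260
EOF
}

# retarget_node NODES_DIR IQN INTERNAL_IP PUBLIC_IP (hypothetical helper)
retarget_node() {
  nodes=$1; iqn=$2; internal=$3; public=$4
  src="$nodes/$iqn/$internal,3260,1"
  dst="$nodes/$iqn/$public,3260,1"
  [ -f "$src/default" ] || { echo "no node record at $src" >&2; return 1; }
  [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 1; }
  tmp=$(mktemp) || return 1
  # Match the key as a literal string and replace its whole value; fail if
  # the key is not present exactly once, leaving the record untouched.
  awk -v new="$public" '
    index($0, "node.conn[0].address = ") == 1 { print "node.conn[0].address = " new; n++; next }
    { print }
    END { exit (n == 1 ? 0 : 1) }' "$src/default" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Step 1 (rename), then Step 2 (write the edited record); cat keeps the file mode.
  mv "$src" "$dst" && cat "$tmp" > "$dst/default"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Offline demo on a scratch directory instead of /etc/iscsi/nodes:
#   d=$(mktemp -d); make_sample_record "$d" iqn.2000-01.com.example:target0 10.0.0.5
#   retarget_node "$d" iqn.2000-01.com.example:target0 10.0.0.5 203.0.113.10
```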

Mounting iSCSI Targets

On Linux

After successful login, the target should appear as a block device:

# List available devices
lsblk

# Create the mount point and mount the device
sudo mkdir -p /mnt/iscsi-target
sudo mount /dev/sdX1 /mnt/iscsi-target

On Windows

Use the Microsoft iSCSI Initiator:

  1. Open "iSCSI Initiator" from Administrative Tools
  2. Enter the target IP in the "Quick Connect" field
  3. Click "Connect"
  4. Initialize and format the disk in Disk Management

Shodan Reconnaissance

Search for iSCSI services with specific configurations:

# Find iSCSI services with authentication method info
port:3260 AuthMethod

# Find all iSCSI services
port:3260

Common Issues and Solutions

Issue: Connection fails after discovery

Solution: Check if NAT is involved. The discovery may show internal IPs. Follow the NAT handling steps above.

Issue: Authentication required

Solution: Check node.session.auth.authmethod in the target info. If set to CHAP or CHAP_MUTUAL, you'll need credentials. Try brute force or default credentials.

Issue: Target not appearing after login

Solution:

  1. Verify login was successful
  2. Check lsblk for new block devices
  3. Try iscsiadm -m session to verify active sessions

Workflow Summary

  1. Discover - Use Nmap or iscsiadm to find targets
  2. Enumerate - Extract IQN and configuration details
  3. Authenticate - Login with or without credentials
  4. Handle NAT - If needed, fix IP address mismatches
  5. Mount - Access the storage as a block device
  6. Extract - Copy data or analyze contents
  7. Cleanup - Logout and unmount
