iSCSI
aka iscsi-target, lun
SCSI block storage over IP on 3260. Targets are often exported with no (or weak CHAP) authentication — discover the target, log in, and the raw LUN mounts as a local disk you can read straight off.
Ports
| Port | Proto | Notes |
|---|---|---|
3260 | tcp | iSCSI target |
Fingerprint
- nmap iscsi-info lists targets + auth requirement
- iscsiadm discovery returns target IQNs
Key files
| Path | Holds | Sensitive |
|---|---|---|
exported LUN (block device) | whole filesystem images, VMs, backups | sensitive |
Exploitation primitives
- Discover exported targets (IQNs) — often no auth
- Log in and the LUN appears as /dev/sdX; mount it and read the filesystem
- Weak CHAP secrets crack offline (nmap iscsi-brute)
Overview
iSCSI on 3260 serves raw block devices over the network. If a target allows you to log in, you mount its disk and read everything on it — including VM images and backups.
Enumeration
Scan for targets + auth:
nmap -p3260 --script iscsi-info <TARGET>Discover target IQNs:
sudo iscsiadm -m discovery -t sendtargets -p <TARGET>:3260Mount the LUN
Log into the target:
sudo iscsiadm -m node --targetname "<IQN>" -p <TARGET>:3260 --loginIt appears as a new block device — find and mount it:
lsblk && sudo mount /dev/sdb1 /mntCrack CHAP (if required)
nmap -p3260 --script iscsi-brute <TARGET>Hardening
Require mutual CHAP with strong secrets, bind targets to specific initiator IQNs/IPs, and isolate the storage network.