Nmap Development mailing list archives

Re: [NSE] iSCSI library and scripts


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 5 Dec 2010 23:49:21 +0100


On 5 dec 2010, at 23.17, Matt Selsky wrote:


On Dec 4, 2010, at 1:55 PM, Patrik Karlsson wrote:


On 23 nov 2010, at 14.24, Matt Selsky wrote:



On Thu, 18 Nov 2010, Patrik Karlsson wrote:

Hi,

I'm attaching some of my recent work where I've attempted to implement the iSCSI protocol in Nmap.
There are two scripts, a library and a probe with matching match lines to detect the iSCSI target.
The iscsi-info script attempts to list all available iSCSI targets and whether they're protected by authentication or not.
The iscsi-brute script attempts to brute force CHAP authentication against a given iSCSI target.

Feedback, comments and test results are most welcome. I've done all testing against OpenFiler myself.
//Patrik



Testing against IBM XIV's iSCSI implementation.  I scanned all 6 iSCSI interfaces:

$ ./nmap --datadir=. --script=iscsi-info -sV -p 3260 10.192.11.244 10.192.11.245 10.192.11.246 10.192.11.247 10.192.11.248 10.192.11.249

Starting Nmap 5.36TEST2 ( http://nmap.org ) at 2010-11-23 08:12 EST
Nmap scan report for xiv523-m7p1 (10.192.11.244)
Host is up (0.00021s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   iqn.2005-10.com.xivstorage:002523
|_    Target address: 10.192.11.244:3260,1

Nmap scan report for xiv523-m7p2 (10.192.11.245)
Host is up (0.00022s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   iqn.2005-10.com.xivstorage:002523
|_    Target address: 10.192.11.244:3260,1

Nmap scan report for xiv523-m8p1 (10.192.11.246)
Host is up (0.00027s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   iqn.2005-10.com.xivstorage:002523
|_    Target address: 10.192.11.244:3260,1

Nmap scan report for xiv523-m8p2 (10.192.11.247)
Host is up (0.00025s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   iqn.2005-10.com.xivstorage:002523
|_    Target address: 10.192.11.244:3260,1

Nmap scan report for xiv523-m9p1 (10.192.11.248)
Host is up (0.00023s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   iqn.2005-10.com.xivstorage:002523
|_    Target address: 10.192.11.244:3260,1

Nmap scan report for xiv523-m9p2 (10.192.11.249)
Host is up (0.00022s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info:
|   iqn.2005-10.com.xivstorage:002523
|_    Target address: 10.192.11.244:3260,1

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 6 IP addresses (6 hosts up) scanned in 83.69 seconds


iscsiadm shows different target addresses:

# /sbin/iscsiadm -m node
10.192.11.249:3260,5 iqn.2005-10.com.xivstorage:002523
10.192.11.244:3260,1 iqn.2005-10.com.xivstorage:002523
10.192.11.247:3260,4 iqn.2005-10.com.xivstorage:002523
10.192.11.245:3260,6 iqn.2005-10.com.xivstorage:002523
10.192.11.248:3260,3 iqn.2005-10.com.xivstorage:002523
10.192.11.246:3260,2 iqn.2005-10.com.xivstorage:002523

The number after the comma changes in the iscsiadm output, but not the iscsi-info output.

Let me know if you need debug output.

Cheers,


-- 
Matt

This took a little longer than I expected, but I've been busy with other stuff.
I have looked at the pcap you sent off-list and made quite a few changes to both the script and library.
It should now work properly and return the results you're expecting. Could you try it again?
I'm attaching the new files.

Here's the new output:

$ ./nmap --datadir=. --script=iscsi-info -sV -p 3260 10.192.11.244 10.192.11.245 10.192.11.246 10.192.11.247 10.192.11.248 10.192.11.249

Starting Nmap 5.36TEST2 ( http://nmap.org ) at 2010-12-05 16:56 EST
Nmap scan report for xiv523-m7p1 (10.192.11.244)
Host is up (0.00023s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info: 
|   Target: iqn.2005-10.com.xivstorage:002523
|     Address: 10.192.11.244:3260,1
|     Address: 10.192.11.246:3260,2
|     Address: 10.192.11.248:3260,3
|     Address: 10.192.11.247:3260,4
|     Address: 10.192.11.249:3260,5
|     Address: 10.192.11.245:3260,6
|_    Authentication: Failed to logout

Nmap scan report for xiv523-m7p2 (10.192.11.245)
Host is up (0.00023s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info: 
|   Target: iqn.2005-10.com.xivstorage:002523
|     Address: 10.192.11.244:3260,1
|     Address: 10.192.11.246:3260,2
|     Address: 10.192.11.248:3260,3
|     Address: 10.192.11.247:3260,4
|     Address: 10.192.11.249:3260,5
|     Address: 10.192.11.245:3260,6
|_    Authentication: Failed to logout

Nmap scan report for xiv523-m8p1 (10.192.11.246)
Host is up (0.00028s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info: 
|   Target: iqn.2005-10.com.xivstorage:002523
|     Address: 10.192.11.244:3260,1
|     Address: 10.192.11.246:3260,2
|     Address: 10.192.11.248:3260,3
|     Address: 10.192.11.247:3260,4
|     Address: 10.192.11.249:3260,5
|     Address: 10.192.11.245:3260,6
|_    Authentication: Failed to logout

Nmap scan report for xiv523-m8p2 (10.192.11.247)
Host is up (0.00025s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info: 
|   Target: iqn.2005-10.com.xivstorage:002523
|     Address: 10.192.11.244:3260,1
|     Address: 10.192.11.246:3260,2
|     Address: 10.192.11.248:3260,3
|     Address: 10.192.11.247:3260,4
|     Address: 10.192.11.249:3260,5
|     Address: 10.192.11.245:3260,6
|_    Authentication: Failed to logout

Nmap scan report for xiv523-m9p1 (10.192.11.248)
Host is up (0.00024s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info: 
|   Target: iqn.2005-10.com.xivstorage:002523
|     Address: 10.192.11.244:3260,1
|     Address: 10.192.11.246:3260,2
|     Address: 10.192.11.248:3260,3
|     Address: 10.192.11.247:3260,4
|     Address: 10.192.11.249:3260,5
|     Address: 10.192.11.245:3260,6
|_    Authentication: Failed to logout

Nmap scan report for xiv523-m9p2 (10.192.11.249)
Host is up (0.00025s latency).
PORT     STATE SERVICE VERSION
3260/tcp open  iscsi?
| iscsi-info: 
|   Target: iqn.2005-10.com.xivstorage:002523
|     Address: 10.192.11.244:3260,1
|     Address: 10.192.11.246:3260,2
|     Address: 10.192.11.248:3260,3
|     Address: 10.192.11.247:3260,4
|     Address: 10.192.11.249:3260,5
|     Address: 10.192.11.245:3260,6
|_    Authentication: Failed to logout

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 6 IP addresses (6 hosts up) scanned in 83.74 seconds


Thanks Matt. Except for that ugly "Failed to logout" message, which is addressed in this attached version, it looks more accurate.
Does anyone have any objections to me committing the library and two scripts?

//P


Attachment: iscsi-info.nse
Description:


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
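
The difference discussed in this thread (one address repeated per host versus every portal with its own tag after the comma) comes down to how the discovery reply is grouped. The following is an added example, not code from the attached library or scripts: it assumes the reply is the RFC 3720 SendTargets text response and parses it so that each target keeps all of its portals; the function names, the second target and the IPv6 portal are constructed for illustration.

```python
import re

# Constructed SendTargets text response: NUL-terminated key=value pairs,
# zero-padded at the end. The first target reuses names from the thread;
# the second target and its IPv6 portal are made up for the example.
SAMPLE = (
    b"TargetName=iqn.2005-10.com.xivstorage:002523\x00"
    b"TargetAddress=10.192.11.244:3260,1\x00"
    b"TargetAddress=10.192.11.246:3260,2\x00"
    b"TargetName=iqn.2010-12.example:ipv6\x00"
    b"TargetAddress=[2001:db8::10]:3260,3\x00"
    b"\x00\x00"
)

# host or [ipv6], optional :port, optional ,portal-group-tag
ADDR_RE = re.compile(r"^(\[[^\]]+\]|[^:,\[\]]+)(?::(\d+))?(?:,(\d+))?$")

def parse_sendtargets(data):
    """Return {target_name: [(host, port, portal_group_tag), ...]}."""
    targets, current = {}, None
    for raw in data.split(b"\x00"):
        if not raw:                      # terminator or padding
            continue
        key, sep, value = raw.decode("utf-8", "replace").partition("=")
        if not sep:
            raise ValueError("not a key=value pair: %r" % raw)
        if key == "TargetName":
            current = targets.setdefault(value, [])
        elif key == "TargetAddress":
            if current is None:
                raise ValueError("TargetAddress before any TargetName")
            m = ADDR_RE.match(value)
            if m is None:
                raise ValueError("bad TargetAddress: %r" % value)
            host, port, tag = m.groups()
            current.append((host.strip("[]"), int(port or 3260),
                            int(tag) if tag else None))
    return targets

def as_node_lines(targets):
    """Render 'address:port,tag name' lines for comparison with iscsiadm."""
    lines = []
    for name, portals in targets.items():
        for host, port, tag in portals:
            addr = "[%s]" % host if ":" in host else host
            suffix = "" if tag is None else ",%d" % tag
            lines.append("%s:%d%s %s" % (addr, port, suffix, name))
    return sorted(lines)
```

Sorting the rendered lines and comparing them with a sorted `iscsiadm -m node` listing from an initiator shows at once whether a scanner dropped portals or tags.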
