I created a NMAP NSE script that can identify and enumerate iSCSI targets on a host when the service has been identified to be running on port 3260. Currently the script only identifies all the target names on the service and their associated target addresses. Improvements for the future could be to identify the authentication protocol in use (if any) as well as adding brute force functionality.

A copy of the script can be downloaded from http://www.securitywire.com/nse/iscsi-enum-targets.nse

To use the script, it needs to be copied to your NMAP scripts folder (that would be /usr/share/nmap/scripts/ on many installations). After copying the script to the proper location, you need to run “nmap –script-updatedb” for NMAP to reload it’s script table and be aware of the new script.

Here is an example output of the script:

$ nmap -sC localhost -p 3260

Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-10 09:29 EDT
Interesting ports on localhost (127.0.0.1):
PORT     STATE SERVICE
3260/tcp open  iscsi
|  iscsi-enum-targets: iSCSI Targets found
|  TargetName=iqn.2009-10.com.securitywire:storage.lun2
|  TargetAddress=127.0.0.1:3260,1
|  TargetName=iqn.2009-10.com.securitywire:storage.lun1
|_ TargetAddress=127.0.0.1:3260,1

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

I only have limited resources to test the script, I would be interested to hear how it works out across a wide variety of iSCSI targets.