Port reference
Port 3260 (TCP) – iSCSI Target
iSCSI target — exposes raw block storage (LUNs) over TCP/IP to remote initiators.
Default state
Open on SANs, NAS appliances, and servers serving iSCSI LUNs, frequently with no authentication or weak one-way CHAP.
Common attacks
- Unauthenticated LUN discovery and mounting
- Weak or one-way CHAP allowing initiator spoofing
- Cleartext data and credential interception
- Data theft or tampering on exposed block volumes
Hardening
- Require mutual (bidirectional) CHAP authentication
- Restrict targets to a dedicated, isolated storage network
- Never expose 3260 to the internet or general LAN
- Use initiator allowlists (IQN) and per-LUN ACLs
- Use IPsec or a private VLAN to protect cleartext traffic
nmap snippet
nmap -p3260 --script iscsi-info,iscsi-brute <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 3260?
Port 3260 is the default for an iSCSI target, which exposes raw block storage — LUNs — over TCP/IP. Remote initiators (servers, hypervisors) connect, discover targets, and mount the LUNs as if they were local disks. iSCSI is a common SAN technology behind databases, virtual-machine datastores, and backup volumes, served by SANs, NAS appliances, and Linux/Windows targets.
Why it matters for security
iSCSI presents block devices, not files, so anyone who can mount a LUN reads and writes the disk directly, bypassing filesystem permissions. Many targets ship with no authentication or only one-way CHAP, which lets an attacker discover and mount volumes or spoof an initiator. Because traffic is cleartext by default, CHAP secrets and data can also be intercepted on a shared network.
How it's attacked
Attackers scan TCP 3260, perform discovery to enumerate exposed targets, and mount LUNs that lack authentication. Where only one-way CHAP is set, they brute force or sniff the secret and spoof an initiator. Mounted volumes are then read, copied, or tampered with, leaking databases and VM images.
Hardening checklist
Require mutual (bidirectional) CHAP, and confine targets to a dedicated, isolated storage network — never the internet or general LAN. Use initiator allowlists (IQN) and per-LUN ACLs so only authorized hosts can attach, and add IPsec or a private VLAN to protect cleartext traffic. Use the nmap snippet above to enumerate targets and test CHAP on systems you are authorized to assess.
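The checklist above can also be checked from the target side. The following is an added example, not part of the original page: it audits a target configuration for missing IQN allowlists, unenforced or one-way CHAP, and portals bound outside the storage network. It assumes a Linux LIO target saved in targetcli's saveconfig.json layout; the sample data, the function name audit and the storage subnet 10.50.0.0/24 are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of a Linux LIO (targetcli) saveconfig.json;
# IQNs, addresses and secrets are made up. Field semantics are assumptions.
SAMPLE = json.loads("""
{"targets": [
 {"fabric": "iscsi", "wwn": "iqn.2024-01.example.san:open", "tpgs": [{
   "attributes": {"authentication": 0, "generate_node_acls": 1},
   "portals": [{"ip_address": "0.0.0.0", "port": 3260}], "node_acls": []}]},
 {"fabric": "iscsi", "wwn": "iqn.2024-01.example.san:db", "tpgs": [{
   "attributes": {"authentication": 1, "generate_node_acls": 0},
   "portals": [{"ip_address": "10.50.0.10", "port": 3260}],
   "node_acls": [
    {"node_wwn": "iqn.2024-01.example.host:db1",
     "chap_userid": "db1", "chap_password": "constructed-1",
     "chap_mutual_userid": "san", "chap_mutual_password": "constructed-2"},
    {"node_wwn": "iqn.2024-01.example.host:db2",
     "chap_userid": "db2", "chap_password": "constructed-3"}]}]}
]}
""")

def audit(config, storage_net="10.50.0.0/24"):
    """Return (target IQN, finding) pairs for gaps against the hardening list."""
    net = ipaddress.ip_network(storage_net)  # assumed dedicated storage subnet
    findings = []
    for target in config.get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        iqn = target["wwn"]
        for tpg in target.get("tpgs", []):
            attrs = tpg.get("attributes", {})
            if int(attrs.get("generate_node_acls", 0)):
                findings.append((iqn, "no IQN allowlist: any initiator accepted"))
            if not int(attrs.get("authentication", 0)):
                findings.append((iqn, "CHAP not enforced"))
            for portal in tpg.get("portals", []):
                addr = portal["ip_address"].strip("[]")  # tolerate [v6] form
                if ipaddress.ip_address(addr) not in net:
                    findings.append((iqn, f"portal {addr} outside storage network"))
            for acl in tpg.get("node_acls", []):
                if not (acl.get("chap_userid") and acl.get("chap_password")):
                    findings.append((iqn, f"{acl['node_wwn']}: no CHAP credentials"))
                elif not (acl.get("chap_mutual_userid") and acl.get("chap_mutual_password")):
                    findings.append((iqn, f"{acl['node_wwn']}: one-way CHAP only"))
    return findings

for iqn, finding in audit(SAMPLE):
    print(f"{iqn}: {finding}")
```

On the constructed sample this reports three findings for the open target and one one-way CHAP finding for the db target.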
Frequently asked questions
- Why is an exposed iSCSI target dangerous?
- iSCSI serves raw block devices. An attacker who can reach and mount a LUN reads or writes the disk directly — stealing files, databases, or VM images, or corrupting them, without any filesystem-level permissions.
- Does iSCSI encrypt data?
- Not by default. iSCSI traffic, including CHAP exchanges, is cleartext unless wrapped in IPsec. Keep it on an isolated storage VLAN and add IPsec if it must traverse untrusted links.