CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure
This module sends a query to port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and the management station (such as SmartCenter) name via a pre-authentication request. The string returned is the CheckPoint Internal CA CN for SmartCenter and the firewall host. Although this is considered "public" information, the majority of installations use detailed hostnames, which may aid an attacker in focusing on compromising the SmartCenter host. The disclosure also matters for government, intelligence and military networks where the hostname reveals the physical location and rack number of the device, which may be unintentionally published to the world.
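Because the query is pre-authentication, a defender can look for it in flow logs: connections to 264/TCP from sources that are not known SecuRemote clients. The following is an added example, not code from the module or its authors; the log format, the trusted client network and the sweep threshold are assumptions, and the flow records are constructed.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

TOPOLOGY_PORT = 264  # SecuRemote topology service port named on this page

# Assumption: networks from which SecuRemote clients legitimately connect.
TRUSTED_CLIENT_NETS = [ip_network("10.20.0.0/16")]

# Constructed sample flow records (not real traffic): time,src,dst,dport,proto
SAMPLE_FLOWS = """\
2024-01-10T09:00:01Z,10.20.4.17,192.0.2.10,264,tcp
2024-01-10T09:00:05Z,198.51.100.23,192.0.2.10,264,tcp
2024-01-10T09:00:06Z,198.51.100.23,192.0.2.11,264,tcp
2024-01-10T09:00:07Z,198.51.100.23,192.0.2.12,264,tcp
2024-01-10T09:01:30Z,203.0.113.5,192.0.2.10,443,tcp
2024-01-10T09:02:00Z,203.0.113.5,192.0.2.11,264,tcp
"""


def is_trusted(src):
    """True when the source address lies inside a trusted client network."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_CLIENT_NETS)


def untrusted_topology_queries(flow_text):
    """Map each untrusted source to the set of firewalls it reached on 264/TCP."""
    hits = defaultdict(set)
    for _ts, src, dst, dport, proto in csv.reader(io.StringIO(flow_text)):
        if proto == "tcp" and int(dport) == TOPOLOGY_PORT and not is_trusted(src):
            hits[src].add(dst)
    return dict(hits)


def classify(hits, sweep_threshold=3):
    """Label a source 'sweep' when it touched several firewalls, else 'single'."""
    return {src: ("sweep" if len(dsts) >= sweep_threshold else "single")
            for src, dsts in hits.items()}


if __name__ == "__main__":
    found = untrusted_topology_queries(SAMPLE_FLOWS)
    for src, label in sorted(classify(found).items()):
        print(f"{src} {label} -> {sorted(found[src])}")
```

Where SecuRemote clients connect from arbitrary addresses, the allowlist cannot be enforced and the per-source sweep count is the more useful signal.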
Rank
- Normal
Authors
- patrick < patrick [at] osisecurity.com.au >
Vulnerability References
- http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostn...
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGovie...
Similar Modules
- auxiliary/gather/android_htmlfileprovider
- auxiliary/gather/citrix_published_applications
- auxiliary/gather/citrix_published_bruteforce
- auxiliary/gather/corpwatch_lookup_id
- auxiliary/gather/corpwatch_lookup_name
- auxiliary/gather/d20pass
- auxiliary/gather/enum_dns
- auxiliary/gather/natpmp_external_address
- auxiliary/gather/search_email_collector
- auxiliary/gather/shodan_search
Usage Information
$ msfconsole
msf > use auxiliary/gather/checkpoint_hostname
msf auxiliary(checkpoint_hostname) > set RHOST [TARGET IP]
msf auxiliary(checkpoint_hostname) > run
Module Options
| Option | Description |
| --- | --- |
| RHOST | The target address |
| RPORT | The target port (default: 264) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| TCP::max_send_size | Maximum TCP segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |
