Check Point Firewall - Port 264

Basic info

CheckPoint Firewall-1 is a widely used firewall solution, but certain configurations allow attackers to extract valuable information about the firewall and its management station. This article will demonstrate how an attacker can leverage port 264/TCP to obtain critical details using publicly available tools and commands.

CheckPoint Firewall-1 includes a SecuRemote Topology service running on port 264/TCP, which allows unauthenticated queries. By interacting with this service, attackers can retrieve the firewall's hostname and the SmartCenter management station's name—potentially leading to further attacks.

The ability to obtain these details is particularly dangerous because it helps attackers map the network infrastructure, identify targets for further exploitation, and develop customized phishing attacks.


Exploiting CheckPoint Firewall-1 with Metasploit

Metasploit provides a module that can interact with the firewall to extract its hostname and management station name.

Step 1: Load the Metasploit Module

Open Metasploit and load the auxiliary module:

Step 2: Set Target IP Address

Set the RHOST parameter to the target CheckPoint Firewall-1 instance:

Step 3: Execute the Module

Run the module to interact with the firewall:

If the firewall is vulnerable, the module will successfully contact the SecuRemote Topology service and return output similar to:

This confirms the presence of the firewall and exposes its internal naming conventions.


Alternative Method: Extracting Hostname and ICA Name Manually

If Metasploit is unavailable, a direct Netcat command can be used to query the firewall:

Step 1: Send Query via Netcat

Step 2: Analyze the Output

A successful query returns the firewall’s certificate name (CN) and organization (O):

These values can be used to gain insights into the firewall’s identity and administrative domains.
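Because the topology service on 264/TCP answers unauthenticated queries, a defender can review connection logs for sources reaching that port from outside the expected SecuRemote client ranges. The sketch below is an added example, not part of the original article or any Check Point tooling. The log format, the allowed range and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

TOPOLOGY_PORT = 264  # SecuRemote Topology service port named in the article
# Assumption: ranges from which SecuRemote clients legitimately connect.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log, format: timestamp src dst proto dst_port action
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.20.4.7 192.0.2.10 tcp 264 accept
2024-05-01T10:00:05Z 203.0.113.50 192.0.2.10 tcp 264 accept
2024-05-01T10:00:06Z 203.0.113.50 192.0.2.10 tcp 443 accept
2024-05-01T10:00:09Z 203.0.113.50 192.0.2.10 tcp 264 accept
2024-05-01T10:01:00Z 198.51.100.9 192.0.2.10 udp 264 accept
2024-05-01T10:02:00Z 198.51.100.23 192.0.2.10 tcp 264 drop
malformed line here
"""

def parse_line(line):
    """Return a record dict, or None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, src, dst, proto, port, action = parts
    try:
        return {"src": ipaddress.ip_address(src), "dst": dst,
                "proto": proto.lower(), "port": int(port),
                "action": action.lower()}
    except ValueError:  # bad IP address or non-numeric port
        return None

def unexpected_topology_queries(log_text, allowed=ALLOWED_SOURCES):
    """Count TCP/264 connections from sources outside the allowed ranges.

    Returns (reached, blocked), two Counters keyed by (src, dst). 'reached'
    means the connection was accepted, so the service was exposed to that source.
    """
    reached, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["port"] != TOPOLOGY_PORT:
            continue
        if any(rec["src"] in net for net in allowed):
            continue  # expected SecuRemote client, not of interest
        key = (str(rec["src"]), rec["dst"])
        (reached if rec["action"] == "accept" else blocked)[key] += 1
    return reached, blocked
```

Any entry in `reached` is a source that could have obtained the hostname and management station name; restricting 264/TCP to known client ranges should move those entries into `blocked`.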

