Check Point Firewall - Port 264
CheckPoint Firewall-1 is a widely used firewall solution, but certain configurations allow attackers to extract valuable information about the firewall and its management station. This article will demonstrate how an attacker can leverage port 264/TCP to obtain critical details using publicly available tools and commands.
CheckPoint Firewall-1 includes a SecuRemote Topology service running on port 264/TCP, which allows unauthenticated queries. By interacting with this service, attackers can retrieve the firewall's hostname and the SmartCenter management station's name, potentially leading to further attacks.
The ability to obtain these details is particularly dangerous because it helps attackers map the network infrastructure, identify targets for further exploitation, and develop customized phishing attacks.
Metasploit provides a module that can interact with the firewall to extract its hostname and management station name.
Open Metasploit and load the auxiliary module:
Set the RHOST parameter to the target CheckPoint Firewall-1 instance:
Run the module to interact with the firewall:
If the firewall is vulnerable, the module will successfully contact the SecuRemote Topology service and return output similar to:
This confirms the presence of the firewall and exposes its internal naming conventions.
If Metasploit is unavailable, a direct Netcat command can be used to query the firewall:
A successful query returns the firewall's certificate name (CN) and organization (O):
These values can be used to gain insights into the firewall's identity and administrative domains.
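A defender-side check for the exposure described above, as an added example that is not part of the original article: it scans connection records for accepted 264/TCP sessions whose source is outside an allowlist. The log format, the allowlisted range and every sample record are constructed assumptions.

```python
import ipaddress
from collections import Counter

TOPOLOGY_PORT = 264  # SecuRemote Topology service port discussed in the article

# Assumption: only this range (e.g. remote-access clients) should reach 264/TCP.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed records in a hypothetical format:
# "time src_ip dst_ip dst_port proto action"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.20.4.7 192.0.2.10 264 tcp accept
2024-05-01T10:00:05Z 198.51.100.23 192.0.2.10 264 tcp accept
2024-05-01T10:00:06Z 198.51.100.23 192.0.2.10 443 tcp accept
2024-05-01T10:01:11Z 203.0.113.9 192.0.2.10 264 tcp drop
2024-05-01T10:02:30Z 198.51.100.23 192.0.2.10 264 tcp accept
malformed line here
"""

def parse_line(line):
    """Parse one record; return None for anything that does not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                "dport": int(dport), "proto": proto.lower(),
                "action": action.lower()}
    except ValueError:
        return None

def is_allowed(src):
    return any(src in net for net in ALLOWED_SOURCES)

def find_topology_exposure(log_text):
    """Count accepted 264/TCP connections per non-allowlisted source address."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records instead of failing the whole scan
        if (rec["proto"] == "tcp" and rec["dport"] == TOPOLOGY_PORT
                and rec["action"] == "accept" and not is_allowed(rec["src"])):
            hits[str(rec["src"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in find_topology_exposure(SAMPLE_LOG).items():
        print(f"{src}: {count} accepted connection(s) to {TOPOLOGY_PORT}/tcp")
```

Any source reported here was able to reach the topology service without authentication and is a candidate for a tighter access rule on 264/TCP.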