hacktricks/network-services-pentesting/pentesting-264-check-point-firewall-1.md

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Travaillez-vous dans une entreprise de **cybersécurité** ? Voulez-vous voir votre **entreprise annoncée dans HackTricks** ? ou voulez-vous avoir accès à la **dernière version de PEASS ou télécharger HackTricks en PDF** ? Consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop) !

- Découvrez [**The PEASS Family**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)

- Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)

- **Rejoignez le** [**💬**](https://emojipedia.org/speech-balloon/) [**groupe Discord**](https://discord.gg/hRep4RUj7f) ou le [**groupe telegram**](https://t.me/peass) ou **suivez** moi sur **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **Partagez vos astuces de piratage en soumettant des PR au [repo hacktricks](https://github.com/carlospolop/hacktricks) et au [repo hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.

</details>


Le module envoie une requête au port **264/TCP** sur les pare-feux **CheckPoint Firewall-1** pour obtenir le nom du pare-feu et le nom de la station de gestion \(telle que SmartCenter\) via une demande de pré-authentification.
```text
use auxiliary/gather/checkpoint_hostname
set RHOST 10.10.xx.xx
```
# Pentesting Check Point Firewall-1

## Introduction

Check Point Firewall-1 is a firewall product developed by Check Point Software Technologies. It provides network security by filtering incoming and outgoing traffic based on a set of rules.

## Enumeration

### Version

To determine the version of Check Point Firewall-1, you can use the following command:

```bash
fw ver
```

### Policy

To view the current policy, use the following command:

```bash
fw stat
```

### Rulebase

To view the rulebase, use the following command:

```bash
fw ctl pstat
```

## Exploitation

### Firewall Bypass

One way to bypass the firewall is to use a protocol that is allowed through the firewall, such as HTTP or HTTPS, to connect to a remote server that is outside of the firewall. Once the connection is established, the attacker can use the remote server to connect to internal resources.

### Denial of Service

An attacker can launch a denial of service (DoS) attack against the firewall by flooding it with traffic. This can cause the firewall to crash or become unresponsive, allowing the attacker to bypass the firewall.

### Rulebase Modification

If an attacker gains access to the rulebase, they can modify the rules to allow traffic that would normally be blocked by the firewall. This can allow the attacker to bypass the firewall and gain access to internal resources.

## Conclusion

Check Point Firewall-1 is a popular firewall product that provides network security by filtering incoming and outgoing traffic based on a set of rules. However, it is not immune to attacks, and it is important to regularly test and update the firewall to ensure that it is secure.
```text
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed
```
Une autre façon d'obtenir le nom d'hôte et le nom ICA du pare-feu pourrait être
```bash
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 x.x.x.x 264 | grep -a CN | cut -c 2-
```
# Pentesting Check Point Firewall-1

## Introduction

Check Point Firewall-1 is a firewall product developed by Check Point Software Technologies. It provides network security by filtering incoming and outgoing traffic based on a set of rules.

## Enumeration

### Version

To determine the version of Check Point Firewall-1, you can use the following command:

```bash
fw ver
```

### Policy

To view the current policy, use the following command:

```bash
fw stat
```

### Rulebase

To view the rulebase, use the following command:

```bash
fw ctl pstat
```

### Connections

To view the current connections, use the following command:

```bash
fw tab -t connections -s
```

## Exploitation

### Firewall Bypass

One way to bypass Check Point Firewall-1 is to use a technique called "HTTP Tunneling". This involves encapsulating traffic inside HTTP requests and responses, which are allowed through the firewall.

### Denial of Service

Check Point Firewall-1 can be vulnerable to denial of service attacks if it is not properly configured. One way to perform a denial of service attack is to flood the firewall with traffic, causing it to become overwhelmed and stop functioning.

### Rulebase Modification

If an attacker gains access to the Check Point Firewall-1 management console, they can modify the rulebase to allow traffic that would normally be blocked. This can be done by adding a new rule or modifying an existing one.

## Conclusion

Check Point Firewall-1 is a popular firewall product that provides network security by filtering incoming and outgoing traffic based on a set of rules. However, it can be vulnerable to various attacks if it is not properly configured. It is important to regularly review and update the firewall's configuration to ensure that it is providing adequate protection.
```text
CN=Panama,O=MGMTT.srv.rxfrmi
```
De: [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit\_doGoviewsolutiondetails=&solutionid=sk69360](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360)



<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Travaillez-vous dans une entreprise de **cybersécurité** ? Voulez-vous voir votre **entreprise annoncée dans HackTricks** ? ou voulez-vous avoir accès à la **dernière version de PEASS ou télécharger HackTricks en PDF** ? Consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop) !

- Découvrez [**The PEASS Family**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)

- Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)

- **Rejoignez le** [**💬**](https://emojipedia.org/speech-balloon/) **groupe Discord** ou le [**groupe telegram**](https://t.me/peass) ou **suivez** moi sur **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **Partagez vos astuces de piratage en soumettant des PR au [dépôt hacktricks](https://github.com/carlospolop/hacktricks) et au [dépôt hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.

</details>