mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 19:13:39 +00:00
161 lines
7.6 KiB
Markdown
161 lines
7.6 KiB
Markdown
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
- Travaillez-vous dans une entreprise de **cybersécurité** ? Voulez-vous voir votre **entreprise annoncée dans HackTricks** ? ou voulez-vous avoir accès à la **dernière version de PEASS ou télécharger HackTricks en PDF** ? Consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop) !
|
|
|
|
- Découvrez [**The PEASS Family**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
|
|
- **Rejoignez le** [**💬**](https://emojipedia.org/speech-balloon/) [**groupe Discord**](https://discord.gg/hRep4RUj7f) ou le [**groupe telegram**](https://t.me/peass) ou **suivez** moi sur **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
- **Partagez vos astuces de piratage en soumettant des PR au [repo hacktricks](https://github.com/carlospolop/hacktricks) et au [repo hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|
|
|
|
|
|
Le module envoie une requête au port **264/TCP** sur les pare-feux **CheckPoint Firewall-1** pour obtenir le nom du pare-feu et le nom de la station de gestion \(telle que SmartCenter\) via une demande de pré-authentification.
|
|
```text
|
|
use auxiliary/gather/checkpoint_hostname
|
|
set RHOST 10.10.xx.xx
|
|
```
|
|
# Pentesting Check Point Firewall-1
|
|
|
|
## Introduction
|
|
|
|
Check Point Firewall-1 is a firewall product developed by Check Point Software Technologies. It provides network security by filtering incoming and outgoing traffic based on a set of rules.
|
|
|
|
## Enumeration
|
|
|
|
### Version
|
|
|
|
To determine the version of Check Point Firewall-1, you can use the following command:
|
|
|
|
```bash
|
|
fw ver
|
|
```
|
|
|
|
### Policy
|
|
|
|
To view the current policy, use the following command:
|
|
|
|
```bash
|
|
fw stat
|
|
```
|
|
|
|
### Rulebase
|
|
|
|
To view the rulebase, use the following command:
|
|
|
|
```bash
|
|
fw ctl pstat
|
|
```
|
|
|
|
## Exploitation
|
|
|
|
### Firewall Bypass
|
|
|
|
One way to bypass the firewall is to use a protocol that is allowed through the firewall, such as HTTP or HTTPS, to connect to a remote server that is outside of the firewall. Once the connection is established, the attacker can use the remote server to connect to internal resources.
|
|
|
|
### Denial of Service
|
|
|
|
An attacker can launch a denial of service (DoS) attack against the firewall by flooding it with traffic. This can cause the firewall to crash or become unresponsive, allowing the attacker to bypass the firewall.
|
|
|
|
### Rulebase Modification
|
|
|
|
If an attacker gains access to the rulebase, they can modify the rules to allow traffic that would normally be blocked by the firewall. This can allow the attacker to bypass the firewall and gain access to internal resources.
|
|
|
|
## Conclusion
|
|
|
|
Check Point Firewall-1 is a popular firewall product that provides network security by filtering incoming and outgoing traffic based on a set of rules. However, it is not immune to attacks, and it is important to regularly test and update the firewall to ensure that it is secure.
|
|
```text
|
|
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
|
|
[+] Appears to be a CheckPoint Firewall...
|
|
[+] Firewall Host: FIREFIGHTER-SEC
|
|
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
|
|
[*] Auxiliary module execution completed
|
|
```
|
|
Une autre façon d'obtenir le nom d'hôte et le nom ICA du pare-feu pourrait être
|
|
```bash
|
|
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 x.x.x.x 264 | grep -a CN | cut -c 2-
|
|
```
|
|
# Pentesting Check Point Firewall-1
|
|
|
|
## Introduction
|
|
|
|
Check Point Firewall-1 is a firewall product developed by Check Point Software Technologies. It provides network security by filtering incoming and outgoing traffic based on a set of rules.
|
|
|
|
## Enumeration
|
|
|
|
### Version
|
|
|
|
To determine the version of Check Point Firewall-1, you can use the following command:
|
|
|
|
```bash
|
|
fw ver
|
|
```
|
|
|
|
### Policy
|
|
|
|
To view the current policy, use the following command:
|
|
|
|
```bash
|
|
fw stat
|
|
```
|
|
|
|
### Rulebase
|
|
|
|
To view the rulebase, use the following command:
|
|
|
|
```bash
|
|
fw ctl pstat
|
|
```
|
|
|
|
### Connections
|
|
|
|
To view the current connections, use the following command:
|
|
|
|
```bash
|
|
fw tab -t connections -s
|
|
```
|
|
|
|
## Exploitation
|
|
|
|
### Firewall Bypass
|
|
|
|
One way to bypass Check Point Firewall-1 is to use a technique called "HTTP Tunneling". This involves encapsulating traffic inside HTTP requests and responses, which are allowed through the firewall.
|
|
|
|
### Denial of Service
|
|
|
|
Check Point Firewall-1 can be vulnerable to denial of service attacks if it is not properly configured. One way to perform a denial of service attack is to flood the firewall with traffic, causing it to become overwhelmed and stop functioning.
|
|
|
|
### Rulebase Modification
|
|
|
|
If an attacker gains access to the Check Point Firewall-1 management console, they can modify the rulebase to allow traffic that would normally be blocked. This can be done by adding a new rule or modifying an existing one.
|
|
|
|
## Conclusion
|
|
|
|
Check Point Firewall-1 is a popular firewall product that provides network security by filtering incoming and outgoing traffic based on a set of rules. However, it can be vulnerable to various attacks if it is not properly configured. It is important to regularly review and update the firewall's configuration to ensure that it is providing adequate protection.
|
|
```text
|
|
CN=Panama,O=MGMTT.srv.rxfrmi
|
|
```
|
|
De: [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit\_doGoviewsolutiondetails=&solutionid=sk69360](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360)
|
|
|
|
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
- Travaillez-vous dans une entreprise de **cybersécurité** ? Voulez-vous voir votre **entreprise annoncée dans HackTricks** ? ou voulez-vous avoir accès à la **dernière version de PEASS ou télécharger HackTricks en PDF** ? Consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop) !
|
|
|
|
- Découvrez [**The PEASS Family**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
|
|
- **Rejoignez le** [**💬**](https://emojipedia.org/speech-balloon/) **groupe Discord** ou le [**groupe telegram**](https://t.me/peass) ou **suivez** moi sur **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
- **Partagez vos astuces de piratage en soumettant des PR au [dépôt hacktricks](https://github.com/carlospolop/hacktricks) et au [dépôt hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|