infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #71 from rapid7/checkpoint_report 

Checkpoint report
unstable
Tod Beardsley 2011-12-20 13:54:47 -08:00
parent baaa1f6c82 1128c3ec6b
commit 27d3edea63
1 changed files with 36 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
modules/auxiliary/gather/checkpoint_hostname.rb
View File

@ -1,7 +1,3 @@
##
# $Id$
##
## ##
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
@ -9,28 +5,26 @@
# http://metasploit.com/framework/ # http://metasploit.com/framework/
## ##
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Auxiliary class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Tcp
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'CheckPoint Firewall-1 Topology Service Hostname Disclosure', 'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
'Description' => %q{ 'Description' => %q{
This module sends a query to the TCP port 264 on CheckPoint This module sends a query to the port 264/TCP on CheckPoint Firewall-1
firewalls to obtain the firewall name and management station firewalls to obtain the firewall name and management station
(such as SmartCenter) name. (such as SmartCenter) name via a pre-authentication topology request.
}, },
'Author' => [ 'patrick' ], 'Author' => [ 'patrick' ],
'Version' => '$Revision$',
'References' => 'References' =>
[ [
# patrickw - None? Stumbled across, probably an old bug/feature but unsure. # patrickw - None? Stumbled across, probably an old bug/feature but unsure.
[ 'URL', 'http://www.osisecurity.com.au/advisories/' ], [ 'URL', 'http://www.osisecurity.com.au/advisories/' ],
[ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related?
] ]
)) ))
@ -45,7 +39,10 @@ class Metasploit3 < Msf::Auxiliary
end end
def run def run
print_status("Attempting to contact Checkpoint FW1 Topology service...") print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
fw_hostname = nil
sc_hostname = nil
connect connect
sock.put("\x51\x00\x00\x00") sock.put("\x51\x00\x00\x00")
@ -56,14 +53,39 @@ class Metasploit3 < Msf::Auxiliary
sock.put("\x00\x00\x00\x0bsecuremote\x00") sock.put("\x00\x00\x00\x0bsecuremote\x00")
res = sock.get_once res = sock.get_once
if (res =~ /CN\=(.+),O\=(.+)\./i) if (res =~ /CN\=(.+),O\=(.+)\./i)
print_good("Firewall Host: #{$1}") fw_hostname = $1
print_good("SmartCenter Host: #{$2}") sc_hostname = $2
print_good("Firewall Host: #{fw_hostname}")
print_good("SmartCenter Host: #{sc_hostname}")
end end
else else
print_error("Unexpected response:\r\n#{res}") print_error("Unexpected response:\r\n#{res.inspect}")
end end
report_info(fw_hostname,sc_hostname)
disconnect disconnect
end end
# Only trust that it's real if we have a hostname. If you get a funny
# response, it might not be what we think it is.
def report_info(fw_hostname,sc_hostname)
return unless fw_hostname
host_info = {
:host => datastore['RHOST'],
:os_name => "Checkpoint Firewall-1",
:purpose => "firewall"
}
host_info[:name] = fw_hostname
host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
report_host(host_info)
svc_info = {
:host => datastore['RHOST'],
:port => datastore['RPORT'],
:proto => "tcp",
:name => "securemote"
}
report_service(svc_info)
end
end end