Penetration Testing mailing list archives
Re: Penetration Testing a CheckPoint NG FW on Nokia
From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Fri, 07 Jan 2005 10:33:40 +0100
there is no knonw attack on FW1 - 18264/tcp. I've already seen that case during a pentest : we did not find anything interresting. But, I hope you will.
Maybe an ASN.1 or Rose attack could lead to a denial of service of the port. fred Sharma, Pankaj wrote:
18262 /tcp CP_Exnet_PK Check Point Extrnet public key advertisement - Protocol for exchange of public keys when configuring Extranetno more supported since NG AI R55 18263 /tcp CP_Exnet_resolve Check Point Extranet remote objects resolution- Protocol for importing exported objects from partner in Extranetno more supported since NG AI R55 18264 /tcp FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services- Protocol for Certificate Revocation Lists and registering users when using the Policy Server- needed when e.g. FWM is starting-----Original Message----- From: Paul Kurczaba [mailto:seclists () securinews com] Sent: Thursday, January 06, 2005 12:02 PM To: cisspstudy () yahoo com; pen-test () securityfocus com Subject: RE: Penetration Testing a CheckPoint NG FW on Nokia I know that 264/tcp is used by securemote to get the site information, and that 500/udp is for IPSec. Does anybody know what 18262/tcp and 18264/tcp is used for? It seems questionable... -Paul -----Original Message----- From: "Jason binger"<cisspstudy () yahoo com> Sent: 1/5/05 5:34:39 PM To: "pen-test () securityfocus com"<pen-test () securityfocus com> Subject: Penetration Testing a CheckPoint NG FW on Nokia I was recently performing a penetration test against a CheckPoint FW running on Nokia and received the following results from a port scan against the host:Interesting ports on XYZ:(The 65531 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE VERSION 264/tcp open fw1-secureremote Checkpoint Firewall1 SecureRemote 500/tcp closed isakmp 18262/tcp closed unknown 18264/tcp open unknownWhen telnetting to TCP 18264 I received: HTTP/1.0 400 Bad RequestDate: Wed, 05 Jan 2005 21:57:57 GMT Server: Check Point SVN foundation Content-Type: text/html Connection: close Content-Length: 200Opening a browser to TCP 18264 gave an "InternalServer Error".Are there any tools that allow me to brute-force ausername and password through the SecuRemote port to gain unauthorised access via VPN?I found this link for bruteforcing usernames onCheckPoint - http://www.securiteam.com/securitynews/5TP040U8AW.html but could not find the supporting tools. Does anyone have this set of tools? and other password bruteforcing tools?Are there any security implications of allowing accessto TCP 18262 and TCP 18264 ports? What will break if these ports are closed?Does anyone have a list of other tests that should beperformed against a CheckPoint FW?Cheers, __________________________________ Do you Yahoo!? All your favorites on one personal page - Try My Yahoo! http://my.yahoo.com
-- _______________________________________ Frederic Charpentier - Xmco Partners Security Consulting / Pentest web : http://www.xmcopartners.com
Current thread:
- Penetration Testing a CheckPoint NG FW on Nokia Jason binger (Jan 06)
- Re: Penetration Testing a CheckPoint NG FW on Nokia Seth Jackson (Jan 06)
- <Possible follow-ups>
- RE: Penetration Testing a CheckPoint NG FW on Nokia Dieter Sarrazyn (Jan 06)
- RE: Penetration Testing a CheckPoint NG FW on Nokia Eliot Mansfield (Jan 06)
- RE: Penetration Testing a CheckPoint NG FW on Nokia Paul Kurczaba (Jan 06)
- RE: Penetration Testing a CheckPoint NG FW on Nokia rzaluski (Jan 06)
- Re: Penetration Testing a CheckPoint NG FW on Nokia Andre Ludwig (Jan 06)
- RE: Penetration Testing a CheckPoint NG FW on Nokia Sharma, Pankaj (Jan 06)
- Re: Penetration Testing a CheckPoint NG FW on Nokia Frederic Charpentier (Jan 07)
- RE: Penetration Testing a CheckPoint NG FW on Nokia Dieter Sarrazyn (Jan 10)
- Google Hacking and SiteDigger 2.0 Kartik Trivedi (Jan 11)