Penetration Testing: RE: [PEN-TEST] Download fw1 topology

RE: [PEN-TEST] Download fw1 topology

From: Ogle Ron (Rennes) <OgleR_at_thmulti.com>
Date: Tue, 15 May 2001 09:46:23 +0200

Recall that Checkpoint has two forms for VPNs, fwz and IPsec. If you are
using fwz, then SecuRemote (Secureclient) will download the topology without
authentication first. If you are using IPsec, then SecuRemote will request
authentication before it will download the topology.

If you look in your userc.c file, you will find many interesting pieces of
information that can be used to hack. First, you will find all of the IP
addresses and directly attached networks of all of the interfaces on the
firewall. Second, you will find all of the networks that are included in the
firewall's encryption domain. These networks are considered behind the
firewall. It will show you what firewall version and what VPN types that it
will support (FWZ and IPsec). It will show you the identity of the
firewall's manager which may or may not be the firewall itself. This could
be a machine somewhere else. If you can compromise this machine, you've got
the keys to the kingdom. This is also the machine that you download the
info for this userc.c file from.

In the newer versions of SecuRemote, you have a policy section. This
section in essence creates a firewall solution on the SecuRemote machine.

One last thing. If you know what you're doing, you can change some of the
information in this file by hand. For example, I've added DNS servers,
deleted networks and changed netmasks without having to "update" my
configuration.

Ron Ogle

> -----Original Message-----
> From: railwayclubposse_at_hushmail.com
> [mailto:railwayclubposse_at_hushmail.com]
> Sent: Tuesday, May 15, 2001 2:34 AM
> To: PEN-TEST_at_securityfocus.com
> Cc: davew_at_sec-tec.com
> Subject: Re: [PEN-TEST] Download fw1 topology
>
>
> When I use the Secureclient to try to download topology, it asks me for
> a certificate. I don't get anything else.
> If I use a certificate, I get some very interesting and cool things in my
> users.c file. How do you get it before you authenticate? They've got the
> latest version/sp.
>
> The SDK for the API (OPSEC) used in all the Checkpoint products is available
> for download. Could be fun.
>
> > David Wray [mailto:davew_at_sec-tec.com] wrote:
> > I often try to perform a download VPN
> > topology request using Checkpoint Secureclient. Once the download is done,
> > any request for the Internal IP address scheme will prompt for a username
> > and password.
Received on May 15 2001
