Re: Penetration Testing a CheckPoint NG FW on Nokia

From: Frederic Charpentier (fcharpen@xmcopartners.com)
Date: Fri Jan 07 2005 - 04:33:40 EST


There is no known attack on FW1 - 18264/tcp. I've already seen that case
during a pentest: we did not find anything interesting. But, I hope
you will.

Maybe an ASN.1 or Rose attack could lead to a denial of service of the port.

fred

Sharma, Pankaj wrote:

> 18262 /tcp CP_Exnet_PK Check Point Extranet public key advertisement
> - Protocol for exchange of public keys when configuring Extranet
> no more supported since NG AI R55
> 18263 /tcp CP_Exnet_resolve Check Point Extranet remote objects resolution
> - Protocol for importing exported objects from partner in Extranet
> no more supported since NG AI R55
> 18264 /tcp FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services
> - Protocol for Certificate Revocation Lists and registering users when using the Policy Server
> - needed when e.g. FWM is starting
>
> -----Original Message-----
> From: Paul Kurczaba [mailto:seclists@securinews.com]
> Sent: Thursday, January 06, 2005 12:02 PM
> To: cisspstudy@yahoo.com; pen-test@securityfocus.com
> Subject: RE: Penetration Testing a CheckPoint NG FW on Nokia
>
>
> I know that 264/tcp is used by SecuRemote to get the site information, and that 500/udp is for IPSec. Does anybody know what 18262/tcp and 18264/tcp are used for? It seems questionable...
>
> -Paul
> -----Original Message-----
> From: "Jason binger"<cisspstudy@yahoo.com>
> Sent: 1/5/05 5:34:39 PM
> To: "pen-test@securityfocus.com"<pen-test@securityfocus.com>
> Subject: Penetration Testing a CheckPoint NG FW on Nokia
> I was recently performing a penetration test against a
> CheckPoint FW running on Nokia and received the
> following results from a port scan against the host:
>
> Interesting ports on XYZ:
> (The 65531 ports scanned but not shown below are in
> state: filtered)
> PORT STATE SERVICE VERSION
> 264/tcp open fw1-secureremote Checkpoint Firewall1 SecureRemote
> 500/tcp closed isakmp
> 18262/tcp closed unknown
> 18264/tcp open unknown
>
> When telnetting to TCP 18264 I received:
>
> HTTP/1.0 400 Bad Request
> Date: Wed, 05 Jan 2005 21:57:57 GMT
> Server: Check Point SVN foundation
> Content-Type: text/html
> Connection: close
> Content-Length: 200
>
> Opening a browser to TCP 18264 gave an "Internal
> Server Error".
>
> Are there any tools that allow me to brute-force a
> username and password through the SecuRemote port to
> gain unauthorised access via VPN?
>
> I found this link for bruteforcing usernames on
> CheckPoint -
> http://www.securiteam.com/securitynews/5TP040U8AW.html
> but could not find the supporting tools. Does anyone
> have this set of tools? and other password
> bruteforcing tools?
>
> Are there any security implications of allowing access
> to TCP 18262 and TCP 18264 ports? What will break if
> these ports are closed?
>
> Does anyone have a list of other tests that should be
> performed against a CheckPoint FW?
>
> Cheers,

-- 
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

