RE: Penetration Testing a CheckPoint NG FW on Nokia

["Dieter Sarrazyn" <dsr () ascure com>]

> -----Original Message-----
> From: Jason binger [mailto:cisspstudy () yahoo com] 
> Sent: woensdag 5 januari 2005 23:35
> To: pen-test () securityfocus com
> Subject: Penetration Testing a CheckPoint NG FW on Nokia
>
> I was recently performing a penetration test against a 
> CheckPoint FW running on Nokia and received the following 
> results from a port scan against the host:
>
> Interesting ports on XYZ:
> (The 65531 ports scanned but not shown below are in
> state: filtered)
> PORT      STATE  SERVICE          VERSION
> 264/tcp   open   fw1-secureremote Checkpoint Firewall1
> SecureRemote
> 500/tcp   closed isakmp
> 18262/tcp closed unknown
> 18264/tcp open   unknown
>
> When telnetting to TCP 18264 I received:
>
> HTTP/1.0 400 Bad Request
> Date: Wed, 05 Jan 2005 21:57:57 GMT
> Server: Check Point SVN foundation
> Content-Type: text/html
> Connection: close
> Content-Length: 200
>
> Opening a browser to TCP 18264 gave an "Internal Server Error".
>
> Are there any tools that allow me to brute-force a username 
> and password through the SecuRemote port to gain unauthorised 
> access via VPN?

Not by my knowing ... Think you'll have to perform some manual "brute
forcing" with the secureclient/securemote program

> I found this link for bruteforcing usernames on CheckPoint - 
> http://www.securiteam.com/securitynews/5TP040U8AW.html
> but could not find the supporting tools. Does anyone have 
> this set of tools? and other password bruteforcing tools?
>
> Are there any security implications of allowing access to TCP 
> 18262 and TCP 18264 ports? What will break if these ports are closed?
You only have access to 18264, 18262 is closed (see your nmap output).
Port 18264 is used by the Checkpoint ICA services (needed for the SIC to
work, but possibly not from the internet)

More info on port 18264:
http://oldfaq.phoneboy.com/gurus/200211/msg00322.html


Regards,
Dieter