Penetration Testing mailing list archives

RE: [PEN-TEST] Download fw1 topology


From: "Ogle Ron (Rennes)" <OgleR () thmulti com>
Date: Tue, 15 May 2001 09:46:23 +0200

Recall that Checkpoint has two forms for VPNs, fwz and IPsec.  If you are
using fwz, then SecuRemote (Secureclient) will download the topology without
authentication first.  If you are using IPsec, then SecuRemote will request
authentication before it will download the topology.

If you look in your userc.c file, you will find many interesting pieces of
information that can be used to hack.  First, you will find all of the IP
addresses and directly attached networks of all of the interfaces on the
firewall.  Second, you will find all of the networks that are included in the
firewall's encryption domain.  These networks are considered behind the
firewall.  It will show you what firewall version and what VPN types it
will support (FWZ and IPsec).  It will show you the identity of the
firewall's manager, which may or may not be the firewall itself.  This could
be a machine somewhere else.  If you can compromise this machine, you've got
the keys to the kingdom.  This is also the machine that you download the
info for this userc.c file from.

In the newer versions of SecuRemote, you have a policy section.  This
section in essence creates a firewall solution on the SecuRemote machine.

One last thing.  If you know what you're doing, you can change some of the
information in this file by hand.  For example, I've added DNS servers,
deleted networks and changed netmasks without having to "update" my
configuration.

Ron Ogle

-----Original Message-----
From: railwayclubposse () hushmail com
[mailto:railwayclubposse () hushmail com]
Sent: Tuesday, May 15, 2001 2:34 AM
To: PEN-TEST () securityfocus com
Cc: davew () sec-tec com
Subject: Re: [PEN-TEST] Download fw1 topology


When I use the Secureclient to try to download topology, it asks me for
a certificate. I don't get anything else.
If I use a certificate, I get some very interesting and cool things in my
users.c file. How do you get it before you authenticate? They've got the
latest version/sp.

The SDK for the API (OPSEC) used in all the Checkpoint products is available
for download. Could be fun.

David Wray [mailto:davew () sec-tec com] wrote:
I often try to perform a download VPN topology request using Checkpoint
Secureclient. Once the download is done, any request for the Internal IP
address scheme will prompt for a username and password.
