-----Original Message-----
From: Jason binger [mailto:cisspstudy@yahoo.com]
Sent: woensdag 5 januari 2005 23:35
To: pen-test@securityfocus.com
Subject: Penetration Testing a CheckPoint NG FW on Nokia
I was recently performing a penetration test against a
CheckPoint FW running on Nokia and received the following
results from a port scan against the host:
Interesting ports on XYZ:
(The 65531 ports scanned but not shown below are in
state: filtered)
PORT STATE SERVICE VERSION
264/tcp open fw1-secureremote Checkpoint Firewall1
SecureRemote
500/tcp closed isakmp
18262/tcp closed unknown
18264/tcp open unknown
When telnetting to TCP 18264 I received:
HTTP/1.0 400 Bad Request
Date: Wed, 05 Jan 2005 21:57:57 GMT
Server: Check Point SVN foundation
Content-Type: text/html
Connection: close
Content-Length: 200
Opening a browser to TCP 18264 gave an "Internal Server Error".
Are there any tools that allow me to brute-force a username
and password through the SecuRemote port to gain unauthorised
access via VPN?
Not by my knowing ... Think you'll have to perform some manual "brute
forcing" with the secureclient/securemote program
I found this link for bruteforcing usernames on CheckPoint -
http://www.securiteam.com/securitynews/5TP040U8AW.html
but could not find the supporting tools. Does anyone have
this set of tools? and other password bruteforcing tools?
Are there any security implications of allowing access to TCP
18262 and TCP 18264 ports? What will break if these ports are closed?
You only have access to 18264, 18262 is closed (see your nmap output).
Port 18264 is used by the Checkpoint ICA services (needed for the SIC to
work, but possibly not from the internet)
More info on port 18264:
http://oldfaq.phoneboy.com/gurus/200211/msg00322.html
Regards,
Dieter
