264 - Pentesting Check Point FireWall-1 - HackTricks

Search…

👾

Welcome!

About the author

Getting Started in Hacking

🤩

Generic Methodologies & Resources

Pentesting Methodology

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Brute Force - CheatSheet

Python Sandbox Escape & Pyscript

Tunneling and Port Forwarding

Search Exploits

Shells (Linux, Windows, MSFVenom)

🐧

Linux Hardening

Checklist - Linux Privilege Escalation

Linux Privilege Escalation

Useful Linux Commands

Bypass Linux Shell Restrictions

Linux Environment Variables

Linux Post-Exploitation

🍏

MacOS Hardening

MacOS Security & Privilege Escalation

🪟

Windows Hardening

Checklist - Local Windows Privilege Escalation

Windows Local Privilege Escalation

Active Directory Methodology

Lateral Movement

Authentication, Credentials, UAC and EFS

Stealing Credentials

Basic CMD for Pentesters

Basic PowerShell for Pentesters

📱

Mobile Pentesting

Android APK Checklist

Android Applications Pentesting

iOS Pentesting Checklist

👽

Network Services Pentesting

Pentesting JDWP - Java Debug Wire Protocol

Pentesting Printers

Pentesting Remote GdbServer

7/tcp/udp - Pentesting Echo

21 - Pentesting FTP

22 - Pentesting SSH/SFTP

23 - Pentesting Telnet

25,465,587 - Pentesting SMTP/s

43 - Pentesting WHOIS

53 - Pentesting DNS

69/UDP TFTP/Bittorrent-tracker

79 - Pentesting Finger

80,443 - Pentesting Web Methodology

88tcp/udp - Pentesting Kerberos

110,995 - Pentesting POP

111/TCP/UDP - Pentesting Portmapper

113 - Pentesting Ident

123/udp - Pentesting NTP

135, 593 - Pentesting MSRPC

137,138,139 - Pentesting NetBios

139,445 - Pentesting SMB

143,993 - Pentesting IMAP

161,162,10161,10162/udp - Pentesting SNMP

194,6667,6660-7000 - Pentesting IRC

264 - Pentesting Check Point FireWall-1

389, 636, 3268, 3269 - Pentesting LDAP

500/udp - Pentesting IPsec/IKE VPN

502 - Pentesting Modbus

512 - Pentesting Rexec

513 - Pentesting Rlogin

514 - Pentesting Rsh

515 - Pentesting Line Printer Daemon (LPD)

548 - Pentesting Apple Filing Protocol (AFP)

554,8554 - Pentesting RTSP

623/UDP/TCP - IPMI

631 - Internet Printing Protocol(IPP)

873 - Pentesting Rsync

1026 - Pentesting Rusersd

1080 - Pentesting Socks

1098/1099/1050 - Pentesting Java RMI - RMI-IIOP

1433 - Pentesting MSSQL - Microsoft SQL Server

1521,1522-1529 - Pentesting Oracle TNS Listener

1723 - Pentesting PPTP

1883 - Pentesting MQTT (Mosquitto)

2049 - Pentesting NFS Service

2301,2381 - Pentesting Compaq/HP Insight Manager

2375, 2376 Pentesting Docker

3128 - Pentesting Squid

3260 - Pentesting ISCSI

3299 - Pentesting SAPRouter

3306 - Pentesting Mysql

3389 - Pentesting RDP

3632 - Pentesting distcc

3690 - Pentesting Subversion (svn server)

3702/UDP - Pentesting WS-Discovery

4369 - Pentesting Erlang Port Mapper Daemon (epmd)

5000 - Pentesting Docker Registry

5353/UDP Multicast DNS (mDNS) and DNS-SD

5432,5433 - Pentesting Postgresql

5555 - Android Debug Bridge

5601 - Pentesting Kibana

5671,5672 - Pentesting AMQP

5800,5801,5900,5901 - Pentesting VNC

5984,6984 - Pentesting CouchDB

5985,5986 - Pentesting WinRM

5985,5986 - Pentesting OMI

6000 - Pentesting X11

6379 - Pentesting Redis

8009 - Pentesting Apache JServ Protocol (AJP)

8086 - Pentesting InfluxDB

8089 - Pentesting Splunkd

8333,18333,38333,18444 - Pentesting Bitcoin

9000 - Pentesting FastCGI

9001 - Pentesting HSQLDB

9042/9160 - Pentesting Cassandra

9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)

9200 - Pentesting Elasticsearch

10000 - Pentesting Network Data Management Protocol (ndmp)

11211 - Pentesting Memcache

15672 - Pentesting RabbitMQ Management

24007,24008,24009,49152 - Pentesting GlusterFS

27017,27018 - Pentesting MongoDB

44134 - Pentesting Tiller (Helm)

44818/UDP/TCP - Pentesting EthernetIP

47808/udp - Pentesting BACNet

50030,50060,50070,50075,50090 - Pentesting Hadoop

🕸

Pentesting Web

Web Vulnerabilities Methodology

Reflecting Techniques - PoCs and Polygloths CheatSheet

Bypass Payment Process

Cache Poisoning and Cache Deception

Client Side Template Injection (CSTI)

Command Injection

Content Security Policy (CSP) Bypass

Cookies Hacking

CORS - Misconfigurations & Bypass

CRLF (%0D%0A) Injection

Cross-site WebSocket hijacking (CSWSH)

CSRF (Cross Site Request Forgery)

Dangling Markup - HTML scriptless injection

Deserialization

Domain/Subdomain takeover

Email Injections

File Inclusion/Path traversal

Formula/Doc/LaTeX Injection

HTTP Request Smuggling / HTTP Desync Attack

HTTP Response Smuggling / Desync

Upgrade Header Smuggling

hop-by-hop headers

JWT Vulnerabilities (Json Web Tokens)

NoSQL injection

OAuth to Account takeover

Parameter Pollution

PostMessage Vulnerabilities

Rate Limit Bypass

Registration & Takeover Vulnerabilities

Regular expression Denial of Service - ReDoS

Reset/Forgotten Password Bypass

Server Side Inclusion/Edge Side Inclusion Injection

SSRF (Server Side Request Forgery)

SSTI (Server Side Template Injection)

Reverse Tab Nabbing

Unicode Normalization vulnerability

Web Tool - WFuzz

XPATH injection

XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)

XXE - XEE - XML External Entity

XSS (Cross Site Scripting)

XSSI (Cross-Site Script Inclusion)

⛈

Cloud Security

Workspace Security

Github Security

Kubernetes Security

Cloud Security Review

😎

Hardware/Physical Access

Physical Attacks

Escaping from KIOSKs

Firmware Analysis

🦅

Reversing & Exploiting

Reversing Tools & Basic Methods

Common API used in Malware

Linux Exploiting (Basic) (SPA)

Exploiting Tools

Windows Exploiting (Basic Guide - OSCP lvl)

🔮

Crypto & Stego

Cryptographic/Compression Algorithms

Cipher Block Chaining CBC-MAC

Crypto CTFs Tricks

Electronic Code Book (ECB)

Hash Length Extension Attack

RC4 - Encrypt&Decrypt

Esoteric languages

Blockchain & Crypto Currencies

🧐

External Platforms Reviews/Writeups

BRA.I.NSMASHER Presentation

INE Courses and eLearnSecurity Certifications Reviews

🦂

C2

✍

TODO

Other Big References

Hardware Hacking

Other Web Tricks

Interesting HTTP

Emails Vulnerabilities

Android Forensics

6881/udp - Pentesting BitTorrent

1911 - Pentesting fox

Online Platforms with API

Stealing Sensitive Information Disclosure from a Web

Post Exploitation

Powered By GitBook

264 - Pentesting Check Point FireWall-1

Support HackTricks and get benefits!
Module sends a query to the port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and management station (such as SmartCenter) name via a pre-authentication request
use auxiliary/gather/checkpoint_hostname
set RHOST 10.10.xx.xx
Sample Output
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed
From: https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264​
Another way to obtain the firewall's hostname and ICA name could be
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 x.x.x.x 264 | grep -a CN | cut -c 2-
Sample Output
CN=Panama,O=MGMTT.srv.rxfrmi
From: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360​
Support HackTricks and get benefits!

Network Services Pentesting - Previous

194,6667,6660-7000 - Pentesting IRC

Next - Network Services Pentesting

389, 636, 3268, 3269 - Pentesting LDAP

Last modified 3mo ago

Copy link