Hacktricks-skills checkpoint-firewall-recon
Reconnaissance and vulnerability assessment for Check Point Firewall-1 systems. Use this skill whenever the user needs to enumerate Check Point firewalls, discover firewall/management station hostnames via port 264, or assess HTTP Security Server format string vulnerabilities (CAN-2004-0039). Trigger on mentions of Check Point, CP, Firewall-1, port 264, SecuRemote, or firewall enumeration tasks.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/network-services-pentesting/pentesting-264-check-point-firewall-1/SKILL.MD
Check Point Firewall-1 Reconnaissance
This skill provides techniques for enumerating Check Point Firewall-1 systems and assessing known vulnerabilities. Use these methods during authorized security assessments only.
When to Use This Skill
- Enumerating Check Point firewalls in a network
- Discovering firewall and management station hostnames
- Assessing HTTP Security Server format string vulnerabilities
- Port 264/TCP reconnaissance
- Security audits of Check Point infrastructure
Prerequisites
- Authorized access to target systems
- Network connectivity to target firewall
- Basic pentesting tools (nc, Metasploit optional)
Technique 1: Port 264 Hostname Discovery
Check Point Firewall-1 exposes the SecuRemote Topology service on port 264/TCP. This service can reveal the firewall hostname and SmartCenter management station name.
Method A: Metasploit Module
If Metasploit is available, use the built-in auxiliary module:
use auxiliary/gather/checkpoint_hostname
set RHOST <target_ip>
run
Expected output:
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: <hostname>
[+] SmartCenter Host: <management_hostname>
Method B: Direct Socket Query
Send a raw query to port 264 and parse the response (the \x escapes need bash's builtin or GNU coreutils printf, and -q is an option of the OpenBSD/traditional netcat variants, not ncat):
printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 <target_ip> 264 | grep -a CN | cut -c 2-
Expected output:
CN=<hostname>,O=<organization>
Script: Use scripts/checkpoint-264-discovery.sh for automated discovery.
Technique 2: HTTP Security Server Format String Vulnerability (CAN-2004-0039)
Affected Versions
- NG FCS, NG FP1, NG FP2, NG FP3 HF2
- NG with Application Intelligence R54/R55
Requirements
- HTTP Security Server or AI HTTP proxy must be enabled
- Transparent inspection of the targeted port
- If HTTP inspection is disabled, the vulnerability is not exploitable
Detection
Send a malformed HTTP request containing format string specifiers. If the firewall itself, rather than the backend server, answers with the payload reflected, the HTTP Security Server proxy is active:
printf 'BOGUS%%08x%%08x%%08x%%n HTTP/1.0\r\nHost: internal.local\r\n\r\n' | nc -nv <firewall_ip> 80
Indicators of vulnerability:
- Immediate response from firewall (not backend server)
- Response contains hex values or format string output
- Error page generated by proxy with attacker-controlled content
Script: Use scripts/checkpoint-http-format-string.sh for automated testing.
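The detection above looks at the firewall's response; on the defending side the same probe is easy to spot in proxy or web-server request logs. The following Python is an added example, not part of the original skill or its scripts: it flags raw request lines carrying printf directives, including the %08x/%n probe and the %99999x width pattern named on this page, while ignoring ordinary percent-encoding such as %20 (the sample request lines are constructed, and the URL-encoding test is a heuristic).

```python
import re
# printf directive: flags, width, optional precision, length modifier, conversion.
DIRECTIVE = re.compile(r"%([-+ #0]*)(\d*)(?:\.\d+)?(?:hh|h|ll|l)?([diouxXcsnp])")

def _is_percent_encoding(line, start):
    """True when '%' at `start` is followed by two hex digits decoding to printable
    ASCII (0x20-0x7E), i.e. ordinary URL encoding such as %20 or %2F. Heuristic:
    %08 (control byte) and a lone %99 (invalid UTF-8) are not treated as encoding."""
    pair = line[start + 1:start + 3]
    if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
        return 0x20 <= int(pair, 16) <= 0x7E
    return False

def find_directives(line):
    """Return (width, conversion) for every printf directive in a raw request line."""
    found = []
    for m in DIRECTIVE.finditer(line):
        if m.group(2) and _is_percent_encoding(line, m.start()):
            continue  # looks like URL encoding, not a format directive
        found.append((int(m.group(2) or 0), m.group(3)))
    return found

def classify_request(line):
    """Reasons a request line resembles a CAN-2004-0039 probe; empty list means clean."""
    directives = find_directives(line)
    reasons = []
    convs = {c for _, c in directives}
    if "n" in convs:
        reasons.append("write directive %n/%hn present")
    if convs & set("xXps"):
        reasons.append("pointer/stack read directive present")
    if len(directives) >= 3:
        reasons.append(f"{len(directives)} directives in one request")
    widest = max((w for w, _ in directives), default=0)
    if widest >= 1000:
        reasons.append(f"oversized width {widest} (heap overflow pattern)")
    return reasons

# Constructed sample request lines (not captured traffic): the first mirrors the
# probe in the Detection section, the last two are benign percent-encoded URLs.
SAMPLE_REQUESTS = [
    "BOGUS%08x%08x%08x%n HTTP/1.0",
    "GET /%99999x HTTP/1.0",
    "GET /docs/my%20page.html HTTP/1.1",
    "GET /api/v1/items?q=100%25 HTTP/1.1",
]

def scan(lines):  # map each flagged request line to the reasons it was flagged
    return {line: classify_request(line) for line in lines if classify_request(line)}
FLAGGED = scan(SAMPLE_REQUESTS)  # only the two probe lines end up here
```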
Exploitation Concepts
Format String Primitive
- Force parser into error routine (invalid method/URI/headers)
- Place attacker-controlled dwords at the start
- Use %x / %s to leak pointers
- Use %n / %hn to write formatted byte counts to chosen addresses
- Overwrite return pointers, vtables, or heap metadata
- Hijack execution with shellcode or ROP
Heap Overflow Primitive
The unsafe sprintf() writes to a fixed-size heap buffer:
- Send long request body with oversized directives (e.g., %99999x)
- Formatted output overruns allocation
- Corrupt adjacent heap structures
- Forge freelist pointers or function tables
- Trigger dereference for code execution
Impact
Successful exploitation grants:
- Code execution in firewall process (SYSTEM on Windows, root on UNIX)
- Rule manipulation capabilities
- Traffic interception
- Pivot point into management network
Safety and Legal Considerations
- Only use on systems you own or have explicit authorization to test
- Document all findings for the authorized party
- Report vulnerabilities through proper channels
- This information is for defensive security and authorized assessments only