A Quick Update on the Latest Activity
Posted February 14th, 2010 by Jason
It has been a busy couple of months, but my posts have been fairly quiet on the blog. Between attending the SANS Security 504 Incident Handling class, traveling for work, moving my family and the holidays, things have been moving at a rapid pace. I’m going to try to comment more here, but for now a brief update.
First off, I took the examination for the SANS Incident Handler certification on Friday the 12th. All the time put into preparation paid off and I passed with 96%! It was extremely satisfying to pass this exam, since I have been spending the last several weeks studying for it. On top of just earning the certification, my score was high enough that I can apply to become a SANS Mentor now too. This is something that I think would be a lot of fun and I really want to do. Time to start writing up my application and hoping for the best.
Last, I’ve started working on rewriting Reconnoiter to run as a Metasploit module. I started on this late last week and have made some headway in the process. Scraping HTML and using the data in a script or program isn’t much fun. The main problem I’ve run into is that Google really doesn’t want anyone doing this type of stuff. While Yahoo! has provided a nice XML web service to aid in accessing data, Google appears to be going out of their way to make this difficult. I’m actually a bit irritated by this since Google has taken great pains to convince everyone (with good reason on our part to do so) that we need to make it easy for Google to crawl our sites. Just don’t expect them to return the favor. Ah well.
Anyhow, I hope to have a rough module up and running by the end of this week. Current plans are to have the ability to pull results from both Google and Yahoo. You will be able to specify an output directory to save username lists. Plus, since this is in Metasploit, you can choose between the command line or a web interface to run the module. That alone may be a real kicker for folks.
The Google query is going to be pretty buggy and a pain to maintain. The Yahoo! query should be very solid since the script pulls from their XML web service. The downside is that you will need an AppID to use the Yahoo! query. So the decision is whether you want to be (relatively) anonymous but have iffy results, or if you don’t mind losing some of that anonymity for more accurate results.
Tags: GCIH, Incident Handler, Metasploit, Reconnoiter, SANS