Security Weekly
Content

Information gathering with GPG/PGP keytrusts

Some times you just need to know more about a person…
Often times during some of the initial phases of a pen test, I find myself needing some avenues for delivering client side attacks – with permission and within scope of course! Now, finding appropriate attacks can be a challenge, but to me a larger challenge is the social aspect. How can I convince someone to actually execute my attack? Having a little more information about the “victim” is helpful.
So, how can we obtain more information? How about some information that implies some level of familiarity, so that we can spoof names. How about some context? GPG/PGP Keytrust information can serve us well here!
NOTE: Be very careful. Use at your own risk. IANAL. For illustration purposes only. Yada, yada, yada. The folks used as an example here are just that – an example. This is al public information!
gpg_icon.jpgSo, how does a GPG/PGP Key get signed by third parties anyways? Well, some go to GPG/PGP Keysigning Parties (Yeah, I know, what nerds. Wait, I am those nerds!). Basically, a bunch of folks meet face to face, verify government issued IDs, and, based on that trust, sign each other’s GPG/PGP keys. Read the whole shebang here. So, given that HOWTO (the first hit in Google for “pgp keysigning party”), what can we determine about V. Alex Brennen?
* He’s the author of the document The Keysigning Party HOWTO
* He’s the maintainer of the The Keysigning Party HOWTO as of January 24th, 2008
* He’s likely got some GPG/PGP Keytrust information (see the first two bullets)
* His e-mail address is vab /at/ mit.edu
So, let’s look up his GPG/PGP Keysigning info! Personally, I like to use the keyserver at MIT (and given that Mr Brennen’s e-mail address is at the mit.edu domain, we’ll likely have some luck there). Surf on over the page, and we’re given the option to search right on the front page. Now, we can search for an e-mail of choice, and list all of the individuals that have signed the particular key for that user. Mr. Brennen obviously has a few! Now, in some cases you won’t turn up any signers, and you’ll pull up a dead end here.
Key-128x128.pngWhat next? Me, I like to search the list of keysigners for recognizable names. Someone I know has their GPG/PGP key signed by at least one recognizable name in the industry, so creating a conversation there might be very interesting. In any case, if you don’t recognize any names, you can always pick at random. Another method would be to pick a keysigner that has several e-mails. What’s one more to the repertoire – this one you control! Create an e-mail at a free service and use it.
With this knowledge of keysigners we might be able to determine some information that they have in common to exchange e-mails about. In this case, we know that Mr. Brennen is an internet author on a particular subject. Surely we can use some social engineering skills to craft an e-mail for this one with web links or attachments.
Now you might be saying that someone that uses GPG/PGP is a pretty sophisticated computer. We do all make mistakes, and often that is all it takes for a compromise – one mistake. So, that being said, it may take all of your social engineering skills to craft that perfect e-mail.
k-gpg-128x128.png
Obviously, if you are using these methods during a test, be sure that it is within scope of your testing. Get permission! Make sure they know about social engineering e-mails, recipients and sources.
On the defense, there is no real way to restrict the posting of the keytrust info. That public acknowledgement is the basis of the network of trust based system. Certainly one could Revoke and create new keys, and have no one sign them.
GPG/PGP works just fine without keysigning. It just isn’t as nerdy.
– L

Larry Pesce

A self-professed, lifelong “tinkerer and explorer,” Larry always wanted to know how things work. “I found myself getting to engage in deep dives of technology from an early age: My dad built the family television from a kit, and I helped. It caught fire. Twice. I helped fix it both times.”

The help and advice received from the infosec community throughout his career inspired him to share what he had learned to help others secure their networks and improve their craft. Part of that ongoing sharing has been as the co-founder and co-host of the international award winning Paul’s Security Weekly podcast for more than 19 years.

Larry has spent the last 15 years as a penetration tester, spending lots of time focused on Healthcare, ICS/OT, Wireless, and IoT/IIoT/Embedded Devices, but now focuses his efforts on securing the software supply chain at Finite State.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.