Information gathering with GPG/PGP keytrusts

Some times you just need to know more about a person…
Often times during some of the initial phases of a pen test, I find myself needing some avenues for delivering client side attacks – with permission and within scope of course! Now, finding appropriate attacks can be a challenge, but to me a larger challenge is the social aspect. How can I convince someone to actually execute my attack? Having a little more information about the “victim” is helpful.
So, how can we obtain more information? How about some information that implies some level of familiarity, so that we can spoof names. How about some context? GPG/PGP Keytrust information can serve us well here!
NOTE: Be very careful. Use at your own risk. IANAL. For illustration purposes only. Yada, yada, yada. The folks used as an example here are just that – an example. This is al public information!
gpg_icon.jpgSo, how does a GPG/PGP Key get signed by third parties anyways? Well, some go to GPG/PGP Keysigning Parties (Yeah, I know, what nerds. Wait, I am those nerds!). Basically, a bunch of folks meet face to face, verify government issued IDs, and, based on that trust, sign each other’s GPG/PGP keys. Read the whole shebang here. So, given that HOWTO (the first hit in Google for “pgp keysigning party”), what can we determine about V. Alex Brennen?
* He’s the author of the document The Keysigning Party HOWTO
* He’s the maintainer of the The Keysigning Party HOWTO as of January 24th, 2008
* He’s likely got some GPG/PGP Keytrust information (see the first two bullets)
* His e-mail address is vab /at/
So, let’s look up his GPG/PGP Keysigning info! Personally, I like to use the keyserver at MIT (and given that Mr Brennen’s e-mail address is at the domain, we’ll likely have some luck there). Surf on over the page, and we’re given the option to search right on the front page. Now, we can search for an e-mail of choice, and list all of the individuals that have signed the particular key for that user. Mr. Brennen obviously has a few! Now, in some cases you won’t turn up any signers, and you’ll pull up a dead end here.
Key-128x128.pngWhat next? Me, I like to search the list of keysigners for recognizable names. Someone I know has their GPG/PGP key signed by at least one recognizable name in the industry, so creating a conversation there might be very interesting. In any case, if you don’t recognize any names, you can always pick at random. Another method would be to pick a keysigner that has several e-mails. What’s one more to the repertoire – this one you control! Create an e-mail at a free service and use it.
With this knowledge of keysigners we might be able to determine some information that they have in common to exchange e-mails about. In this case, we know that Mr. Brennen is an internet author on a particular subject. Surely we can use some social engineering skills to craft an e-mail for this one with web links or attachments.
Now you might be saying that someone that uses GPG/PGP is a pretty sophisticated computer. We do all make mistakes, and often that is all it takes for a compromise – one mistake. So, that being said, it may take all of your social engineering skills to craft that perfect e-mail.
Obviously, if you are using these methods during a test, be sure that it is within scope of your testing. Get permission! Make sure they know about social engineering e-mails, recipients and sources.
On the defense, there is no real way to restrict the posting of the keytrust info. That public acknowledgement is the basis of the network of trust based system. Certainly one could Revoke and create new keys, and have no one sign them.
GPG/PGP works just fine without keysigning. It just isn’t as nerdy.
– L

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.