Information gathering with GPG/PGP keytrusts
Some times you just need to know more about a person...
Often times during some of the initial phases of a pen test, I find myself needing some avenues for delivering client side attacks - with permission and within scope of course! Now, finding appropriate attacks can be a challenge, but to me a larger challenge is the social aspect. How can I convince someone to actually execute my attack? Having a little more information about the "victim" is helpful.
So, how can we obtain more information? How about some information that implies some level of familiarity, so that we can spoof names. How about some context? GPG/PGP Keytrust information can serve us well here!
NOTE: Be very careful. Use at your own risk. IANAL. For illustration purposes only. Yada, yada, yada. The folks used as an example here are just that - an example. This is al public information!
So, how does a GPG/PGP Key get signed by third parties anyways? Well, some go to GPG/PGP Keysigning Parties (Yeah, I know, what nerds. Wait, I am those nerds!). Basically, a bunch of folks meet face to face, verify government issued IDs, and, based on that trust, sign each other's GPG/PGP keys. Read the whole shebang here. So, given that HOWTO (the first hit in Google for "pgp keysigning party"), what can we determine about V. Alex Brennen?
* He's the author of the document The Keysigning Party HOWTO
* He's the maintainer of the The Keysigning Party HOWTO as of January 24th, 2008
* He's likely got some GPG/PGP Keytrust information (see the first two bullets)
* His e-mail address is vab /at/ mit.edu
So, let's look up his GPG/PGP Keysigning info! Personally, I like to use the keyserver at MIT (and given that Mr Brennen's e-mail address is at the mit.edu domain, we'll likely have some luck there). Surf on over the page, and we're given the option to search right on the front page. Now, we can search for an e-mail of choice, and list all of the individuals that have signed the particular key for that user. Mr. Brennen obviously has a few! Now, in some cases you won't turn up any signers, and you'll pull up a dead end here.
What next? Me, I like to search the list of keysigners for recognizable names. Someone I know has their GPG/PGP key signed by at least one recognizable name in the industry, so creating a conversation there might be very interesting. In any case, if you don't recognize any names, you can always pick at random. Another method would be to pick a keysigner that has several e-mails. What's one more to the repertoire - this one you control! Create an e-mail at a free service and use it.
With this knowledge of keysigners we might be able to determine some information that they have in common to exchange e-mails about. In this case, we know that Mr. Brennen is an internet author on a particular subject. Surely we can use some social engineering skills to craft an e-mail for this one with web links or attachments.
Now you might be saying that someone that uses GPG/PGP is a pretty sophisticated computer. We do all make mistakes, and often that is all it takes for a compromise - one mistake. So, that being said, it may take all of your social engineering skills to craft that perfect e-mail.
Obviously, if you are using these methods during a test, be sure that it is within scope of your testing. Get permission! Make sure they know about social engineering e-mails, recipients and sources.
On the defense, there is no real way to restrict the posting of the keytrust info. That public acknowledgement is the basis of the network of trust based system. Certainly one could Revoke and create new keys, and have no one sign them.
GPG/PGP works just fine without keysigning. It just isn't as nerdy.
- L
This information can be beneficial to a penetration tester, as wall as an attacker. In the "perfect storm" we can take the information gathered to be able to deliver a spear fishing type of attack, with a high amount of confidence that the attack will be successful.
