ChatGPT Based Automated Penetration Testing Tool


Cyber Security News has found a new tool, “PentestGPT”, that helps penetration testers automate their pentesting process; it is powered by ChatGPT.

A Ph.D. student at Nanyang Technological University, operating under “GreyDGL” on GitHub, recently released a new ChatGPT-powered Penetration Testing Tool dubbed “PentestGPT.”

After its initial release by OpenAI, ChatGPT rapidly achieved immense fame and a large user base due to its extraordinary advancements and possibilities.

Primarily, ChatGPT captured the attention of a broad user base due to the two key abilities mentioned below:-

  • Engage in human-like conversations
  • Provide helpful information

PentestGPT ChatGPT-Based Penetration Testing Tool

This PentestGPT tool is wholly based on ChatGPT, and it helps penetration testers perform several of the complicated procedures involved in penetration testing.

Moreover, for high-quality reasoning, the PentestGPT tool depends entirely on OpenAI’s GPT-4 model.

So, if you want to use the PentestGPT tool, you must purchase or subscribe to the ChatGPT Plus membership, since the GPT-4 API is not yet available to the public for free.

PentestGPT Design

Here is the complete PentestGPT architecture; the current design is mainly aimed at web penetration testing.

Figure: PentestGPT architecture

General Design

  • A test generation module that generates the exact penetration testing commands or operations for the user to execute.
  • A test reasoning module that conducts the reasoning of the test, guiding the penetration tester on what to do next.
  • A parsing module that parses the output of the penetration testing tools and the contents of the web UI.

Logic Flow Design

  1. User initializes all the sessions (with prompts).
  2. User initializes the task by
    1. User provides the target information to the ReasoningSession.
    2. The ReasoningSession generates a task-tree based on the target information.
    3. The ReasoningSession decides the first todo, and passes the information to the GenerationSession.
    4. The GenerationSession generates the exact command for the user to execute, and passes it to the User.

Function Design

The handler is the main entry point of the penetration testing tool. It allows pentesters to perform the following operations:

  1. (initialize itself with some pre-designed prompts.)
  2. Start a new penetration testing session by providing the target information.
  3. Ask for the todo-list and acquire the next step to perform.
  4. After completing the operation, pass the resulting information to PentestGPT.
  5. The generation module can also start a continuous mode, which helps the user to dig into a specific task.
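To make the logic flow and handler operations above concrete, here is an added Python sketch of the handler loop, written for this article and not PentestGPT’s own code: the ReasoningSession, GenerationSession and parsing module are deterministic stand-ins for the LLM calls, the task tree is constructed, and the names `Handler`, `next_todo`, `generate`, `parse_output` and `dig` are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Task:
    name: str
    done: bool = False
    result: str = ""
    children: list = field(default_factory=list)

def next_todo(node: Task) -> Optional[Task]:
    # ReasoningSession stand-in: depth-first search for the first open leaf.
    if node.done:
        return None
    if not node.children:
        return node
    for child in node.children:
        todo = next_todo(child)
        if todo is not None:
            return todo
    node.done = True  # every child is finished, so the parent task is too
    return None

def generate(todo: Task, target: str) -> str:
    # GenerationSession stand-in: turn the chosen todo into an instruction.
    return f"{todo.name} for {target}"

def parse_output(raw: str, limit: int = 120) -> str:
    # Parsing-module stand-in: drop blank lines, cap length for the context budget.
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    return "\n".join(lines)[:limit]

class Handler:
    def __init__(self, target: str):
        self.target, self.current = target, None
        # Constructed, generic task tree; the real tool derives it from prompts.
        self.root = Task(f"assess {target}", children=[
            Task("collect target information"),
            Task("analyse collected information"),
            Task("summarise findings")])

    def todo(self) -> Optional[str]:  # ask for the next step to perform
        self.current = next_todo(self.root)
        return None if self.current is None else generate(self.current, self.target)

    def report(self, raw: str) -> str:  # pass tool output / page content back in
        self.current.result = parse_output(raw)
        self.current.done = True
        return self.current.result

    def dig(self, subtasks: list) -> None:  # continuous mode: refine current todo
        self.current.children = [Task(s) for s in subtasks]
```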

You can read the complete architecture details here at GitHub.

Here’s what GreyDGL stated:-

“Since the PentestGPT tool is built on ChatGPT, it seamlessly automates penetration testing with interactivity, guiding testers in progress and operations.”

Not only that, PentestGPT is also able to solve the following challenges with ease:-

  • HackTheBox machine challenges
  • CTF challenges

Here’s a quick video demonstration of PentestGPT by GreyDGL:-

3 Modules of PentestGPT

Here below, we have mentioned the three modules of PentestGPT:-

  • Test generation module
  • Test reasoning module
  • Parsing module

Functions of PentestGPT

  • Initialize the system by using pre-designed prompts to set up the initial state.
  • Start a new penetration testing session by entering the target information.
  • Ask for the todo-list, which provides the next step or action to be performed during the penetration test.
  • Carry out the assigned operation or task from the todo-list.
  • Once the operation is completed, transfer the following relevant data to PentestGPT for further analysis:-
    • Tool output
    • Webpage content
    • Human description

Installation

  • Install the requirements by running the command “pip install -r requirements.txt”.
  • Then configure the cookies in the config file. To do so:
    a. Copy the sample configuration file by running the command “cp config/chatgpt_config_sample.py config/chatgpt_config.py”.
    b. If you use cookies, log in to the ChatGPT session page.
    c. Open the Inspect tool and go to the Network tab.
    d. Look for connections to the ChatGPT session page.
    e. Find the cookie in the request header of the URL “https://chat.openai.com/api/auth/session”.
    f. Copy the cookie value.
    g. Paste the copied cookie into the “cookie” field of the “config/chatgpt_config.py” file.
    h. Note that other fields in the config file are temporarily deprecated due to the ChatGPT page update.
  • Fill in the “userAgent” field of the “config/chatgpt_config.py” file with your user agent.
  • If you’re using the API instead, fill in your OpenAI API key in the “chatgpt_config.py” file.
  • Now run the command “python3 test_connection.py” to verify that the connection is configured correctly.
  • You should then see sample conversations with ChatGPT.

Sample Output:

  1. You’re connected with ChatGPT Plus cookie. To start PentestGPT, please use

  ## Test connection for OpenAI api (GPT-4)
  2. You’re connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use

  ## Test connection for OpenAI api (GPT-3.5)
  3. You’re connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use

  ## Test connection for OpenAI api (GPT-3.5 16k tokens)
  4. You’re connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use

If errors persist, refresh the page, repeat the steps, and retry. If needed, you can also use the cookie from “https://chat.openai.com/backend-api/conversations”. You can find the complete module here.

Frequently Asked Questions

What is PentestGPT?

PentestGPT is a penetration testing tool powered by ChatGPT. It is designed to ease the process of penetration testing. It is built on top of ChatGPT and works interactively to help penetration testers with both overall progress and specific operations.

Do I need to be a ChatGPT plus member to use PentestGPT?

You should use either ChatGPT Plus or the GPT-4 API. For enhanced reasoning, PentestGPT uses the GPT-4 model. Since there is currently no publicly available GPT-4 API, a wrapper is provided that lets PentestGPT make use of a ChatGPT session. If the GPT-4 API is available to you, it can be used directly.
