Cyber Security News has found a new “PentestGPT” tool that helps penetration testers automate their pentesting processes; it is powered by ChatGPT.
A Ph.D. student at Nanyang Technological University, operating under “GreyDGL” on GitHub, recently released a new ChatGPT-powered Penetration Testing Tool dubbed “PentestGPT.”
After its initial release by OpenAI, ChatGPT rapidly gained immense fame and a large user base thanks to its capabilities.
ChatGPT primarily captured the attention of a broad user base thanks to the two key abilities mentioned below:-
- Engage in human-like conversations
- Provide helpful information
PentestGPT – ChatGPT-Based Penetration Testing Tool
PentestGPT is built entirely on ChatGPT and helps penetration testers carry out several of the complicated procedures involved in a penetration test.
For high-quality reasoning, PentestGPT relies entirely on OpenAI’s GPT-4 model.
So, to use PentestGPT, you must subscribe to ChatGPT Plus, since the GPT-4 API is not yet freely available to the public.
PentestGPT Design
Here is the complete PentestGPT architecture; the current design is aimed mainly at web penetration testing.
General Design
- A test generation module that generates the exact penetration testing commands or operations for the users to execute.
- A test reasoning module that reasons about the test and guides the penetration testers on what to do next.
- A parsing module that parses the output of the penetration tools and the contents on the webUI.
Logic Flow Design
- User initializes all the sessions. (prompt)
- User initializes the task by
- User provides the target information to the ReasoningSession.
- The ReasoningSession generates a task-tree based on the target information.
- The ReasoningSession decides the first todo, and passes the information to the GenerationSession.
- The GenerationSession generates the exact command for the user to execute, and passes it to the User.
Function Design
The handler is the main entry point of the penetration testing tool. It allows pentesters to perform the following operations:
- (initialize itself with some pre-designed prompts.)
- Start a new penetration testing session by providing the target information.
- Ask for todo-list, and acquire the next step to perform.
- After completing the operation, pass the info to PentestGPT.
- The generation module can also start a continuous mode, which helps the user to dig into a specific task.
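As an added illustration of the logic flow and handler functions just described (not the project's own code), the following Python models the ReasoningSession's task-tree, the todo-list it exposes, and the feedback loop from the parsing module; the depth-first choice of the next todo, the plan contents and the target name are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Task:  # one node of the task-tree held by the ReasoningSession
    name: str
    done: bool = False
    children: list = field(default_factory=list)

    def add(self, name: str) -> "Task":
        self.children.append(Task(name))
        return self.children[-1]

class ReasoningSession:
    """Builds the task-tree for a target and decides what to do next. Assumed
    (the page does not say): next todo = first pending leaf, depth-first."""

    def __init__(self, target: str, plan: dict):
        self.root = Task(f"test {target}")  # target name is a placeholder
        for phase, steps in plan.items():
            node = self.root.add(phase)
            for step in steps:
                node.add(step)

    def todo_list(self, node=None) -> list:
        """All pending leaves, in the order they should be attempted."""
        node = node or self.root
        if not node.children:
            return [] if node.done else [node]
        return [t for c in node.children for t in self.todo_list(c)]

    def next_todo(self):
        return (self.todo_list() or [None])[0]

    def update(self, task: Task, parsed: dict) -> None:
        """Parsing-module feedback (tool output, webpage content or human description, reduced to a dict)."""
        task.done = True
        for sub in parsed.get("new_subtasks", []):
            task.add(sub)

def demo() -> list:
    # Constructed walk through one session (the GenerationSession command step is not modelled).
    session = ReasoningSession("target.example", {
        "reconnaissance": ["port scan", "service enumeration"],
        "web application": ["directory enumeration"]})
    order = []
    while (todo := session.next_todo()) is not None:
        order.append(todo.name)
        found = ["check login form"] if todo.name == "service enumeration" else []
        session.update(todo, {"new_subtasks": found})
    return order
```

A subtask discovered while working on a task is placed beneath it, so it is attempted before the remaining siblings; this mirrors how the continuous mode lets the user dig into one task before moving on.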
You can read the complete architecture details here at GitHub.
Here’s what GreyDGL stated:-
“Since the PentestGPT tool is built on ChatGPT, it seamlessly automates the penetration testing with interactivity, guiding testers in progress and operations.”
Not only that, PentestGPT is also able to solve the following challenges easily:-
- HackTheBox machine challenges
- CTF challenges
Here’s a quick video demonstration of PentestGPT by GreyDGL:-
3 Modules of PentestGPT
The three modules of PentestGPT are:-
- Test generation module
- Test reasoning module
- Parsing module
Functions of PentestGPT
- Initialize the system by using pre-designed prompts to set up the initial state.
- Start a new penetration testing session by entering the target information.
- Ask for the todo-list, which will provide the next step or action to be performed during the penetration testing.
- Carry out the assigned operation or task from the todo-list.
- Once the operation is completed, transfer the following relevant data to PentestGPT for further analysis:-
- Tool output
- Webpage content
- Human description
Installation
- Install the requirements by running the command “pip install -r requirements.txt”.
- Then configure the cookies in the config file:
- a. Copy the sample configuration file by running the command “cp config/chatgpt_config_sample.py config/chatgpt_config.py”.
- b. If you use cookies, log in to the ChatGPT session page.
- c. Open the Inspect tool and go to the Network tab.
- d. Look for connections to the ChatGPT session page.
- e. Find the cookie in the request header of the URL “https://chat.openai.com/api/auth/session”.
- f. Copy the cookie value.
- g. Paste the copied cookie into the “cookie” field of the “config/chatgpt_config.py” file.
- h. Note that other fields in the config file are temporarily deprecated due to the ChatGPT page update.
- Fill in the “userAgent” field with your user agent in the “config/chatgpt_config.py” file.
- If you’re using the API, fill in the OpenAI API key in the “chatgpt_config.py” file.
- Now run the command “python3 test_connection.py” to verify the connection is configured correctly.
- You should then see some sample conversations with ChatGPT.
Sample Output:
1. You’re connected with ChatGPT Plus cookie.
To start PentestGPT, please use
## Test connection for OpenAI api (GPT-4)
2. You’re connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use
## Test connection for OpenAI api (GPT-3.5)
3. You’re connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use
## Test connection for OpenAI api (GPT-3.5 16k tokens)
3. You’re connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use
If errors persist, refresh the page, repeat the steps, and retry. If needed, you can also use the cookie from “https://chat.openai.com/backend-api/conversations.” You can find the complete module here.
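The cookie and API key pasted into “config/chatgpt_config.py” are live credentials for the account, so a small preflight check, added here and not part of PentestGPT, confirms they are set, that the file is not group/world-readable, and that git ignores it; the “openai_key” field name and the exact-path .gitignore match are assumptions.

```python
import re
import stat
import tempfile
from pathlib import Path

# "cookie" and "userAgent" are the field names from the page; "openai_key" is assumed.
SECRET_FIELDS = ("cookie", "openai_key")

def load_config_fields(path: Path) -> dict:
    """Collect simple  name = "value"  assignments without importing the module."""
    pattern = re.compile(r'^\s*(\w+)\s*=\s*["\'](.*?)["\']\s*$')
    return {m.group(1): m.group(2)
            for m in map(pattern.match, path.read_text().splitlines()) if m}

def check_config(config_path: Path, repo_root: Path) -> list:
    """Return findings; an empty list means the config is usable and not exposed."""
    findings, fields = [], load_config_fields(config_path)
    if not any(fields.get(f) for f in SECRET_FIELDS):
        findings.append("no cookie or API key configured")
    if fields.get("cookie") and not fields.get("userAgent"):
        findings.append("cookie set but userAgent is empty")
    mode = stat.S_IMODE(config_path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"config readable by group/others (mode {oct(mode)})")
    rel = config_path.relative_to(repo_root).as_posix()
    gitignore = repo_root / ".gitignore"
    # Assumed: an exact-path .gitignore entry; real ignore patterns are richer.
    ignored = gitignore.exists() and rel in [
        line.strip() for line in gitignore.read_text().splitlines()]
    if not ignored:
        findings.append(f"{rel} is not in .gitignore; the secret could be committed")
    return findings

def demo() -> tuple:
    """Constructed good and bad configs in a temporary repo (not the real project tree)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        cfg = root / "config" / "chatgpt_config.py"
        cfg.write_text('cookie = "PLACEHOLDER_SESSION_COOKIE"\nuserAgent = "Mozilla/5.0"\n')
        cfg.chmod(0o600)
        (root / ".gitignore").write_text("config/chatgpt_config.py\n")
        good = check_config(cfg, root)
        cfg.write_text('cookie = "PLACEHOLDER_SESSION_COOKIE"\nuserAgent = ""\n')
        cfg.chmod(0o644)
        (root / ".gitignore").unlink()
        bad = check_config(cfg, root)
    return good, bad
```

Run check_config against the real repository before test_connection.py; a leaked session cookie gives whoever holds it the same ChatGPT access as the tester.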
Frequently Asked Questions
PentestGPT is a penetration testing tool powered by ChatGPT, made to ease the process of penetration testing. It is built on top of ChatGPT and works interactively to help penetration testers with overall progress and specific operations.
You should use ChatGPT Plus or the GPT-4 API. For enhanced reasoning, PentestGPT uses the GPT-4 model. Since there is currently no publicly available GPT-4 API, a wrapper is provided so that PentestGPT can use a ChatGPT session; the GPT-4 API can be used directly if available.