Infosec- Resources

PentestGPT – A ChatGPT Powered Automated Penetration Testing Tool

GBHackers come across a new ChatGPT-powered Penetration testing Tool called “PentestGPT” that helps penetration testers to automate their pentesting operations.

PentestGPT has been released on GitHub under the operator “GreyDGL,” a Ph.D. student at Nanyang Technological University, Singapore.

It is constructed on top of ChatGPT and works in an interactive way to direct penetration testers during general and particular procedures.

To access the PentestGPT Tool, ChatGPT plus member is required as it relies on GPT-4 model for high-quality reasoning, also no public GPT-4 API yet.

To support PentestGPT, a wrapper for ChatGPT sessions has been added.

According to GreyDGL, “It is designed to automate the penetration testing process.

It is built on top of ChatGPT and operates in an interactive mode to guide penetration testers in both overall progress and specific operations.”

PentestGPT is capable of solving simple to moderate HackTheBox machines as well as other CTF puzzles.

You could discover this example in the materials we used to tackle the TEMPLATED HackTheBox challenge.

You can check here the sample testing process of PentestGPT on a target VulnHub machine (Hackable II).

PentestGPT Demo:

Here is a quick video demonstrated by GreyDGL about how effectively pentesters can use the PentestGPT.

Installation:

Installation

  1. Install requirements.txt with pip install -r requirements.txt
  2. Configure the cookies in config. You may follow a sample by cp config/chatgpt_config_sample.py config/chatgpt_config.py. If you’re using cookies:
    • Login to the ChatGPT session page.
    • In Inspect - Network, find the connections to the ChatGPT session page.
    • Find the cookie in the request header in the request https://chat.openai.com/api/auth/session and paste it into the cookie field of config/chatgpt_config.py. (You may use Inspect->Network, find a session, and copy the cookie field in request_headers to https://chat.openai.com/api/auth/session)
    • Note that the other fields are temporarily deprecated due to the update of the ChatGPT page.
    • Fill in userAgent with your user agent.
    • If you’re using API:
      • Fill in the OpenAI API key in chatgpt_config.py.
  3. To verify that the connection is configured properly, you may run python3 test_connection.py. You should see some sample conversations with ChatGPT.
    • The sample
    output is below.1. You're connected with ChatGPT Plus cookie. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4> ## Test connection for OpenAI api (GPT-4) 2. You're connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4 --useAPI> ## Test connection for OpenAI api (GPT-3.5) 3. You're connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-3.5-turbo --useAPI>
  4. (Notice) The above verification process for a cookie. If you encounter errors after several trials, please try to refresh the page, repeat the above steps, and try again. You may also try the cookie to https://chat.openai.com/backend-api/conversations. Please submit an issue if you encounter any problems.

PentestGPT Function:

The handler is the main entry point of the penetration testing tool. It allows pentesters to perform the following operations:

  1. (initialize itself with some pre-designed prompts.)
  2. Start a new penetration testing session by providing the target information.
  3. Ask for todo-list, and acquire the next step to perform.
  4. After completing the operation, pass the information to PentestGPT.
    • Pass a tool output.
    • Pass a webpage content.
    • Pass a human description.

There are 3 modules added with PentestGPT.

  • Test generation module – generates the exact penetration testing commands or operations for the users to execute.
  • Test reasoning module – conducts the reasoning of the test, guiding the penetration testers on what to do next.
  • Parsing module – parses the output of the penetration tools and the contents on the web UI.

You can read the complete details here on GitHub and the top 30 best penetration testing tools.

Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting the growing, widespread use and potential…

12 hours ago

C2A Security’s EVSec Risk Management and Automation Platform Gains Automotive Industry Favor as Companies Pursue Regulatory Compliance

In 2023, C2A Security added multiple OEMs and Tier 1s to its portfolio of customers, successful evaluations, and partnerships such…

13 hours ago

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and education. The latest update, Wireshark 4.2.4,…

16 hours ago

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered platform designed to redefine how we…

16 hours ago

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information and grant unauthorized access. It's an…

17 hours ago

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the…

20 hours ago