PentestGPT – A ChatGPT Empowered Automated Penetration Testing Tool

PentestGPT – A ChatGPT Empowered Automated Penetration Testing Tool

Cyber Security News has found a new ” PentestGPT ” tool that helps penetration testers automate their pentesting processes, and ChatGPT powers it.

A Ph.D. student at Nanyang Technological University, operating under “GreyDGL” on GitHub, recently released a new ChatGPT-powered Penetration Testing Tool dubbed “PentestGPT.”

Read moreBuilding cyber skills and roles from CyBOK foundations

After its initial release by OpenAI, the ChatGPT achieved immense fame and a user base rapidly due to its extraordinary advancements and possibilities.

Primarily ChatGPT captured the attention of a broad user base due to the two key abilities that we have mentioned below:- 

Read moreAccessibility as a cyber security priority

Engage in human-like conversations

Provide helpful information

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

PentestGPT ChatGPT-Based Penetration Testing Tool

This PentestGPT tool is wholly based on ChatGPT, and it helps the penetration testers perform several complicated procedures involved during penetration testing.

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

Moreover, for high-quality reasoning, the PentestGPT Tool entirely depends on the OpenAI’s GPT-4 module. 

So, if you want access to the PentestGPT Tool, you must purchase or subscribe to the ChatGPT Plus membership since the GPT-4 API is not yet available to the public for free.

Read moreS3 Ep135: Sysadmin by day, extortionist by night

Moreover, the PentestGPT Tool ultimately depends on the OpenAI’s GPT-4 module for high-quality reasoning. 

So, if you want access to the PentestGPT Tool, you must purchase or subscribe to the ChatGPT Plus membership since the GPT-4 API is not yet available to the public for free.

 PentestGPT Design

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

Here is the complete PetestGPT architecture and the current design is mainly for web penetration testing.

PentestGPT architecture

General Design

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

A test generation module that generates the exact penetration testing commands or operations for the users to execute.

A test reasoning module conducts the reasoning of the test, guiding the penetration testers on what to do next.

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

A parsing module that parses the output of the penetration tools and the contents on the webUI.

Logic Flow Design

User initializes all the sessions. (prompt)

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

User initializes the task by
User provides the target information to the ReasoningSession.

The ReasoningSession generates a task-tree based on the target information.

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

The ReasoningSession decides the first todo, and passes the information to the GenerationSession.

The GenerationSession generates the exact command for the user to execute, and passes it to the User.

Function Design

Read more6 Ways to Mitigate Risk While Expanding Access

The handler is the main entry point of the penetration testing tool. It allows pentesters to perform the following operations:

(initialize itself with some pre-designed prompts.)

Read moreHypervisors and Ransomware: Defending Attractive Targets

Start a new penetration testing session by providing the target information.

Ask for todo-list, and acquire the next step to perform.

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

After completing the operation, pass the info to PentestGPT.

The generation module can also start a continuous mode, which helps the user to dig into a specific task.

Read moreEducating Your Board of Directors on Cybersecurity

You can read the complete architecture details here at GitHub.

Here’s what GreyDGL stated:-

“Since the PentestGPT tool is built on ChatGPT so, it seamlessly automates the penetration testing with interactivity, guiding testers in progress and operations.”

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

Not only that, even PentestGPT also able to rectify the following challenges easily:-

HackTheBox machines challenges

Read moreMany Vulnerabilities Found in PrinterLogic Enterprise Software

CTF challenges

Here’s the quick video demonstration of PentestGPT by GreyDGL:-

3 Modules of PentestGPT

Read moreIndustrial Giant ABB Confirms Ransomware Attack, Data Theft

Here below, we have mentioned the three modules of PentestGPT:-

Test generation module

Read moreOrganizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

Test reasoning module

Parsing module

Functions of PentestGPT

Read moreGoogle Cloud Users Can Now Automate TLS Certificate Lifecycle

Initialize the system by using pre-designed prompts to set up the initial state.

By entering the target information, it starts a new penetration testing session.

Read moreZyxel Firewalls Hacked by Mirai Botnet

Ask for the todo-list, which will provide the next step or action to be performed during the penetration testing.

Carry out the assigned operation or task from the todo-list.

Read moreWatch Now: Threat Detection and Incident Response Virtual Summit

Once the operation is completed, transfer the following relevant data to PentestGPT for further analysis:-
Tool output

Webpage content

Read moreNCC Group Releases Open Source Tools for Developers, Pentesters

Human description

Installation

PentestGPT InstallationBy running the command “pip install -r requirements.txt,” you must install the requirements.txt.

Read moreMemcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation

Then in the config file, you have to configure the cookies, and to do so:
a. Copy the sample configuration file by running the command “cp config/chatgpt_config_sample.py config/chatgpt_config.py”.

b. If you use cookies, log in to the ChatGPT session page.

Read morePyPI Enforcing 2FA for All Project Maintainers to Boost Security

c. Open the Inspect tool and go to the Network tab.

d. Look for connections to the ChatGPT session page.

Read moreCredible Handwriting Machine

e. Find the cookie in the request header of the URL “https://chat.openai.com/api/auth/session”.

f. Copy the cookie value.

Read moreGoogle Is Not Deleting Old YouTube Videos

g. Paste the copied cookie into the “cookie” field of the “config/chatgpt_config.py” file.

h. Note that other fields in the config file are temporarily deprecated due to the ChatGPT page update.
Fill in the “userAgent” field with your user agent in the “config/chatgpt_config.py” file.

Read moreFriday Squid Blogging: Peruvian Squid-Fishing Regulation Drives Chinese Fleets Away

If you’re using the API, fill in the OpenAI API key in the “chatgpt_config.py” file.

Now run the command “python3 test_connection.py” to verify the connection is configured correctly.

Read moreSecurity Risks of New .zip and .mov Domains

Then look for sample conversations with ChatGPT.

Sample Output:

1. You’re connected with ChatGPT Plus cookie. 

Read moreMicrosoft Secure Boot Bug

To start PentestGPT, please use <pentestgpt –reasoning_model=gpt-4>

## Test connection for OpenAI api (GPT-4)

Read moreBarracuda zero-day abused since 2022 to drop new malware, steal data

2. You’re connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use <pentestgpt –reasoning_model=gpt-4 –useAPI>

## Test connection for OpenAI api (GPT-3.5)

Read moreWordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection

3. You’re connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use <pentestgpt –reasoning_model=gpt-3.5-turbo –useAPI>

## Test connection for OpenAI api (GPT-3.5 16k tokens)

Read moreMicrosoft finds macOS bug that lets hackers bypass SIP root restrictions

3. You’re connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use <pentestgpt –reasoning_model=gpt-3.5-turbo-16k –useAPI>

If the errors continue, you must refresh the page, repeat the steps, and retry. If needed, then you can also use the cookie at “https://chat.openai.com/backend-api/conversations.” You can find the complete module here.

Frequently Asked Questions

What is PentestGPT?
Read moreRomCom malware spread via Google Ads for ChatGPT, GIMP, more

PentestGPT is a penetration testing tool that ChatGPT powers. It’s made to ease the process of penetration testing. It is built on top of ChatGPT and works in an interactive way to help penetration testers with overall progress and specific operations.

Do I need to be a ChatGPT plus member to use PentestGPT?

ChatGPT plus or the GPT-4 API are what you should be using. For enhanced reasoning, PentestGPT uses the GPT-4 model. A wrapper is provided to enable PentestGPT to make use of a ChatGPT session, as there is currently no publicly available GPT-4 API. GPT-4 API can be used directly if available.

Read moreMany Public Salesforce Sites are Leaking Private Data

The post PentestGPT – A ChatGPT Empowered Automated Penetration Testing Tool appeared first on Cyber Security News.

   Read More 

Read moreWordPress force installs critical Jetpack patch on 5 million sites

Cyber Security News 

Related Posts

A new Agent Tesla variant. Hot wallet hacks. DevSecOps and AI. Notes on the labor market. Two threats in a hybrid war: Fancy Bear and NoName057(16).
A new Agent Tesla variant. Hot wallet hacks. DevSecOps and AI. Notes on the labor market. Two threats in a hybrid war: Fancy Bear and NoName057(16).

A new Agent Tesla variant. Hot wallet hacks. DevSecOps and AI. Notes on the labor market. Two threats in a hybrid war: Fancy Bear and NoName057(16).

New Agent Tesla variant is out. Lost credentials and crypto wallet hacks. Tension between DevSecOps and AI. Cybersecurity jobs seem to be getting tougher (say the people who are doing them). Fancy Bear makes an attempt on Ukrainian energy infrastructure. A look at NoName057(16).   Read More 

The CyberWire 

Spearphishing transposes espionage tradecraft to cyberspace.
Spearphishing transposes espionage tradecraft to cyberspace.

Spearphishing transposes espionage tradecraft to cyberspace.

The persistence of Log4j vulnerabilities. Lack of encryption as a contributor to data loss. Update on FSB spearphishing by Star Blizzard. Legal action against Star Blizzard’s FSB operators. How the GRU faked celebrity videos in its Doppelgänger campaign. Killmilk says he’s retiring. Section 702 renewal advances in committee.   Read More 

The CyberWire 

AT&T now says data breach impacted 51 million customers

AT&T now says data breach impacted 51 million customers

AT&T is sending data breach notifications to 51 million former and current customers, warning them that their personal data was exposed in a hacking forum. However, the company has still not disclosed how the data was obtained. […]   Read More 

BleepingComputer