Penetration testing is an important step in determining the security of systems and networks. It involves modelling real-world attacks and identifying weaknesses that malicious actors could exploit. However, penetration testing can be time-consuming, difficult and tiring, particularly for beginner testers.
What is PentestGPT?
PentestGPT is a tool that uses ChatGPT to guide penetration testing. It works interactively: the tester describes the target, PentestGPT proposes the next step (for example a command to run or a payload to try), the tester executes it and pastes the result back, and PentestGPT reasons about what to do next, from reconnaissance through exploitation and post-exploitation. PentestGPT does not run tools or exploits itself. Its aim is to cut the time and effort a tester spends deciding what to do next, and to keep the assessment organised so that findings are more complete and accurate.
Installation
Create a new directory for downloading the repository.
mkdir pentestgpt
Navigate inside the directory.
cd pentestgpt
Pull the source code from the official PentestGPT GitHub repository:
git clone https://github.com/GreyDGL/PentestGPT.git .
Note the trailing . at the end of the command: it clones the source into the current directory instead of creating a PentestGPT subdirectory.
Install the required packages by executing the below command:
pip install -r requirements.txt
Next, copy the sample configuration file:
cp config/chatgpt_config_sample.py config/chatgpt_config.py
Open config/chatgpt_config.py in a text editor and fill in the details for your preferred authentication method (ChatGPT session cookie or OpenAI API key). Treat this file as a credential store: the cookie is your logged-in ChatGPT session and the API key is billable, so keep it out of version control, screenshots and shared logs. Remember as well that everything you type into PentestGPT, including target details and tool output, is sent to OpenAI's servers, so scrub anything you are not allowed to share with a third party.
Note: if you are using cookie authentication, follow these steps:
- Log in to the ChatGPT session page in your web browser.
- Open the developer tools by pressing F12 or right-clicking and selecting "Inspect".
- Go to the "Network" tab in the developer tools and filter for requests to the ChatGPT session page.
- Look for a request to https://chat.openai.com/api/auth/session and copy the cookie from the "Request Headers" section.
- Paste the copied cookie into the cookie field of config/chatgpt_config.py.
- Fill in the userAgent field with the user agent of the browser you copied the cookie from. You can find your user agent by visiting https://www.whatismybrowser.com/detect/what-is-my-user-agent.
Note: if you are using API authentication, follow these steps:
- Fill in the apiKey field in config/chatgpt_config.py with your OpenAI API key.
- Save the config/chatgpt_config.py file.
- To verify that the connection is properly configured, run:
python3 test_connection.py
You should see a short sample conversation with ChatGPT, which means your connection is working. The script reports which authentication method succeeded and which command to start PentestGPT with; sample output:
1. You're connected with ChatGPT Plus cookie.
To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4>
## Test connection for OpenAI api (GPT-4)
2. You're connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4 --useAPI>
## Test connection for OpenAI api (GPT-3.5)
3. You're connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-3.5-turbo --useAPI>
If cookie verification keeps failing after several attempts, reload the ChatGPT page, repeat the steps above and try again. You can also check that the cookie is still valid by using it to request https://chat.openai.com/backend-api/conversations. Please submit an issue on GitHub if you encounter any other problem.
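Before running test_connection.py it is worth checking that the config file is actually filled in for at least one authentication method, because a blank field is the most common reason the connection test fails. The script below is an added example, not part of the PentestGPT project: it assumes the config defines string fields named cookie, userAgent and apiKey (the names used in this article) either at module level or on a class called ChatGPTConfig, which may differ from the project's real sample file. It loads the config the same way the tool does (by importing it), reports which modes are usable, and suggests the matching start command quoted from the sample output above. The three configs it checks are constructed inside the script, so it runs offline.

```python
"""Sanity-check a PentestGPT-style config/chatgpt_config.py before running
test_connection.py.

Added example, not part of the PentestGPT project. Assumes the config
defines string fields named cookie, userAgent and apiKey (as in the
article), either at module level or on a class named ChatGPTConfig;
the project's real sample file may use different names.
"""
import importlib.util
import pathlib
import tempfile

# Fields each authentication mode needs (field names as used in the article).
REQUIRED_FIELDS = {
    "cookie": ("cookie", "userAgent"),  # ChatGPT Plus session cookie
    "api": ("apiKey",),                 # OpenAI API key
}

# Start commands quoted from test_connection.py's sample output in the article.
LAUNCH_COMMANDS = {
    "cookie": "python3 main.py --reasoning_model=gpt-4",
    "api": "python3 main.py --reasoning_model=gpt-4 --useAPI",
}


def _load_config(path):
    """Import the config file by path. Like the tool itself, this executes it,
    so only point it at a file you wrote."""
    spec = importlib.util.spec_from_file_location("chatgpt_config", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def _field(module, name):
    """Look the field up at module level, then on a ChatGPTConfig class (assumed layout)."""
    if hasattr(module, name):
        return getattr(module, name)
    return getattr(getattr(module, "ChatGPTConfig", None), name, None)


def _is_filled(value):
    return isinstance(value, str) and value.strip() != ""


def check_config(path):
    """Return {"cookie": bool, "api": bool}: which auth modes are fully configured."""
    module = _load_config(path)
    return {
        mode: all(_is_filled(_field(module, f)) for f in fields)
        for mode, fields in REQUIRED_FIELDS.items()
    }


def launch_command(modes):
    """Pick the start command to suggest; cookie mode first, as it gives GPT-4 via ChatGPT Plus."""
    for mode in ("cookie", "api"):
        if modes.get(mode):
            return LAUNCH_COMMANDS[mode]
    return None


def write_config(directory, **fields):
    """Write a minimal module-level config file (constructed for this example)."""
    path = pathlib.Path(directory) / "chatgpt_config.py"
    path.write_text("".join(f"{name} = {value!r}\n" for name, value in fields.items()))
    return str(path)


def demo():
    """Check three constructed configs and return (modes, suggested command) for each."""
    cases = {
        "cookie_only": dict(cookie="__Secure-next-auth.session-token=constructed",
                            userAgent="Mozilla/5.0 (constructed)", apiKey=""),
        "api_only": dict(cookie="", userAgent="", apiKey="api-key-constructed"),
        "unfilled": dict(cookie="", userAgent="", apiKey=""),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, fields in cases.items():
            sub = pathlib.Path(tmp) / name
            sub.mkdir()
            modes = check_config(write_config(sub, **fields))
            results[name] = (modes, launch_command(modes))
    return results


if __name__ == "__main__":
    for name, (modes, cmd) in demo().items():
        print(f"{name}: {modes} -> {cmd or 'fill in config/chatgpt_config.py first'}")
```

To check a real config, call check_config("config/chatgpt_config.py") from the repository root; if both modes come back False, test_connection.py will not get past authentication no matter how often you retry.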
Usage
1. Install the required packages by running the following command in your terminal:
pip install -r requirements.txt
2. Configure the cookie in config/chatgpt_config.py. Copy the sample file with cp config/chatgpt_config_sample.py config/chatgpt_config.py and fill in the cookie and user agent fields, following the steps in the Installation section: log in to the ChatGPT session page, inspect the network traffic, find the cookie in the request header and paste it into the cookie field of config/chatgpt_config.py.
3. If you are using the OpenAI API, fill in the API key in config/chatgpt_config.py instead.
4. Verify that the connection is properly configured by running the command below. You should see a sample conversation with ChatGPT.
python3 test_connection.py
5. Start PentestGPT with one of the following, depending on the reasoning model you want and whether you are using the API:
python3 main.py --reasoning_model=gpt-4
python3 main.py --reasoning_model=gpt-4 --useAPI
python3 main.py --reasoning_model=gpt-3.5-turbo --useAPI
6. Once PentestGPT is running, you can use the following basic commands:
- help: show the help message.
- next: key in the test execution result and get the next step.
- more: let PentestGPT explain the current step in more detail and create a new sub-task solver to guide the tester.
- todo: show the to-do list.
- discuss: discuss with PentestGPT.
- google: search on Google (under development).
- quit: exit the tool and save the output as a log file.
7. Use SHIFT + right arrow to end your input and move to the next line.
8. Use TAB to autocomplete the commands.
9. When given a drop-down selection list, use the cursor or arrow keys to navigate the list and press ENTER to select an item. Use SHIFT + right arrow to confirm the selection.
10. In the sub-task handler started by more, you can use further commands to investigate a specific problem:
- help: show the help message.
- brainstorm: let PentestGPT brainstorm all possible solutions for the local task.
- discuss: discuss the local task with PentestGPT.
- google: search on Google (under development).
- continue: exit the sub-task and continue the main testing session.
PentestGPT Function
The handler is the main entry point of the tool. It lets pentesters:
- Start from a set of pre-programmed prompts.
- Begin a new penetration testing session by entering the target information.
- Request a to-do list and learn the next action to take.
- After finishing an operation, send its result back to PentestGPT in one of three forms:
- a tool's output;
- a web page's content;
- a human-written description.
PentestGPT is built from three modules:
- Test generation module: creates the precise penetration testing instructions or processes for users to conduct.
- Test reasoning module: carries out the test reasoning, directing the penetration testers on what to do next.
- Parsing module: parses the output of the penetration tools and the contents on the webUI.
You can read the complete details in the GitHub repository.
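The parsing module's job, as described above, is to turn raw tool output into something the reasoning module can work with. Whatever the project's own parser does, a tester benefits from the same step before pasting output into next: a verbose Nmap report wastes context-window tokens, and, since everything pasted goes to OpenAI, it is also the natural place to pseudonymise hosts. The following is an added example and not the project's code: it parses Nmap "normal" output (the -oN format) into structured records, keeps only open ports by default, and can replace host addresses with target-N labels. The scan report it runs on is constructed for the example, not a real scan result.

```python
"""Condense Nmap normal (-oN) output before handing it to a PentestGPT session.

Added example, not part of the PentestGPT project. Parses the standard
"PORT STATE SERVICE VERSION" table, keeps the states you ask for, and can
pseudonymise host addresses so that internal IPs are not sent to a third party.
"""
import re

# Constructed sample of `nmap -sV -oN` output for one host; not a real scan.
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oN scan.txt 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.00042s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
443/tcp  filtered https
3306/tcp open     mysql   MySQL 8.0.33-0ubuntu0.22.04.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Jan  1 12:00:05 2024 -- 1 IP address (1 host up) scanned in 5.12 seconds
"""

# "Nmap scan report for host.example (10.0.0.5)" or "Nmap scan report for 10.0.0.5"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
# "22/tcp   open  ssh  OpenSSH 8.9p1 ..." ; the version column is optional
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return {host: [ {port, proto, state, service, version}, ... ]} for each host in the report."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)  # prefer the IP when a hostname is also shown
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": (version or "").strip(),
            })
    return hosts


def summarize(hosts, states=("open",), redact=False):
    """One compact line per host, suitable for pasting into the `next` prompt.

    states: which port states to keep (filtered/closed are dropped by default).
    redact: replace host addresses with target-1, target-2, ... in scan order;
            keep the mapping locally if you need to translate answers back.
    """
    lines = []
    for index, (host, ports) in enumerate(hosts.items(), start=1):
        label = f"target-{index}" if redact else host
        kept = [p for p in ports if p["state"] in states]
        if not kept:
            lines.append(f"{label}: no {'/'.join(states)} ports")
            continue
        entries = [f"{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip() for p in kept]
        lines.append(f"{label}: " + "; ".join(entries))
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP)
    print(summarize(parsed))
    print(summarize(parsed, redact=True))
```

Run it on a real report with parse_nmap(open("scan.txt").read()); the redacted summary is what goes into the session, and the unredacted one stays in your notes so that PentestGPT's suggestions for target-1 can be mapped back to the real host.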
Features of PentestGPT
PentestGPT can suggest custom payloads for a variety of attacks, including SQL injection, cross-site scripting and command injection. Give it basic information about the target and the kind of attack you want to attempt and it proposes a payload. Verify it against the target yourself: the model sees only what you paste in, so a suggested payload is a starting point, not a confirmed exploit.
PentestGPT can also draft commands and scripts for common pentesting tools such as Nmap, Metasploit and Burp Suite. Name the tool and the options you care about and it produces a command or script. Read a generated command before running it, especially anything noisy or destructive, because the model can produce plausible-looking flags that do not exist or do something other than intended.
PentestGPT can produce reports and summaries of findings. Give it raw output or logs from your testing and it drafts an overview of the main results, risks and recommendations.
PentestGPT can draft phishing emails and landing pages for a social-engineering engagement. Supply basic information about the target organisation and the kind of campaign, and it produces convincing email and landing-page text. Use this only within the scope of an authorised engagement, and expect ChatGPT's content policy to refuse some such requests.
FAQs of PentestGPT
What is PentestGPT?
PentestGPT is a ChatGPT-powered penetration testing tool whose purpose is to automate the penetration testing procedure. It is built on ChatGPT and works in an interactive mode, guiding penetration testers through both the overall progress of a test and the specific steps.
Do I have to be a member of ChatGPT plus to use PentestGPT?
Yes, for the default mode. PentestGPT's reasoning relies on the GPT-4 model. When the project was written there was no public GPT-4 API, so a wrapper lets PentestGPT drive a ChatGPT Plus session with your cookie. If your OpenAI account has GPT-4 API access you can use the --useAPI option instead, as shown in the test_connection.py output above.
Why GPT-4?
In empirical testing, GPT-4 performed better than GPT-3.5 at penetration-testing reasoning; GPT-3.5 fails even easy tasks.
What about AutoGPT?
AutoGPT was not built for pentesting, and an autonomous agent can carry out harmful operations against a target. That is why PentestGPT is interactive: the tester reviews and executes each step. The ultimate goal is still a fully automated pentest system.
This article has introduced PentestGPT, how to install and configure it, and how to drive a testing session with it. Please feel free to share your thoughts and feedback in the comment section below.