PentestGPT Tool and Guide

“PentestGPT” is a new ChatGPT-powered penetration testing tool that helps penetration testers automate their pentesting activities. PentestGPT was uploaded to GitHub by “GreyDGL,” a Ph.D. student at Nanyang Technological University in Singapore. It is built on top of ChatGPT and operates in an interactive mode to guide penetration testers through general and specific processes.

Since the PentestGPT tool relies on the GPT-4 model for high-quality reasoning and there isn’t yet a public GPT-4 API, you must be a ChatGPT Plus member in order to utilise it. A wrapper for ChatGPT sessions has been created to enable PentestGPT.

According to GreyDGL, it is intended to automate the penetration testing process. It is built on top of ChatGPT and runs interactively, directing penetration testers on both overall progress and specific operations.

In addition to various CTF challenges, PentestGPT can solve easy-to-intermediate HackTheBox machines. An example can be found in the resources used to complete the templated HackTheBox challenge.

Installation

  1. Install the requirements with pip install -r requirements.txt
  2. Configure the cookies in config. You may start from the sample: cp config/chatgpt_config_sample.py config/chatgpt_config.py.
    • If you’re using cookies:
      • Log in to the ChatGPT session page.
      • In Inspect - Network, find the connections to the ChatGPT session page.
      • Find the request to https://chat.openai.com/api/auth/session (the session entry under Inspect -> Network), copy the cookie field from its request_headers and paste it into the cookie field of config/chatgpt_config.py.
      • Note that the other fields are temporarily deprecated due to the update of the ChatGPT page.
      • Fill in userAgent with your user agent.
    • If you’re using API:
      • Fill in the OpenAI API key in chatgpt_config.py.
  3. To verify that the connection is configured properly, you may run python3 test_connection.py. You should see some sample conversation with ChatGPT.
    • The sample output is below.
      1. You're connected with ChatGPT Plus cookie.
      To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4>
      ## Test connection for OpenAI api (GPT-4)
      2. You're connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4 --useAPI>
      ## Test connection for OpenAI api (GPT-3.5)
      3. You're connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-3.5-turbo --useAPI>
  4. (Notice) The above verification process is for the cookie. If you encounter errors after several trials, please try to refresh the page, repeat the above steps, and try again. You may also try with the cookie to https://chat.openai.com/backend-api/conversations. Please submit an issue if you encounter any problems.

PentestGPT Function:

The handler is the main entry point of the penetration testing tool. It allows pentesters to perform the following operations:

  1. (Initialize itself with some pre-designed prompts.)
  2. Start a new penetration testing session by providing the target information.
  3. Ask for the to-do list and acquire the next step to perform.
  4. After completing the operation, pass the information to PentestGPT.
    • Pass tool output.
    • Pass webpage content.
    • Pass a human description.

PentestGPT includes 3 modules.

  • Test generation module – generates the exact penetration testing commands or operations for the users to execute.
  • Test reasoning module – conducts the reasoning of the test, guiding the penetration testers on what to do next.
  • Parsing module – parses the output of the penetration tools and the contents of the web UI.
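
Tool output and webpage content passed to PentestGPT end up in a ChatGPT session, so it is worth masking credentials and aliasing host addresses before pasting them in. The following is an added example, not part of PentestGPT or the original page; the Redactor class, its patterns and the sample output are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of tool output (not from a real engagement).
SAMPLE = """\
Nmap scan report for 10.10.11.23
80/tcp open http
Host: 10.10.11.23
Cookie: session=CONSTRUCTED-SESSION-VALUE
Authorization: Bearer CONSTRUCTED-TOKEN
[+] login ok: admin password=Winter2023! on 10.10.11.23
Gateway 10.10.11.1 responded
"""

# Header lines and key=value pairs whose values should stay on the local machine.
SECRET_HEADER = re.compile(r"(?im)^(cookie|set-cookie|authorization):.*$")
SECRET_PAIR = re.compile(
    r"(?i)\b(password|passwd|pwd|token|api[_-]?key|secret)(\s*[=:]\s*)(\S+)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Redactor:
    """Hypothetical helper: masks secrets, swaps IPs for reversible aliases."""

    def __init__(self):
        self.aliases = {}  # real IP -> alias, kept locally only

    def _alias(self, match):
        ip = match.group(0)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            return ip  # not a valid address (e.g. 999.1.2.3): leave as is
        return self.aliases.setdefault(ip, f"HOST_{len(self.aliases) + 1}")

    def redact(self, text):
        text = SECRET_HEADER.sub(lambda m: f"{m.group(1)}: [REDACTED]", text)
        text = SECRET_PAIR.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
        return IPV4.sub(self._alias, text)

    def restore(self, reply):
        """Map aliases in the model's reply back to the real addresses."""
        for ip, alias in sorted(self.aliases.items(), key=lambda kv: -len(kv[1])):
            reply = reply.replace(alias, ip)
        return reply


if __name__ == "__main__":
    redactor = Redactor()
    print(redactor.redact(SAMPLE))
```

The alias map never leaves the local machine; restore() translates a suggested next step back to real addresses before it is executed.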
