PentestGPT is a penetration testing tool empowered by ChatGPT. It is designed to automate the penetration testing process. It is built on top of ChatGPT and operate in an interactive mode to guide penetration testers in both overall progress and specific operations.
- [Update on 30/04/2023] The support to OpenAI API is available! I’ll implement a input param parser for it soon. You can now freely configure the OpenAI model in
main.py
(several examples are included). - We’re testing PentestGPT on HackTheBox. You may follow this link. More details will be released soon.
- We include a video of using PentestGPT for OSCP-like machine: HTB-Jarvis. This is the first part only, and I’ll complete the rest when I have time.
Introduction to PentestGPT
- PentestGPT is able to solve easy to medium HackTheBox machines, and other CTF challenges. You can check this example in
resources
where we use it to solve HackTheBox challenge TEMPLATED (web challenge). - A sample testing process of PentestGPT on a target VulnHub machine (Hackable II) is available at here.
- A sample usage video is below: (or available here: Demo)
Installation PentestGPT
- Install
requirements.txt
withpip install -r requirements.txt
- Configure the cookies in
config
. You may follow a sample bycp config/chatgpt_config_sample.py. config/chatgpt_config.py
.- If you’re using cookie:
- Login to ChatGPT session page.
- In
Inspect - Network
, find the connections to the ChatGPT session page. - Find the cookie in the request header in the request to
https://chat.openai.com/api/auth/session
and paste it into thecookie
field ofconfig/chatgpt_config.py
. (You may use Inspect->Network, find session and copy thecookie
field inrequest_headers
tohttps://chat.openai.com/api/auth/session
) - Note that the other fields are temporarily deprecated due to the update of ChatGPT page.
- Fill in
userAgent
with your user agent.
- If you’re using API:
- Fill in the OpenAI API key in
chatgpt_config.py
.
- Fill in the OpenAI API key in
- If you’re using cookie:
- To verify that the connection is configured properly, you may run
python3 test_connection.py
. You should see some sample conversation with ChatGPT.- A sample output is below
1. You're connected with ChatGPT Plus cookie.
To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4 --useAPI=False>
## Test connection for OpenAI api (GPT-4)
2. You're connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-4 --useAPI=True>
## Test connection for OpenAI api (GPT-3.5)
3. You're connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT, please use <python3 main.py --reasoning_model=gpt-3.5-turbo --useAPI=True>
- (Notice) The above verification process for cookie. If you encounter errors after several trials, please try to refresh the page, repeat the above steps, and try again. You may also try with the cookie to
https://chat.openai.com/backend-api/conversations
. Please submit an issue if you encounter any problem.
Usage PentestGPT
- To start, run
python3 main.py --args
.--reasoning_model
is the reasoning model you want to use.--useAPI
is whether you want to use OpenAI API.- You’re recommended to use the combination as suggested by
test_connection.py
, which are:python3 main.py --reasoning_model=gpt-4 --useAPI=False
python3 main.py --reasoning_model=gpt-4 --useAPI=True
python3 main.py --reasoning_model=gpt-3.5-turbo --useAPI=True
- The tool works similar to msfconsole. Follow the guidance to perform penetration testing.
- In general, PentestGPT intakes commands similar to chatGPT. There are several basic commands.
- The commands are:
help
: show the help message.next
: key in the test execution result and get the next step.more
: let PentestGPT to explain more details of the current step. Also, a new sub-task solver will be created to guide the tester.todo
: show the todo list.discuss
: discuss with the PentestGPT.google
: search on Google. This function is still under development.quit
: exit the tool and save the output as log file (see the reporting section below).
- You can use <SHIFT + right arrow> to end your input (and is for next line).
- You may always use
TAB
to autocomplete the commands. - When you’re given a drop-down selection list, you can use cursor or arrow key to navigate the list. Press
ENTER
to select the item. Similarly, use <SHIFT + right arrow> to confirm selection.
- The commands are:
- In the sub-task handler initiated by
more
, users can execute more commands to investigate into a specific problem:- The commands are:
help
: show the help message.brainstorm
: let PentestGPT brainstorm on the local task for all the possible solutions.discuss
: discuss with PentestGPT about this local task.google
: search on Google. This function is still under development.continue
: exit the subtask and continue the main testing session.
- The commands are:
Report
- After finishing the penetration testing, a report will be automatically generated in
logs
folder (if you quit withquit
command). - The report can be printed in a human-readable format by running
python3 utils/report_generator.py <log file>
. A sample reportsample_pentestGPT_log.txt
is also uploaded.
Design Documentation
The current design is mainly for web penetration testing
General Design
PentestGPT provides a unified terminal input handler, and backed by three main components:
- A test generation module which generates the exact penetration testing commands or operations for the users to execute.
- A test reasoning module which conducts the reasoning of the test, guiding the penetration testers on what to do next.
- A parsing module which parses the output of the penetration tools and the contents on the webUI.
Function Design
The handler is the main entry point of the penetration testing tool. It allows pentesters to perform the following operations:
- (initialize itself with some pre-designed prompts.)
- Start a new penetration testing session by providing the target information.
- Ask for todo-list, and acquire the next step to perform.
- After completing the operation, pass the information to PentestGPT.
- Pass a tool output.
- Pass a webpage content.
- Pass a human description.
Common Questions
Yes. PentestGPT relies on GPT-4 model for high-quality reasoning. Since there is no public GPT-4 API yet, a wrapper is included to use ChatGPT session to support PentestGPT.
After empirical evaluation, we found that GPT-4 performs better than GPT-3.5 in terms of penetration testing reasoning. In fact, GPT-3.5 leads to failed test in simple tasks.
We found that GPT-4 suffers from losses of context as test goes deeper. It is essential to maintain a “test status awareness” in this process. You may check the PentestGPT design here for more details.
AutoGPT is not designed for pentest. It may perform malicious operations. Due to this consideration, we design PentestGPT in an interactive mode. Of course, our end goal is an automated pentest solution.