ChatGPT for Pen Testing (Pt. 2)

Informational, May 24, 2023

Our previous blog discussed how ChatGPT can provide valuable assistance during penetration testing. This AI technology can give useful guidance on how to perform a pen test effectively, suggest tools to assist us, and make code analysis easier. In this blog, we will use the technology to its full extent for general assistance during an engagement. So, let us get started.

ChatGPT and Penetration Testing – Scenario

You have been approached by XYZ company to test their internal network for vulnerabilities and report them to the company. They have also informed you that their blue team is monitoring the network for anomalies. This means we cannot use noisy tools like Nmap to scan the whole subnet for open ports. Hmm, let us ask ChatGPT about that.

Sweet, masscan is a pretty handy and fast tool. Ok, we can also ask ChatGPT how to scan a subnet and grab service banners. Take a look.

While scanning, you found that one of the hosts is running Grafana 7.0.1 on port 8080. That’s quite an old version. We can also ask whether ChatGPT knows of any vulnerabilities in this version.

As of May 12, this feature is only available on ChatGPT Plus as a Beta feature.

ChatGPT – The Ethical Line

We have seen in many instances that ChatGPT cannot perform or reason with user requests due to ethical considerations; for example, in this instance:

Suppose we found a command injection on one of the servers and Python is installed. We can ask ChatGPT to create a reverse shell using a Python module.

Oops! ChatGPT did not like the request, but what if we frame the sentence differently and ask it to make a Python script to request a call back to the attacker machine with a bash terminal to interact with? Does it work?

ChatGPT and Open Source Penetration Testing Tools

Suppose we get a foothold on, or compromise, one of the Linux machines inside the network. Next comes the post-exploitation phase. How do we escalate privileges or obtain sensitive information such as hashes, private keys, and clear-text passwords of other users? We cannot ask ChatGPT to perform these attacks, but we can certainly ask it for open-source post-exploitation tools.

ChatGPT and Pen Test Reporting

Time to write a polished report for our client. Let us review our findings here; for instance, we have a command injection vulnerability, a Grafana version 8.3.0 LFI vulnerability, etc.

ChatGPT and Finding Security Bugs

Regardless of the programming language, ChatGPT is quite efficient at finding bugs and errors in code and suggesting mitigations, which is very useful for programmers and security testers alike. According to OpenDataScience (ODS), Amazon employees admitted using ChatGPT for code analysis. Now let us ask our friend ChatGPT if it can analyze and fix vulnerable Python code.
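To make concrete what "vulnerable Python code" and its fix look like, here is an added example (not from the original post, and not ChatGPT output): a hypothetical helper that builds a shell command from user input, the same command injection class mentioned earlier in this post, placed beside a hardened version, plus a small static check of the kind a reviewer would run over a script. The command executed is `echo` standing in for a real tool, so the demo is harmless and runs on any POSIX system; the hostname pattern and function names are assumptions for the example.

```python
"""Command injection in a Python helper: vulnerable vs. hardened (added example)."""
import re
import shlex
import subprocess


def run_vulnerable(host: str) -> str:
    """VULNERABLE: the user-supplied value is concatenated into a shell string.

    With shell=True, metacharacters in `host` (';', '&&', '|', '$(...)') are
    interpreted by /bin/sh, so an attacker-controlled value runs extra commands.
    `echo` stands in for a real network tool so the demo is harmless.
    """
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout


# Assumed allowlist for a hostname: letters, digits, dots and hyphens only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_hardened(host: str) -> str:
    """HARDENED: validate against an allowlist, then pass an argv list with no shell.

    Because no shell is involved, the value is delivered to the program as one
    argument and is never parsed for metacharacters.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return subprocess.run(["echo", host], shell=False,
                          capture_output=True, text=True).stdout


def build_shell_command(host: str) -> str:
    """Defence in depth for the rare case where a shell string is unavoidable:
    shlex.quote() wraps the value so the shell treats it as a single word."""
    return "echo " + shlex.quote(host)


# A reviewer-style static check: flag lines that combine shell=True with
# string building (concatenation, %-format or f-strings), which is the
# pattern the vulnerable function above exhibits.
_RISKY = re.compile(r"shell\s*=\s*True")
_STRING_BUILD = re.compile(r'(\+\s*\w|%\s*\(|f["\'])')


def flag_risky_lines(source: str) -> list[int]:
    """Return 1-based line numbers where shell=True is used with a built string."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _RISKY.search(line) and _STRING_BUILD.search(line):
            hits.append(lineno)
    return hits


if __name__ == "__main__":
    # Constructed sample input that abuses the vulnerable helper.
    payload = "a; echo INJECTED"
    print("vulnerable output:", repr(run_vulnerable(payload)))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened rejected input:", exc)
    print("hardened output for a valid host:", repr(run_hardened("example.com")))
    print("quoted shell form:", build_shell_command(payload))
    sample = 'cmd = "ping -c 1 " + host\nsubprocess.run(cmd, shell=True)\n' \
             'subprocess.run("ping -c 1 " + host, shell=True)\n'
    print("risky lines in sample:", flag_risky_lines(sample))
```

The static check is deliberately crude (it only looks at single lines, so the first two lines of the constructed sample slip past it while the third is caught); that is the gap a human reviewer, or a tool like ChatGPT with the whole function in view, closes by following where the string was built.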

The Future of ChatGPT and Penetration Testing

Can ChatGPT replace various roles required for analysis and manual testing in the near future? While ChatGPT and other AI language models like mine can assist with analysis and testing tasks, it is important to recognize that there are certain limitations to what an AI can currently achieve. While we can help automate certain aspects of analysis and testing, fully replacing human roles in these domains is not yet feasible.

There are several reasons why AI language models cannot replace all analysis and manual testing roles in the near future. One key factor is the contextual understanding that humans possess. AI models like ChatGPT excel at processing and generating text based on patterns and training data, but we lack the real-world context and deep understanding that human analysts and testers bring to the table. Analysts and testers leverage their expertise, domain knowledge, and intuition to interpret complex situations and make informed decisions.

Additionally, analysis and manual testing often require creativity and critical thinking skills. While AI models can provide suggestions and insights, we may struggle to generate innovative solutions or adapt to unfamiliar scenarios. Exploratory testing, which involves actively exploring systems and discovering new issues, is where human testers excel. Based on ongoing observations, they can approach systems from different angles, think outside the box, and adapt their testing strategies.

Secure your business from cyber threats with our pen testing services. Get in touch with us now to discover more!

by Vivashu Rai

Security Consultant | Redfox Security