In our previous blog we explored how ChatGPT can assist penetration testers by offering support across tool usage, code analysis, and vulnerability research. As the landscape of AI for penetration testing continues to evolve, security professionals are finding new ways to leverage ChatGPT during security assessments—without breaching ethical boundaries.
In this follow-up, we walk through practical penetration testing scenarios and show how ChatGPT can support each phase of an engagement, from scanning through post-exploitation and reporting, while keeping its limitations and ethical constraints in view. So, let's get started.
We might start by asking ChatGPT for alternative scanning approaches. For example, what are stealthier methods for discovering open ports or identifying active hosts? ChatGPT can suggest slower Nmap timing templates (such as -T1 or -T2) to spread probes out over time, banner grabbing on individual services instead of full port sweeps, or custom scripts that blend into normal traffic patterns. Treat these as starting points: confirm each flag against the Nmap documentation before relying on it during an engagement.
While scanning, you find that one of the hosts is running Grafana 7.0.1 on port 8080. That is quite an old version. We can ask ChatGPT whether it knows of any vulnerabilities in that version. Bear in mind that the model's knowledge has a cutoff date and it can misattribute CVEs to versions, so cross-check anything it returns against the NVD entry and the vendor's own advisory before putting it in a finding.
We have seen in many instances that ChatGPT refuses to act on a request on ethical grounds; for example, in this instance:
Suppose we find a command injection on one of the servers and Python is installed on it. We can ask ChatGPT to create a reverse shell using a Python module.
Oops! ChatGPT did not like that request. But what if we frame it differently and ask for a Python script that calls back to the attacker machine and hands us a bash terminal to interact with? Does it work?
In this way, we can phrase our requests to get the information we need. Whatever the model returns, read it line by line before running it on a client system: generated code can contain mistakes, and the refusal filter is not a substitute for your own review.
Suppose we get a foothold on, or fully compromise, one of the Linux machines inside the network. Next comes the post-exploitation phase. How do we escalate privileges or collect sensitive information such as hashes, private keys, and clear-text passwords belonging to other users? We cannot ask ChatGPT to perform these attacks, but we can certainly ask it for open-source post-exploitation tools and how they are typically used.
Time to write a polished report for our client. Let us revise our findings here; for instance, we have a command injection vulnerability, a Grafana 8.3.0 LFI vulnerability, and so on. ChatGPT can help turn raw notes into clear descriptions, impact statements, and remediation advice, but every technical claim in the final report must be one you verified yourself during the engagement.
When it comes to any mainstream programming language, ChatGPT is quite effective at finding bugs and errors in code and suggesting fixes, which is useful for programmers and security testers alike. According to OpenDataScience (ODS), Amazon employees admitted using ChatGPT for code analysis. Now let us ask our friend ChatGPT whether it can analyze and fix vulnerable Python code.
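To make the code-review scenario concrete, here is an added example (not from the original post, and not something ChatGPT generated) of the kind of vulnerable Python snippet a tester would paste into the model, together with a hardened rewrite. It is a small host-check utility with exactly the command injection pattern from the earlier scenario: user input concatenated into a shell command. The target names and the injection payload are constructed for illustration.

```python
"""Command injection in a small Python host-check utility: the vulnerable
pattern beside a hardened rewrite. Added example with constructed inputs."""
import ipaddress
import re
import subprocess


# --- Vulnerable "before" code (the kind of snippet a tester pastes into ChatGPT) ---
def ping_command_vulnerable(host: str) -> str:
    # The caller-supplied host is concatenated into a shell command line.
    # Combined with shell=True below, metacharacters such as ; | ` $( ) are
    # interpreted by the shell, so "127.0.0.1; id" runs `id` as a second command.
    return "ping -c 1 " + host


def ping_vulnerable(host: str) -> subprocess.CompletedProcess:
    # shell=True hands the whole string to /bin/sh: this is the injection point.
    return subprocess.run(ping_command_vulnerable(host), shell=True,
                          capture_output=True, text=True, timeout=10)


# --- Hardened version ---
# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_target(host: str) -> bool:
    """Allowlist check: accept an IPv4/IPv6 literal or a plain DNS hostname.

    Shell metacharacters, whitespace, an empty string and a leading '-' (which
    ping would parse as an option, an argument-injection risk) all fail here.
    """
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(host) is not None


def ping_argv(host: str) -> list[str]:
    """Build ping's argument vector; the host is one argv element, never shell text."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def ping_hardened(host: str) -> subprocess.CompletedProcess:
    # A list of arguments with shell=False (the default): no shell is involved,
    # so there is no command injection surface left, and the allowlist above
    # stops option injection as well.
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    payload = "127.0.0.1; id"  # constructed injection payload
    print("vulnerable command line:", ping_command_vulnerable(payload))
    try:
        ping_argv(payload)
    except ValueError as exc:
        print("hardened version refused:", exc)
```

Two points are worth making when you review a fix like this, whether it came from a colleague or a language model: the allowlist is what makes the input safe, and the argv list is what keeps the shell out of the picture. A fix that only swaps `os.system` for `subprocess.run(..., shell=True)` changes nothing, and one that wraps the input in `shlex.quote` still leaves argument injection (a host of `-c 9999`) on the table.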
As technology evolves, the role of AI in penetration testing and analysis continues to grow. ChatGPT and similar AI language models can enhance various aspects of these tasks, but they are not poised to fully replace human roles soon.
AI models like ChatGPT are proficient at processing and generating text based on vast datasets, which can streamline certain analytical and testing processes. However, they still face limitations in replicating the nuanced understanding and contextual awareness that human analysts and testers bring to their work. Human experts apply their specialized knowledge, intuition, and experience to interpret complex situations and make informed decisions that AI currently cannot match.
Moreover, many aspects of analysis and manual testing demand creativity and critical thinking—skills where AI struggles. While AI can offer suggestions and insights, it often falls short in generating innovative solutions or adapting to novel scenarios. Exploratory testing, which involves probing systems to uncover new and unexpected issues, relies heavily on the ability of human testers to think creatively, approach problems from diverse perspectives, and adjust strategies in real-time.
To safeguard your business against cyber threats effectively, consider leveraging our Penetration Testing Services. Reach out now and discover more about how we can assist in protecting your organization.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
info@redfoxsec.com
©️2025 Redfox Cyber Security Inc. All rights reserved.