16/06/2023, 20:14 PentestGPT | A GPT-empowered Penetration Testing Tool - Tools & Scripts - OneHack.

OneHack.Us | Tutorials For Free, Guides, Articles & …

OneHack.Us | Tutorials For Free, Guides, Articles & Community Forum

PentestGPT | A GPT-empowered Penetration Testing Tool

freebie, penetration-testing, penetration-testers, chatgpt

NoBody 1 May
Friendly 31, 2023, 10:47pm
Websites

CONTRIBUTORS 9 FORKS 408 S TA R S 4.1K ISSUES 16 OPEN LICENSE MIT

PentestGPT 105 MEMBERS

PentestGPT
A GPT-empowered penetration testing tool.
Explore the docs »

Design Details · View Demo · Report Bug or Request Feature

General Updates
[Update on 30/05/2023] A major update that allows the installation of PentestGPT with pip.
Available videos:
PentestGPT for OSCP-like machine: HTB-Jarvis. This is the first part only, and I’ll complete the rest when I
have time.
PentestGPT on HTB-Lame. This is an easy machine, but it shows you how PentestGPT skipped the rabbit
hole and worked on other potential vulnerabilities.

https://onehack.us/t/pentestgpt-a-gpt-empowered-penetration-testing-tool/242254/print 1/4
16/06/2023, 20:14 PentestGPT | A GPT-empowered Penetration Testing Tool - Tools & Scripts - OneHack.Us | Tutorials For Free, Guides, Articles & …

We’re testing PentestGPT on HackTheBox. You may follow this link. More details will be released soon.
Feel free to join the Discord Channel for more updates and share your ideas!

Common Questions
Q: What is PentestGPT?
A: PentestGPT is a penetration testing tool empowered by ChatGPT. It is designed to automate the penetration
testing process. It is built on top of ChatGPT and operate in an interactive mode to guide penetration testers in
both overall
Friendly progress and specific operations.
Websites
Q: Do I need to be a ChatGPT plus member to use PentestGPT?
A: You’re recommended to use ChatGPT plus or GPT-4 API. PentestGPT relies on GPT-4 model for high-
quality reasoning. Since there is no public GPT-4 API yet, a wrapper is included to use ChatGPT session to
support PentestGPT. You may also use GPT-4 API directly if you have access to it.
Q: Why GPT-4?
A: After empirical evaluation, we found that GPT-4 performs better than GPT-3.5 in terms of penetration testing
reasoning. In fact, GPT-3.5 leads to failed test in simple tasks.
Q: Why not just use GPT-4 directly?
A: We found that GPT-4 suffers from losses of context as test goes deeper. It is essential to maintain a “test
status awareness” in this process. You may check the PentestGPT design here for more details.
Q: What about AutoGPT?
A: AutoGPT is not designed for pentest. It may perform malicious operations. Due to this consideration, we
design PentestGPT in an interactive mode. Of course, our end goal is an automated pentest solution.

Getting Started
PentestGPT is a penetration testing tool empowered by ChatGPT.
It is designed to automate the penetration testing process. It is built on top of ChatGPT and operate in an
interactive mode to guide penetration testers in both overall progress and specific operations.
PentestGPT is able to solve easy to medium HackTheBox machines, and other CTF challenges. You can check
this example in resources where we use it to solve HackTheBox challenge TEMPLATED (web challenge).
A sample testing process of PentestGPT on a target VulnHub machine (Hackable II) is available at here.
A sample usage video is below: (or available here: Demo)

Installation
PentestGPT current supports backend of ChatGPT and OpenAI API. You may use either of them. We’re
working on supports to custom local LLM models. You’re recommended to use the OpenAI API for stability and
performance (details in item 3).

1. Install the latest version with pip3 install git+https://github.com/GreyDGL/PentestGPT

2. If you decide to use ChatGPT as the backend

Obtain the cookie to access the ChatGPT session

$ pentestgpt-cookie
export CHATGPT_COOKIE='<your cookie here>`

https://onehack.us/t/pentestgpt-a-gpt-empowered-penetration-testing-tool/242254/print 2/4
16/06/2023, 20:14 PentestGPT | A GPT-empowered Penetration Testing Tool - Tools & Scripts - OneHack.Us | Tutorials For Free, Guides, Articles & …

Copy the previous command and run it in your terminal (export CHATGPT_COOKIE='<big-string-you-
shall-get-from-the-previous-command>')
Test the connection with pentestgpt-connection
Run the tool with pentestgpt

3. To use OpenAI API

export your API key with export OPENAI_KEY='<your key here>'

Test the connection with pentestgpt-connection
Friendly Websites

4. To verify that the connection is configured properly, you may run pentestgpt-connection. After a while,
you should see some sample conversation with ChatGPT.

A sample output is below

1. You're connected with ChatGPT Plus cookie.

To start PentestGPT, please use <pentestgpt --reasoning_model=gpt-4>
## Test connection for OpenAI api (GPT-4)
2. You're connected with OpenAI API. You have GPT-4 access. To start PentestGPT, ple
## Test connection for OpenAI api (GPT-3.5)
3. You're connected with OpenAI API. You have GPT-3.5 access. To start PentestGPT,

5. The ChatGPT cookie solution can be very unstable. We’re constantly working on a better solution. If you have
any idea or encounter any issues, please feel free to contact us.

Usage
1. To start, run pentestgpt --args.

--reasoning_model is the reasoning model you want to use.

--useAPI is whether you want to use OpenAI API.
You’re recommended to use the combination as suggested by test_connection.py, which are:
pentestgpt --reasoning_model=gpt-4
pentestgpt --reasoning_model=gpt-4 --useAPI
pentestgpt --reasoning_model=gpt-3.5-turbo --useAPI

2. The tool works similar to msfconsole. Follow the guidance to perform penetration testing.
3. In general, PentestGPT intakes commands similar to chatGPT. There are several basic commands.
4. The commands are:
* help: show the help message.
* next: key in the test execution result and get the next step.
* more: let PentestGPT to explain more details of the current step. Also, a new sub-task solver will be created
to guide the tester.
* todo: show the todo list.
* discuss: discuss with the PentestGPT.
* google: search on Google. This function is still under development.
* quit: exit the tool and save the output as log file (see the reporting section below).
https://onehack.us/t/pentestgpt-a-gpt-empowered-penetration-testing-tool/242254/print 3/4
16/06/2023, 20:14 PentestGPT | A GPT-empowered Penetration Testing Tool - Tools & Scripts - OneHack.Us | Tutorials For Free, Guides, Articles & …

5. You can use <SHIFT + right arrow> to end your input (and is for next line).
6. You may always use TAB to autocomplete the commands.
7. When you’re given a drop-down selection list, you can use cursor or arrow key to navigate the list. Press ENTER
to select the item. Similarly, use <SHIFT + right arrow> to confirm selection.
8. In the sub-task handler initiated by more, users can execute more commands to investigate into a specific
problem:
9. The commands are:
* help: show the help message.
Friendly Websites
* brainstorm: let PentestGPT brainstorm on the local task for all the possible solutions.
* discuss: discuss with PentestGPT about this local task.
* google: search on Google. This function is still under development.
* continue: exit the subtask and continue the main testing session.

Report and Logging

1. After finishing the penetration testing, a report will be automatically generated in logs folder (if you quit with
quit command).
2. The report can be printed in a human-readable format by running python3 utils/report_generator.py
<log file>. A sample report sample_pentestGPT_log.txt is also uploaded.

License
Distributed under the MIT License. See LICENSE.txt for more information.

GitHub:

GitHub

GitHub - GreyDGL/PentestGPT: A GPT-empowered penetration

testing tool
A GPT-empowered penetration testing tool. Contribute to GreyDGL/PentestGPT
development by creating an account on GitHub.

4 Likes

https://onehack.us/t/pentestgpt-a-gpt-empowered-penetration-testing-tool/242254/print 4/4