ChatGPT For Penetration Testing – An Effective Reconnaissance Phase of Pentest

ChatGPT enhances information security by providing valuable insights for efficient reconnaissance in penetration testing and serving as an additional source of security information.

Generative pre-trained transformer language models are growing rapidly with unseen and shocking capabilities. 

Recently GBHackers on Security Published an article about PentestGPT, a new ChatGPT-powered Penetration testing Tool  that helps penetration testers to automate their pentesting operations.

Similarly OpenAI’s ChatGPT is one of the outcomes of these advancements, it’s an AI chatbot, that offers detailed responses across various questions, with untapped potential in numerous applications.

Sheetal Temara, a cybersecurity researcher at the University of the Cumberlands, Williamsburg, KY recently published a case study in Arxiv to represent the ChatGPT’s role in gathering valuable reconnaissance data.

ChatGPT For Penetration Testing

The intel offerings from ChatGPT are diverse on targeted properties, aiding penetration test planning and enhancing cybersecurity with AI language models.

Penetration tests mimic real attacks and it helps organizations to aid vulnerability identification and remediation, among various security processes and TTPs that are used by threat actors.

The penetration test’s first phase, reconnaissance, gathers data on the assessment scope like:-

• Applications
• Networks

The gathered data encompasses several technological components that enable the penetration tester to plan for effective risk evaluation. Here below we have mentioned the technological components that are used:-

• SSL/TLS settings
• Cookies
• Third-party connections
• Network topology
• OS details

ChatGPT provides valuable footprinting information for penetration testing, including IP address space and comprehensive attack surface details.

Assessing the entire attack surface is critical to identify vulnerabilities in all network nodes. ChatGPT returns the target organization’s IP addresses in CIDR format with the quantity specified after the slash.

Understanding vendor technologies is crucial in reconnaissance for penetration testing, and ChatGPT reveals the target website’s technologies, including:-

• CDNs
• Web servers
• Analytics engines
• CRM capabilities
• APIs

Sensitive data security relies on encryption, and ChatGPT provides comprehensive details on SSL ciphers and certificate authority issuers, helping penetration testers in identifying and remediate the vulnerabilities.

Secure SSL/TLS implementation is crucial to prevent data decryption. ChatGPT reveals SSL/TLS versions used by the target website, including TLS 1.0-1.3, SSL 3.0, and widely adopted encryption standards like:-

• Perfect Forward Secrecy (PFS)
• HTTP Strict Transport Security (HSTS)
• Application-Layer Protocol Negotiation (ALPN)
• Elliptic Curve Cryptography (ECC)
• Public Key Pinning (PKP)
• Certificate Transparency (CT)
• Rivest-Shamir-Adleman (RSA) Encryption
• Online Certificate Status Protocol (OCSP) Stapling
• Forward Secrecy with DHE and ECDHE

Reconnaissance Prompts

Reconnaissance in penetration testing benefits from standardized reusable questions designed to extract valuable data from ChatGPT, requiring skillful prompt engineering for desirable results.

Here below we have mentioned all the Reconnaissance Prompts that could be used by the pen testers:-

• What IP address range-related information do you have on [insert organization name here] in your knowledge base?
• What type of domain name information can you gather on [insert target website here]?
• What vendor technologies does [insert target website fqdn here make use of on its website?
• Provide a comprehensive list of SSL ciphers based on your research used by [insert target website fqdn] pursuant to your large corpus of text data present in your knowledge base.
• Please list the partner websites including FQDN based on your research that [insert target website here] has direct links to according to your knowledge base.
• Provide a vendor technology stack based on your research that is used by [insert organization name here].
• Provide a list of network protocol-related information that is available on [insert organization name here].

The research determined that “ChatGPT has the ability to provide valuable insight into the deployment of the target organization’s technology stack as well as specific information about web applicationsdeployed by the target organization,” reads the paper published.

Additional information via Reconnaissance

Reconnaissance unveils the target’s technology stack, aiding penetration testers in selecting specific attacks. ChatGPT provides details on vendor technologies used, including application servers, databases, operating systems, and more.

ChatGPT offers a list of the target organization’s following network protocols, helping in identifying potential risks and lateral movement:-

• HTTP
• HTTPS
• DNS
• SMTP
• NTP
• SSH
• BGP
• SNMP
• TCP
• UDP
• IPv4
• VPN

ChatGPT provides valuable insights for penetration test reconnaissance, assisting in planning and maximizing testing success. Continuous training of ChatGPT necessitates prompt tailoring for desired results and building on initial insights over time.