A GPT-empowered penetration testing tool.
- virtualenv -p python3 venv, source venv/bin/activate
- pip3 install git+https://github.com/GreyDGL/PentestGPT
- export OPENAI_API_KEY='<your key here>', export API base with export OPENAI_BASEURL='https://api.xxxx.xxx/v1' if you need.
- pentestgpt-connection
- tmux as terminal environment. You can do so by simply running tmux in the native terminal.
- pentestgpt --logging

resources where we use it to solve HackTheBox challenge TEMPLATED (web challenge).

PentestGPT is tested under Python 3.10. Other Python3 versions should work but are not tested.
PentestGPT relies on the OpenAI API to achieve high-quality reasoning. You may refer to the installation video here.
pip3 install git+https://github.com/GreyDGL/PentestGPT

git clone https://github.com/GreyDGL/PentestGPT
cd PentestGPT
pip3 install -e .

export OPENAI_API_KEY='<your key here>'

Export the API base as well if you need:

export OPENAI_BASEURL='https://api.xxxx.xxx/v1'

To verify that the connection is configured properly, you may run pentestgpt-connection. After a while, you should see some sample conversation with ChatGPT.
You're testing the connection for PentestGPT v 0.11.0
#### Test connection for OpenAI api (GPT-4)
1. You're connected with OpenAI API. You have GPT-4 access. To start PentestGPT, please use <pentestgpt --reasoning_model=gpt-4>
- notice: if you have not linked a payment method to your OpenAI account, you will see error messages.
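
A pre-flight check for the export and connection-test steps above, as an added example that is not part of the PentestGPT project. The function names are hypothetical, and it assumes the client sends OPENAI_API_KEY to whatever host OPENAI_BASEURL names, so a base URL that is not https would expose the key in transit.

```shell
#!/bin/sh
# Added example, not PentestGPT code. Helper names are hypothetical.

check_api_key() {
    # Fail if the key is unset, empty, or still the README placeholder.
    case "${OPENAI_API_KEY:-}" in
        ''|'<your key here>')
            echo "OPENAI_API_KEY is unset or still the placeholder" >&2
            return 1 ;;
    esac
    return 0
}

check_base_url() {
    # OPENAI_BASEURL is optional. Assumption: the key is sent to this host,
    # so anything other than https would put it on the wire in clear text.
    case "${OPENAI_BASEURL:-}" in
        ''|https://*) return 0 ;;
    esac
    echo "OPENAI_BASEURL is set but not https" >&2
    return 1
}

python_status() {
    # $1 is a "major.minor" string; the page states 3.10 is the tested version.
    case "$1" in
        3.10) echo tested ;;
        3.*)  echo untested ;;
        *)    echo missing ;;
    esac
}

preflight() {
    # Returns the number of hard failures; notes do not count.
    failures=0
    check_api_key  || failures=$((failures + 1))
    check_base_url || failures=$((failures + 1))
    ver=$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])' 2>/dev/null) || ver=none
    status=$(python_status "$ver")
    [ "$status" = tested ] || echo "note: python3 is $ver ($status)" >&2
    # tmux exports TMUX inside a session.
    [ -n "${TMUX:-}" ] || echo "note: not running inside tmux" >&2
    return "$failures"
}

# Usage: preflight && pentestgpt-connection
```
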
pentestgpt --reasoning_model=gpt-4 --useAPI=False.

poetry is installed. If not, please refer to the poetry installation guide.

You are recommended to run:
- pentestgpt --reasoning_model=gpt-4-turbo to use the latest GPT-4-turbo API.
- pentestgpt --reasoning_model=gpt-4 if you have access to GPT-4 API.
- pentestgpt --reasoning_model=gpt-3.5-turbo-16k if you only have access to GPT-3.5 API.

To start, run pentestgpt --args.
- --help: show the help message.
- --reasoning_model is the reasoning model you want to use.
- --parsing_model is the parsing model you want to use.
- --useAPI is whether you want to use OpenAI API. By default it is set to True.
- --log_dir is the customized log output directory. The location is a relative directory.
- --logging defines if you would like to share the logs with us. By default it is set to False.

The tool works similarly to msfconsole. Follow the guidance to perform penetration testing.

In general, PentestGPT takes commands in a way similar to ChatGPT. There are several basic commands.
- help: show the help message.
- next: key in the test execution result and get the next step.
- more: let PentestGPT explain more details of the current step. Also, a new sub-task solver will be created to guide the tester.
- todo: show the todo list.
- discuss: discuss with PentestGPT.
- google: search on Google. This function is still under development.
- quit: exit the tool and save the output as a log file (see the reporting section below).

- TAB to autocomplete the commands.
- ENTER to select the item. Similarly, use <SHIFT + right arrow> to confirm selection.
The user can submit info about:
In the sub-task handler initiated by more, users can execute more commands to investigate a specific problem:
- help: show the help message.
- brainstorm: let PentestGPT brainstorm on the local task for all the possible solutions.
- discuss: discuss with PentestGPT about this local task.
- google: search on Google. This function is still under development.
- continue: exit the subtask and continue the main testing session.

pentestgpt --logging. We will only collect the LLM usage, without any information related to your OpenAI key.

logs folder (if you quit with the quit command).

python3 utils/report_generator.py <log file>. A sample report sample_pentestGPT_log.txt is also uploaded.

PentestGPT now supports local LLMs, but the prompts are only optimized for GPT-4.
- pentestgpt --reasoning_model=gpt4all --parsing_model=gpt4all.
- module_mapping class in pentestgpt/utils/APIs/module_import.py.
- module_import.py, gpt4all.py and chatgpt_api.py to create API support for your own model.

Please cite our paper at:
@inproceedings {299699,
author = {Gelei Deng and Yi Liu and V{\'\i}ctor Mayoral-Vilches and Peng Liu and Yuekang Li and Yuan Xu and Tianwei Zhang and Yang Liu and Martin Pinzger and Stefan Rass},
title = {{PentestGPT}: Evaluating and Harnessing Large Language Models for Automated Penetration Testing},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {847--864},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/deng},
publisher = {USENIX Association},
month = aug
}
Distributed under the MIT License. See LICENSE.txt for more information.

The tool is for educational purposes only and the author does not condone any illegal use. Use at your own risk.