reNgine-ng is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface.
GNU General Public License v3.0
12
stars
6
forks
source link
feat(llm): GPT4All, Open-source LLM that run locally #44
It is great for local testing (3GB - 8GB) in any corporation that don't want to send data to internet.
"GPT4All is an ecosystem to run powerful and customized large language models that work locally on consumer grade CPUs and any GPU. Note that your CPU needs to support [AVX or AVX2 instructions]"
@yogeshojha ,I am excited to offer my contributions to this issue. I have a couple of ideas that I believe could significantly enhance the project's functionality, particularly in the gpt.py script.
Proposed Enhancements:
Fallback to Local Model: In scenarios where an OpenAI key is not defined or available, I propose implementing a fallback mechanism in gpt.py that automatically switches to a local model. This approach ensures continuity of service while catering to users without access to OpenAI's API.
Integration of GPT4All: I plan to utilize the GPT4All Python bindings as the local model. My focus will be on seamlessly integrating this without disrupting the current usage patterns of the GPT API. The goal is to maintain backward compatibility and ease of use.
Testing with Mistral Instruct Model: For the GPTVulnerabilityReportGenerator, I have conducted tests using the Mistral Instruct model. These tests are to ensure that our implementations are robust and can handle various language modeling tasks efficiently.
Approach and Compatibility:
My approach will prioritize maintaining the existing functionality of gpt.py while introducing these enhancements.
I aim to ensure that the integration is smooth and does not introduce breaking changes for current users.
Request for Feedback:
I am eager to hear any feedback or suggestions regarding this proposal.
If there are specific guidelines or preferences for how these features should be integrated, I would appreciate your insights.
I am looking forward to contributing to this important feature, and I believe that these enhancements will make the tool more versatile and accessible to a broader range of users.
I have also tested Mistral Instruct model for GPTVulnerabilityReporGenerator:
Question:
You are a highly skilled penetration tester who has recently completed a penetration testing.
You will be given with a
- Vulnerability title
- Vulnerable URL
- and some description about the vulnerability.
Your job is to write a detailed technical penetration testing report based on the given Vulnerability details.
The purpose of this report is to provide an in-depth analysis of the vulnerabilities discovered during the penetration testing engagement.
The penetration testing report must contain all separated by \n\n
- Vulnerability description
Include a detailed vulnerability description, include any known CVE IDs, any known existing vulnerabilities.
- Impact
Include what this vulnerability can impact for web applications.
- Remediation
Include steps to remediate this vulnerability. Separate each new remediations by - and a new line \n
- References
Include any references URL about this vulnerability, any existing CVE ID, or news articles etc. Separate each new references by - and a new line \n. Only include http urls
Do not write 'Penetration Testing Report:' on the title.
CVE-2021-44228
www.index.gov/
Response:
Vulnerability Title: Remote Code Execution (RCE) Vulnerability in Apache Tomcat Server
Vulnerable URL: www.index.gov.tr
Description: The vulnerability was discovered during a penetration testing engagement on the website of the Ministry of Customs and Trade of Turkey, which is hosted on an Apache Tomcat server. The RCE vulnerability allows attackers to execute arbitrary code on the server by exploiting a flaw in the JVM (Java Virtual Machine) used by Tomcat.
Impact: This vulnerability can be exploited by attackers to gain full control of the web application and potentially compromise sensitive data or perform malicious actions such as DDoS attacks, data theft, etc. The impact of this vulnerability on a web application can be severe, as it allows an attacker to execute arbitrary code on the server, which can lead to unauthorized access, data theft, and other forms of exploitation.
Remediation: To remediate this vulnerability, the following steps should be taken:
Update Apache Tomcat to the latest version that includes a fix for CVE-2021-44228.
Configure Tomcat to use a sandboxing mechanism such as Java Web Application Firewall (JWAF) or Java Security Manager to restrict the execution of arbitrary code on the server.
Implement input validation and sanitization techniques to prevent malicious inputs from being executed by the web application.
Conduct regular vulnerability assessments and penetration testing to identify and remediate any new vulnerabilities that may arise in the future.
Is there an existing feature or issue for this?
Expected feature
Can you add support for GPT4All?
It is great for local testing (3GB - 8GB) in any corporation that don't want to send data to internet.
"GPT4All is an ecosystem to run powerful and customized large language models that work locally on consumer grade CPUs and any GPU. Note that your CPU needs to support [AVX or AVX2 instructions]"
https://gpt4all.io/ https://github.com/nomic-ai/gpt4all
@yogeshojha ,I am excited to offer my contributions to this issue. I have a couple of ideas that I believe could significantly enhance the project's functionality, particularly in the gpt.py script.
Proposed Enhancements:
Fallback to Local Model: In scenarios where an OpenAI key is not defined or available, I propose implementing a fallback mechanism in
gpt.pythat automatically switches to a local model. This approach ensures continuity of service while catering to users without access to OpenAI's API.Integration of GPT4All: I plan to utilize the GPT4All Python bindings as the local model. My focus will be on seamlessly integrating this without disrupting the current usage patterns of the GPT API. The goal is to maintain backward compatibility and ease of use.
Testing with Mistral Instruct Model: For the
GPTVulnerabilityReportGenerator, I have conducted tests using the Mistral Instruct model. These tests are to ensure that our implementations are robust and can handle various language modeling tasks efficiently.Approach and Compatibility:
gpt.pywhile introducing these enhancements.Request for Feedback:
I am looking forward to contributing to this important feature, and I believe that these enhancements will make the tool more versatile and accessible to a broader range of users.
I have also tested Mistral Instruct model for GPTVulnerabilityReporGenerator:
Response: Vulnerability Title: Remote Code Execution (RCE) Vulnerability in Apache Tomcat Server
Vulnerable URL: www.index.gov.tr
Description: The vulnerability was discovered during a penetration testing engagement on the website of the Ministry of Customs and Trade of Turkey, which is hosted on an Apache Tomcat server. The RCE vulnerability allows attackers to execute arbitrary code on the server by exploiting a flaw in the JVM (Java Virtual Machine) used by Tomcat.
Impact: This vulnerability can be exploited by attackers to gain full control of the web application and potentially compromise sensitive data or perform malicious actions such as DDoS attacks, data theft, etc. The impact of this vulnerability on a web application can be severe, as it allows an attacker to execute arbitrary code on the server, which can lead to unauthorized access, data theft, and other forms of exploitation.
Remediation: To remediate this vulnerability, the following steps should be taken:
References:
Alternative solutions
No response
Anything else?
PR submitted on the legacy repository but not merged in release 2.1.0 yet https://github.com/yogeshojha/rengine/pull/1116
So we need to add the PR here @AnonymousWP Could you do it ?