People have sometimes thought about a future where they could ask a computer anything and it would tell them everything. Well, that future isn’t that far away, and it might even be closer than you think.
OpenAI has done some groundbreaking research (you can check it out here: ChatGPT) where you can talk to a chatbot and ask it to code and explain anything you can think of. It really is that simple. Well, the idea isn’t that old. GitHub Copilot had the same idea, but this has taken it to the next level.
Let me give you an example –
It really is that simple. It tells you not only how to write it but also what is what? It also explains how to use it.
Usage in Pentesting
As an Offensive Security Engineer, the first thing I would think about is how I could use it to aid myself. (Well, this is a censored first thought)
- Now I can write pentesting tools easily. Yaay
- Now I can write exploits easily. Yaay.
I’m sorry to let myself and the readers down. That’s not true. Well, yes, it can help your script kiddie attitude a little bit, but in the long run, it won’t, and you’ll fail. Why? Well, let’s look at some examples:
Directory Enumeration
Let’s ring the bell and start talking about everything. Let’s ask ChatGPT to make a tool for directory enumeration.
Now, even good things have bad parts. Let’s attempt to break down this code.
Now you can talk about more important things. I asked the bot how buffer overflow attacks could happen with this code. It said that it is not directly vulnerable to buffer overflow attacks, but that an attacker could use it to their advantage and It then gave an update to the code as a solution to this exploit.
You can bend a tool and easily know how to break it and solve the problem at the same time. It helps you in the sense that it makes it easier to make secure applications, but it also makes it easier for attackers to find security holes and use them.
Cookie Grabbing
I made a tool where my piece of code basically grabs the session/cookie, changes it, refreshes the session, and runs the changed cookie. Let’s use ChatGPT to make the same thing.
There is a big problem with this code. This code doesn’t work the way you want it to. My plan was to get a cookie, then change it and refresh it within the same session. This is how cookie manipulation is done. In this case, it keeps calling the same URL. It might not work right if you log in and then go to a different page. Yes, you can fix this with python modules, but you have to know the language and how to use the modules. You think it will help you build it easily, but it won’t.
So, How does it exactly help you?
This is a great place to learn more about anything in depth. In the case of pentesting, you can use it to learn how a tool works and how to make your own tools better. For example, I made a base64-encoded authentication tool that uses brute force to break this kind of authentication. When I tried to use ChatGPT, I discovered that there is a simpler way to create and improve the tool that works better.
What Should you Know?
If you want to use this tool well, you should have a basic understanding of programming, languages, and how things work. If you think that you will use it to enhance your script-kiddie-ness, you will not go much from there. It will rather help you learn more quickly about the tool and how to use it correctly. My opinion is that it is not an industry-based tool that can be used to automate tasks. Instead, it is a learning and development tool that should be used to learn about your field.
But there’s no question that you should be impressed by how far research has come. It’s great, and with that, I want to say “Happy Learning” to everyone.