
Using GPT-4 for Offensive Security

  • 7 min read
  • 11 Jun 2023


In this article, we will explore the cutting-edge capabilities of GPT-4, the latest advancement in language models, and discover how it can revolutionize offensive security strategies. This article delves into practical examples, demonstrating how GPT-4 can be leveraged for tasks such as vulnerability assessment, penetration testing, and threat intelligence gathering. Gain insights into its enhanced natural language understanding, automated exploit generation, and intelligent attack simulations, opening new avenues for proactive cybersecurity defenses. Harness the potential of GPT-4 to fortify your offensive security arsenal.


Reminder: Generative AI is known for hallucinations, in which it gives replies that are not true, so always verify the information it gives you.

Here are a few use cases where you can use GPT for Offensive Security tasks:

Writing phishing mails

Earlier, one of the ways to detect phishing emails was bad English. Phishing emails have a history of incorrect English, as attackers are often from non-English-speaking places. But the availability of generative AI tools now enables a broader range of users to create convincing phishing and spam messages, even if they lack the skills to do so manually.

For instance, these tools can be used to generate social engineering drafts that impersonate an employee or a company, making it easier for individuals with little experience in crafting these messages to carry out these types of attacks.

Example:


Image 1: Example of Phishing Email

Exploit development

ChatGPT can assist in identifying vulnerabilities, as demonstrated by Cybernews researchers who used the chatbot to exploit a vulnerability that was discovered. However, ChatGPT is programmed to not offer illicit services, like hacking. Therefore, carefully phrased queries are necessary. Merely asking the chatbot to create an exploit for a particular vulnerability will not suffice.

The researchers informed the chatbot that they were conducting a 'Hack the Box' pen test challenge and required assistance in locating a vulnerability. Once discovered, they were given step-by-step instructions, exploit code examples, and samples to use. As a result, the security researchers were able to identify and write an exploit for a well-known application within 45 minutes. This once again showcases how ChatGPT has made a previously complicated and lengthy process accessible to everyone.

Write scripts

GPT-4 can be used to write automation scripts that can make the work of a security professional eas

Example: Here I’m asking ChatGPT to write a Python script that will use httpx to see all the live web hosts from a list of text files containing URLs and then use nuclei on all the domains:

Image 2: Python script output

Source Code review

ChatGPT, now with GPT-4, can be used to do source code reviews, and it can help security professionals do those reviews faster. Though it sometimes gives wrong answers, it can provide a good suggestion, which the security professional can then verify to confirm whether the response is correct.

Example: I asked GPT-4 to find a security vulnerability in this code:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    $html .= "<pre>{$cmd}</pre>";
}

?>

Here is the response:


Image 3: Code review

Here the code was simple, and GPT-4 found the flaw correctly, but with complex code it often gives incorrect responses. Even so, these responses can help security professionals do their tasks faster, since they can take the feedback from ChatGPT and filter out the incorrect information.
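An added example, not part of the original article or of GPT-4's response: a hardened form of the ping handler shown above, in which the request value that the original concatenates into shell_exec() is accepted only if it is a literal IP address. The function name build_ping_command and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: hardened counterpart of the ping handler reviewed above.
// build_ping_command() and the sample inputs are hypothetical, for illustration.

/**
 * Validate the target as a literal IPv4/IPv6 address and only then build the
 * command line. Returns null when the input is rejected.
 */
function build_ping_command(string $target, string $osName): ?string
{
    $target = trim($target);

    // Allow-list: accept only a syntactically valid IP address. Input that
    // carries shell metacharacters (; | & ` $ newline ...) fails this check.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Defence in depth: quote the argument even though it is already validated.
    $arg = escapeshellarg($target);

    return stripos($osName, 'Windows NT') !== false
        ? 'ping ' . $arg
        : 'ping -c 4 ' . $arg;
}

$html = '';
if (isset($_POST['Submit'])) {
    // Read from $_POST only; the original mixed $_POST and $_REQUEST.
    $raw = $_POST['ip'] ?? '';
    $cmd = is_string($raw) ? build_ping_command($raw, php_uname('s')) : null;
    if ($cmd === null) {
        $html .= '<pre>Invalid IP address.</pre>';
    } else {
        // Encode the command output before placing it in the page.
        $out = (string) shell_exec($cmd);
        $html .= '<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}

// Constructed sample inputs: the first two pass the allow-list, the rest are rejected.
if (PHP_SAPI === 'cli') {
    foreach (['192.0.2.10', '2001:db8::1', '192.0.2.10; extra', 'example.com'] as $sample) {
        var_dump($sample, build_ping_command($sample, 'Linux'));
    }
}
```

Run from the command line, the script prints the command built for each constructed sample, or NULL where the input is rejected; a reviewer can use the same inputs to check whether a model's suggested fix actually closes the flaw.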


Create your own Nuclei template

ChatGPT can be used to create a Nuclei template, which can later help in automating the task of finding flaws.

Example:

Image 4: Nuclei template

Write reports

This one is my favorite. As a penetration tester or security professional, one needs to write a lot of reports: reports for clients, reports for other team members, etc. ChatGPT can be used extensively for writing security reports. Though I don’t recommend using ChatGPT to write the entire report, it can be used to make the task of writing reports easier.

Example 1: Here I’m asking ChatGPT to help me write a bug bounty report for an SSRF flaw that I found in example.com along with how to fix the issue:

Image 5: Bug Bounty Report

Example 2: Here I’m asking ChatGPT to write a report on OWASP's top 10 flaws, along with how to fix those flaws, which I need to send to the client:

Image 6: OWASP top 10 flaws

Prepare for interviews

ChatGPT can be used to prepare for technical interviews, as it can show you common questions that are asked for your role and position.

Example: Here I’m asking ChatGPT to suggest 10 questions, along with answers, for a penetration tester job with 3 years of experience:

Image 10: Interview Questions

Write technical blogs and articles

ChatGPT is now more powerful with GPT-4, and it can help you write technical articles by giving you valuable input and suggestions.

Fun fact: GPT-4 was used intensively while writing the article that you are reading.

Conclusion

In conclusion, GPT-4, together with ChatGPT, has the potential to simplify numerous tasks in offensive security, thereby offering valuable assistance to security professionals. Though there are concerns about the possibility of individuals misusing this technology, its positive use cases cannot be disregarded. However, it is unlikely that GPT-4 can replace security professionals soon. Nonetheless, security experts who incorporate AI in their work can certainly outperform those who do not leverage this technology. Ultimately, it is up to us to determine how we use this powerful tool and ensure that it is utilized for the greater good.

Author Bio

Indrajeet Bhuyan is a security researcher from Assam, India. He holds a Bachelor of Technology (B.Tech.) focused on Computer Science from Assam Don Bosco University. He has contributed to the security of various companies and organizations like WhatsApp, HTC, Samsung, Photobucket, Reverbnation, TVF, ESET, etc. He has been featured in multiple national and international news portals like International Business Times, Russia Today, Times of India, Digit, Kaspersky, The Independent, India Today, etc. for his work on cybersecurity. He created ‘WannaSmile’, a tool that was used to protect users from the world’s biggest ransomware attack, ‘WannaCry’, which was featured by various national and international media.
