Offensive GPT

16.10.2023 hacking security AI openAI chatgpt

Estimated reading time: 8 minutes

Recently I have been asked a lot about AI-related topics and what I think about them. Some time ago I wrote a blog post about chatGPT and it’s view on OT security (ChaDGPT on Cyber Security). Of course, the hype around AI hasn’t stopped since then, and we still seem to be on the hype train, with new information flooding social media every week.

My conclusion at that time was the following:

Overall, the use of AI in the information security world has the potential to greatly improve the effectiveness and efficiency of security efforts, but it also brings new challenges, such as the need for proper oversight and the potential for AI to be used maliciously.

The last part, the malicious use of AI, is what I want to look at today. In this blog post we will look at how to get around the limitations chatGPT has implemented.

DISCLAIMER: The following examples are intended to illustrate how attackers could use AI for malicious purposes. This is NOT an INSTRUCTION to harm individuals or businesses, but is for AWARENESS ONLY!

I’m very sorry, but I can’t assist with that

OpenAI seems to have understood that chatGPT can also be used for malicious purposes and has simply removed prompts that are obviously related to hacking.

chatgpt no assist — As a hacker, chatGPT will not assist you :/

Or can I?

It is possible to get the information you need by asking clever questions.

First, it is important to break the problem down into small sub-problems. Instead of directly asking chatGPT to produce malicious code, the code should be written first and chatGPT should be used to debug it.

Let’s have a look at a fictitious example to obfuscate Powershell scripts:

    #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte.
    if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval}

    Write-Verbose "StartByte: $StartByte"
    Write-Verbose "EndByte: $EndByte"

    #find the filename for the output name
    [String] $FileName = (Split-Path $Path -leaf).Split('.')[0]

    #Calculate the number of binaries
    [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
    if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}

I’m using Powersploit’s Find-AVSignature script, which usually gets flagged directly by Windows Defender but can work when obfuscated (Antivirus Evasion).

Obfuscating code — chatGPT helps with obfuscating code

Increase efficiency - Say goodbye to cheat sheets!

Attackers are very interested in automating as much as possible (reconnaissance, scans, phishing mails, exploits) in order to launch a large number of attacks in parallel. And because they see themselves as a business, efficiency and (cost) optimisation are also important to them.¹

In this respect, chatGPT can definitely help out. Let’s step away from the bad boys and focus on the ethical side and the good guys for a litte bit.

As Ethical hackers, we have a lot of tools available to us, however where also just human beings, and there is no way to remember all the parameters of each and every tool. We also have to write our own scripts and tools if it comes down to specific situations or systems.

Let’s start with an easy one; give us an example of how to use hashcat with a list of hashes to crack.

Hashcat cheat — How to crack hashes with hashcat

Scripting made easy

As described above, ethical hackers often need their own little scripts and tools to make their work easier or to automate things. Gone are the days of looking up the syntax of language X! Nowadays, we write a prompt with the task to build the script for us by giving it the parameters and the expected result.

Here is an example to quickly create the list for an internal IP range:

IP Range script — The first recommendation is a quick python script to generate IPs

And yes the code is working! Copy the code below and try it for yourself :)

start_ip = "10.10.1.1"
end_ip = "10.10.2.1"

# Split the IP addresses into their four components
start_ip_parts = list(map(int, start_ip.split('.')))
end_ip_parts = list(map(int, end_ip.split('.')))

# Generate the list of IP addresses
ip_list = []

while start_ip_parts <= end_ip_parts:
    ip_list.append(".".join(map(str, start_ip_parts)))
    start_ip_parts[3] += 1
    for i in range(3, 0, -1):
        if start_ip_parts[i] > 255:
            start_ip_parts[i] = 0
            start_ip_parts[i - 1] += 1

# Print the list of IP addresses
for ip in ip_list:
    print(ip)

I don’t like python, give me bash (or any other language)

If you do not have Python installed on your machine, or you just hate Python like me, chatGPT has your back. Just ask it to rewrite the code in bash (or your preferred language).

IP Range script bash — Python is no fun, let's get the same thing in bash then!

Takes a few seconds and you’re up and running:

#!/bin/bash

start_ip="10.10.1.1"
end_ip="10.10.2.1"

# Split the IP addresses into their four components
IFS='.' read -r -a start_ip_parts <<< "$start_ip"
IFS='.' read -r -a end_ip_parts <<< "$end_ip"

# Function to increment an IP address
increment_ip() {
    for ((i=3; i>=0; i--)); do
        start_ip_parts[i]=$((start_ip_parts[i] + 1))
        if ((start_ip_parts[i] > 255)); then
            start_ip_parts[i]=0
        else
            break
        fi
    done
}

# Generate and print the list of IP addresses
while [[ "${start_ip_parts[0]}.${start_ip_parts[1]}.${start_ip_parts[2]}.${start_ip_parts[3]}" != "$end_ip" ]]; do
    echo "${start_ip_parts[0]}.${start_ip_parts[1]}.${start_ip_parts[2]}.${start_ip_parts[3]}"
    increment_ip
done

# Print the end IP address
echo "$end_ip"

Phishing made easy

Let’s say we want to personalise an email to “Mr Fisher”. We have gathered some information through OSINT, but our English is not good enough to write an authentic business email.

To give you an example of how to feed chatGPT with the information, here is an example of how we can write a customised email directly to Mr Fisher:

I have a client, Mr Fisher is his name. He is the CEO of Fiction Ltd, a large financial company. We had dinner once at a trade show, but I forgot to give him some documents for a project related to his IT infrastructure. I would like to email him afterwards to let him know that I have all the documents on a shared drive.

Can you write me an email in business language addressed directly to Mr Fischer?

ChatGPT is kind enough to provide us with a long text, including placeholders for our phishing link and a signature to make the email look authentic.

Subject: Important Project Documents Available on Shared Drive

Dear Mr. Fischer,

I trust this message finds you well. I wanted to extend my sincere appreciation for the opportunity to meet and share a meal during our recent encounter at the trade show. Your insights and the conversation we had left a lasting impression on me.

I regret that, in the midst of our conversation, I inadvertently neglected to provide you with the essential documents for the project pertaining to Fiction Ltd's IT infrastructure. Please accept my apologies for any inconvenience this may have caused.

I'm pleased to inform you that all the requisite project documents are now available on our shared drive. You can access them by following this link: 

[Insert Link to Shared Drive] 

In the event that you encounter any difficulties or require any additional information, please do not hesitate to reach out to me directly, and I will be more than happy to assist.

Your input and cooperation are highly valued, and I'm confident that these documents will be instrumental in advancing the project. If you have any questions or would like to discuss any aspects of the project further, please feel free to contact me at your convenience.

Thank you once again for your time and consideration, and I look forward to our continued collaboration on this important endeavor.

Sincerely,

[Your Name]
[Your Title]
[Your Contact Information]

Of course, this scenario is also made up and the answer is (in my opinion) slightly exaggerated, but the potential for improving phishing content has increased significantly. Attackers with poor English skills are given a tool to write the content in their native language and then have it translated into English (or another language).

Here is an extract from the email translated into German:

Sehr geehrter Herr Fischer,

ich hoffe, diese Nachricht erreicht Sie in bester Verfassung. Ich möchte mich herzlich bei Ihnen bedanken, dass Sie mir die Gelegenheit gegeben haben, uns während unseres letzten Treffens auf der Messe zu verabreden und gemeinsam zu speisen. Ihre Erkenntnisse und unser Gespräch haben bei mir einen bleibenden Eindruck hinterlassen.

Again, the written email reads a little strangely and unnaturally. This may be because the original input was exaggerated. Nevertheless, the end result and the speed with which you achieved it is impressive!

With great power comes great responsibility

Yes, a lot can be done with AI, both positive and negative. The most important thing is, as always is to raise people’s awareness. As a company, it is about understanding the risks and assessing them properly. Tools like chatGPT can do a lot of work for us, whether it’s automating processes, prototyping or other things.

But it is also important to be aware of potential dangers in order to be able to take appropriate countermeasures.

This is sarcasm! ↩︎