Automated Pentesting with AI: From Recon to Reporting

BSides Edmonton · 2025 · 37:51 · 73 views · Published 2025-10
Category: Technical
Team: Red
About this talk
BSides Edmonton 2025

This video was captured using a locked-down, unmanned camera. As a result, there may be moments when speakers are not fully in the camera shot. Additionally, the audio quality captured by the podium microphone is dependent on the proximity of the speaker to the mic. This means that variations in audio clarity may occur if the speaker moves away from the microphone during their presentation. We appreciate your understanding of these technical aspects.

As cyber threats grow in scale and sophistication, security teams face increasing pressure to identify vulnerabilities faster than ever before. Traditional penetration testing is powerful, but manual methods are time-intensive, inconsistent, and unable to keep pace with modern attack surfaces. This talk explores how Artificial Intelligence can revolutionize penetration testing by automating the entire lifecycle, from reconnaissance and scanning to exploitation, post-exploitation, and reporting. Attendees will see how AI-driven workflows enhance efficiency, adapt to dynamic environments, and generate actionable insights with minimal human oversight. Through real-world scenarios, a live demo of automated pentesting in action, and a discussion on ethical and operational challenges, this session provides both practitioners and decision-makers with a roadmap for integrating AI into offensive security. By the end, participants will understand not just the technology, but also the governance, limitations, and future opportunities of AI-augmented pentesting.

Transcript

[Music] My name is J and uh I am the graduate student at the University of Regina and I am the cyber a great researcher and good morning to everyone and thank you for the joining and I just my talk is I will talk about the how the automated pentesting with the AI from the recon to reporting like the this session will cover the how the generative AI can enhance the entire pentesting process the whole life cycles how it from the reconnaissance to vulnerability analysis and the exploitation and the like reporting though how my aim is to show just not the tools like the like but the orchestration of the mindset where the AI can goes up to like how we can use

the copilots, GPTs and the like open uh like whatever the AI models over here like how we can use in our life cycles in pentesting life cycles.

So uh this is the like manual life cycles we are currently following the in uh like pentesting like it's very slow very repetitive like whenever we do the reconnaissance scanning a logs analysis and like a and then after the final step reporting time it it is a very time consuming like when we start by the manual when we do a manual report it takes a lot of time when we are making the whole vulnerability report. So the my aim is to like like reduce the time in the reconnaissance and the like scanning the logs and the reporting time. So the my aim is to like use the AI how we can use the AI to like uh like

reduce the time over the throughout the all OSINT work and the like reporting work. So like my AI augmented pen testing life cycle is like the first thing it will help in reconnaissance how we can gather the data of the about the whole client services. Then after like how it will can help in vulnerability analysis like it will prioritize the CVEs and the like reduce the false positive like identifications how it can help the analyzing the logs and all. Then after you can see like the exploitation cycle like AI can craft the payloads and the also the like it can recommend the payloads about the like like whatever the vulnerability is and

then after the final is the reporting like after the all of done you have done the exploit and you all done the all things and after you need to make a report. So the ma like making a report is the main part of like time consuming like 30 to 40% it goes hour of time. So like my main concern is like how we can reduce the reporting time with using the AI. So like we can streaming like the recon process of the AI like we can give them a data collection data set. Then after AI can process and like it can after differentiate the low like role of the each data. Then after it can like says

like how we can prioritize the all vulnerabilities like can identify by the each endpoints and then after it can says like these subdomains like which vulnerable or not like we can use the all like open models for this kind of all processes. I will show you after like how we can use it like like open models for the like vulnerability analysis and for the exploitation. Like this is the phase two like vulnerability analysis and the AI like we can like after the reconnaissance phase we know like the we now we need to use the that data to find the vulnerabilities. So the then after we can how we can use the AI in the

vulnerability findings. So now the most teams are the quietly like do the like vulnerability analysis by them manually like the like some of the tools Burp, like Burp Suite and all things and like in this all throughout the phase like how we can use and analyze like how we can uh use the ChatGPT like open Geminis in our process so they can reduce our time and they like they can use the best result what we want and like in nowadays AI can reduce like false positives like we like some of time like we are finding the vulnerabilities and some of time we don't know like what we going to do after this so like it can give the path

as well as also it can give the like crafting the payloads like it and it can give the also like the whole process of the how you can exploit this endpoint. So it can like the main aim is this like how we can process the whole vulnerability analysis with the companioning of the AI and the phase three is the exploitation. So as I said earlier like it how we can help the AI in exploitation part like it we know like this can be exploitable but we don't know how to exploit. So we can like it can help to make a customized code. It can also the help to you know like there is a one GPT over here like

in a market like it says the PentestGPT also it can like DeepSeek prediction that like we can use these all tools to make analyze the potential vulnerabilities and it can gives also the true vulnerabilities not the false positives. So I tried all these things and uh I came to know like if we can give the proper context if we can give the proper like the whole background of the vulnerability analysis then it can give the proper exploitable code or like whole thing. So you can directly exploit that vulnerability and just make it the report. So there is like whole process like the we can say like the PentestGPT then the DeepSeek prediction and then the adaptive

payload generation it can do the all things it can also the reduce the times and the faster exploitation smart attack chaining you can also it can suggest like the DeepSeek pentest like when you give the prompt it can also suggest like how you can change this attack to this high attack. So it can increase the your impact on the business and also it can says like what is the business impact of the whole scenario of this like how you can chain into chain to like SQL to like RCE these kind of things. So like then after like main concerning phase is like reporting it's a very boring time like when you do the reporting things like making a docs and

all things you know that like like you are make making the like typing the whole report like definitions like explanation of the what is the business impact what is the risk of the business what is the risk of the uh like vulnerability and like how you can mitigate like you need to make the another report for the like uh like software developers how they can mitigate did like what is the snippet of this? So I tried to uh like uh analyze and this thing and I try to implement the AI how we can reduce this whole time consuming process. So if it takes like when you are making the manually report like it takes four to five business days

the whole vulnerability report like the like high to low impact all vulnerabilities whatever you found on the one domain. So when you are making the whole thing it will takes but like when you use the, like, GPT, OpenAI, DeepSeek it will reduce your time like when you give the proper prompts and all the things like contexts and backgrounds. So it can reduce up to like one two or two days like whole report just you need to format it. So here is the like report generation phase like like the manual report creation is like very high and time consuming as I said and like you can if you want like the whole structure output

it can also done by the AI but like I don't suggest because like it like a privacy concern of the businesses so like you can't give the whole uh data to like open models so like you just need to after the whole report generation you just need to format it by yourself and just like easy. So like what is the basic thing how you can train your AI models like in the like unique angle like it can act. So the first four like four things you need to do like you need to assign a role like how you can use your GPT models or like OpenAI models in your tasks. So like you can give like the first thing

role like if you want like you need to if you want like you can make the exploit code then just give the role like you are act as a senior pen tester then just give the context like what you are testing you are testing this you are testing this and then after just give the task like if like I am I have the uh like log of the Nmap or like Nmap result or like whole logs and you need to like Apache logs. So you need to analyze the where is the fault. So just give the task like you need to analyze the like whole logs and just like give it like what I need to find it. Then

after like constraint like what is where is the error like where is the fault where is the things you need to and make the background story of for him so it can work easily. So diameter it will provide a like accurate output then like it's a four thing: role, context, task and constraint and it will give the definitely the whole output as you can see like I seen you over here like the what is the prompt orchestration like it's a unique skill of the AI efficiently by the carefully designing the prompt how you can design the prompt so it can give the accurate output like we have seen nowadays like the AI models are very good but like you need to know

how to use them because nowadays like all people don't know like how you want to use. So if you don't know how you want to use then how it can give you the proper result. People wants the good result and proper result but they don't know how to use it. So if you know like if you can if you give the proper prompts or like if you give the proper context of the whole thing then it will give the accurate output. So it can reduce the whole pentest life cycle. So as I said like framework: role, context, task, constraint and the output. So while you use the AI prompts so my some of the rules which you are taking

in constraints like you don't use like credentials, API keys you know like we can give the business aspect like business secrets to the like open AI models so you need to like replace with the like some of the holders like we can say is the company X prod API like the redacted email so it can use the proper output rather than giving the sensitive information to the like general open model. Then after like it can do when you uh you know like there is a business risk on like giving the sensitive data to open models AI models. So we need to like changing the all like whatever we are giving the output you

need to change like there is a email there is a whatever the sensitive data is in it just you need to change it then change it just give it it will give the accurate output after the whole context. So here it says like the always you need to sanitize your logs whatever you are giving in a response whatever you are giving in a context. So it is so that can it can give you the whole output with the redacted mail. Then after you need to change and change it by yourself and just put it like whatever it's what like let's assume like it's crafting the payload then it says like redacted email like just change it by yourself and just put it it

will work definitely. So here it says like prompts that expressly enforce the redaction and the substitute placeholders. Like the first thing as I said like the sanitization policy prompt like you need to give the whenever you use the AI you need to give the proper prompt like you will like I will not provide the private or confidential data. You need to use the all things properly. So they can understand like whatever he needs to do when you are using the AI models in your pentest you need to like give this kind of prompts in your AI model. So it can use and helps you to like reduce the confidentiality and the risk of the your

business and it can give the proper output of the whole like whatever you are giving. They have that like it can also help the recon with the tri like sanitize the input like you need to give like I have the standardized input output of the reduction production of the example like you do not need to give the proper services of the whole thing. You can also generate the payload by like using these kind of prompts like exploit payload generation with the standardizing context like just give these kind of prompts like I will provide the sanitized HTTP request and response where all sensitive tokens and identifiers have been replaced like placeholders. So basing these kind of prompts it will

understand it will like craft your whole thing then after it will give the whole process the whole life and like whole output with the very accurately and also you can how you can generate the report. There is I also mention the prompts over here like uh I you can paste the whole P over here just he can generally whatever how you want the whole report you can just mention it and just he will write down the whole things for you. So I have some like demo I can show you like just the OWASP Juice Shop like how we can implement the AI with us.

So here we have the uh like a demo web application like OWASP Juice Shop. We can try how we can use the AI models which can help in our whole pen testing life cycles. Like we can see there is a basic login page and there is a like basic.

So we can see over here we have the uh like a left side we have the over here like request. So we can give the AI. So it can give the suggest like we can try to find.

So we have over here the prompt.

So we can just mean to uh sorry

yeah we have the prompt over here you can see just we need to paste the sanitized request and the sanitized response we got and just he will gives the like outputs like the summarize the which field accept the user input if it's yes the SQL injection is possible or not and like if it's yes then like give the payloads how we can exploit it

Oh sorry.

So we can see the output and we can just

So here it says like u it is yes it's possible but not confirmed. So we need to confirm the whole thing. So, so if it's yes then we can say is like generate the

So we can see Yeah. Like

it's a so yeah it's a basic thing but like we can try out the prompt like for the reporting how it can works for the report.

So, uh this is the ready to prompt like uh you need to paste the whole process of that the like whatever you found and uh what you uh what you need to like how you want the output. So like it says like act as a senior consultant and write the professional penetration test finding based on the P like in which includes the executive summary, technical details and the evidence summary, impact and recommended remediations and suggested like the CVSS score like how we can score it from it like and use it can use like whatever you give the output it can also replace the whole placeholders the like admin mail the token and all things and also

it can generate the how you want the output. You can see over here we can just we need to give the some of the like we don't need to give the screenshot it's a like summarization process. It just you need to craft the whole thing. You can just need to give the basic concept context role and how you going to act. You need to uh tell you need to tell him like how you going to act and how you need to make them whole craft the whole thing. So it can generate the whole uh like report like very easy. You can see the like title of the SQL injection vulnerability the the authentication endpoint the executive summary technical

details evidence summary impact recommendation and like it will be like you can just copy paste in a report like whatever you have the format. So you don't need to write the whole things like you can just customize it. You can just need to give the context of the whole thing. You need to just like uh give the proper role. You need to give the proper prompt to him so he can act accurately. So you can use the AI things like nowadays like I I have seen a lot of plantations says like it's a very risky but it's not risky like you can use it in the proper way so it can help it.

So, so this is the part of demo. So, yeah, we need to consider the some like legal things like you are the authorization it's nonnegotiable like it says like with the great powers comes with great responsibility. So like you need to like be careful like whatever you can you are giving to him you need to like sanitize the all things whatever you are giving because it's a open AI if we have the like in-house model so you can you can use it and you can give it to him but like if you want to use the like open model so you can use like this and like we need to care about the data privacy it's like we don't know like

where it's gone the data like how the AI models are using now this. So you need to careful about that and like conclusion like the like AI is the multiplier, not a replacement because like it can reduce our time it can help us a lot while we are doing whatever we are doing but you need to use very precise and very careful like AI it saves like 60 to 80% time of the like reporting and the recon process, what as I as you seen over here in a demo and also like remember like AI won't take your jobs but like but the it will not take a jobs but like you know but the pentester using the AI will

so like bring it all together AI is here and it's transporting like transforming the whole penetration life cycle and process so like the uh you know it Uh that's it and uh thank you guys. [Applause] >> Thank you so much for now we are open for question and answer session. If you have any questions, please ask Ash. >> Very good presentation. I just question.

>> Yeah. Yeah. The PentestGPT and another one we have like uh I uh there is a It's a start from the S. It's a paid model. Uh it it's uh like made for the all uh for the penetration testing. So you can use that. It's a like specially they guys are made for the like all the VAPT analysis and all things. So it's a very useful tool. But like if you want to use like a free tools then PentestGPT and the DeepSeek is good. >> Hi. Have you tried this on real life? >> Yeah. >> Yeah. I when I like I tried a lot of things with the uh DeepSeek like I try

to make a payloads. I try like when I solving the labs that time I try to analyze that like when uh for the recon process like if we have the public domains and all so it can like recon for you for the public available public things for the domain names so it can gives the all information about that also and also like for the reporting time it can like as you saying like it can also the craft whole report for you like with your formatting whatever you want and in exploitation part I uh like in the analysis part I try to analyze summarize the logs like when I need to analyze the whole a list of logs that

time I just give the file and like I need whatever I need to found and just give the whole context and prompt it will summarize and give me output. Sorry.

uh it would be but uh like I haven't tried yet so I don't know about that thing but like you know uh this thing yeah in AI agent I don't know how that works but like these things are you need to just give it the context and like it will have for you like nowadays I have seen like they know about the ChatGPT but they don't they don't know how to use the ChatGPT proper way if you use in a proper way they can give you the like accurate 99% I have seen accurate answer like as I mentioned in like last slides last second or last third like role context task you need to give them then

after he will act accordingly >> yeah hello >> I'm wondering based on experience u how has it been you know hallucination you know false positive responses during this you know using AI any model you know could be Gemini could be GPT could be anything >> yeah like I uh when I started this thing exploring like uh at the time uh like it gives a lot of false positive but uh like if you are expert in giving the prompts like you need to be specific then it will it won't be give the 99% it won't give the false positive cuz you need to give the proper background proper context and proper role then after it will act

accordingly then uh it it will give the proper results

Yeah, but like we don't as I said like we need to sanitize the all things but like you don't need to give the password and all things >> like just like replace the placeholders like redacted email redacted passwords you are like just uh as you seen over here like these are the placeholder you can use like company X prod API like you just need to replace the all sensitive informations with this >> no so you need to just give the whole context you don't need to give the all sensitive data you don't need to you just replace the all sensitive data this kind of tags or what we say is the redacted things, sanitization things and

just it will help you out.

>> Yeah. But like it will like see as I said like it will suggest you then after you need to act. it will suggest you then after you need to you if you don't know at the one point like where can I go after this point if I don't know like after this login page how can I login so it will suggest to you like uh use this payload then after you can get the admin access use this all payloads so you need to try out the all payloads by your thing yourself to what my point Okay. Hi. >> So

>> yeah. >> Yeah. Yeah. Definitely. like if they agrees then it's a like mutual agreement if they like I am right now student I don't have a like proper clients like I'm like doing masters right now so like I am not in any company like like I u had in India so uh like I uh uh give the agreement for this like if I use the ChatGPT or DeepSeek in your pen testing or not if they agrees then I will use and otherwise

Is there a chance?

>> So like if it's like uh if it's publicly available. So I I I would only give the name of the domain or this thing if I want to do the public things. I will not do the any those who are in the private things. So whatever is publicly available is for the all things I would not give them chance for the like

No no no >> no. It won't it won't it won't happen.

>> Yeah, >> it's a very different. Yeah.

>> Yeah. So we uh yeah that's the main concern like we need to we don't need to like proper trust in all AI models we need to proper sanitize the all things before they giving the all things because it's a very risky we don't know like how they going to use our data so like we need to sanitize the all things before they give >> me

one where you get your data. I want to try that anonymiz whatever you want or a dean work on it again from one end to the other. Okay, here is the requirement and you just watch online. >> No, I haven't tried like I am uh like I'm building that uh like script for like you don't need to like sanitize by the by yourself. You need to just give it the whole part. It will sanitize for you. Just scanning the all things and just you need to paste it.

Yeah, like as I said like PentestGPT and like DeepSeek it will generate the craft like uh for it it can craft like a customized payload for you by the proper endpoint but you need to be precise. like when you are giving the prompt. So when you give the proper uh specific prompt then it will craft for you the proper generic payload. Then like it can list like 10 or 20 payloads and definitely uh like 99% like after after all of the 10 one will work definitely. >> Yeah. like this one I understand it is more of acting like an assistant of yours gives you the prompt there I've heard of in option in put an API key to chat then you can

actually run instead of command prompt and say hey run me a met command and look for these IP run the exploit chat does the prompts figures it out and runs it on back. Have you had those kind of >> Yeah, I heard that but I like I don't trust like we use that API properly. So like I don't have a like in inher experience or like using that API and how they going to work like how they going to processing the data. So like announce their Thank you so much.