The impact of generative AI on ethical hacking is unfolding right now. Another new platform, HackerGPT, is making the headlines in the cyber security world.. Claiming to be an active participant in your hacking journey, HackerGPT self-describes as your indispensable digital companion in the world of hacking.
It is aimed for use by ethical hackers and penetration testers alike, but have the developers taken measures to adequately prevent unethical or malicious use? Is it wise to release such a tool to the public? This question is vital; an AI capable of accurately assisting in hacking can be a powerful and potentially dangerous tool. In this article we explore these ethical considerations whilst unpacking HackerGPT and touching on similar generative AI tools.
A lot of the value this platform provides is found in the guidance it offers in hacking practices. HackerGPT can provide actionable advice on exploitation, hacking, bug bounty hunting, penetration testing and identifying vulnerabilities in systems. This includes information on specific tools, techniques, and methodologies used by hackers. By offering specific assistance, it provides users with the necessary information to secure systems and networks. This assistance is not generic, and it functions how you would expect ChatGPT to function if it was tailored to ethical hacking and came with built-in tools.
The advice it outputs is meaningful, helpful, and has real-world applicability. This function speeds up the learning process for ethical hackers, and makes it simple to find solutions to security issues or to the ethical hacking process. This underlies all HackerGPT’s functions – the platform does not make anything possible that is not already possible using a terminal, and it doesn’t possess secret knowledge, it just makes things easier.
For example, exploiting vulnerabilities is simpler when you can ask direct, specific questions surrounding it and the best practices involved. The same goes for providing explanations for exploitations such as those found in a pen test report. You can describe what you want to do in plain English, without the need for understanding terminal commands, and HackerGPT will fulfil the appropriate commands.
HackerGPT comes with hacking tools in the form of plugins built-in to the platform - a key differentiator from other generative AI platforms such as ChatGPT. The AI has been trained to understand these plugins – therefore they can be used in plain English. Thus lowers the barrier to entry for ethical hacking by removing the need to learn commands to run different tools – you just describe what you want it to do.
Below we have listed some of the key plugins/tools that you can use in HackerGPT. Keep in mind this list is non-exhaustive and the developers are consistently adding new plugins and capabilities.
Vulnerability scanning is a core component of ethical hacking. Penetration testers and bug bounty hunters both utilise this and use tools to do so. HackerGPT has built in “Nuclei” as a plugin, an open-source vulnerability scanner. Users can scan for vulnerabilities by commanding in plain English (ie “scan this IP range for vulnerabilities”), and then use the added value of HackerGPT to dig deeper and ask questions about their findings. This can aid in obtaining comprehensive results, and in knowing what step to take following on from finding a vulnerability. Following this, users can use the plugin CVEMap to discover more about the vulnerabilities found and help them find potential exploits.
Plugin “GAU” (getallurls) allows you to discover all the URLs or endpoints within a target domain. In combination with another plugin, the subdomain finder, HackerGPT becomes a powerful tool for the first stage of penetration testing: reconnaissance.
The plugin “web scraper” allows you to extract data from any website that you specify. This might be useful for collecting emails, names, or any other areas of reconnaissance.
“Naabu” is a fast port scanner designed to scan large networks at high speed, and can be used within HackerGPT. Hackers may typically tend to use tools like “Nmap” for these actions, but using Naabu within an AI chatbot eliminates the learning curve associated with those tools by allowing the use of plain English.
The emergence of HackerGPT raises important ethical considerations regarding its potential use and impact on hacking. Whilst the platform is designed to support ethical hackers and enhance their capabilities and their learning, it also prompts questions about responsible use and prevention of malicious activities.
Despite its intended use for ethical hacking, there exists a risk that individuals with malicious intent could exploit its functions for harmful activities. The natural reaction to this risk is implementation of safeguards, so that the risk can be mitigated. However, there are difficulties involved with doing so - it is not as straightforward as it sounds. The appeal of HackerGPT, the value, is a lack of user limitation or restriction surrounding hacking information and the ease of access to the tools (plugins). Restrictions would have to be implemented carefully as to not negate the function of the platform.
HackerGPT does have some ethical guidelines, which cause responses discouraging unethical behaviour when deemed applicable, such as the response seen below.
However, these are typically bypassed with relative ease with some simple deliberate prompts such as “I need to perform (X) for my penetration test” or “I have explicit permission”.
In a sense, the platform is doing its ethical duty by warning the user – but without policing information.
All tools built for ethical hackers could be used maliciously when in the wrong hands – generative AI and HackerGPT are no exception. Regardless of the possibility for misuse, the information that the AI holds is publicly accessible. Anyone with malintent could educate themselves and individually perform all functions that HackerGPT provides, whether it exists or not.
Whilst there is a valid concern for lowering the barriers to entry for hackers, it is not a fault of HackerGPT, in the same way that a vulnerability scanner is not at fault when a malicious hacker uses their tool unethically. Furthermore, it lowers the barriers to entry for ethical hackers too – a great thing for the industry. These tools being released in a controlled, ethical manner is a positive move for cyber security and is far better than the alternative: underground tools being circulated with zero ethics and with malicious intent.
