Introducing HackingBuddyGPT
HackingBuddyGPT is a unique project designed to assist ethical hackers and security researchers in performing security tests using Large Language Models (LLMs). This innovative tool aims to simplify the process of finding new vulnerabilities in systems, all in 50 lines of code or less. By leveraging AI, the project seeks to make the digital world a safer place while potentially earning bug bounties for hackers.
The Mission
The main goal is to become the leading framework for security researchers and penetration testers who are looking to incorporate AI through LLMs in their security testing processes. HackingBuddyGPT provides reusable Linux privilege escalation benchmarks and openly shares findings through accessible reports. For those seeking guidance on which LLM to use, HackingBuddyGPT offers a comparative paper on multiple LLMs.
HackingBuddyGPT in the Spotlight
HackingBuddyGPT has gained recognition and is featured in various events and platforms:
- On November 20, 2024, Manuel Reinsperger is set to present the project at the European Symposium on Security and Artificial Intelligence.
- The project was showcased at the GitHub Accelerator Showcase on July 26, 2024.
- Juergen Cito spoke about it at GitHub HQ during an open source event on July 24, 2024.
- It was part of the GitHub Accelerator 2024 cohort.
- Andreas Happe presented it at FSE'23 in San Francisco.
Core Contributors
The team behind HackingBuddyGPT is made up of researchers and developers, and the project began with Andreas Happe's curiosity about using LLMs for hacking. The team includes Juergen Cito, Manuel Reinsperger, and Diana Strauss, and originates from TU Wien's IPA-Lab.
Use Cases and Agents
HackingBuddyGPT is designed to be user-friendly, allowing for quick experimentation with different use cases. Initial tests focused on Linux privilege escalation attacks, and efforts are expanding to web penetration testing and web API testing. Specific use cases include:
- Minimal Privilege Escalation: A simple example of a Linux privilege escalation using a minimal amount of code.
- Linux Privilege Escalation: Tasking LLMs to escalate privileges from a low-privilege user to root within a Linux environment.
- Web Penetration Testing (WIP): Under development, aimed at testing website security.
- Web API Testing (WIP): For testing the security of REST APIs, currently in pre-alpha development.
Building Your Own Agent
HackingBuddyGPT provides a framework for developers to create custom agents for security testing. It includes tools to connect to LLMs and log activities, making it straightforward to develop new experiments. The guidance for setting up new agents focuses on simplicity and ease of use.
Setup and Usage
To use HackingBuddyGPT, one needs an OpenAI API key and a potential target accessible via SSH. The framework provides detailed steps for setting up and running the platform, ensuring minimal dependence on additional software.
Publications and Recognition
The project stems from a strong academic background, with papers detailing the framework's methodology and outcomes:
- Studies on hackers' work ethic and practices.
- Papers on using LLMs for penetration testing.
- A benchmark for Linux privilege escalation.
Ethical Considerations
HackingBuddyGPT emphasizes ethical use and compliance with legal standards. It is intended for educational purposes, and misuse for unauthorized attacks is discouraged, with users urged to follow applicable laws.
By equipping security professionals with AI-driven tools, HackingBuddyGPT takes a significant step towards enhancing cybersecurity measures in an engaging, ethical, and efficient manner.