Recently, Brackish was conducting a phishing engagement, and we had the idea to try out ChatGPT to help us build our phishing infrastructure. We’ve already built this stuff manually, so this experiment would give us an idea of exactly how helpful ChatGPT can be for us in “real” situations.
This was a one-off phishing engagement that was not part of a larger red team campaign, and the infrastructure did not need to remain up after the engagement was finished. We use Terraform and Ansible for stuff like this. This tooling allows us to spin up our infrastructure reliably and repeatably. It also allows us to tear it down quickly – which saves money and time.
As mentioned previously, we’ve done this before, so we have the requisite files already prepared. In day to day operations, all it takes for us to spin up the infrastructure is some slight modification of variable names, a few commands, and then some manual tweaks and verifications.
A simple Terraform module needs a main.tf file – the file that creates some stuff and choreographs everything. In ours, we needed to create a resource group, a virtual network, subnet, public IP, and a network interface along with the virtual machine.
We asked ChatGPT to, “Write a terraform and ansible project to deploy a small virtual machine on azure and install nginx and gophish on that virtual machine.” Here is what it came up with.
That was a decent start, but we like to use more up to date versions of Ubuntu and the azurerm Terraform provider. How did it do with Ansible?
That’s pretty basic, but it is a start. Both of these files needed some slight modifications, and also we needed some ancillary files to actually enable this deployment. We also want HTTPS on our site, so we need to use Certbot for that.
Those were reasonable responses – very close to what we would use. We ended up using ChatGPT to refine these files, and create the other requisite files. With enough work, it is possible to get an end product very close to what is needed. At that point, the use cases for ChatGPT were clear, but the drawbacks were also just as clear.
ChatGPT is great – if you know what you’re doing. If we started this project from scratch, with no idea what to do other than we need to deploy some stuff in Azure to do some phishing, this would have ended in failure. Someone in that situation would not have the knowledge of what they should be asking – and that is the battle with ChatGPT. You need to know what you’re doing, i.e. you’ve probably already done this, or something similar manually. ChatGPT requires specificity.
At the end of the day, ChatGPT is a force multiplier. It will spit out simple scripts, tell you how to edit text quickly, and perform other day-to-day tasks that we are penetration testers perform, but ChatGPT will do them more quickly – sometimes dramatically so. Now, instead of spending an hour writing a script to parse some text, write some files, and make a web request, ChatGPT will do this for us in twenty minutes. At this point, if you aren’t using ChatGPT as an assistant, you’re behind.