PentestGPT Co-Pilot
Your interactive study companion for the ALX Cybersecurity Professional Programme.
The Lab Environment
Before you can hack, you must build. This aligns with your IT Fundamentals and Containerisation lessons.
1. Docker Setup
PentestGPT uses Docker to ensure a consistent "Attack Box", preventing "it works on my machine" issues.
- Dockerfile: Builds an Ubuntu 24.04 machine.
- Tools: Pre-installs
nmap,netcat,curl, etc.
2. Build Commands
# Compile your "Attack Box"
make install
# Enter the container
make connectConcept Check: If make install fails, debug it! Is it a permission issue? This is a critical IT skill.
The "Shadowing" Technique
Don't just watch the AI. Use it to compare your work against an automated Red Team agent.
Step 1: You Try First
Pick a target (e.g., HackTheBox) and spend 30 minutes trying to solve it yourself.
Step 2: Run the Co-Pilot
pentestgpt --target <Target_IP> --resumeStep 3: Compare Notes
Watch the dashboard. Did it run nmap with different flags? Did it find a directory you missed with gobuster?
Guided Exercise: Web Recon
Scenario: Targeting 10.10.11.234
pentestgpt --target 10.10.11.234 --instruction "Focus on web enumeration first. Look for hidden directories."Auditing the Attacker
Switch hats. Imagine you are the Blue Team defending against PentestGPT.
The Audit Trail
PentestGPT generates a noisy log file. This is your evidence.
cat /workspace/pentestgpt-debug.logThreat Hunting Questions
- Timeline: When did the attack start and finish?
- IOCs: What IP addresses did the agent connect to? What User-Agent did it use?
- Detection: Would your firewall rules have blocked its reverse shell attempts?
Reporting & Compliance
A pentest is only as good as its report. This aligns with GRC (Governance, Risk, Compliance).
The Walkthrough
pentestgpt --list-sessionsReview the output. Does it explain the Business Impact? A good report doesn't just say "I found XSS"—it explains how that leads to account takeover.
Cloud Setup & Safety
Yes, you can use GitHub Codespaces to try out PentestGPT, but there are some important things to keep in mind regarding setup and safety.
1. Technical Setup (It works!)
Since PentestGPT runs in Docker and uses standard Linux tools, it is highly compatible with Codespaces.
How to set it up:
- Fork the PentestGPT repository to your own GitHub account.
- Click the green Code button -> Codespaces tab -> Create codespace on main.
- Once the terminal loads, you can run the standard installation commands (as seen in our guide):
# You might need to set your API key first
export OPENAI_API_KEY="sk-..."
# Or for Claude
export ANTHROPIC_API_KEY="sk-..."
# Build and install
pip install -r requirements.txt
python3 main.py # or the specific start commandDocker Support: Codespaces supports "Docker-in-Docker", so the tool's containerization features should work fine.
⚠️ CRITICAL WARNING: Acceptable Use Policy
This is the most important part. GitHub's Terms of Service strictly prohibit using their infrastructure for cyberattacks, including unauthorized scanning.
- DO NOT run nmap, masscan, or exploits against random internet targets or public IPs from a Codespace. You could get your GitHub account banned.
- SAFE USAGE:
- Local CTFs: Run a vulnerable container (like Metasploitable or DVWA) inside the same Codespace and attack that (using localhost or the docker network IP).
- Benchmarks: Run the internal benchmarks provided in the benchmark/ folder.
- Code Analysis: Use it to study the code and logic.
3. Recommendation
For the "Shadowing" technique described in your guide (Module 3), it is safer to use a local VM (like Kali Linux on your laptop) or a dedicated cloud VPS (like DigitalOcean or AWS) where you have permission to conduct security testing.
Quick Reference Cheatsheet
- Start Test:
pentestgpt --target <IP> - Resume:
pentestgpt --target <IP> --resume - Give Hint:
pentestgpt --target <IP> --instruction "..." - Debug Mode:
pentestgpt --target <IP> --debug