
New Video from @NahamSec Showcases Advanced AI Tool for Cybersecurity
In this video, renowned cybersecurity researcher and bug hunter Ben Sadeghipour, known by the pseudonym @NahamSec, presents an impressive demonstration of an AI tool named Neo, developed by ProjectDiscovery. This tool goes beyond traditional AI models by automating complex tasks related to computer security, ranging from asset recognition to vulnerability exploitation and solving CTF (Capture The Flag) challenges. The video highlights Neo's advanced capabilities while raising questions about the future impact of AI in the field of cybersecurity.
The first part of the demonstration focuses on Neo's reconnaissance (recon) capabilities. NahamSec shows how the tool can automate tedious tasks such as subdomain enumeration, open port discovery, API analysis, and extracting endpoints from JavaScript files. Neo runs a series of tools well known to security professionals, such as Subfinder, HTTPX, Katana, and Nuclei, and compiles the results into an organized folder. What is particularly remarkable is that Neo not only runs commands but also generates detailed logs, allowing the user to follow each step of the process. For a security researcher or bug bounty hunter, this automation represents a significant time saving, especially for those who want to focus on analysis rather than data collection. However, NahamSec emphasizes that while this feature is useful, it is relatively basic and should be considered a preliminary step rather than a revolution.
The second part of the video is much more captivating, as it features Neo in a CTF-like scenario. NahamSec presents it with a challenge inspired by a real vulnerability, where the goal is to escalate privileges to become an administrator of a website. Unlike traditional tools that require precise instructions, Neo adopts a methodical and autonomous approach. It starts by registering as a standard user, then explores the site to identify potential entry points. By analyzing the JavaScript file app.js, it discovers a vulnerable endpoint that allows modifying user roles via a mass assignment attack. Neo exploits this flaw by assigning itself the administrator role, then accesses the admin panel to retrieve the flag. What impresses here is Neo's ability to document each step of its reasoning, take screenshots, and generate a complete report, much like a human would. This demonstration illustrates how AI can not only identify vulnerabilities but also exploit them autonomously, opening up fascinating prospects for security researchers.
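The mass assignment flaw described above, seen from the defender's side, as an added example that is not code from the video, the challenge, or ProjectDiscovery: a profile-update handler that binds every request field, next to one that binds only an allowlist. The user store, field names and function names are all hypothetical.

```javascript
// Added illustration; the store, fields and function names are hypothetical.
const users = new Map(); // constructed in-memory stand-in for the user table

function register(username) {
  const user = { id: users.size + 1, username, displayName: username, role: "user" };
  users.set(user.id, user);
  return user;
}

// Vulnerable: every client-supplied key is copied onto the stored record,
// so a body that carries "role" rewrites the caller's own privileges.
function updateProfileVulnerable(userId, body) {
  const user = users.get(userId);
  Object.assign(user, body);
  return user;
}

// Hardened: only allowlisted string fields are bound. Anything else is
// returned in `rejected` so the attempt can be logged and alerted on.
const EDITABLE_FIELDS = new Set(["displayName", "email"]);

function updateProfileHardened(userId, body) {
  const user = users.get(userId);
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    const ok = EDITABLE_FIELDS.has(key) && typeof value === "string" && value.length <= 128;
    if (ok) user[key] = value;
    else rejected.push(key);
  }
  return { user, rejected };
}

// Role changes go through a separate operation that checks the actor's role.
function setRole(actorId, targetId, role) {
  const actor = users.get(actorId);
  if (!actor || actor.role !== "admin") throw new Error("forbidden");
  users.get(targetId).role = role;
}

function demo() {
  const alice = register("alice");
  const bob = register("bob");
  // Constructed request body: one legitimate field plus a privileged one.
  const body = JSON.parse('{"displayName":"Al","role":"admin"}');
  updateProfileVulnerable(alice.id, body);
  const { user, rejected } = updateProfileHardened(bob.id, body);
  let selfPromotion = "allowed";
  try { setRole(bob.id, bob.id, "admin"); } catch (e) { selfPromotion = e.message; }
  return { vulnerableRole: alice.role, hardenedRole: user.role, rejected, selfPromotion };
}
```

A non-empty `rejected` list on a profile update is a useful detection signal in its own right, since ordinary clients never send privileged fields.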
The highlight of the show comes in the third part, where Neo is tested to identify and exploit a zero-day vulnerability in a WordPress plugin. NahamSec selects a recent flaw, discovered by Ryan Kak and published on Wordfence, which allows arbitrary file uploads without authentication. At this stage, no proof of concept (PoC) is publicly available. NahamSec downloads the vulnerable and patched versions of the plugin and asks Neo to compare the two to identify the flaw. In a few minutes, Neo analyzes the differences between the two versions and discovers that a critical file was removed in the update. This file contained a security flaw allowing an attacker to create a malicious GitHub repository, send a GET request to a specific plugin endpoint, and deposit a PHP webshell. Neo then generates a functional PoC, including the steps to set up the exploit, create the GitHub repository, and verify the vulnerability on a target. When NahamSec tests the exploit on a vulnerable WordPress site, Neo gains full shell access in less than an hour, confirming the severity of the flaw. This part of the video is particularly revealing, as it shows how AI can accelerate the vulnerability research process, even in cases where no public information is available.
The implications of these demonstrations are both exciting and concerning for the cybersecurity community. On one hand, tools like Neo could revolutionize the way researchers and bug hunters work, automating repetitive tasks and identifying complex vulnerabilities more quickly. This could allow professionals to focus on more creative or strategic aspects of their work, such as risk analysis or developing countermeasures. On the other hand, NahamSec expresses some concern about the impact of these technologies on the bug bounty landscape. If tools like Neo become widely available, they could make simpler vulnerabilities obsolete, reducing opportunities for beginner bug hunters. However, he emphasizes that AI will not completely replace humans, as creativity and intuition remain indispensable assets in this field. Instead, it could serve as an amplifier for experienced researchers, allowing them to deepen their analyses and discover more subtle flaws.
In conclusion, this video offers a fascinating glimpse into the possibilities offered by artificial intelligence in the field of cybersecurity. Neo is not just an assistant but a tool capable of carrying out complex attacks autonomously while documenting each step of its process. While this may seem frightening to some, it is also an opportunity for security professionals to push the boundaries of their research. NahamSec encourages viewers to follow ProjectDiscovery's announcements to access this tool, while reminding them that AI, though advanced, does not yet replace human expertise. For those interested in cybersecurity, this video is a treasure trove of information on current trends and future challenges.