brutespray
→ View on GitHubAI Summary: Brutespray is a credential brute-forcing tool designed to automatically test default credentials against discovered services from various scan outputs, including Nmap and Nessus. It supports over 30 protocols and features capabilities such as multi-auth support, password spray mode, an interactive terminal UI, and resume functionality, allowing for efficient and comprehensive credential testing across networks. The tool is built in Go and offers extensive customization options through YAML configuration files and embedded wordlists.
README
Brutespray
Created by: Shane Young/@t1d3nio && Jacob Robles/@shellfail
Inspired by: Leon Johnson/@sho-luv
Description
Brutespray automatically attempts default credentials on discovered services. It takes scan output from Nmap (GNMAP/XML), Nessus, Nexpose, JSON, and lists, then brute-forces credentials across 30+ protocols in parallel. Built in Go with an interactive terminal UI, embedded wordlists, and resume capability.
Quick Install
go install github.com/x90skysn3k/brutespray/v2@latest
Release Binaries | Build from Source | Docker
Quick Start
# From Nmap scan output
brutespray -f nmap.gnmap -u admin -p password
# Target a specific host
brutespray -H ssh://192.168.1.1:22 -u admin -p passlist.txt
# CIDR range
brutespray -H ssh://10.1.1.0/24:22 -u root -p passlist.txt
# Combo credentials
brutespray -H ssh://10.0.0.1:22 -C root:root
See all examples for more usage patterns.
Demo
Features
- 30+ protocols — SSH, FTP, RDP, SMB, MySQL, PostgreSQL, Redis, LDAP, WinRM, and more
- Module parameters — Per-module settings via
-m KEY:VALUE(auth type, target path, NTLM domain, etc.) - Multi-auth support — HTTP Digest/NTLM auto-detection, SMTP PLAIN/LOGIN, IMAP/POP3 SASL, SMB pass-the-hash
- Interactive TUI — Tabbed views, live settings, pause/resume hosts (details)
- Multiple input formats — Nmap GNMAP/XML, Nessus, Nexpose, JSON, lists (details)
- Password spray mode — Lockout-aware spraying with configurable delays (details)
- SOCKS5 proxy — Full proxy support with authentication (details)
- Resume & checkpoint — Interrupt with Ctrl+C, resume later (details)
- Embedded wordlists — Layered manifest system compiled into the binary (details)
- Summary reports — JSON, CSV, Metasploit RC, NetExec scripts (details)
- Performance tuning — Dynamic threading, circuit breaker, rate limiting (details)
- YAML config files — Per-engagement settings (details)
Supported Services
ssh ftp ftps telnet smtp smtp-vrfy imap pop3 mysql postgres mssql mongodb redis vnc snmp smbnt rdp http https vmauthd teamspeak asterisk nntp oracle xmpp ldap ldaps winrm rexec rlogin rsh wrapper
Full details and service-specific notes: docs/services.md
Print discovered services from a scan file with -P -q:
Documentation
| Guide | Description |
|---|---|
| Installation | Go install, release binaries, build from source, Docker |
| Usage | CLI flags, config files, input formats |
| Services | All 32 protocols with ports, status, and notes |
| Examples | Common usage patterns and recipes |
| Interactive TUI | Keybindings, tabs, live settings |
| Advanced | Spray mode, proxy, resume, performance tuning |
| Wordlists | Manifest system, layers, overrides, customization |
| Output & Reporting | Summary reports, Metasploit/NetExec integration |