NexusBrute
NexusBrute: A modular Node.js toolkit for ethical security testing. Features Smart Brute, API Fuzzer, Session Logger, and more ... Use responsibly! 🌌
Install / Use
/learn @PicoBaz/NexusBruteREADME
🌌 NexusBrute
NexusBrute is a comprehensive Node.js toolkit designed for ethical security testing and penetration testing. Built with modularity and precision in mind, it provides security professionals with 14 powerful modules to identify vulnerabilities and strengthen system defenses.
⚠️ Legal Disclaimer
THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY
Use NexusBrute only on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal and punishable by law. The developers assume no liability for misuse of this software.
🚀 Features Overview
NexusBrute includes 14 specialized security testing modules:
- Smart Brute Force - Intelligent credential testing
- Password Generator - Cryptographically secure password generation
- Rate Limit Checker - API rate limit detection
- Wordlist Optimizer - Password list optimization
- API Fuzzer - Comprehensive API security testing
- SQL Injection Tester - Automated SQLi detection
- DDoS Tester - Load testing and stress analysis
- JWT Analyzer - JWT security testing
- Header Injection Tester - HTTP header vulnerability scanner
- WebSocket Security Tester - Real-time WebSocket testing
- Subdomain Enumerator - Advanced subdomain discovery
- Multi-Target Campaign Manager - Orchestrate multi-target tests
- SSL/TLS Analyzer - Certificate and protocol security
- Authentication Bypass Tester - Authentication vulnerability scanner
📦 Installation
git clone https://github.com/PicoBaz/NexusBrute.git
cd NexusBrute
npm install axios chalk ws
mkdir results wordlists keys
node index.js
Prerequisites
- Node.js v14 or higher
- npm or yarn
🔥 Module Details
1. 🔓 Smart Brute Force
Intelligent login testing with rate-limiting and proxy support.
Features:
- Multiple username/password combinations
- Configurable delays between attempts
- Proxy rotation support
- Success/failure tracking
- Real-time progress monitoring
- Automatic retry logic
Configuration:
{
"smartBrute": {
"targetUrl": "https://example.com/login",
"usernames": ["admin", "user", "root"],
"passwords": ["password123", "admin123"],
"delay": 1000,
"maxAttempts": 100,
"useProxy": false
}
}
Use Cases:
- Testing password policies
- Validating account lockout mechanisms
- Brute force resistance testing
2. 🔑 Password Generator
Generate cryptographically secure passwords with customizable complexity.
Features:
- Cryptographic randomness (crypto.randomInt)
- Customizable length and character sets
- Special character inclusion
- Bulk password generation
- Password strength analysis (8-point scale)
- Strength ratings: Very Strong/Strong/Medium/Weak
- Statistical distribution analysis
Configuration:
{
"passwordGenerator": {
"length": 16,
"count": 10,
"includeSpecialChars": true
}
}
Strength Analysis:
- Lowercase letters check
- Uppercase letters check
- Number inclusion
- Special characters
- Length validation
- Overall strength score
3. ⏱️ Rate Limit Checker
Detect and analyze API rate limiting mechanisms.
Features:
- Automatic rate limit detection
- Response time tracking
- Rate limit header extraction (10+ header types)
- Request success/failure statistics
- HTTP 429 detection
- Status code distribution analysis
Configuration:
{
"rateLimitChecker": {
"targetUrl": "https://api.example.com/endpoint",
"maxRequests": 100,
"interval": 1000,
"useProxy": false
}
}
Detection Methods:
- HTTP 429 status codes
- X-RateLimit-* headers
- Error message analysis
- Response pattern recognition
4. 📝 Wordlist Optimizer
Optimize and clean password/wordlists for efficient testing.
Features:
- Duplicate removal
- Length-based filtering
- Smart sorting (by length or alphabetically)
- Statistical analysis (min/max/avg length)
- Length distribution breakdown
- Before/After comparison
- Reduction percentage calculation
Configuration:
{
"wordlistOptimizer": {
"inputFile": "wordlist.txt",
"outputFile": "optimized_wordlist.txt",
"minLength": 6,
"removeDuplicates": true,
"sortByLength": true
}
}
Optimization Process:
- Read and parse wordlist
- Filter by minimum length
- Remove duplicates
- Sort (by length or alphabetically)
- Save optimized list
5. 🔍 API Fuzzer
Comprehensive API security testing with automatic vulnerability detection.
Features:
- Multiple HTTP methods (GET, POST, PUT, DELETE, PATCH)
- Custom payload injection
- Automatic vulnerability detection
- Server error identification (500)
- Payload reflection detection
- Error disclosure analysis
- Response pattern matching
Configuration:
{
"apiFuzzer": {
"targetUrl": "https://api.example.com/endpoint",
"methods": ["GET", "POST", "PUT"],
"payloads": ["test", "admin", "1' OR '1'='1"],
"maxAttempts": 50,
"delay": 500,
"useProxy": false
}
}
Vulnerability Detection:
- Server errors (500)
- Payload reflection in responses
- Error message disclosure
- Suspicious response patterns
6. 💉 SQL Injection Tester
Automated SQL injection vulnerability detection with advanced pattern matching.
Features:
- 10+ default SQL injection payloads
- Custom payload file support
- 18+ SQL error pattern detection
- Multi-field testing
- Vulnerability severity classification
- Error-based detection
- Blind SQLi indicators
Configuration:
{
"sqlInjection": {
"targetUrl": "https://example.com/login",
"payloadFile": "payloads/sql_payloads.json",
"fields": ["username", "password", "id"],
"maxAttempts": 20,
"delay": 1000,
"useProxy": false
}
}
Detection Patterns:
- SQL syntax errors
- MySQL/PostgreSQL/Oracle errors
- Database-specific error messages
- Suspicious response patterns
- Server error triggers
Default Payloads:
- Boolean-based:
' OR '1'='1 - Union-based:
1' UNION SELECT NULL-- - Error-based:
' AND 1=0 UNION ALL SELECT - Time-based:
' WAITFOR DELAY '00:00:05'--
7. 💥 DDoS Tester
Load testing and stress analysis for web applications.
Features:
- Concurrent request simulation
- Configurable request rates (requests/second)
- Batch processing
- Response time tracking
- Success/failure statistics
- Status code distribution
- Actual RPS calculation
Configuration:
{
"ddosTester": {
"targetUrl": "https://example.com",
"requestCount": 1000,
"concurrentRequests": 10,
"requestsPerSecond": 50,
"method": "GET",
"payload": {},
"useProxy": false
}
}
Metrics:
- Total requests sent
- Successful/failed requests
- Average response time
- Actual requests per second
- Status code breakdown
8. 🔐 JWT Analyzer
Advanced JWT security testing with multiple attack vectors.
Features:
- Complete JWT token parsing and decoding
- Security vulnerability detection
- None Algorithm Attack
- HMAC secret bruteforce (HS256/384/512)
- Key Confusion Attack (RS256→HS256)
- Claims manipulation testing
- Expiration validation
- Sensitive data detection in payloads
Configuration:
{
"jwtAnalyzer": {
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"targetUrl": "https://api.example.com/protected",
"wordlistFile": "wordlists/jwt_secrets.txt",
"publicKeyFile": "keys/public.pem",
"testClaims": {
"role": "admin",
"isAdmin": true
},
"useProxy": false
}
}
Attack Vectors:
- None Algorithm: Bypass signature verification
- Secret Bruteforce: Test 500+ attempts/second
- Key Confusion: RS256 to HS256 conversion
- Claims Manipulation: Role elevation attempts
Vulnerability Detection:
- Weak HMAC secrets
- Missing expiration (exp claim)
- Long-lived tokens (>1 year)
- Sensitive data in payload
- Algorithm vulnerabilities
9. 🔬 Header Injection Tester
Comprehensive HTTP header vulnerability scanner.
Features:
- CRLF Injection testing (10+ payloads)
- Host Header Injection (9 attack scenarios)
- X-Forwarded-For manipulation (11 payloads × 5 headers)
- Header Value Injection (6 headers × 7 payloads)
- Automatic vulnerability detection
- 116+ total test combinations
Configuration:
{
"headerInjection": {
"targetUrl": "https://example.com",
"testTypes": ["all"],
"delay": 500,
"useProxy": false
}
}
Test Types:
"all"- Run all tests"crlf"- CRLF injection only"host"- Host header only"xff"- X-Forwarded-For only"value"- Header value injection only
Vulnerability Detection:
- CRLF Injection (HIGH)
- Host Header Poisoning (HIGH)
- IP Spoofing (MEDIUM)
- XSS via headers (HIGH)
- SQLi via headers (HIGH)
10. 🔌 WebSocket Security Tester
Advanced WebSocket vulnerability scanner with real-time testing.
Features:
- Connection security testing (ws:// vs wss://)
- Origin validation bypass (8 malicious origins)
- Message injection (15+ payloads)
- CSRF protection validation
- Rate limiting analysis
- Authentication bypass testing (5 techniques)
- DoS testing (large messages, connection flooding)
- Real-time message logging
Configuration:
{
"websocketTester": {
"targetUrl": "wss://example.com/ws",
"testTypes": ["all"],
"delay": 500,
"rateLimitTest": {
"maxMessages": 100,
"interval": 10
}
}
}
Test Types:
- Connection security
- Origin validation
- M
