SkillAgentSearch skills...

Brutus

Fast, zero-dependency credential testing tool in Go. Brute force SSH, MySQL, PostgreSQL, Redis, MongoDB, SMB, and 20+ protocols. Hydra alternative with native nerva/naabu pipeline integration.

GenerateConvertImprove

Install / Use

/learn @praetorian-inc/Brutus
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

<img width="2752" height="1536" alt="Brutus - Social" src="https://github.com/user-attachments/assets/d190be41-570c-4f29-87aa-50b9bd4cd6c3" /> <h1 align="center">Brutus</h1> <p align="center"> <em>"Et tu, Brute?" — The last words before credentials fall.</em> </p> <p align="center"> <strong>Modern credential testing tool in pure Go</strong> </p> <p align="center"> <a href="#installation">Installation</a> • <a href="#quick-start">Quick Start</a> • <a href="#pipeline-integration">Pipeline</a> • <a href="#supported-protocols">Protocols</a> • <a href="#library-integration">Library</a> </p>

Overview

Brutus is a multi-protocol authentication testing tool designed to address a critical gap in offensive security tooling: efficient credential validation across diverse network services. While HTTP-focused tools are abundant, penetration testers and red team operators frequently encounter databases, SSH, SMB, and other network services that require purpose-built authentication testing capabilities.

Built in Go as a single binary with zero external dependencies, Brutus integrates seamlessly with Nerva for automated service discovery, enabling operators to rapidly identify and test authentication vectors across entire network ranges.

Key features:

  • Zero dependencies: Single binary, cross-platform (Linux, Windows, macOS)
  • 24 protocols: SSH, RDP, MySQL, PostgreSQL, MSSQL, Redis, SMB, LDAP, WinRM, SNMP, HTTP Basic Auth, and more
  • Pipeline integration: Native support for Nerva and naabu workflows
  • Embedded bad keys: Built-in collection of known SSH keys (Vagrant, F5, ExaGrid, etc.)
  • Go library: Import directly into your security automation tools
  • Production ready: Rate limiting, connection pooling, and comprehensive error handling

Why Brutus?

Traditional tools like THC Hydra have served the security community well, but they come with significant friction: complex dependency chains, platform-specific compilation issues, and no native integration with modern reconnaissance workflows.

Brutus is purpose-built for modern offensive security:

  • True zero-dependency deployment: Download a single binary and run. No libssh-dev, no libmysqlclient-dev, no compilation errors. Works identically on Linux, macOS, and Windows.

  • Native pipeline integration: Brutus speaks JSON and integrates directly with Nerva and naabu. Pipe discovered services straight into credential testing without format conversion or scripting.

  • Embedded intelligence: Known SSH bad keys (Vagrant, F5 BIG-IP, ExaGrid, etc.) are compiled into the binary and tested automatically for SSH targets.

  • Library-first design: Import Brutus directly into your Go security tools. Build custom automation without shelling out to external processes.

# Full network credential audit in one pipeline
naabu -host 10.0.0.0/24 -p 22,3306,5432,6379 -silent | nerva --json | brutus --json

Use Cases

Penetration Testing

  • Validate discovered credentials across multiple services during internal assessments
  • Test password reuse patterns across database and file share services
  • Identify default credentials on newly deployed infrastructure

Red Team Operations

  • Rapid credential validation after password dumps or phishing campaigns
  • Test lateral movement opportunities across network services
  • Validate compromised credentials across heterogeneous environments

Private Key Spraying

Found a private key on a compromised system? Spray it across the network to find where else it grants access:

# Discover SSH services and spray a found private key
naabu -host 10.0.0.0/24 -p 22 -silent | \
  nerva --json | \
  brutus -u root,admin,ubuntu,deploy -k /path/to/found_key --json

This pipeline discovers all SSH services, identifies them with Nerva, and tests the compromised key against common usernames—revealing lateral movement opportunities in seconds.

Web Admin Panel Testing

Discover HTTP services with Basic Auth and test default credentials:

# Discover and test admin panels across a network
naabu -host 10.0.0.0/24 -p 80,443,3000,8080,9090 -silent | \
  nerva --json | \
  brutus --json

Security Validation

  • Test default credentials on newly deployed services
  • Validate password policy enforcement across platforms
  • Generate audit trails for compliance and security assessments

Installation

Pre-built Binaries (Recommended)

Download from GitHub Releases:

# Linux (amd64)
curl -L https://github.com/praetorian-inc/brutus/releases/latest/download/brutus-linux-amd64.tar.gz | tar xz
sudo mv brutus /usr/local/bin/

# macOS (Apple Silicon)
curl -L https://github.com/praetorian-inc/brutus/releases/latest/download/brutus-darwin-arm64.tar.gz | tar xz
sudo mv brutus /usr/local/bin/

# macOS (Intel)
curl -L https://github.com/praetorian-inc/brutus/releases/latest/download/brutus-darwin-amd64.tar.gz | tar xz
sudo mv brutus /usr/local/bin/

# Windows (PowerShell)
Invoke-WebRequest -Uri https://github.com/praetorian-inc/brutus/releases/latest/download/brutus-windows-amd64.zip -OutFile brutus.zip
Expand-Archive -Path brutus.zip -DestinationPath .
Remove-Item brutus.zip

Go Install

go install github.com/praetorian-inc/brutus/cmd/brutus@latest

Quick Start

Basic Usage

# Test SSH with embedded badkeys (tested by default)
brutus --target 192.168.1.100:22 --protocol ssh

# Test with specific credentials
brutus --target 192.168.1.100:22 --protocol ssh -u root -p toor

# Test with username and password lists
brutus --target 192.168.1.100:22 --protocol ssh -U users.txt -P passwords.txt

# Test MySQL database
brutus --target 192.168.1.100:3306 --protocol mysql -u root -p password

# Test SSH with a specific private key
brutus --target 192.168.1.100:22 --protocol ssh -u deploy -k /path/to/id_rsa

# Increase threads for faster testing
brutus --target 192.168.1.100:22 --protocol ssh -t 20

# JSON output for scripting
brutus --target 192.168.1.100:22 --protocol ssh --json

Output Example

$ brutus --target 192.168.1.100:22 --protocol ssh -u root,admin -p toor,password,admin
[*] Loaded 9 badkeys for SSH testing
[+] VALID: ssh root:toor @ 192.168.1.100:22 (1.23s)

With verbose mode (-v):

$ brutus --target 192.168.1.100:22 --protocol ssh -u root -p password,toor -v
[*] Loaded 9 badkeys for SSH testing
[-] FAILED: ssh root:password @ 192.168.1.100:22 (0.45s)
[+] VALID: ssh root:toor @ 192.168.1.100:22 (0.52s)

JSON output for pipeline integration (outputs only successful credentials):

$ brutus --target 192.168.1.100:22 --protocol ssh -u root -p toor --json
{"protocol":"ssh","target":"192.168.1.100:22","username":"root","password":"toor","duration":"1.234567ms","banner":"SSH-2.0-OpenSSH_8.9p1"}

Pipeline Integration

Brutus integrates seamlessly with Nerva and naabu for complete network reconnaissance.

Real-World Scenarios

Scenario 1: Scanning a Corporate /24 Network

# Discover all open ports, identify services, test default credentials
naabu -host 10.10.10.0/24 -p 22,23,21,3306,5432,6379,27017,445 -silent | \
  nerva --json | \
  brutus --json -o results.json

# Review findings (all output is successful credentials)
cat results.json | jq '.'

Scenario 2: Bug Bounty Recon on a Target Domain

# Full pipeline against a single target
naabu -host target.example.com -top-ports 1000 -silent | \
  nerva --json | \
  brutus

# Or scan a list of subdomains
cat subdomains.txt | naabu -silent | nerva --json | brutus

Scenario 3: Database Hunting in an Internal Assessment

# Find and test all databases in a range
naabu -host 192.168.0.0/16 -p 3306,5432,1433,27017,6379,9042 -silent | \
  nerva --json | \
  brutus -t 5 --json | \
  tee database-findings.json

# Extract credentials in readable format
jq -r '"\(.target) \(.username):\(.password)"' database-findings.json

Scenario 4: SSH Key Testing Across Infrastructure

# Test embedded bad keys (Vagrant, F5 BIG-IP, ExaGrid, etc.) across a range
# Badkeys are tested by default for SSH services
naabu -host 10.0.0.0/8 -p 22 -rate 1000 -silent | \
  nerva --json | \
  brutus --json -o ssh-key-findings.json

# Test ONLY bad keys (skip password wordlists and non-SSH protocols)
naabu -host 10.0.0.0/8 -p 22 -rate 1000 -silent | \
  nerva --json | \
  brutus --badkeys-only --json -o ssh-key-findings.json

# Find systems using SSH keys (key field is true)
cat ssh-key-findings.json | jq 'select(.key == true)'

Scenario 5: Targeted Service Testing

# Test only Redis instances found in the network
naabu -host 172.16.0.0/12 -p 6379 -silent | \
  nerva --json | \
  brutus

# Test only MongoDB with custom credentials
naabu -host 10.0.0.0/24 -p 27017 -silent | \
  nerva --json | \
  brutus -u admin,root,mongodb -p admin,password,mongodb

Pipeline Input Format

Brutus accepts input from Nerva in JSON format:

# nerva JSON output
{"ip":"192.168.1.100","port":22,"protocol":"ssh","tls":false,"transport":"tcp","version":"OpenSSH_8.9p1"}
{"ip":"192.168.1.101","port":3306,"protocol":"mysql","tls":false,"transport":"tcp","version":"8.0.32"}
{"ip":"192.168.1.102","port":6379,"protocol":"redis","tls":false,"transport":"tcp","version":"7.0.5"}

Brutus automatically:

  • Parses the JSON stream
  • Maps services to protocols
  • Tests appropriate default credentials
  • Outputs results in matching JSON format

Pipeline Output Format

Brutus outputs only successful credentials in JSONL format (one JSON object per line):

# Brutus JSON output (with --json

praetorian-inc

View profile

View on GitHub
GitHub Stars202
CategoryDevelopment
Updated12h ago
Forks27
praetorian-inc/brutus

Languages

Go

Security Score

100/100

Audited on Mar 28, 2026

No findings