Brutespray
Fast, multi-protocol credential brute-forcer. Parses Nmap, Nessus, and Nexpose output to automatically test default and custom credentials across 28 protocols.
Created by: Shane Young/@t1d3nio && Jacob Robles/@shellfail
Inspired by: Leon Johnson/@sho-luv
Description
Brutespray automatically attempts default credentials on discovered services. It takes scan output from Nmap (GNMAP/XML), Nessus, Nexpose, JSON, and lists, then brute-forces credentials across 30+ protocols in parallel. Built in Go with an interactive terminal UI, embedded wordlists, and resume capability.
<img src="https://i.imgur.com/6fQI6Qs.png" width="500">
Quick Install
go install github.com/x90skysn3k/brutespray/v2@latest
Release Binaries | Build from Source | Docker
Quick Start
# From Nmap scan output
brutespray -f nmap.gnmap -u admin -p password
# Target a specific host
brutespray -H ssh://192.168.1.1:22 -u admin -p passlist.txt
# CIDR range
brutespray -H ssh://10.1.1.0/24:22 -u root -p passlist.txt
# Combo credentials
brutespray -H ssh://10.0.0.1:22 -C root:root
See all examples for more usage patterns.
Demo
<img src="brutespray.gif" width="512">
Features
- 30+ protocols — SSH, FTP, RDP, SMB, MySQL, PostgreSQL, Redis, LDAP, WinRM, and more
- Module parameters — Per-module settings via -m KEY:VALUE (auth type, target path, NTLM domain, etc.)
- Multi-auth support — HTTP Digest/NTLM auto-detection, SMTP PLAIN/LOGIN, IMAP/POP3 SASL, SMB pass-the-hash
- Interactive TUI — Tabbed views, live settings, pause/resume hosts (details)
- Multiple input formats — Nmap GNMAP/XML, Nessus, Nexpose, JSON, lists (details)
- Password spray mode — Lockout-aware spraying with configurable delays (details)
- SOCKS5 proxy — Full proxy support with authentication (details)
- Resume & checkpoint — Interrupt with Ctrl+C, resume later (details)
- Embedded wordlists — Layered manifest system compiled into the binary (details)
- Summary reports — JSON, CSV, Metasploit RC, NetExec scripts (details)
- Performance tuning — Dynamic threading, circuit breaker, rate limiting (details)
- YAML config files — Per-engagement settings (details)
Supported Services
ssh ftp ftps telnet smtp smtp-vrfy imap pop3 mysql postgres mssql mongodb redis vnc snmp smbnt rdp http https vmauthd teamspeak asterisk nntp oracle xmpp ldap ldaps winrm rexec rlogin rsh wrapper
Full details and service-specific notes: docs/services.md
Print discovered services from a scan file with -P -q:
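For a defender reviewing their own scan results, the same inventory of exposed login services can be built directly from a GNMAP file. The Go program below is an added example, not Brutespray's code: `ParseGNMAP`, `Exposure`, `authServices` and the sample scan are hypothetical names and constructed data, and matching this page's service names literally against Nmap's service column is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Exposure is one open port taken from a GNMAP "Ports:" field.
type Exposure struct{ Host, Port, Service string }

// authServices is a constructed subset of the service names listed on this page.
// Assumption: they are compared literally with Nmap's service name column.
var authServices = map[string]bool{"ssh": true, "ftp": true, "telnet": true, "mysql": true, "redis": true}

// ParseGNMAP returns every open port whose Nmap service name is in authServices.
func ParseGNMAP(data string) []Exposure {
	var out []Exposure
	for _, line := range strings.Split(data, "\n") {
		fields := strings.Split(line, "\t") // GNMAP fields are tab-separated
		head := strings.Fields(fields[0])
		if len(head) < 2 || head[0] != "Host:" {
			continue // comment, blank or malformed line
		}
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "Ports: ") {
				continue
			}
			for _, entry := range strings.Split(f[len("Ports: "):], ",") {
				// entry layout: port/state/protocol/owner/service/rpcinfo/version/
				p := strings.Split(strings.TrimSpace(entry), "/")
				if len(p) >= 5 && p[1] == "open" && authServices[p[4]] {
					out = append(out, Exposure{head[1], p[0], p[4]})
				}
			}
		}
	}
	return out
}

// sample is constructed for this example; it is not real scan output.
const sample = "# constructed scan\n" +
	"Host: 192.0.2.10 (db1)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 23/closed/tcp//telnet///\n" +
	"Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 6379/filtered/tcp//redis///\n"

func main() {
	for _, e := range ParseGNMAP(sample) {
		fmt.Printf("%s:%s %s\n", e.Host, e.Port, e.Service)
	}
}
```

Closed and filtered ports are skipped, so the output lists only services that currently accept connections and therefore need their credentials reviewed.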
Documentation
| Guide | Description |
|-------|-------------|
| Installation | Go install, release binaries, build from source, Docker |
| Usage | CLI flags, config files, input formats |
| Services | All 32 protocols with ports, status, and notes |
| Examples | Common usage patterns and recipes |
| Interactive TUI | Keybindings, tabs, live settings |
| Advanced | Spray mode, proxy, resume, performance tuning |
| Wordlists | Manifest system, layers, overrides, customization |
| Output & Reporting | Summary reports, Metasploit/NetExec integration |
