Created by: Shane Young/@x90sky && Jacob Robles/@shellfail
Inspired by: Leon Johnson/@sho-luv
Brutespray automatically attempts default credentials on discovered services. It takes scan output from Nmap (GNMAP/XML), Nessus, Nexpose, JSON, and lists, then brute-forces credentials across 40+ protocols in parallel. Built in Go with an interactive terminal UI, embedded wordlists, and resume capability.
go install github.com/x90skysn3k/brutespray/v2@latestRelease Binaries | Build from Source | Docker
# From Nmap scan output
brutespray -f nmap.gnmap -u admin -p password
# Target a specific host
brutespray -H ssh://192.168.1.1:22 -u admin -p passlist.txt
# CIDR range
brutespray -H ssh://10.1.1.0/24:22 -u root -p passlist.txt
# Combo credentials
brutespray -H ssh://10.0.0.1:22 -C root:rootSee all examples for more usage patterns.
- 40+ protocols — SSH, FTP, RDP, SMB, MySQL, PostgreSQL, Redis, LDAP, WinRM, and more
- Module parameters — Per-module settings via
-m KEY:VALUE(auth type, target path, NTLM domain, etc.) - Multi-auth support — HTTP Digest/NTLM auto-detection, SMTP PLAIN/LOGIN, IMAP/POP3 SASL, SMB pass-the-hash
- Interactive TUI — Tabbed views, live settings, pause/resume hosts (details)
- Multiple input formats — Nmap GNMAP/XML, Nessus, Nexpose, JSON, lists (details)
- Password spray mode — Lockout-aware spraying with configurable delays (details)
- SOCKS5 proxy — Full proxy support with authentication (details)
- Resume & checkpoint — Interrupt with Ctrl+C, resume later (details)
- Embedded wordlists — Layered manifest system compiled into the binary (details)
- Summary reports — JSON, CSV, Metasploit RC, NetExec scripts (details)
- Performance tuning — Dynamic threading, circuit breaker, rate limiting (details)
- YAML config files — Per-engagement settings (details)
| Feature | brutespray | hydra | medusa | ncrack | brutus |
|---|---|---|---|---|---|
| Single static binary | ✅ | ❌ | ❌ | ❌ | ✅ |
| Interactive TUI | ✅ | ❌ | ❌ | ❌ | ❌ |
| Checkpoint / resume | ✅ | ❌ | ❌ | ✅ | ❌ |
| Spray mode (lockout-aware) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Per-attempt JSONL output | ✅ | ❌ | ❌ | ❌ (success-only) | |
| SOCKS5 + proxy rotation | ✅ | ❌ | ❌ | ❌ | |
| Embedded SSH bad-keys (CVE-tagged) | ✅ | ❌ | ❌ | ❌ | ✅ |
| Pipeline stdin (naabu / fingerprintx / masscan) | ✅ | ❌ | ❌ | ❌ | ✅ |
| Pre-auth RDP recon (NLA / sticky-keys) | ✅ | ❌ | ❌ | ❌ | ✅ |
| Nmap gnmap + XML / Nessus / Nexpose import | ✅ | ❌ | ❌ | ||
Per-module params (-m KEY:VAL) |
✅ | ❌ | ❌ | ❌ | partial |
| Service count | 41 | 50+ | 34 | 14 | 23 |
Symbols reflect documented behavior at PR time. Competing tools change quickly.
ssh ftp ftps telnet smtp smtp-vrfy imap pop3 mysql postgres mssql mongodb redis vnc snmp smbnt rdp http https vmauthd teamspeak asterisk nntp oracle xmpp ldap ldaps winrm rexec rlogin rsh wrapper
Full details and service-specific notes: docs/services.md
Print discovered services from a scan file with -P -q:
| Guide | Description |
|---|---|
| Installation | Go install, release binaries, build from source, Docker |
| Usage | CLI flags, config files, input formats |
| Services | All 40+ protocols with ports, status, and notes |
| Examples | Common usage patterns and recipes |
| Interactive TUI | Keybindings, tabs, live settings |
| Advanced | Spray mode, proxy, resume, performance tuning |
| Wordlists | Manifest system, layers, overrides, customization |
| Output & Reporting | Summary reports, Metasploit/NetExec integration |
