Nmap GNMAP input:
brutespray -f nmap.gnmap -u admin -p passwordNmap XML input:
brutespray -f nmap.xml -u admin -p passwordNessus input:
brutespray -f scan.nessus -u admin -p passwordJSON input:
brutespray -f hosts.json -u admin -p passwordSingle host:
brutespray -H ssh://192.168.1.1:22 -u admin -p passlist.txtCIDR range:
brutespray -H ssh://10.1.1.0/24:22 -u root -p passlist.txtMultiple targets:
brutespray -H ssh://10.0.0.1:22 -H rdp://10.0.0.2:3389 -u admin -p passlist.txtCombo credentials:
brutespray -H ssh://10.0.0.1:22 -C root:rootCustom user and password lists:
brutespray -f nmap.gnmap -u /usr/share/wordlists/users.txt -p /usr/share/wordlists/pass.txtCombo wordlist (user:pass per line):
brutespray -f nmap.gnmap -C combos.txtSpecific services only:
brutespray -f nmap.gnmap -u admin -p password -s ftp,ssh,telnetPrint discovered services before attacking:
brutespray -f nmap.gnmap -P -qHigh-performance (50 threads/host, 10 hosts):
brutespray -f nmap.gnmap -u admin -p password -t 50 -T 10Conservative (5 threads/host, 2 hosts):
brutespray -f nmap.gnmap -u admin -p password -t 5 -T 2Rate-limited (10 attempts/sec per host):
brutespray -f nmap.gnmap -u admin -p password -rate 10Spray with 15-minute delay between rounds:
brutespray -f nmap.gnmap -u userlist.txt -p passlist.txt -spray -spray-delay 15mSOCKS5 proxy:
brutespray -H ssh://10.1.1.0/24:22 -socks5 127.0.0.1:1080SOCKS5 with authentication:
brutespray -H ssh://10.1.1.0/24:22 -socks5 socks5://user:pass@proxy:1080Bind to specific interface:
brutespray -H ssh://10.1.1.0/24:22 -iface tun0Resume an interrupted scan:
brutespray -f nmap.gnmap -u admin -p passlist.txt -resume brutespray-checkpoint.jsonCustom checkpoint path:
brutespray -f nmap.gnmap -u admin -p passlist.txt -checkpoint myengagement.jsonRDP with domain:
brutespray -H rdp://192.168.1.100:3389 -u admin -p passlist.txt -d CORPLDAP with DN:
brutespray -H ldap://10.0.0.1:389 -u "cn=admin,dc=example,dc=com" -p passlist.txtGenerate summary reports:
brutespray -f nmap.gnmap -u admin -p password -summarySilent mode (successes only):
brutespray -f nmap.gnmap -u admin -p password -silentLog every 100th attempt:
brutespray -f nmap.gnmap -u admin -p password -log-every 100Use a YAML config:
brutespray -config engagement.yamlOverride config values with flags:
brutespray -config engagement.yaml -t 50 -T 20Stop testing a host after finding valid credentials:
brutespray -f nmap.gnmap -u admin -p passlist.txt -stop-on-successLogin form with failure detection:
brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
-m "url:/login" -m "body:username=%U&password=%W" -m "fail:Invalid credentials"Login form with success detection:
brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
-m "url:/login" -m "body:user=%U&pass=%W" -m "success:Dashboard"GET-based login with redirect following:
brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
-m "url:/login" -m "body:user=%U&pass=%W" -m "method:GET" \
-m "follow:true" -m "success:Welcome"With custom cookie:
brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
-m "url:/login" -m "body:user=%U&pass=%W" -m "fail:Invalid" \
-m "cookie:PHPSESSID=abc123"Digest auth:
brutespray -H http://10.0.0.1:8080 -u admin -p passlist.txt -m auth:DIGESTNTLM auth:
brutespray -H http://10.0.0.1:8080 -u admin -p passlist.txt -m auth:NTLMbrutespray -H smtp://10.0.0.1:25 -u admin -p passlist.txt -m auth:NTLMAll 4-digit PINs (0000-9999):
brutespray -H ssh://10.0.0.1:22 -u admin -x 4:4:11-4 character lowercase passwords:
brutespray -H ssh://10.0.0.1:22 -u admin -x 1:4:a3-6 character alphanumeric:
brutespray -H ssh://10.0.0.1:22 -u admin -x 3:6:aA1Try blank password, username-as-password, and reversed username:
brutespray -f nmap.gnmap -u admin -p passlist.txt -e nsrAuto-detected PwDump format:
brutespray -H smbnt://10.0.0.1:445 -p hashdump.txtTest SSH keys:
brutespray -H ssh://10.0.0.1:22 -u root -p /path/to/id_rsa -m key:truebrutespray -H svn://10.0.0.1:3690 -u admin -p passlist.txt -m path:/svn/repoCustom command execution:
brutespray -H wrapper://10.0.0.1:8080 -u admin -p passlist.txt \
-m "cmd:curl -s -o /dev/null -w '%{http_code}' -u %U:%W http://%H:%P/" \
--allow-wrapperPer-attempt JSONL output for tool integration:
brutespray -f nmap.gnmap -u admin -p passlist.txt --output-format json --no-tuiRotate through multiple SOCKS5 proxies:
brutespray -f nmap.gnmap -u admin -p passlist.txt --proxy-list proxies.txtWhere proxies.txt contains one proxy per line:
socks5://proxy1:1080
socks5://user:pass@proxy2:1080
proxy3:1080
brutespray -H ftps://10.0.0.1:990 -u admin -p passlist.txtMD5 auth (default):
brutespray -H snmp://10.0.0.1:161 -u snmpuser -p authpass -m version:3SHA auth with AES privacy:
brutespray -H snmp://10.0.0.1:161 -u snmpuser -p authpass \
-m version:3 -m auth:SHA -m priv:AES -m privpass:privpass123Auto-extract CSRF token before login:
brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
-m "url:/login" -m "body:user=%U&pass=%W&token=%C" \
-m "fail:Invalid" -m "csrf:csrf_token"CSRF with separate form page:
brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
-m "url:/api/login" -m "body:user=%U&pass=%W&_token=%C" \
-m "fail:Unauthorized" -m "csrf:_token" -m "form-url:/login"brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
-m 'url:/api/auth' -m 'body:{"credentials":"%U64:%W64"}' \
-m 'content-type:application/json' -m 'fail:invalid'Force keyboard-interactive auth (for servers that disable password auth):
brutespray -H ssh://10.0.0.1:22 -u root -p passlist.txt -m auth:keyboard-interactiveBrute-force SOCKS5 proxy credentials:
brutespray -H socks5-auth://10.0.0.1:1080 -u admin -p passlist.txtbrutespray -H postgres://10.0.0.1:5432 -u admin -p passlist.txt -m dbname:mydbbrutespray -H mysql://10.0.0.1:3306 -u admin -p passlist.txt -m dbname:webappbrutespray -H mssql://10.0.0.1:1433 -u sa -p passlist.txt -m domain:CORPbrutespray -H redis://10.0.0.1:6379 -u default -p passlist.txt -m db:3Force APOP auth:
brutespray -H pop3://10.0.0.1:110 -u admin -p passlist.txt -m auth:APOPForce CRAM-MD5 auth:
brutespray -H imap://10.0.0.1:143 -u admin -p passlist.txt -m auth:CRAM-MD5