
Examples

Basic Usage

Nmap GNMAP input:

brutespray -f nmap.gnmap -u admin -p password

Nmap XML input:

brutespray -f nmap.xml -u admin -p password

Nessus input:

brutespray -f scan.nessus -u admin -p password

JSON input:

brutespray -f hosts.json -u admin -p password

Targeting

Single host:

brutespray -H ssh://192.168.1.1:22 -u admin -p passlist.txt

CIDR range:

brutespray -H ssh://10.1.1.0/24:22 -u root -p passlist.txt

Multiple targets:

brutespray -H ssh://10.0.0.1:22 -H rdp://10.0.0.2:3389 -u admin -p passlist.txt

Combo credentials:

brutespray -H ssh://10.0.0.1:22 -C root:root

Wordlists

Custom user and password lists:

brutespray -f nmap.gnmap -u /usr/share/wordlists/users.txt -p /usr/share/wordlists/pass.txt

Combo wordlist (user:pass per line):

brutespray -f nmap.gnmap -C combos.txt

Service Filtering

Specific services only:

brutespray -f nmap.gnmap -u admin -p password -s ftp,ssh,telnet

Print discovered services before attacking:

brutespray -f nmap.gnmap -P -q

Threading and Performance

High-performance (50 threads/host, 10 hosts):

brutespray -f nmap.gnmap -u admin -p password -t 50 -T 10

Conservative (5 threads/host, 2 hosts):

brutespray -f nmap.gnmap -u admin -p password -t 5 -T 2

Rate-limited (10 attempts/sec per host):

brutespray -f nmap.gnmap -u admin -p password -rate 10

Password Spraying

Spray with 15-minute delay between rounds:

brutespray -f nmap.gnmap -u userlist.txt -p passlist.txt -spray -spray-delay 15m

Proxy and Network

SOCKS5 proxy:

brutespray -H ssh://10.1.1.0/24:22 -socks5 127.0.0.1:1080

SOCKS5 with authentication:

brutespray -H ssh://10.1.1.0/24:22 -socks5 socks5://user:pass@proxy:1080

Bind to specific interface:

brutespray -H ssh://10.1.1.0/24:22 -iface tun0

Resume and Checkpoints

Resume an interrupted scan:

brutespray -f nmap.gnmap -u admin -p passlist.txt -resume brutespray-checkpoint.json

Custom checkpoint path:

brutespray -f nmap.gnmap -u admin -p passlist.txt -checkpoint myengagement.json

Domain Authentication

RDP with domain:

brutespray -H rdp://192.168.1.100:3389 -u admin -p passlist.txt -d CORP

LDAP with DN:

brutespray -H ldap://10.0.0.1:389 -u "cn=admin,dc=example,dc=com" -p passlist.txt

Output and Reporting

Generate summary reports:

brutespray -f nmap.gnmap -u admin -p password -summary

Silent mode (successes only):

brutespray -f nmap.gnmap -u admin -p password -silent

Log every 100th attempt:

brutespray -f nmap.gnmap -u admin -p password -log-every 100

Config File

Use a YAML config:

brutespray -config engagement.yaml

Override config values with flags:

brutespray -config engagement.yaml -t 50 -T 20

Stop on Success

Stop testing a host after finding valid credentials:

brutespray -f nmap.gnmap -u admin -p passlist.txt -stop-on-success

HTTP Form Brute Forcing

Login form with failure detection:

brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m "url:/login" -m "body:username=%U&password=%W" -m "fail:Invalid credentials"

Login form with success detection:

brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m "url:/login" -m "body:user=%U&pass=%W" -m "success:Dashboard"

GET-based login with redirect following:

brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m "url:/login" -m "body:user=%U&pass=%W" -m "method:GET" \
  -m "follow:true" -m "success:Welcome"

With custom cookie:

brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m "url:/login" -m "body:user=%U&pass=%W" -m "fail:Invalid" \
  -m "cookie:PHPSESSID=abc123"

HTTP Authentication Methods

Digest auth:

brutespray -H http://10.0.0.1:8080 -u admin -p passlist.txt -m auth:DIGEST

NTLM auth:

brutespray -H http://10.0.0.1:8080 -u admin -p passlist.txt -m auth:NTLM

SMTP NTLM Authentication

brutespray -H smtp://10.0.0.1:25 -u admin -p passlist.txt -m auth:NTLM

Password Generation

All 4-digit PINs (0000-9999):

brutespray -H ssh://10.0.0.1:22 -u admin -x 4:4:1

1-4 character lowercase passwords:

brutespray -H ssh://10.0.0.1:22 -u admin -x 1:4:a

3-6 character alphanumeric:

brutespray -H ssh://10.0.0.1:22 -u admin -x 3:6:aA1

Extra Credential Checks

Try blank password, username-as-password, and reversed username:

brutespray -f nmap.gnmap -u admin -p passlist.txt -e nsr

Pass-the-Hash with PwDump

Auto-detected PwDump format:

brutespray -H smbnt://10.0.0.1:445 -p hashdump.txt

SSH Key Authentication

Test SSH keys:

brutespray -H ssh://10.0.0.1:22 -u root -p /path/to/id_rsa -m key:true

SVN Repository

brutespray -H svn://10.0.0.1:3690 -u admin -p passlist.txt -m path:/svn/repo

Wrapper Module

Custom command execution:

brutespray -H wrapper://10.0.0.1:8080 -u admin -p passlist.txt \
  -m "cmd:curl -s -o /dev/null -w '%{http_code}' -u %U:%W http://%H:%P/" \
  --allow-wrapper

JSON Output

Per-attempt JSONL output for tool integration:

brutespray -f nmap.gnmap -u admin -p passlist.txt --output-format json --no-tui

Proxy List Rotation

Rotate through multiple SOCKS5 proxies:

brutespray -f nmap.gnmap -u admin -p passlist.txt --proxy-list proxies.txt

Where proxies.txt contains one proxy per line:

socks5://proxy1:1080
socks5://user:pass@proxy2:1080
proxy3:1080

FTPS (FTP over TLS)

brutespray -H ftps://10.0.0.1:990 -u admin -p passlist.txt

SNMPv3

MD5 auth (default):

brutespray -H snmp://10.0.0.1:161 -u snmpuser -p authpass -m version:3

SHA auth with AES privacy:

brutespray -H snmp://10.0.0.1:161 -u snmpuser -p authpass \
  -m version:3 -m auth:SHA -m priv:AES -m privpass:privpass123

HTTP-Form with CSRF Token

Auto-extract CSRF token before login:

brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m "url:/login" -m "body:user=%U&pass=%W&token=%C" \
  -m "fail:Invalid" -m "csrf:csrf_token"

CSRF with separate form page:

brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m "url:/api/login" -m "body:user=%U&pass=%W&_token=%C" \
  -m "fail:Unauthorized" -m "csrf:_token" -m "form-url:/login"

HTTP-Form with Base64 Credentials

brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m 'url:/api/auth' -m 'body:{"credentials":"%U64:%W64"}' \
  -m 'content-type:application/json' -m 'fail:invalid'

SSH Keyboard-Interactive

Force keyboard-interactive auth (for servers that disable password auth):

brutespray -H ssh://10.0.0.1:22 -u root -p passlist.txt -m auth:keyboard-interactive

SOCKS5 Proxy Authentication

Brute-force SOCKS5 proxy credentials:

brutespray -H socks5-auth://10.0.0.1:1080 -u admin -p passlist.txt

Postgres with Custom Database

brutespray -H postgres://10.0.0.1:5432 -u admin -p passlist.txt -m dbname:mydb

MySQL with Custom Database

brutespray -H mysql://10.0.0.1:3306 -u admin -p passlist.txt -m dbname:webapp

MSSQL with Domain Authentication

brutespray -H mssql://10.0.0.1:1433 -u sa -p passlist.txt -m domain:CORP

Redis with Custom Database

brutespray -H redis://10.0.0.1:6379 -u default -p passlist.txt -m db:3

POP3 APOP Authentication

Force APOP auth:

brutespray -H pop3://10.0.0.1:110 -u admin -p passlist.txt -m auth:APOP

IMAP CRAM-MD5 Authentication

Force CRAM-MD5 auth:

brutespray -H imap://10.0.0.1:143 -u admin -p passlist.txt -m auth:CRAM-MD5