| Flag | Description | Example |
|---|---|---|
| `-f` | Input file (Nmap, Nessus, Nexpose, JSON, lists) | `-f nmap.gnmap` |
| `-H` | Target as service://host:port (CIDR supported, repeatable) | `-H ssh://10.1.1.0/24:22` |
| `-u` | Username or user list | `-u admin` or `-u users.txt` |
| `-p` | Password or password list | `-p password` or `-p pass.txt` |
| `-C` | Combo wordlist (user:pass per line) | `-C combos.txt` |
| `-s` | Service filter (comma-separated) | `-s ssh,ftp` |
| `-S` | List all supported services and exit | `-S` |
| `-t` | Threads per host (default: 10) | `-t 20` |
| `-T` | Concurrent hosts (default: 5) | `-T 10` |
| `-w` | Connection timeout (default: 5s) | `-w 10s` |
| `-r` | Retry count on connection failure (default: 3) | `-r 5` |
| `-o` | Output directory (default: brutespray-output) | `-o results` |
| `-d` | Domain for RDP/SMB authentication | `-d CORP` |
| `-socks5` | SOCKS5 proxy | `-socks5 127.0.0.1:1080` |
| `-iface` | Bind to network interface | `-iface tun0` |
| `-rate` | Per-host rate limit (attempts/sec, 0 = unlimited) | `-rate 10` |
| `-spray` | Password spray mode (avoids lockouts) | `-spray` |
| `-spray-delay` | Delay between spray rounds (default: 30m) | `-spray-delay 15m` |
| `-stop-on-success` | Stop testing host after first valid credential | `-stop-on-success` |
| `-resume` | Resume from checkpoint file | `-resume brutespray-checkpoint.json` |
| `-checkpoint` | Checkpoint file path (default: brutespray-checkpoint.json) | `-checkpoint myrun.json` |
| `-config` | YAML config file (CLI flags override) | `-config engagement.yaml` |
| `-summary` | Generate summary reports (JSON, CSV, TXT, MSF, NXC) | `-summary` |
| `-silent` | Suppress per-attempt logs (successes still recorded) | `-silent` |
| `-log-every` | Print every N attempts (default: 1) | `-log-every 100` |
| `-no-stats` | Disable statistics tracking for performance | `-no-stats` |
| `-nc` | Disable colored output | `-nc` |
| `-q` | Suppress banner | `-q` |
| `-P` | Print parsed hosts before execution | `-P` |
| `--no-tui` | Disable interactive TUI, use legacy output | `--no-tui` |
| `-m` | Module parameter in KEY:VALUE format (repeatable) | `-m auth:NTLM` |
| `-e` | Extra credential checks: n=blank, s=user-as-pass, r=reversed | `-e nsr` |
| `-x` | Generate passwords: MIN:MAX:CHARSET | `-x 4:4:1` |
| `--allow-wrapper` | Allow wrapper module to execute commands | `--allow-wrapper` |
| `--output-format` | Per-attempt output format: text (default) or json | `--output-format json` |
| `--proxy-list` | File with proxy list for rotation (one per line) | `--proxy-list proxies.txt` |
| `--no-badkeys` | Skip the embedded SSH bad-keys pre-pass | `--no-badkeys` |
| `--badkeys-only` | Run the embedded SSH bad-keys pre-pass only; skip passwords | `--badkeys-only` |
| `--no-rdp-scan` | Skip pre-auth RDP recon (NLA + sticky-keys) | `--no-rdp-scan` |
| `-c`, `--creds` | Inline credential pairs, comma-separated: admin:admin,root:toor | `-c admin:admin,root:toor` |

Use -config to load per-engagement settings. CLI flags always override config values.
```yaml
# engagement.yaml
user: "admin"
password: "passlist.txt"
output: "results"
threads: 20
host_parallelism: 10
timeout: "10s"
retry: 5
socks5: "socks5://127.0.0.1:9050"
stop_on_success: true
summary: true
spray: true
spray_delay: "30m"
hosts:
  - "ssh://10.0.0.0/24:22"
  - "rdp://10.0.0.0/24:3389"
```

All fields are optional. Any CLI flag takes precedence over the config file value.

Pass service-specific parameters using -m KEY:VALUE (repeatable):
```bash
# HTTP Digest auth
brutespray -H http://10.0.0.1:8080 -u admin -p passlist.txt -m auth:DIGEST

# HTTP NTLM auth
brutespray -H http://10.0.0.1:8080 -u admin -p passlist.txt -m auth:NTLM

# SMTP NTLM auth
brutespray -H smtp://10.0.0.1:25 -u admin -p passlist.txt -m auth:NTLM

# HTTP Form brute forcing
brutespray -H "http-form://10.0.0.1:8080" -u admin -p passlist.txt \
  -m "url:/login" -m "body:username=%U&password=%W" -m "fail:Invalid"

# SSH key authentication
brutespray -H ssh://10.0.0.1:22 -u admin -p /path/to/key -m key:true

# Wrapper module (requires --allow-wrapper)
brutespray -H wrapper://10.0.0.1 -u admin -p passlist.txt \
  -m "cmd:sshpass -p %W ssh %U@%H -p %P" --allow-wrapper
```

Module params can also be set in YAML config:

```yaml
module_params:
  auth: NTLM
  dir: /admin
```

| Flag | Description |
|---|---|
| `-e n` | Try blank/empty password |
| `-e s` | Try username as password |
| `-e r` | Try reversed username as password |
| `-e ns` | Try both blank and username-as-password |
| `-e nsr` | Try all three extra checks |

Generate passwords on-the-fly without a wordlist:
```bash
# All 4-digit PINs (0000-9999)
brutespray -H ssh://10.0.0.1:22 -u admin -x 4:4:1

# 1-6 char lowercase + digits
brutespray -H ssh://10.0.0.1:22 -u admin -x 1:6:a1

# 2-4 char all charsets
brutespray -H ssh://10.0.0.1:22 -u admin -x 2:4:aA1!
```

| Charset | Characters |
|---|---|
| `a` | lowercase (a-z) |
| `A` | uppercase (A-Z) |
| `1` | digits (0-9) |
| `!` | symbols |

Max length is capped at 8 to prevent excessive generation.

Password files in PwDump format (username:uid:LM_hash:NTLM_hash:::) are auto-detected. Users and NTLM hashes are extracted automatically for pass-the-hash attacks:
```bash
brutespray -H smbnt://10.0.0.1:445 -p hashdump.txt
```

Brutespray auto-detects the format from file contents.

Scan with -oA or -oG / -oX:
```bash
nmap -sV -oA scan_results 10.0.0.0/24
```

Both GNMAP (.gnmap) and XML (.xml) formats are supported.

Export your scan as a .nessus file from the Nessus web interface.
Use the XML Export template when exporting from Nexpose.
One JSON object per line:
```json
{"host":"127.0.0.1","port":"3306","service":"mysql"}
{"host":"127.0.0.10","port":"22","service":"ssh"}
```

```text
ssh:127.0.0.1:22
ftp:192.168.1.1:21
mysql:10.0.0.5:3306
```

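
A pre-flight scope check for target files in the two formats shown above (one JSON object per line, and `service:host:port` lines). This is an added example, not part of brutespray; the function names, the `AUTHORIZED` ranges and the sample lines are assumptions constructed for illustration. Entries that cannot be compared against a CIDR range (hostnames, invalid addresses or ports) are reported as malformed rather than passed through.

```python
import ipaddress
import json

# Assumption: the engagement's authorized ranges (constructed values).
AUTHORIZED = [ipaddress.ip_network("10.0.0.0/24"),
              ipaddress.ip_network("127.0.0.0/28")]

def parse_target(line):
    """Return (service, host, port) from a JSON-lines or service:host:port entry."""
    line = line.strip()
    if line.startswith("{"):
        obj = json.loads(line)
        return obj["service"], obj["host"], int(obj["port"])
    service, host, port = line.split(":")  # ValueError if not exactly 3 fields
    return service, host, int(port)

def check_scope(lines, authorized=AUTHORIZED):
    """Split target lines into in-scope, out-of-scope and malformed lists."""
    in_scope, out_of_scope, malformed = [], [], []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            service, host, port = parse_target(raw)
            addr = ipaddress.ip_address(host)
            if not 0 < port < 65536:
                raise ValueError("port out of range")
        except (ValueError, KeyError, TypeError):
            malformed.append(raw.strip())
            continue
        target = f"{service}:{host}:{port}"
        (in_scope if any(addr in net for net in authorized)
         else out_of_scope).append(target)
    return in_scope, out_of_scope, malformed

# Constructed sample using both formats from this page, plus one bad entry.
SAMPLE = [
    '{"host":"127.0.0.1","port":"3306","service":"mysql"}',
    '{"host":"127.0.0.10","port":"22","service":"ssh"}',
    "ssh:127.0.0.1:22",
    "ftp:192.168.1.1:21",
    "mysql:10.0.0.5:3306",
    "rdp:10.0.0.300:3389",
]

if __name__ == "__main__":
    ok, bad, broken = check_scope(SAMPLE)
    print("in scope:", ok)
    print("OUT OF SCOPE:", bad)
    print("malformed:", broken)
```

Run it against the target file before passing that file to `-f`, and treat any out-of-scope or malformed entry as a reason to stop and correct the list.
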
For use with -C:
```text
root:root
admin:admin
user1:password123
```

When -f is not supplied and stdin is a pipe, brutespray reads targets
from stdin and auto-detects the input format (naabu line, Nerva URI,
Nerva JSON, fingerprintx JSON, masscan JSON). The target list is
appended to whatever -H arguments were given on the CLI.

```bash
naabu -host 10.0.0.0/24 -p 22 -silent | brutespray -u root -p wordlist/ssh/password
masscan -p22,3389 10.0.0.0/24 -oJ - | brutespray -u admin -p admin
fingerprintx -t 10.0.0.0/24 --json | brutespray --no-badkeys
```