
Advanced LLM-powered brute-force tool combining AI intelligence with automated login attacks
Features • Installation • Usage • Examples • Configuration • License
BruteForceAI is an advanced penetration testing tool that revolutionizes traditional brute-force attacks by integrating Large Language Models (LLM) for intelligent form analysis. The tool automatically identifies login form selectors using AI, then executes sophisticated multi-threaded attacks with human-like behavior patterns.
# Python 3.8 or higher
python --version
# Install Playwright browsers
playwright install chromium
pip install -r requirements.txt
Required packages:
- playwright - Browser automation
- requests - HTTP requests
- PyYAML - YAML parsing for update checks
# Install Ollama
curl -fsSL https://ollama.ai/install.sh | sh
# Pull recommended model
ollama pull llama3.2:3b
--llm-provider groq --llm-api-key YOUR_KEYOllama (Local):
- llama3.2:3b - Default, good balance of speed and quality
- llama3.2:1b - Fastest, smaller model for quick analysis
- qwen2.5:3b - Alternative with good performance
Groq (Cloud):
- llama-3.3-70b-versatile - Default & Best - Latest model with superior quality (1 attempt)
- llama3-70b-8192 - Fast and reliable alternative (1 attempt)
- gemma2-9b-it - Lightweight option, good for simple forms (1 attempt)
- llama-3.1-8b-instant - ⚠️ Not recommended (rate limiting issues, 3+ attempts)
# Best quality (recommended for complex forms)
python main.py analyze --urls targets.txt --llm-provider groq --llm-model llama-3.3-70b-versatile --llm-api-key YOUR_KEY
# Fast and reliable
python main.py analyze --urls targets.txt --llm-provider groq --llm-model llama3-70b-8192 --llm-api-key YOUR_KEY
# Lightweight for simple forms
python main.py analyze --urls targets.txt --llm-provider groq --llm-model gemma2-9b-it --llm-api-key YOUR_KEY
# Local processing (no API key needed)
python main.py analyze --urls targets.txt --llm-provider ollama --llm-model llama3.2:3b
python main.py analyze --urls urls.txt --llm-provider ollama
python main.py attack --urls urls.txt --usernames users.txt --passwords passwords.txt --threads 10
python main.py <command> [options]
analyze - Analyze login forms with LLMattack - Execute brute-force attacksclean-db - Clean database tablescheck-updates - Check for software updates# Step 1: Analyze forms
python main.py analyze --urls targets.txt --llm-provider ollama --llm-model llama3.2:3b
# Step 2: Attack with 20 threads
python main.py attack --urls targets.txt --usernames users.txt --passwords passwords.txt --threads 20 --delay 5 --jitter 2
python main.py attack \
--urls targets.txt \
--usernames users.txt \
--passwords passwords.txt \
--mode passwordspray \
--threads 15 \
--delay 10 \
--jitter 3 \
--success-exit \
--user-agents user_agents.txt \
--verbose \
--output results.txt
python main.py attack \
--urls targets.txt \
--usernames users.txt \
--passwords passwords.txt \
--discord-webhook "https://discord.com/api/webhooks/..." \
--slack-webhook "https://hooks.slack.com/services/..." \
--threads 10
python main.py analyze \
--urls targets.txt \
--show-browser \
--browser-wait 5 \
--debug \
--llm-provider ollama
# Check for software updates
python main.py check-updates
# Check with output to file
python main.py check-updates --output update_check.txt
# Check for updates manually (same as automatic but can save to file)
python main.py check-updates
# Check with output to file
python main.py check-updates --output update_check.txt
# Skip version check completely for faster startup
python main.py analyze --urls targets.txt --skip-version-check
python main.py attack --urls targets.txt --usernames users.txt --passwords passwords.txt --skip-version-check
# Also works as global flag (before subcommand)
python main.py --skip-version-check analyze --urls targets.txt
| Parameter | Description | Default |
|---|---|---|
--llm-provider |
LLM provider (ollama/groq) | ollama |
--llm-model |
Model name | llama3.2:3b (ollama), llama-3.3-70b-versatile (groq) |
--llm-api-key |
API key for Groq | None |
--selector-retry |
Retry attempts for selectors | 10 |
--force-reanalyze |
Force re-analysis | False |
| Parameter | Description | Default |
|---|---|---|
--mode |
Attack mode (bruteforce/passwordspray) | bruteforce |
--threads |
Number of threads | 1 |
--delay |
Delay between attempts (seconds) | 0 |
--jitter |
Random jitter (seconds) | 0 |
--success-exit |
Stop after first success | False |
--force-retry |
Retry existing attempts | False |
| Parameter | Description | Default |
|---|---|---|
--dom-threshold |
DOM difference threshold | 100 |
--retry-attempts |
Network retry attempts | 3 |
| Parameter | Description | Default |
|---|---|---|
--user-agents |
User-Agent file | None |
--proxy |
Proxy server | None |
--show-browser |
Show browser window | False |
--browser-wait |
Wait time when visible | 0 |
| Parameter | Description | Default |
|---|---|---|
--verbose |
Detailed timestamps | False |
--debug |
Debug information | False |
--output |
Save output to file | None |
--no-color |
Disable colors | False |
| Parameter | Description |
|---|---|
--discord-webhook |
Discord webhook URL |
--slack-webhook |
Slack webhook URL |
--teams-webhook |
Teams webhook URL |
--telegram-webhook |
Telegram bot token |
--telegram-chat-id |
Telegram chat ID |
BruteForceAI includes simple update checking to keep you informed about new releases.
--skip-version-check flag# Check for updates manually (same as automatic but can save to file)
python main.py check-updates
# Check with output to file
python main.py check-updates --output update_check.txt
✅ BruteForceAI v1.0.0 is up to date🔄 Update available: v1.0.0 → v1.1.0 | Download: https://github.com/...Updates are checked against: https://mordavid.com/md_versions.yaml
BruteForceAI uses SQLite database (bruteforce.db) with two main tables:
Stores LLM analysis results for each URL.
Logs all attack attempts with results and metadata.
# Clean all data
python main.py clean-db
# View database
sqlite3 bruteforce.db
.tables
.schema
--discord-webhook--slack-webhook--teams-webhook--telegram-webhook TOKEN --telegram-chat-id CHAT_IDFOR EDUCATIONAL AND AUTHORIZED TESTING ONLY
This tool is designed for: - ✅ Authorized penetration testing - ✅ Security research and education - ✅ Testing your own applications - ✅ Bug bounty programs with proper scope
DO NOT USE FOR: - ❌ Unauthorized access to systems - ❌ Illegal activities - ❌ Attacking systems without permission
Users are responsible for complying with all applicable laws and regulations. The author assumes no liability for misuse of this tool.
Mor David - Offensive Security Specialist & AI Security Researcher
I specialize in offensive security with a focus on integrating Artificial Intelligence and Large Language Models (LLM) into penetration testing workflows. My expertise combines traditional red team techniques with cutting-edge AI technologies to develop next-generation security tools.
Join our cybersecurity community for the latest in offensive security, AI integration, and advanced penetration testing techniques:
RootSec is a community of security professionals, researchers, and enthusiasts sharing knowledge about: - Advanced penetration testing techniques - AI-powered security tools - Red team methodologies - Security research and development - Industry insights and discussions
This project is licensed under the Non-Commercial License.
See the LICENSE.md file for complete terms and conditions.
⭐ Star this repository if you find it useful!
Made with ❤️ by Mor David | Join RootSec Community
$ claude mcp add BruteForceAI \
-- python -m otcore.mcp_server <graph>