MCPcopy
hub / github.com/x90skysn3k/brutespray

github.com/x90skysn3k/brutespray @v2.6.3 sqlite

repository ↗ · DeepWiki ↗ · release v2.6.3 ↗
834 symbols 2,884 edges 146 files 323 documented · 39%
README

Brutespray

VersiongoreleaserGo Report Card

Created by: Shane Young/@x90sky && Jacob Robles/@shellfail

Inspired by: Leon Johnson/@sho-luv

Description

Brutespray automatically attempts default credentials on discovered services. It takes scan output from Nmap (GNMAP/XML), Nessus, Nexpose, JSON, and lists, then brute-forces credentials across 40+ protocols in parallel. Built in Go with an interactive terminal UI, embedded wordlists, and resume capability.

Quick Install

go install github.com/x90skysn3k/brutespray/v2@latest

Release Binaries | Build from Source | Docker

Quick Start

# From Nmap scan output
brutespray -f nmap.gnmap -u admin -p password

# Target a specific host
brutespray -H ssh://192.168.1.1:22 -u admin -p passlist.txt

# CIDR range
brutespray -H ssh://10.1.1.0/24:22 -u root -p passlist.txt

# Combo credentials
brutespray -H ssh://10.0.0.1:22 -C root:root

See all examples for more usage patterns.

Demo

Features

  • 40+ protocols — SSH, FTP, RDP, SMB, MySQL, PostgreSQL, Redis, LDAP, WinRM, and more
  • Module parameters — Per-module settings via -m KEY:VALUE (auth type, target path, NTLM domain, etc.)
  • Multi-auth support — HTTP Digest/NTLM auto-detection, SMTP PLAIN/LOGIN, IMAP/POP3 SASL, SMB pass-the-hash
  • Interactive TUI — Tabbed views, live settings, pause/resume hosts (details)
  • Multiple input formats — Nmap GNMAP/XML, Nessus, Nexpose, JSON, lists (details)
  • Password spray mode — Lockout-aware spraying with configurable delays (details)
  • SOCKS5 proxy — Full proxy support with authentication (details)
  • Resume & checkpoint — Interrupt with Ctrl+C, resume later (details)
  • Embedded wordlists — Layered manifest system compiled into the binary (details)
  • Summary reports — JSON, CSV, Metasploit RC, NetExec scripts (details)
  • Performance tuning — Dynamic threading, circuit breaker, rate limiting (details)
  • YAML config files — Per-engagement settings (details)

How Brutespray Compares

Feature brutespray hydra medusa ncrack brutus
Single static binary
Interactive TUI
Checkpoint / resume
Spray mode (lockout-aware)
Per-attempt JSONL output ⚠️ ❌ (success-only)
SOCKS5 + proxy rotation ⚠️
Embedded SSH bad-keys (CVE-tagged)
Pipeline stdin (naabu / fingerprintx / masscan)
Pre-auth RDP recon (NLA / sticky-keys)
Nmap gnmap + XML / Nessus / Nexpose import ⚠️ ⚠️ (nmap only)
Per-module params (-m KEY:VAL) partial
Service count 41 50+ 34 14 23

Symbols reflect documented behavior at PR time. Competing tools change quickly.

Supported Services

ssh ftp ftps telnet smtp smtp-vrfy imap pop3 mysql postgres mssql mongodb redis vnc snmp smbnt rdp http https vmauthd teamspeak asterisk nntp oracle xmpp ldap ldaps winrm rexec rlogin rsh wrapper

Full details and service-specific notes: docs/services.md

Print discovered services from a scan file with -P -q:

Documentation

Guide Description
Installation Go install, release binaries, build from source, Docker
Usage CLI flags, config files, input formats
Services All 40+ protocols with ports, status, and notes
Examples Common usage patterns and recipes
Interactive TUI Keybindings, tabs, live settings
Advanced Spray mode, proxy, resume, performance tuning
Wordlists Manifest system, layers, overrides, customization
Output & Reporting Summary reports, Metasploit/NetExec integration

Star History

Star History Chart

Extension points exported contracts — how you extend this code

EventSink (Interface)
EventSink is the interface that bridges worker goroutines and the UI layer. Workers call Send() with structured messages [3 …
tui/state.go
WorkerPoolController (Interface)
WorkerPoolController is implemented by WorkerPool to allow the TUI to pause/resume hosts and adjust settings without cre [1 …
tui/model.go
BruteFunc (FuncType)
BruteFunc is the unified signature for all brute-force modules.
brute/registry.go

Core symbols most depended-on inside this repo

Close
called by 159
tui/state.go
NewConnectionManager
called by 77
modules/connections.go
Write
called by 52
modules/sessionlog.go
Register
called by 48
brute/registry.go
String
called by 42
brutespray/config.go
Set
called by 41
brutespray/config.go
Dial
called by 35
brute/postgres.go
Get
called by 25
modules/wordlist.go

Shape

Function 560
Method 160
Struct 103
TypeAlias 8
Interface 2
FuncType 1

Languages

Go100%

Modules by API surface

modules/output.go38 symbols
brutespray/wordlist_cmd.go32 symbols
brutespray/pool.go31 symbols
tui/model.go29 symbols
modules/parse.go27 symbols
brutespray/config_test.go16 symbols
brute/run.go16 symbols
brutespray/wordlist_cmd_test.go15 symbols
modules/connections.go13 symbols
brutespray/config.go13 symbols
brute/httpform_test.go13 symbols
tui/view_settings.go12 symbols

Dependencies from manifests, versioned

atomicgo.dev/cursorv0.2.0 · 1×
filippo.io/edwards25519v1.2.0 · 1×
github.com/Azure/go-ntlmsspv0.1.1 · 1×
github.com/ChrisTrenkamp/goxpathv0.0.0-2021040402055 · 1×
github.com/aymanbagabas/go-osc52/v2v2.0.1 · 1×
github.com/bodgit/ntlmsspv0.0.0-2024050623042 · 1×
github.com/bodgit/windowsv1.0.1 · 1×
github.com/cespare/xxhash/v2v2.3.0 · 1×
github.com/charmbracelet/bubblesv1.0.0 · 1×

Datastores touched

(mysql)Database · 1 repos
(mongodb)Database · 1 repos
adminDatabase · 1 repos

For agents

$ claude mcp add brutespray \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact