Comprehensive Brutus multi-protocol credential testing tool commands for penetration testing and security assessments.
Installation
| Command | Description |
|---|
go install github.com/praetorian-inc/brutus@latest | Install via Go |
| Download from GitHub Releases | Pre-built single binary |
brutus --version | Show Brutus version |
brutus --help | Show help and available commands |
chmod +x brutus | Make downloaded binary executable |
Basic Usage
| Command | Description |
|---|
brutus ssh --host 192.168.1.1 | Test SSH credentials |
brutus ssh --host 192.168.1.1 -u admin -p passwords.txt | SSH with user and wordlist |
brutus mysql --host 192.168.1.1 -u root | Test MySQL credentials |
brutus rdp --host 192.168.1.1 -u administrator | Test RDP credentials |
brutus smb --host 192.168.1.1 -u admin | Test SMB credentials |
brutus ftp --host 192.168.1.1 -u anonymous | Test FTP credentials |
Supported Protocols
| Protocol | Description |
|---|
ssh | Secure Shell authentication |
mysql | MySQL database authentication |
postgresql | PostgreSQL database authentication |
redis | Redis authentication |
mongodb | MongoDB authentication |
smb | Server Message Block |
rdp | Remote Desktop Protocol |
ftp | File Transfer Protocol |
telnet | Telnet authentication |
vnc | VNC authentication |
snmp | SNMP community string testing |
ldap | LDAP authentication |
mssql | Microsoft SQL Server |
http-basic | HTTP Basic authentication |
http-form | HTTP form-based authentication |
smtp | SMTP authentication |
pop3 | POP3 email authentication |
imap | IMAP email authentication |
cassandra | Cassandra database authentication |
oracle | Oracle database authentication |
Credential Options
| Flag | Description |
|---|
-u <user> | Single username |
-U <file> | Username wordlist file |
-p <pass> | Single password |
-P <file> | Password wordlist file |
-C <file> | Combo file (user:pass per line) |
--default-creds | Test common default credentials |
--empty-password | Test empty passwords |
--user-as-pass | Test username as password |
--reverse-user | Test reversed username as password |
Connection Options
| Flag | Description |
|---|
--host <ip> | Target host IP or hostname |
--port <port> | Custom port (overrides default) |
--hosts-file <file> | File with list of target hosts |
-t <threads> | Number of concurrent threads |
--timeout <seconds> | Connection timeout per attempt |
--delay <ms> | Delay between attempts |
--retry <count> | Number of retries on failure |
--proxy <url> | Route through proxy |
Output Options
| Flag | Description |
|---|
-o <file> | Output results to file |
--json | Output in JSON format |
--json-pretty | Pretty-printed JSON output |
--quiet | Suppress verbose output |
--verbose | Increase output verbosity |
--no-color | Disable colored output |
--found-only | Only show successful logins |
SSH-Specific Options
| Flag | Description |
|---|
--ssh-key <file> | Test with SSH private key |
--ssh-badkeys | Test known bad/default SSH keys |
--ssh-agent | Use SSH agent for keys |
--ssh-vagrant | Test Vagrant insecure key |
--ssh-key-passphrase <pass> | Passphrase for encrypted key |
Pipeline Integration
| Command | Description |
|---|
naabu -host 192.168.1.0/24 -p 22 -json | brutus ssh | Pipe naabu port scan results |
fingerprintx -json | brutus auto | Auto-detect protocol from fingerprint |
brutus ssh --json | jq '.[] | select(.success)' | Filter successful logins with jq |
echo '{"host":"192.168.1.1","port":22}' | brutus ssh | Pipe single target as JSON |
brutus ssh --json -o results.json | Save JSON results to file |
Advanced Usage
| Command | Description |
|---|
brutus ssh -t 50 --delay 100 | Rate-limited testing (50 threads, 100ms delay) |
brutus auto --hosts-file targets.txt | Auto-detect and test multiple targets |
brutus http-form --url <url> --form-data "user=^USER^&pass=^PASS^" | HTTP form brute force |
brutus http-basic --url <url> | HTTP Basic auth testing |
brutus ssh --default-creds --hosts-file iot-devices.txt | IoT default credential scan |
Default Credential Testing
| Command | Description |
|---|
brutus ssh --default-creds | Test SSH default credentials |
brutus mysql --default-creds | Test MySQL defaults (root/blank, etc.) |
brutus postgresql --default-creds | Test PostgreSQL defaults |
brutus redis --default-creds | Test Redis defaults |
brutus snmp --default-creds | Test SNMP community strings |
Bad Key Testing (SSH)
| Command | Description |
|---|
brutus ssh --ssh-badkeys | Test all known bad SSH keys |
| Includes Rapid7 ssh-badkeys | Known leaked private keys |
| Includes HashiCorp Vagrant key | Default Vagrant insecure key |
| Keys compiled into binary | No external key files needed |
brutus ssh --ssh-badkeys --hosts-file servers.txt | Batch bad key testing |
Safety and Rate Limiting
| Flag | Description |
|---|
-t 1 | Single thread (gentlest) |
--delay 1000 | 1 second between attempts |
--max-attempts 3 | Stop after 3 failures per host |
--lockout-threshold 5 | Stop after 5 lockout detections |
--timeout 10 | 10 second connection timeout |
Tips and Best Practices
| Tip | Description |
|---|
| Always have authorization | Only test systems you’re authorized to test |
| Start with default creds | Most effective for initial access |
| Use rate limiting | Avoid triggering account lockouts |
| Pipe from reconnaissance | Chain with naabu and fingerprintx |
| Use JSON output | Structured data for reporting |
| Test bad SSH keys | Quick wins on misconfigured servers |
| Check before brute forcing | Try default creds and bad keys first |
| Monitor for lockouts | Watch for account lockout responses |
