Created by Maksim Radaev/@vflame6
bruter is a fast, concurrent network services bruteforce tool written in Go. It supports 54 protocols, scan file auto-detection, and flexible wordlist options — built for pentesters who need reliable credential testing at scale.
- Scan file auto-detection — feed nmap (GNMAP/XML), Nessus, or Nexpose output directly
- Built-in default wordlists — usernames and passwords with
--defaults - Parallel execution — configurable per-host threading and concurrent hosts
- Smart probing — auto-detects TLS and tests default credentials before brute
- SOCKS5 proxy support — with optional proxy authentication
- Interface binding — bind to a specific network interface with
-I
| Category | Modules |
|---|---|
| Remote Access | ssh, sshkey, rdp, winrm, telnet, rexec, rlogin, rsh, vnc, radmin, vmauthd |
| Databases | mysql, mssql, postgres, oracle, mongo, redis, clickhouse, cassandra, neo4j, etcd, influxdb, firebird, memcached, couchdb, elasticsearch |
smtp, smtp-enum, imap, pop3, nntp |
|
| Web / HTTP | http-basic, http-form, http-proxy, vault |
| Directory | ldap |
| File Sharing | ftp, smb, svn |
| Messaging | irc, xmpp, smpp, amqp |
| Network | socks5, snmp, rtsp, rpcap |
| VoIP | asterisk, teamspeak, sip |
| Cisco | cisco, cisco-enable |
| Industrial | s7 |
| Other | cobaltstrike |
bruter -h
This will display help for the tool. Here are all the switches it supports.
usage: bruter [<flags>] <command> [<args> ...]
bruter is a network services bruteforce tool.
Flags:
-h, --[no-]help Show context-sensitive help (also try --help-long and --help-man).
-t, --target=TARGET Target host or file with targets. Format host or host:port, one per line
-n, --input-file=INPUT-FILE Scan output file (nmap GNMAP/XML, Nessus .nessus, Nexpose XML — auto-detected). Use with 'all' command.
-u, --username=USERNAME Username or file with usernames
-p, --password=PASSWORD Password or file with passwords
--combo=COMBO Combo wordlist file with user:pass pairs, one per line
--[no-]defaults Use built-in default username and password wordlists (user-specified -u/-p take priority)
--[no-]user-as-pass Try username as password for each user
--[no-]blank Try blank/empty password for each user
--[no-]reversed Try reversed username as password for each user
-N, --concurrent-services=4 Number of services to scan on host in parallel ('all' only)
-C, --concurrent-hosts=32 Number of hosts in parallel
-c, --concurrent-threads=10 Number of parallel threads per service
--[no-]no-stats Disable progress bar for better performance
-d, --delay=0s Delay between each attempt. Will always use single thread if set
--timeout=10s Connection timeout in seconds
-f, --[no-]stop-on-success Stop bruteforcing current host when first valid credentials found (-f per host, -F global)
-F, --[no-]stop-on-success-global
Stop the entire run on first successful login across all hosts
--max-retries=30 Number of connection errors to stop bruteforce the host. Specify 0 to disable this behavior
--proxy="" SOCKS-proxy address to use for connection in format IP:PORT
--proxy-auth="" Proxy username and password in format username:password
-I, --iface="" Network interface to bind outgoing connections to (e.g. eth0)
--user-agent="..." User-Agent for HTTP connections
-s, --service="" Filter services in 'all' mode (comma-separated, e.g. ftp,ssh,smb)
-L, --[no-]list-services List all supported services and exit
-q, --[no-]quiet Enable quiet mode, print results only
-D, --[no-]debug Enable debug mode, print all logs
-v, --[no-]verbose Enable verbose mode, log every attempt with timestamp
-j, --[no-]json Output results as JSONL (one JSON object per line)
-o, --output="" Filename to write output in raw format
--[no-]version Show application version.
Commands: all amqp asterisk cassandra cisco cisco-enable clickhouse cobaltstrike couchdb elasticsearch etcd firebird ftp http-basic http-form http-proxy imap influxdb irc ldap ldaps memcached mongo mssql mysql neo4j nntp oracle pop3 postgres radmin rdp redis rexec rlogin rpcap rsh rtsp s7 sip smb smpp smtp smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet vault vmauthd vnc winrm xmpp Brute-force SSH with a password list:
bruter ssh -t 192.168.1.10 -u root -p /usr/share/wordlists/passwords.txtMultiple targets from a file:
bruter ssh -t targets.txt -u users.txt -p passwords.txt -C 50 -c 5Use built-in default wordlists:
bruter mysql -t 10.0.0.5:3306 --defaultsAuto-detect from nmap scan:
nmap -sV -oG scan.gnmap 10.0.0.0/24
bruter all -n scan.gnmap --defaultsFilter specific services from scan results:
bruter all -n scan.gnmap --defaults -s ssh,ftp,rdpQuick credential checks (username as password, blank, reversed):
bruter ssh -t 10.0.0.5 -u users.txt --user-as-pass --blank --reversedList all supported services:
bruter -LComma-separated targets:
bruter ssh -t 192.168.1.1,192.168.1.2,192.168.1.3 -u root --defaultsTargets use host or host:port format. If port is omitted, the module default is used. Multiple targets can be comma-separated or listed in a file (one per line).
192.168.0.11
192.168.0.12:2222
10.0.0.1,10.0.0.2,10.0.0.3
bruter requires Go 1.25+ to install successfully.
go install -v github.com/vflame6/bruter@latestPre-compiled binaries are available on the Releases page.
Build from source:
git clone https://github.com/vflame6/bruter.git
cd bruter
go build -o bruter main.goBuild with Docker:
docker build -t bruter .
docker run --rm bruter ssh -t 10.0.0.1 -u admin -p passwords.txtContributions are welcome! Feel free to open an issue or submit a pull request. New module ideas, bug reports, and feature requests are all appreciated.
