x90skysn3k

x90skysn3k/brutespray

Go MIT Security

Fast, multi-protocol credential brute-forcer. Parses Nmap, Nessus, and Nexpose output to automatically test default and custom credentials across 30+ protocols.

2.5k stars
434 forks
active
GitHub +1 / week

2.5k

Stars

434

Forks

15

Open issues

11

Contributors

v2.6.3 28 Jun 2026

AI Analysis

Brutespray is a high-performance credential brute-forcer written in Go that automates testing of default and custom credentials across 40+ protocols. It excels at parsing scan output from Nmap, Nessus, and Nexpose to orchestrate parallel attacks, making it purpose-built for penetration testers and red teamers during active security assessments. General-purpose security professionals and infrastructure auditors benefit most; it is not suitable for casual users or those unfamiliar with offensiv...

Security Security Tool Discovery value: 5/10
Documentation 9/10
Activity 9/10
Community 8/10
Code quality 7/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

credential-testing multi-protocol-brute-force penetration-testing go-based-tool interactive-tui
Actively maintained Well documented MIT licensed Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
1w ago

Go-based parallel credential brute-forcer with Nmap/Nessus integration and interactive UI for security assessments

Brutespray automates credential testing across 40+ protocols by parsing Nmap, Nessus, and Nexpose output. Built for penetration testers and red teamers who need to quickly validate default and weak credentials at scale. Offers features like spray-mode (lockout-aware), interactive terminal UI, resume capability, and per-protocol parameter tuning. Adoption appears concentrated in professional security assessment workflows rather than mainstream adoption, but is actively maintained and mature.

Origin

Created in 2017 by Shane Young and Jacob Robles, inspired by earlier work. Reflects the shift toward Go-based security tools that prioritize single-binary portability and performance. Has steadily accumulated ~2,500 stars over 9 years, indicating stable, long-term niche adoption among penetration testing practitioners.

Growth

Growth appears linear and modest (~11 stars in last 7 days, ~2,499 total). The trajectory suggests sustained, small-scale adoption within the pen-testing community rather than viral expansion. The tool's value proposition — automating a specific, repetitive assessment task — may cap mainstream visibility but ensures consistent utility for its target audience.

In production

adoption not verified — no case studies, deployment scales, or specific organizational users mentioned in README. The existence of output formats compatible with Metasploit and NetExec suggests integration into professional workflows, but concrete adoption evidence is absent. Professional penetration testing community likely uses it, but verifiable data is not publicly available.

Code analysis
Architecture

Likely implements concurrent brute-forcing via Go goroutines with modular protocol handlers (SSH, FTP, RDP, SMTP, etc.). Appears to use embedded wordlist manifests compiled into the binary, supporting stdin pipelines and multiple input parsers (GNMAP, XML, Nessus, Nexpose, JSON). Interactive TUI suggests use of a terminal UI library. README documents SOCKS5 proxy, checkpoint/resume, rate limiting, and circuit breaker patterns, indicating mature engineering for a specialized tool.

Tests

not documented in README

Maintenance

Last push 2026-07-02 (same day as analysis date) indicates active maintenance. Version 2.6.3 suggests incremental, stable releases. GoReleaser workflow visible in CI/CD badge. No indicators of stagnation; appears to be regularly updated tool. However, specific issue response time and release cadence cannot be assessed from metadata alone.

Honest verdict

ADOPT IF: you are a penetration tester or red teamer conducting credential assessment on known services and want a portable, single-binary tool with TUI, spray-mode, and multi-protocol support that integrates Nmap/Nessus findings. AVOID IF: you need a massively scalable, cloud-native credential testing platform; expect vendor support; or require the broadest possible protocol coverage beyond the documented 40+. MONITOR IF: you rely on hydra or similar legacy tools and want to evaluate modern alternatives, or if you need SOCKS5 proxy chaining and lockout-aware spraying in your assessment pipeline.

Independent dimensions

Mainstream potential

4/10

Technical importance

6/10

Adoption evidence

3/10

Risks
  • Test coverage not documented; unknown code quality and edge-case handling reliability
  • Adoption not verified at scale — no public case studies or organizational references; may have adoption concentrations unknown to project maintainers
  • Competing Rust-based tools (legba, NeuroSploit) may fragment the niche and reduce long-term viability if Rust adoption accelerates in security tools
  • Interactive TUI may require terminal environment not available in all deployment contexts (CI/CD, containerized testing); headless mode necessity unclear from README
  • Embedded wordlists are pre-compiled, potentially limiting customization without recompile; update frequency for embedded credentials unknown
Prediction

Likely to remain a stable, actively-maintained tool for professional pen-testers and red teamers. Modest growth expected; unlikely to reach mainstream adoption or displace hydra/ncrack, but may consolidate its niche as Go-based security tooling matures. Success depends on consistent maintenance and community feedback, not rapid expansion.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Go
98.5%
Shell
1.3%
Dockerfile
0.1%
Makefile
0.1%

Information

Language
Go
License
MIT
Last updated
2d ago
Created
113mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

evilsocket

evilsocket/legba

Legba is a high-performance multi-protocol credentials bruteforcer and password...

1.9k Rust Security
chainreactors

chainreactors/spray

Spray is a high-performance HTTP directory fuzzer written in Go, designed for...

1N3

1N3/Sn1per

Sn1per is an offensive-security platform that consolidates reconnaissance,...

10.3k Shell Security
JoasASantos

JoasASantos/NeuroSploit

NeuroSploit is an autonomous, multi-model penetration testing framework that...

1.2k Rust Security
RedTeamPentesting

RedTeamPentesting/pretender

pretender is a specialized penetration testing tool for executing...

1.3k Go Security
vs. alternatives
hydra

Older, widely-known brute-forcer. Brutespray claims advantages: single binary, interactive TUI, checkpoint/resume, spray mode, and per-attempt JSONL output. Hydra has broader mind-share but lacks modern UX and some advanced features.

legba (Rust)

Similar scope (multi-protocol, ~1,900 stars). Legba is written in Rust; Brutespray in Go. README comparison table is not present for legba, so relative feature parity is unclear. Legba may appeal to different audience preferences (Rust vs. Go ecosystem).

ncrack

Focused brute-forcer from Nmap suite. Narrower protocol support (14 vs. 40+). Lacks TUI, spray mode, and checkpoint features. Brutespray is more feature-rich and flexible, though ncrack has tighter Nmap integration by default.

spray (Go, 1049 stars)

Appears to be another Go-based credential sprayer. Direct comparison not available from README. Similar star count suggests parallel tool adoption but different positioning or feature set.

DefaultCreds-cheat-sheet (Python, 6637 stars)

Wordlist/reference, not an active tool. Brutespray likely uses or complements such resources. Different category (reference vs. executor).