Fast, multi-protocol credential brute-forcer. Parses Nmap, Nessus, and Nexpose output to automatically test default and custom credentials across 30+ protocols.
2.5k
Stars
434
Forks
15
Open issues
11
Contributors
AI Analysis
Brutespray is a high-performance credential brute-forcer written in Go that automates testing of default and custom credentials across 40+ protocols. It excels at parsing scan output from Nmap, Nessus, and Nexpose to orchestrate parallel attacks, making it purpose-built for penetration testers and red teamers during active security assessments. General-purpose security professionals and infrastructure auditors benefit most; it is not suitable for casual users or those unfamiliar with offensiv...
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Go-based parallel credential brute-forcer with Nmap/Nessus integration and interactive UI for security assessments
Brutespray automates credential testing across 40+ protocols by parsing Nmap, Nessus, and Nexpose output. Built for penetration testers and red teamers who need to quickly validate default and weak credentials at scale. Offers features like spray-mode (lockout-aware), interactive terminal UI, resume capability, and per-protocol parameter tuning. Adoption appears concentrated in professional security assessment workflows rather than mainstream adoption, but is actively maintained and mature.
Created in 2017 by Shane Young and Jacob Robles, inspired by earlier work. Reflects the shift toward Go-based security tools that prioritize single-binary portability and performance. Has steadily accumulated ~2,500 stars over 9 years, indicating stable, long-term niche adoption among penetration testing practitioners.
Growth appears linear and modest (~11 stars in last 7 days, ~2,499 total). The trajectory suggests sustained, small-scale adoption within the pen-testing community rather than viral expansion. The tool's value proposition — automating a specific, repetitive assessment task — may cap mainstream visibility but ensures consistent utility for its target audience.
adoption not verified — no case studies, deployment scales, or specific organizational users mentioned in README. The existence of output formats compatible with Metasploit and NetExec suggests integration into professional workflows, but concrete adoption evidence is absent. Professional penetration testing community likely uses it, but verifiable data is not publicly available.
Likely implements concurrent brute-forcing via Go goroutines with modular protocol handlers (SSH, FTP, RDP, SMTP, etc.). Appears to use embedded wordlist manifests compiled into the binary, supporting stdin pipelines and multiple input parsers (GNMAP, XML, Nessus, Nexpose, JSON). Interactive TUI suggests use of a terminal UI library. README documents SOCKS5 proxy, checkpoint/resume, rate limiting, and circuit breaker patterns, indicating mature engineering for a specialized tool.
not documented in README
Last push 2026-07-02 (same day as analysis date) indicates active maintenance. Version 2.6.3 suggests incremental, stable releases. GoReleaser workflow visible in CI/CD badge. No indicators of stagnation; appears to be regularly updated tool. However, specific issue response time and release cadence cannot be assessed from metadata alone.
ADOPT IF: you are a penetration tester or red teamer conducting credential assessment on known services and want a portable, single-binary tool with TUI, spray-mode, and multi-protocol support that integrates Nmap/Nessus findings. AVOID IF: you need a massively scalable, cloud-native credential testing platform; expect vendor support; or require the broadest possible protocol coverage beyond the documented 40+. MONITOR IF: you rely on hydra or similar legacy tools and want to evaluate modern alternatives, or if you need SOCKS5 proxy chaining and lockout-aware spraying in your assessment pipeline.
Independent dimensions
Mainstream potential
4/10
Technical importance
6/10
Adoption evidence
3/10
- Test coverage not documented; unknown code quality and edge-case handling reliability
- Adoption not verified at scale — no public case studies or organizational references; may have adoption concentrations unknown to project maintainers
- Competing Rust-based tools (legba, NeuroSploit) may fragment the niche and reduce long-term viability if Rust adoption accelerates in security tools
- Interactive TUI may require terminal environment not available in all deployment contexts (CI/CD, containerized testing); headless mode necessity unclear from README
- Embedded wordlists are pre-compiled, potentially limiting customization without recompile; update frequency for embedded credentials unknown
Likely to remain a stable, actively-maintained tool for professional pen-testers and red teamers. Modest growth expected; unlikely to reach mainstream adoption or displace hydra/ncrack, but may consolidate its niche as Go-based security tooling matures. Success depends on consistent maintenance and community feedback, not rapid expansion.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- Go
- License
- MIT
- Last updated
- 2d ago
- Created
- 113mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Top contributors
Recent releases
Similar repos
chainreactors/spray
Spray is a high-performance HTTP directory fuzzer written in Go, designed for...
JoasASantos/NeuroSploit
NeuroSploit is an autonomous, multi-model penetration testing framework that...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
2.5k | +1 | Go | 8/10 | 2d ago |
|
|
1.9k | — | Rust | 8/10 | 4d ago |
|
|
1k | — | Go | 8/10 | 5d ago |
|
|
10.3k | — | Shell | 7/10 | 6d ago |
|
|
1.2k | — | Rust | 7/10 | 10h ago |
|
|
1.3k | — | Go | 8/10 | 1w ago |
Older, widely-known brute-forcer. Brutespray claims advantages: single binary, interactive TUI, checkpoint/resume, spray mode, and per-attempt JSONL output. Hydra has broader mind-share but lacks modern UX and some advanced features.
Similar scope (multi-protocol, ~1,900 stars). Legba is written in Rust; Brutespray in Go. README comparison table is not present for legba, so relative feature parity is unclear. Legba may appeal to different audience preferences (Rust vs. Go ecosystem).
Focused brute-forcer from Nmap suite. Narrower protocol support (14 vs. 40+). Lacks TUI, spray mode, and checkpoint features. Brutespray is more feature-rich and flexible, though ncrack has tighter Nmap integration by default.
Appears to be another Go-based credential sprayer. Direct comparison not available from README. Similar star count suggests parallel tool adoption but different positioning or feature set.
Wordlist/reference, not an active tool. Brutespray likely uses or complements such resources. Different category (reference vs. executor).