Mastodon Hillbilly StoryTime: Tool Review - BruteSpray

Monday, January 22, 2018

Tool Review - BruteSpray



Shane Young/@x90skysn3k & Jacob Robles/@shellfail


BruteSpray is a python script that takes a Nmap gnmap/xml output as an input file and automatically starts brute-forcing services with default credentials using Medusa.



How to Install

On most Linux systems, the user will need to download the source from GitHub:
git clone
and then they will need to ensure all dependencies are installed:
pip install -r requirements.txt
On Kali Linux, it is much easier. Simple install from apt:
apt-get install brutespray 

Sample Usage

As with most Linux tools, brutespray comes with the typical "-h" flag to display the help/usage:

That shows the syntax to execute brutespray is: -f <input file> -t <# of threads> -T <# of simultaneous hosts> -u/-U <username/UsernameFile> -p/-P <password/PasswordFile> -c -i
Not all of those command line options are necessary.  At the very minimum, the user will need to enter: -f <input file>
Beyond the that simple command, the user can specify any of the other options as well, depending on their needs.
Of these other command line options, the most interesting is the "-i (interactive)" flag. When using this option, the user is prompted for all of the other information in a "Wizard" like manner:


No comments: