BruteSpray v1.6.0 - Brute-Forcing from Nmap output (Automatically attempts default creds on found services)

BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.

pip install -r requirements.txt
On Kali:
apt-get install brutespray

First do an nmap scan with -oG nmap.gnmap or -oX nmap.xml.

python brutespray.py -h
python brutespray.py --file nmap.gnmap
python brutesrpay.py --file nmap.xml
python brutespray.py --file nmap.xml -i


Using Custom Wordlists:
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

Brute-Forcing Specific Services:
python brutespray.py --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5

Specific Credentials:
python brutespray.py --file nmap.gnmap -u admin -p password --threads 5 --hosts 5

Continue After Success:
python brutespray.py --file nmap.gnmap --threads 5 --hosts 5 -c

Use Nmap XML Output
python brutespray.py --file nmap.xml --threads 5 --hosts 5

Interactive Mode
python brutespray.py --file nmap.xml -i

Supported Services
  • ssh
  • ftp
  • telnet
  • vnc
  • mssql
  • mysql
  • postgresql
  • rsh
  • imap
  • nntp
  • pcanywhere
  • pop3
  • rexec
  • rlogin
  • smbnt
  • smtp
  • svn
  • vmauthd
  • snmp


  • v1.6.0
    • added support for SNMP
  • v1.5.3
    • adjustments to wordlists
  • v1.5.2
    • change tmp and output directory behavior
  • v1.5.1
    • added check for no services
  • v1.5
    • added interactive mode
  • v1.4
    • added ability to use nmap XML
  • v1.3
    • added the ability to stop on success
    • added the ability to reference custom userlists and passlists
    • added the ability to specify specific users & passwords

Disqus Comments