Brutus: Open-Source Offensive Security Tool for Credential Testing
▼ Summary
– Brutus is an open-source, credential testing tool written in Go that ships as a single binary with zero external dependencies, designed to replace legacy tools with integration problems.
– It solves workflow issues by natively integrating with JSON-based reconnaissance pipelines, allowing operators to pipe discovered services directly into testing without manual parsing.
– The tool supports 22 protocols and includes an embedded SSH bad key testing feature, automatically checking services against known-compromised keys from major vendors.
– It features experimental AI integration that uses vision capabilities to automatically identify and test default credentials for unidentified web admin panels and appliances.
– Future development focuses on optimizing AI features for scale, building a community-driven templating system, and reliably adding support for protocols like RDP.
In the world of penetration testing and offensive security, credential testing is a fundamental yet often cumbersome task. Brutus is an open-source, multi-protocol credential testing tool written in pure Go, designed to solve the workflow problems that plague legacy tools. It ships as a single binary with zero external dependencies, offering native integration with modern JSON-based reconnaissance pipelines. This eliminates the dependency headaches and platform-specific issues that have long frustrated security professionals, allowing them to focus on actual testing rather than tool wrangling.
The core problem Brutus addresses is the broken link in structured reconnaissance workflows. Modern tools like naabu for port scanning and fingerprintx for service identification output structured JSON data. Credential testing was historically the manual, disruptive step. With Brutus, operators can seamlessly pipe discovered services directly into the tool for testing and receive structured results in return. There is no need for format conversion, manual parsing, or writing glue scripts, creating a smooth and efficient end-to-end process.
A standout feature of Brutus is its embedded SSH bad key testing capability. The tool includes the Rapid7 ssh-badkeys and HashiCorp Vagrant key collections compiled directly into its binary. This means every SSH service discovered is automatically tested against known-compromised keys from vendors like F5 BIG-IP, ExaGrid, and Barracuda, complete with default usernames and associated CVE tracking. What was once a tedious, often-skipped manual task on internal assessments now happens automatically, turning a half-day project into an effortless part of the standard workflow.
Beyond its powerful command-line interface, Brutus also functions as a Go library. This allows developers to import it directly into custom security automation tools, enabling deeper integration without the need to shell out to external processes, which enhances performance and control.
One of the tool’s most ambitious components is its experimental AI integration. It tackles the persistent challenge of unidentified web admin panels, those login pages on non-standard ports for switches, storage appliances, or monitoring tools. Brutus automates the entire discovery cycle: it renders a page in a headless browser, uses AI vision to identify the product, researches probable default credentials, and then controls the browser to test them. This approach successfully handles JavaScript-rendered forms, CSRF tokens, and multi-step logins, overcoming the limitations of traditional form-filling tools. For HTTP Basic Auth targets, it analyzes server headers and authentication realm data to identify the device and test relevant credentials.
Looking ahead, the development team is focused on scaling the AI features efficiently. While per-target discovery works, testing hundreds of services introduces latency and cost concerns with LLM calls. Efforts are underway to implement smarter batching, device identification caching, and reduce redundant API calls to make the feature more practical for large-scale engagements.
Another key initiative is the creation of a community-driven templating system, inspired by tools like Nuclei. The vision is for practitioners to define default credentials for specific appliances in shareable templates. AI would then act as a fallback for uncatalogued targets, with the potential to generate new templates dynamically as it encounters unknown devices, making the tool increasingly intelligent and comprehensive over time.
On the protocol support front, reliable RDP testing remains a top priority. The team previously built an implementation but chose not to ship it due to reliability concerns, upholding their core promise that every feature in Brutus simply works. Future development will focus on robust NLA detection and testing for common internal findings like Sticky Keys backdoors.
As an open-source project available on GitHub, Brutus actively welcomes community contributions, especially additional SSH bad keys from appliances and vendor products encountered in real-world assessments.
(Source: HelpNet Security)
