BruteSpray – Automatically Brute Force Services from NMAP GNMAP/XML with Default Credentials


BruteSpray takes nmap GNMAP/XML output or newline separated JSONS and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.


pip install -r requirements.txt

On Kali:

apt-get install brutespray


First do an nmap scan with -oG nmap.gnmap or -oX nmap.xml.

Command: python -h

Command: python --file nmap.gnmap

Command: python --file nmap.xml

Command: python --file nmap.xml -i


Using Custom Wordlists:

python --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

Brute-Forcing Specific Services:

python --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5

Specific Credentials:

python --file nmap.gnmap -u admin -p password --threads 5 --hosts 5

Continue After Success:

python --file nmap.gnmap --threads 5 --hosts 5 -c

Use Nmap XML Output

python --file nmap.xml --threads 5 --hosts 5

Use JSON Output

python --file out.json --threads 5 --hosts 5

Interactive Mode

python --file nmap.xml -i

Supported Services

  • ssh
  • ftp
  • telnet
  • vnc
  • mssql
  • mysql
  • postgresql
  • rsh
  • imap
  • nntp
  • pcanywhere
  • pop3
  • rexec
  • rlogin
  • smbnt
  • smtp
  • svn
  • vmauthd
  • snmp

Data Specs


Combo Option

When you specify a combo option -C, it will read the specified file and attempt the host:user:pass on each discovered service from Nmap. If you just want to specify only a username and password leave the host blank as shown below.




Please follow and like us:

Leave a Reply

Your email address will not be published. Required fields are marked *