Hackers and penetration testers use brute force attack tools to crack login credentials and encryption keys through systematic trial and error. These tools automatically test various combinations of numbers, letters, and special characters to uncover passwords. Most brute force tools are automated bots that can run between 10,000 and 1 billion combinations per second using powerful machines.
Threat actors use brute force tools to guess login credentials and encryption keys to fulfill their malicious purposes, such as taking over an account, stealing data, encrypting data, and stealing money. Conversely, penetration testers and security researchers employ brute force tools to identify login credentials and encryption keys’ vulnerabilities. Pentesters also use brute forcing to find hidden subdomains and directories associated with main domains.
Disclaimer: Using brute force attack tools to guess passwords to gain unauthorized access to accounts is a criminal offense worldwide. The tools listed below are for ethical penetration testing only.
- Gobuster – Best for Brute Forcing Subdomains and Directories
- BruteX – Best for Brute Forcing Services
- Dirsearch – Best for Discovering Web Path
- THC-Hydra – THC-Hydra: Best for Port Scanner
- Burp Suite – Best for Web Security Testing Suite
- Patator – Multi-Purpose Brute Forcer
- Pydictor – Dictionary Builder
- Hashcat – GPU-Accelerated Password Cracking
- JWT Cracker – Best for JWT Token
- Nettracker – Best for Automated Pentest
- SocialBox – Best for Social Media Testing
- CMSeek – Best for CMS Testing
- Show less
Geekflare has researched and compiled a list of the top brute force attack tools based on key features such as protocol support, error handling, and logging capabilities.
Gobuster
Best for Brute Forcing Subdomains and Directories
Gobuster is a leading tool for brute-forcing URLs (directories and files) on websites, DNS subdomains (with wildcard support), open Amazon S3 buckets, virtual host names, TFTP servers, and more. Its speed and efficiency, driven by the Go programming language and dedicated modes for DNS and directory brute-forcing, make it one of the best tools for subdomains and directories.
Gobuster also allows customization through options like defining HTTP methods, specifying wordlists, using patterns, and proxy configurations. It is frequently updated with improvements such as range support for status codes, TLS 1.0 and 1.1 support, and advanced DNS enumeration features.
The best use cases for Gobuster include discovering hidden web directories, subdomains, unsecured S3 and Google Cloud buckets, virtual hosts, TFTP files, and fuzzing HTTP inputs to enhance security testing. It is available via binaries, Docker, or by building from the source with Go 1.19 or higher.
BruteX
Best for Brute Forcing Services
BruteX is a powerful tool for brute-forcing services on a target. It can target open ports, IP addresses, usernames, passwords, and more. Available on GitHub, It can also be run in a Docker environment for added flexibility.
It supports brute-forcing SSH, FTP, and other network services to help identify weak passwords and insecure systems.
Dirsearch
Best for Discovering Web Path
Dirsearch is a command-line website directory scanner. It has many useful features, such as multi-threading, recursive brute-forcing, HTTP proxy support, detection of invalid web pages, and more. You can install it through various methods, including Git, ZIP, Docker, and PyPi.
Dirsearch offers various useful dictionary settings for efficient brute forcing, such as custom wordlists, adding extensions to the end of every wordlist entry, adding custom prefixes to all wordlist entries, and more. It also allows you to pause the scanning progress, save the progress, skip the current target, and more.
THC-Hydra
Best for Port Scanner
Hydra is a versatile brute-force tool for security testing developed by Van Hauser of THC. It supports a wide range of protocols, including FTP, HTTP, SSH, SMTP, MYSQL, Telnet, POP3, RDP, IMAP, LDAP, and many more.
Hydra is super fast and flexible, allowing you to add new modules easily. What’s more, it lets you have parallelized connections, enhancing its speed and efficiency.
Hydra is compatible with platforms like Linux, MacOS, Solaris, and Windows/Cygwin. For convenience, it can also be deployed using Docker on any operating system.
Burp Suite
Best for Web Security Testing Suite
Burp Suite is a powerful web application vulnerability scanner that helps pentsters to find a range of vulnerabilities in an application, including directory reversal, OWASP Top 10, HTTP Desync attacks, and more.
Though it is a vulnerability scanner, Burp Suite comes with various features to help you brute force the password of a given user using a dictionary attack and try every permutation of a character set.
Burp Enterprise Edition has custom pricing, while Burp Professional Edition costs $449 per user per year. The Burp Community Edition is free, and Burp Scanner offers a full-featured trial for evaluation.
Patator
Multi-Purpose Brute Forcer
Patator is the top choice for multi-purpose brute forcing. It can help you brute force logins for FTP, SSH, Telnet, SMTP, RDP, IMAP, Lightweight Directory Access Protocol (LDAP), Oracle, MySQL, and many more.
Written in Python, Patator is highly valued for its role in password discovery, vulnerability scanning, and reconnaissance. Available for free on GitHub, it’s a powerful tool for cybersecurity professionals looking for efficient and customizable brute-force capabilities.
Pydictor
Dictionary Builder
Pydictor is a versatile wordlist generator tool developed by LandGrey and available on GitHub. It allows you to create general, custom, or social engineering wordlists to carry out brute-force attacks.
Key features of Pydictor include but are not limited to creating custom character wordlist, permutation and combination wordlist, configuration file based wordlist, extending wordlist based on rules, wordlist based on web page keywords, and many more.
Pydictor supports Python 2.7 and Python 3.x version, and you can run it on Linux, Windows, and Mac. You can download it from GitHub.
Hashcat
GPU-Accelerated Password Cracking
Hashcat is an advanced password-cracking tool that supports five unique modes of attack: dictionary attack, combinator attack, brute force attack, hybrid attack, and association attack. It allows you to attack over 300 highly optimized hashing algorithms and lets you crack multiple hashes simultaneously.
Hashcat supports various hardware accelerators on Linux, Windows, and macOS, including central processing units (CPUs), graphic processing units (GPUs), and more. It also allows you to enable distributed password cracking.
Hashcat offers various utilities, such as cap2hccapx to generate .hccapx files, cleanup-rule, combinator, and more, for advanced cracking of password hashes. If you are stuck and want some help, the Hashcat forum offers tons of information. You can download Hashcat from GitHub.
JWT Cracker
Best for JWT Token
JWT Cracker is designed to brute-force JSON Web Tokens (JWT) using the S256, HS384, or HS512 algorithms. It can effectively brute-force tokens with weak secrets.
You can install JWT Cracker via Node Package Manager (NPM) with a simple command; it requires Node.js version 16.0.0 or higher. After the installation, you can run JWT Craker from the command line to target specific JWT tokens.
Nettracker
Best for Automated Pentest
Nettacker is a powerful tool for automated penetration testing. It offers various modules for information gathering and pen testing. You can conduct vulnerability scanning, brute force, check misconfigurations, and more. It uses various protocols, including ACK, SYN, TCP, ICMP, and more, to identify and bypass IDS/IPS/Firewall services.
Nettracker offers three modules: scan modules, vuln modules, and brute modules. Its brute modules allow you to brute force FTP users, HTTP basic auth users, SMTP ports, SSH (port 22) users, WordPress users, and more. You have an option to specify extra users/parameters. If you don’t specify, it will use its default parameters.
You can install OWASP Nettacker directly on a Linux system. Alternatively, you can run it on any operating system using a Docker image.
Best for Social Media Testing
SocialBox is a popular attack framework to brute force social media accounts like Facebook, Instagram, and Gmail. It was coded by Belahsan Ouerghi. It allows you to automate the process of attempting access to these platforms by systematically trying different password combinations.
You can install SocialBox on various Linux distributions, such as Ubuntu and Kali Linux, using a straightforward command-line installation process. You can install it from GitHub.
Using SocialBox to brute force others’ social media accounts is illegal. So you should never do this. Use this tool only when you want to assess the security of your social media accounts.
CMSeek
Best for CMS Testing
CMSeek is best known for scanning content management systems and brute forcing them using its pre-built or custom-made brute forcing modules. It can detect around 180 different CMS platforms and comes with advanced scanning capabilities for popular CMS, including WordPress, Drupal, and Joomla.
When scanning for content management systems, CMSeek offers the flexibility to skip certain CMS platforms and avoid scanning targets whose CMS platforms have already been identified.
CMSeek employs various methods for detecting CMS, including Directory check, HTTP headers, generator meta tag, page source code, and robot.txt. It stores CMS scanning results in a JSON file and brute forcing results in a Txt file.
CMSeek is an open-source tool built using Python 3. Therefore, you will need Python 3 to run it. At present, it works only on Unix-based operating systems. To enforce auto-update, you need to install Git on your system.
Types of Brute Force Attacks
There are six key types of brute force attacks, including simple brute force attacks, dictionary attacks, hybrid brute force attacks, reverse brute force attacks, password spraying attacks, and credential stuffing attacks.
Knowing about these different types of attacks can help you better secure company accounts by enforcing strict password policies. Below, we have explained briefly common types of brute force methods.
- Simple Brute Force Attacks: Simple brute force attacks involve guessing actual passwords using combinations of commonly used, weak passwords like 123456789. Though hackers employ brute attack tools to carry out simple brute force attacks, they can also do it manually if the actual passwords are not long or complex.
- Dictionary Attacks: Hackers use a premade list of words and phrases like those found in a dictionary to run against a single username. Dictionary attacks leverage known combinations or words rather than random letters to brute-force a password. For example, sunshine.
- Hyrbrid Attacks: Threat actors combine the elements of both simple brute force attacks and dictionary attacks to carry out hybrid attacks. For example, they can use password12345 or shine098765 to run against a username.
- Reverse Brute Force Attacks: Hackers run reverse brute force attacks to find the usernames of accounts whose passwords they already know. They often scout around various dark web forums that publish leaked data to collect passwords.
- Password Spraying Attacks: In password spraying attacks, threat actors attempt to gain access to multiple user accounts by using a small set of commonly used passwords. They hope that some users have chosen these weak passwords, which could allow the attackers to infiltrate the corporate network. A hacker, for example, targets multiple employee accounts using a single password like “Password123.” If this doesn’t give any success, they will use another password and spray against multiple users.
- Credential Stuffing Attacks: Hackers use stolen credentials to access other accounts, betting that some victims may reuse the same login details. For example, a hacker may get an email and password from a data breach and try them on bank accounts or social media platforms like X or Facebook, hoping the user uses the same credentials elsewhere.
As you can see, using common passwords is the root cause of various types of brute-force attacks. Therefore, you should ensure that everyone in your organization creates strong passwords and stops using common passwords.
How Fast Can a Brute Force Attack Crack a Password?
According to Hive Systems, an 8-character bcrypt hash using numbers, uppercase and lowercase letters, and symbols with 32 iterations can take up to 5 days to crack with an A100 x 10,000 GPU.
The speed at which a brute force attack cracks a password depends on various factors, including password length and complexity and the computational power of a brute forcing machine.
To make your password immune to brute force attacks, you should create complex, at least 18-character long passwords. To add additional layers of security to your company accounts, you can also implement multifactor authentication and an account lockout policy after certain failed login attempts.
Why We Need Penetration Testing Tools
We need penetration testing tools to identify vulnerabilities, simulate real-time attacks to evaluate how an application’s defense performs, and ensure compliance, as many industries, such as finance, require regular security assessments. As penetration testing tools help you identify vulnerabilities that hackers can exploit, they also help you take proactive steps to fix those. So, they improve security posture.
How To Prevent Brute Force Attacks
Weak passwords are easy security holes hackers can crack to cause a network breach. Once inside, they can carry out various malicious activities, such as installing malicious software and stealing data to cause a data breach or reputational damage. So, you should take proactive steps to mitigate brute-force attacks.
The following are key strategies you can implement to mitigate brute force attacks and other password attacks:
- Set Account Lockout Policies: Ensure that accounts are locked after a predefined number of failed login attempts to deter repeated guessing.
- Enforce the Use of Complex Passwords: Instruct users to create at least 18 characters long and strong passwords that combine letters, numbers, and symbols.
- Enable Two-Factor Authentication (2FA): Add an extra layer of security to your company accounts by implementing a second form of verification, such as a text message code.
- Monitor Login Attempts: Track failed login attempts and flag accounts that show unusual activity.
- Introduce Delays: Add random delays between login attempts to slow down automated attacks.
- Limit Login Attempts from an IP Address: Enforce a temporary block on an IP address after a certain number of failed login attempts.
- Use CAPTCHA: Implement CAPTCHAs to distinguish between human users and automated bots during the login process.
- Vary Error Messages: Change error messages for failed login attempts to confuse automated tools.
- Restrict Access by IP Address: Allow users to log in only from specific, trusted IP addresses for added security.
- Use Rate Limiting: Limit the number of login requests per user or IP address over a certain time period to mitigate attacks.
You should also encourage users to follow best practices for password security, such as not reusing passwords and changing them regularly. Using a password manager can make password management easier in an organization.
You can check these best password managers to find the right solution for your organization.
Frequently Asked Questions
A brute force username and password tool is a security tool used by researchers, penetration testers, and hackers to crack username and password combinations through trial-and-error methods.
The most effective way to block brute force attacks is to set an account lockout policy after a certain number of failed login attempts. This prevents hackers from gaining unauthorized access to your company accounts by perpetually brute-forcing passwords. Other methods to significantly lower success rates of brute force attacks include creating complex passwords and enabling multi-factor authentication on all your company accounts.
THC Hydra is an effecinet tool to brute force RDP. It is available on Linus, macOS, and Windows/Cygwin. You can also use it on any device deploying it in the Docker environment. However, using Hydra to brute force RDP other than for testing or educational purposes is a criminal offense.