thc-hydra
thc-hydra thc-hydra is the multi-protocol credential stuffer that sprays wordlists against HTTP forms, SSH, or RDP for rapid login validation across services with threading for scale. Configure modules via CLI, feeding breached lists for targeted attempts, and log hits for pivots without lockouts. Open-source from THC, it's the spray specialist for pentesters templating mass auth tests ethically.
Explore →Patator
Patator Patator is the modular stuffer with plugins for HTTP/SOAP logins, wordlisting combos from breaches against APIs or forms with anti-detection delays and response parsing. Define attacks in CLI with dicts, running parallel sessions for efficiency on valid creds. Open-source from lanpano, it's the plugin powerhouse for researchers customizing stuffing workflows.
Explore →Medusa
Medusa Medusa is the threaded credential tester for FTP, HTTP, and SNMP, stuffing lists against remote services with proxy support for distributed evasion in large-scale validations. Set modules in XML, launch on hosts with user/pass files, and capture successes for follow-up chains. Open-source from jmk-foofus, it's the service sprayer for network pentesters templating multi-protocol blasts.
Explore →CrackMapExec
CrackMapExec CrackMapExec's spray module stuffs NTLM hashes or creds across AD domains, validating without full logons for efficient breach list testing in enterprise hunts. Run Python CLI on ranges with --users and --passwords, outputting live hosts with hashes. Open-source from byt3bl33d3r, it's the domain driller for AD pentesters templating credential validation at scale.
Explore →WPScan
WPScan WPScan's brute module stuffs user/pass lists against WordPress logins via XML-RPC or REST, detecting weak creds with rate limiting for stealthy CMS enumeration. Configure via Ruby CLI with --usernames and --passwords, logging valid combos for escalation. Open-source from wpscanteam, it's the WP word warrior for CMS pentesters templating auth sprays on blogs.
Explore →BruteSpray
BruteSpray BruteSpray parses Nmap XML for open ports, stuffing creds against SSH/FTP services with wordlists for automated validation in recon-to-exploit chains. Feed it scan results via CLI, customizing dicts for targeted sprays. Open-source from x90skqpb09, it's the port pounder for network pentesters templating brute on discovered auth doors.
Explore →CredStuffer
CredStuffer CredStuffer is the Python credential stuffer for web forms, spraying breached lists against login pages with proxy rotation and CAPTCHA bypass hooks for persistent attempts. Script custom targets in config, run sessions for hit logs with timestamps. Open-source from m4ll0k, it's the form filler for web pentesters templating stuffing on e-commerce or portals.
Explore →Sn1per
Sn1per Sn1per's auth modules stuff creds against web panels and services discovered in recon, integrating Hydra for automated login validation in full-scope pentests. Configure profiles via bash, running on domains for combined enum and brute. Open-source from 1N3, it's the recon raider for pentesters templating credential tests post-discovery.
Explore →WPForce
WPForce WPForce is the WordPress brute-forcer that stuffs user lists against XML-RPC or wp-json for login enum and validation, detecting valid accounts with minimal noise. Run its Python CLI with dicts and proxies, outputting confirmed creds for follow-up. Open-source from n00py, it's the WP whisperer for CMS pentesters templating targeted auth probes.
Explore →custom-stuffer