thc-hydra
thc-hydra thc-hydra is the parallelized login cracker that blasts wordlists against SSH, HTTP forms, or databases, templating modules for custom auth fuzzing with rate controls for stealthy sprays. Configure targets via CLI, feeding user/pass dicts for multi-protocol attacks, and log successes for pivots. Open-source from THC, it's the credential cyclone for pentesters templating brute-force across services without mercy.
Explore →Medusa
Medusa Medusa is the modular brute-forcer for remote services like FTP or RDP, wordlisting creds with threading for speed while supporting SOCKS proxies for evasion in targeted tests. Define modules in XML, run on hosts for parallel logins, and output hits with timestamps for chaining. Open-source from jmk-foofus, it's the service slammer for auditors hammering auth walls systematically.
Explore →Patator
Patator Patator is the flexible brute-forcer with plugins for HTTP, SSH, or SQL logins, templating attacks with wordlists and delays for anti-detection in auth enumeration. Script custom modules in Python, run on endpoints for credential spraying, and parse responses for valid combos. Open-source from lanpano, it's the pattern pounder for pentesters customizing brute campaigns across protocols.
Explore →Crowbar
Crowbar Crowbar is the Kerberos-focused cracker that wordlists tickets and hashes for AD logins, supporting RC4/NTLM modes for offline or online attacks on domain creds. Compile from C, feed dicts via CLI for spraying, and output cracked pairs for escalation. Open-source from mandiant, it's the ticket tamperer for AD pentesters templating golden ticket hunts.
Explore →CeWL
CeWL CeWL is the custom wordlist generator that spiders sites for login-related terms, brute-forcing auth with context-aware dicts from page content for smarter sprays. Run its Ruby CLI on URLs with depth limits, outputting tailored lists for Hydra chains. Open-source from digininja, it's the context crafter for web pentesters building targeted brute wordbooks.
Explore →BruteSpray
BruteSpray BruteSpray is the Nmap-integrated sprayer that parses vuln ports for auth fuzzing, wordlisting logins on SSH/FTP with multi-threaded efficiency for rapid credential hunts. Feed it XML outputs, configure dicts via CLI, and log positives for follow-up. Open-source from x90, it's the port pounder for network pentesters templating brute on discovered services.
Explore →WPForce
WPForce WPForce is the WordPress-specific brute-forcer for user enum and login spraying, leveraging XML-RPC or REST APIs with wordlists for stealthy auth attempts on CMS. Run its Python script with proxies, customizing delays for evasion, and capturing valid combos. Open-source from n00py, it's the WP word warrior for CMS pentesters templating admin access quests.
Explore →RouterSploit
RouterSploit RouterSploit's auth module brute-forces router logins with wordlists, targeting HTTP/HTTPS panels for default creds or weak pass recoveries in device pentests. Explore modules via Python console, running sprays on IPs with custom dicts. Open-source from threat9, it's the router raider for IoT pentesters templating firmware auth cracks.
Explore →cme
CrackMapExec CrackMapExec's spray module wordlists NTLM hashes or logins across AD domains, checking validity without full auth for efficient credential validation in networks. Run via Python on ranges with user/pass files, outputting live hosts for pivots. Open-source from byt3bl33d3r, it's the domain driller for AD pentesters templating mass auth tests.
Explore →bruteforce-wallet