Brutus: Praetorian's Zero-Dependency Credential Testing Tool Takes Aim at Hydra
A modern, single-binary alternative to THC Hydra and Medusa written in pure Go. Supports 23 protocols, embeds known-bad SSH keys, and pipes directly into fingerprintx/naabu reconnaissance workflows.
Fast, zero-dependency credential testing tool in Go. Brute force SSH, MySQL, PostgreSQL, Redis, MongoDB, SMB, and 20+ protocols. Hydra alternative with native fingerprintx/naabu pipeline integration.
Praetorian, the offensive security firm behind tools like fingerprintx, Gato-X, and the Chariot attack surface management platform, has open-sourced Brutus, a multi-protocol credential testing tool written in pure Go. The tool was authored by Adam Crosser, a Staff Security Engineer on Praetorian's red team, and was built to solve a problem every pentester knows: credential testing at scale is tedious with the current tooling.
Tools like THC Hydra and Medusa have been the go-to options for years, but they come with friction. Complex dependency chains that break across platforms, compilation headaches on jump boxes, inconsistent output formats, and zero native integration with modern JSON-based recon pipelines. Brutus addresses all of this by shipping as a single binary with no external dependencies.
// What Is Brutus?
Brutus is a credential testing tool that supports 23 protocols out of the box: SSH, MySQL, PostgreSQL, MSSQL, Redis, MongoDB, SMB, LDAP, WinRM, SNMP, HTTP Basic Auth, and more. It's designed around a library-first architecture, meaning you can import it directly into your own Go security tools without shelling out to external processes.
The core workflow is straightforward: you feed Brutus a target, a protocol, and credentials, and it tells you what works. Where it gets interesting is how it fits into modern offensive pipelines. Brutus natively consumes JSON output from Praetorian's fingerprintx (service identification) and naabu (port scanning) tools, allowing operators to chain an entire network credential audit into a single pipeline.
// Key Features
// Supported Protocols
| Category | Protocols |
|---|---|
| Remote Access | SSH, WinRM, Telnet, VNC |
| Databases | MySQL, PostgreSQL, MSSQL, Redis, MongoDB, Cassandra, Oracle |
| Directory / Auth | LDAP, SNMP, HTTP Basic Auth |
| File Sharing | SMB, FTP |
| Web | HTTP Basic Auth, HTTP Form (experimental via AI) |
RDP is notably absent. According to Praetorian, the team built an RDP implementation using Rust FFI but pulled it because it wasn't reliable enough to ship. They chose to maintain the core promise that everything in the tool works correctly rather than ship a broken protocol. RDP support with NLA detection and Sticky Keys backdoor testing remains the top priority on the roadmap.
// Embedded SSH Bad Keys
One of Brutus's most practical features is the embedded SSH bad key testing. The binary carries known-compromised SSH key collections from the Rapid7 ssh-badkeys repository and HashiCorp Vagrant, compiled directly in with no external key files to manage.
When Brutus encounters an SSH service, it automatically tests every embedded bad key against the target. Each key is paired with its expected default username: root for F5 BIG-IP, vagrant for Vagrant boxes, mateidu for Ceragon FibeAir, and so on. Vendor coverage includes F5 BIG-IP, ExaGrid, Barracuda, Ceragon, and Array Networks, among others.
// Experimental AI Features
Brutus includes two experimental AI-powered features that tackle a problem with no good automated solution: unidentified web admin panels.
LLM-based credential suggestion. When Brutus encounters an HTTP service, it captures the response data (headers, page content, server signatures) and sends it to an LLM for analysis. The model identifies the application (Grafana, Jenkins, Tomcat, a Cisco management interface, etc.) and suggests vendor-specific default credentials. These are tested first, with Brutus falling back to generic wordlists if they don't succeed.
Vision-based admin panel testing. Using Claude's vision capabilities paired with headless Chrome, Brutus renders login pages, uses AI vision to identify the appliance or application, researches likely default credentials, then controls the browser to fill in the login form and test them. This approach handles JavaScript-rendered forms, CSRF tokens, and multi-step logins, all the things that break traditional form-filling tools.
Both features are experimental and depend on external API services.
// Pipeline Usage
The core value proposition is how Brutus fits into existing offensive workflows. A full network credential audit can be expressed as a single pipeline:
Installation is a single command via go install or a direct binary download for Linux, macOS (Intel and Apple Silicon), and Windows. No compilation required.
// About the Name
Praetorian typically names their tools after Roman emperors (Trajan, Augustus, etc.). Brutus breaks that convention because Marcus Junius Brutus was never an emperor. As Praetorian puts it: Brutus doesn't build empires; it tests whether the ones you've built will let a stranger walk right through the front door.
// Bottom Line
Brutus fills a real gap in the offensive security toolkit. Legacy credential testing tools have lagged behind the rest of the modern pentest workflow, and a zero-dependency, pipeline-native alternative from a team that uses it on real engagements is a welcome addition. The embedded SSH bad key testing alone makes it worth adding to your toolkit, and the experimental AI features hint at where credential testing is headed.
The tool is open source under the Apache-2.0 license. Praetorian is actively seeking community contributions, particularly additional SSH bad keys from appliances and vendor products encountered in the wild.
