A cutting-edge penetration testing tool called BruteForceAI has arrived, bringing automation and artificial intelligence to the art of login page detection and brute-force attacks.
Designed for security professionals and researchers, BruteForceAI streamlines two critical stages of a login attack: finding login forms and executing credential trials.
Its blend of Large Language Model (LLM) analysis and sophisticated attack features sets it apart from traditional brute-force tools.
In the first stage, BruteForceAI uses an LLM to scan web pages and automatically identify login form elements and selectors. This intelligent form analysis removes the manual effort typically spent inspecting HTML code for username and password fields.
Users simply provide a list of target URLs, and the tool pinpoints the correct form elements in seconds. This AI-driven approach improves accuracy and speeds up the reconnaissance process.
Once forms are detected, BruteForceAI moves into attack mode. It supports two main strategies: a classic brute-force approach that tries all username and password combinations, and a password spray mode that tests each password against all usernames.
Both modes run in a multi-threaded environment, allowing dozens of simultaneous attempts while maintaining human-like delays and random jitter.
This timing variation helps avoid detection by web application firewalls and intrusion prevention systems.
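A detection-side sketch for the two attack modes described above, added here as an example and not taken from BruteForceAI or the original article. It keys on targeted accounts rather than on source address or request rate, since those are what the jitter and rotation features vary; the log format, thresholds and function names are assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <source IP> <username> <OK|FAIL>".
# Six accounts fail once each from rotating sources; gina mistypes once.
SAMPLE_LOG = """\
2025-01-10T09:00:03 203.0.113.10 alice FAIL
2025-01-10T09:01:17 198.51.100.7 bob FAIL
2025-01-10T09:01:58 203.0.113.44 carol FAIL
2025-01-10T09:02:10 192.0.2.25 gina FAIL
2025-01-10T09:02:31 192.0.2.25 gina OK
2025-01-10T09:03:41 198.51.100.7 dave FAIL
2025-01-10T09:04:26 192.0.2.81 erin FAIL
2025-01-10T09:06:02 203.0.113.10 frank FAIL
"""

def parse(log):
    """Return (time, source, user, ok) tuples in chronological order."""
    rows = [line.split() for line in log.strip().splitlines()]
    return sorted((datetime.fromisoformat(t), ip, user, res == "OK")
                  for t, ip, user, res in rows)

def detect(events, window=timedelta(minutes=15), spray_accounts=5,
           brute_failures=10):
    """Flag accounts to review, using failed logins in a sliding window.

    Spray: many distinct accounts failing within the window.
    Brute force: one account failing many times within the window.
    Source IP and timing regularity are deliberately ignored.
    """
    recent = deque()       # (time, user) failures inside the window
    per_user = Counter()   # failure count per account inside the window
    spray, brute = set(), set()
    for when, _source, user, ok in events:
        if ok:
            continue
        recent.append((when, user))
        per_user[user] += 1
        while recent[0][0] < when - window:   # expire old failures
            _, old = recent.popleft()
            per_user[old] -= 1
            if per_user[old] == 0:
                del per_user[old]
        if per_user[user] >= brute_failures:
            brute.add(user)
        if len(per_user) >= spray_accounts:
            spray.update(per_user)
    return {"spray_accounts": spray, "brute_force_accounts": brute}

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

Thresholds need tuning against a site's normal failure rate, and a successful login by any flagged account shortly after the window deserves priority review.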
Key features of BruteForceAI include:
- LLM-Powered Form Analysis: Automatically discovers form fields and selectors using models served through providers such as Ollama and Groq.
- Multi-Threaded Attacks: Scale up to 100+ threads for rapid credential testing without manual coordination.
- Attack Modes: Choose between full brute-force or password-spray modes to optimize testing strategies.
- Evasion Techniques: Randomize User-Agent strings, use proxy rotation, and simulate human-like timing patterns.
- Webhook Notifications: Real-time alerts via Discord, Slack, Microsoft Teams, or Telegram upon successful logins.
- Comprehensive Logging: Detailed SQLite database records every attempt, including timestamps, errors, and successes.
- Configurable Delays & Jitter: Fine-tune pause durations and randomness to blend in with legitimate traffic.
- Automatic Update Checker: Stay current with the latest release using a built-in version check against a central repository.
- Browser Visibility Control: Run attacks headless or with a visible browser for debugging and demonstration purposes.
- Feedback-Based Retries: Intelligent retry logic that learns from previous failures to improve success rates.
Installation is quick and simple:
- Install prerequisites:
  - Python 3.8+
  - Playwright browsers:

        pip install playwright
        playwright install chromium

- Clone and install BruteForceAI:

        git clone https://github.com/MorDavid/BruteForceAI.git
        cd BruteForceAI
        pip install -r requirements.txt

After installation, configure an LLM provider—either local via Ollama or cloud via Groq—and you’re ready to analyze and attack login forms with just two commands.
A clear legal disclaimer reminds users that BruteForceAI is intended strictly for authorized penetration testing and educational purposes.
The non-commercial license enforced on GitHub ensures the tool remains available to security professionals without enabling illicit use.
With its intelligent form analysis, robust feature set, and flexible attack options, BruteForceAI represents the next generation of brute-force tools.
Security teams can accelerate testing workflows, reduce manual overhead, and maintain stealthy operations against modern login pages. BruteForceAI is now available under a non-commercial license on GitHub.