BruteForceAI, an innovative penetration testing framework developed by Mor David, integrates large language models (LLMs) with browser automation to autonomously identify login forms and conduct sophisticated brute-force attacks.
By combining AI-driven form analysis with evasion techniques and comprehensive logging, BruteForceAI streamlines credential-testing workflows, enabling security teams to uncover weak authentication mechanisms rapidly and efficiently.
At the core of BruteForceAI lies its two-stage process. In Stage 1, the tool leverages an LLM (via Ollama or Groq) to parse HTML content and pinpoint login form elements and selectors with remarkable accuracy up to 95% in real-world tests.
The model examines page structures, input fields, and submission endpoints, automatically generating the precise CSS selectors needed for subsequent exploitation.
Stage 2, the Smart Attack phase, initiates multi-threaded credential testing using the AI-discovered selectors. Users can choose between two modes:
- Brute-Force Mode: Exhaustively cycles through username/password combinations.
- Password-Spray Mode: Tests each password against a set of usernames to reduce lockouts.
Intelligent retry logic incorporates feedback learning and DOM-change detection to validate successful logins, while synchronized delays, jitter, and human-like timing patterns mimic genuine user behavior to evade detection.
BruteForceAI Tool Features
BruteForceAI’s advanced feature set elevates standard brute-force tools with comprehensive evasion and operational capabilities:
| Feature Category | Capabilities |
|---|---|
| Multi-Threading | 1–100+ threads with synchronized delays between attempts |
| Evasion Techniques | Random User-Agent rotation, proxy support, configurable jitter, browser visibility control |
| Notifications & Logs | Real-time webhook alerts (Discord/Slack/Teams/Telegram), SQLite database logging, verbose output |
| Operational Tools | Automatic update checks, network retry mechanism, database cleanup, colored terminal interface |
Webhook integration ensures immediate notification upon credential success, while comprehensive SQLite logging maintains detailed records of every attempt.
BruteForceAI also supports output capture to files and offers a suite of database management commands, including clean-up and schema inspection.
Installation requires Python 3.8+, Playwright browsers, and standard libraries (requests, PyYAML). After cloning the repository from GitHub and running pip install -r requirements.txt, users configure their preferred LLM:
- Local (Ollama): Pull
llama3.2:3borllama3.2:1bfor balanced or speed-optimized analysis. - Cloud (Groq): Authenticate with an API key and select from models such as
llama-3.3-70b-versatile(recommended) or alternatives likegemma2-9b-itfor lightweight tasks.
To analyze targets:
textpython main.py analyze --urls targets.txt --llm-provider ollama --llm-model llama3.2:3b
To execute attacks:
textpython main.py attack --urls targets.txt --usernames users.txt --passwords passwords.txt --threads 20 --delay 5 --jitter 2
Ethical Considerations
BruteForceAI is explicitly designed for authorized penetration testing, security research, and educational purposes; misuse against unauthorized systems is illegal and unethical. Organizations should ensure proper scope and permission before deployment. The author disclaims liability for illicit use.
By automating form detection and enriching brute-force methodology with AI-driven intelligence and evasion, BruteForceAI marks a significant evolution in credential-testing toolsets enabling red teams and security auditors to identify authentication weaknesses with speed and precision.
Tired of Filling Forms for security & Compliance questionnaires? Automate them in minutes with 1up! Start Your Free Trial Now!
Source link
