Brutus is a modern tool for credential auditing and network security testing. It can test passwords on different services, web panels, and Windows login screens directly from Termux on Android, allowing you to explore password security, learn ethical hacking techniques, and practice auditing safely in a controlled environment without needing a computer. Here’s what you can do with Brutus:
- Test password security of different protocols and services.
- Learn ethical hacking and credential auditing techniques.
- Perform brute-force testing in a controlled environment.
- Understand password vulnerabilities in networks and systems.
Installation Commands
Update Termux packages:
pkg update && pkg upgrade -y
Install Go language:
pkg install golang -y
Install Brutus using Go:
go install github.com/praetorian-inc/brutus/cmd/brutus@latest
Add Go binaries to Termux PATH (if not already added):
echo 'export PATH=$PATH:~/go/bin' >> ~/.bashrc
source ~/.bashrc
Check Brutus installation:
brutus -h
Brutus Commands & Subcommands
- creds : Test passwords on SSH, databases, SMB, and other non-HTTP services.
- web : Check login credentials on web panels and HTTP services.
- snmp : Test SNMP community strings on devices.
- badkeys : Check weak or compromised SSH keys.
- logon : Detect Windows login-screen backdoors.
- help : Show help for Brutus commands.
- completion : Generate shell autocompletion for easier use.
Common Flags
- -t, –threads : Set number of threads (default 10).
- -m, –mode : Choose credential tier: default, extended, full.
- –target : Specify a single host:port.
- –targets-file : Use a file with multiple targets.
- -o, –output : Save results in JSON file.
- –rate-limit : Limit requests per second.
- –timeout : Set timeout per target (default 10s).
- –json : Output results in JSON format.
- –quiet : Show only successful logins.
- –verbose : Show detailed progress.
Usage Commands
Test default credentials on SSH, SMB, or databases:
brutus creds --target 192.168.1.10:22 --threads 10 --mode default
Audit HTTP/web panel credentials:
brutus web --targets-file web_targets.txt --threads 5 --mode extended
Test SNMP community strings:
brutus snmp --target 192.168.1.20:161
Check for weak SSH keys:
brutus badkeys --targets-file ssh_targets.txt
Detect Windows logon-screen backdoors:
brutus logon --targets-file windows_targets.txt
Stop Brutus at any time:
Press
CTRL + C
How to use Brutus for Beginners
For someone new to Brutus, here’s a safe way to start testing on your own environment:
- Prepare a local test server
- You can run an SSH server or a simple web panel on your own device or VM.
- Create username and password lists
- Keep small lists for testing, e.g.,
userlist.txtandpasslist.txt.
- Keep small lists for testing, e.g.,
- Run Brutus safely
brutus creds --target 127.0.0.1:22 --threads 5 --mode default
- This will test your local SSH server without affecting anyone else.
- Check results
- Brutus will display successful logins in the terminal or JSON output if you use
-o output.json.
- Brutus will display successful logins in the terminal or JSON output if you use
- Experiment with web panel testing
brutus web --targets-file local_web.txt --threads 5 --mode extended
- Test login forms or HTTP Basic Auth only on your local web panel.
This workflow helps beginners safely learn how Brutus works while avoiding legal issues.
Note: Brutus is intended for educational and ethical hacking purposes only. Using it on unauthorized systems or networks is illegal. Always perform testing on your own systems or in a controlled lab environment.
