
New BruteForceAI Tool Targets Login Pages with Smart Attacks

A cutting-edge tool has emerged in the penetration testing landscape: BruteForceAI, an advanced framework that leverages Large Language Models (LLMs) to automate and optimize brute-force login attacks.

Developed by cybersecurity researcher Mor David, BruteForceAI sets new standards in form analysis, attack customization, and evasion techniques, combining AI-driven intelligence with robust automation.

Intelligent Multi-Stage Attack Workflow

At the core of BruteForceAI is its two-stage pipeline:

  1. AI-Driven Form Analysis – In Stage 1, an LLM inspects raw HTML to accurately identify login form elements (username, password, submit button), reducing manual selector configuration. Supported providers include local Ollama models (llama3.2:3b, qwen2.5:3b) and cloud-based Groq models (llama-3.3-70b-versatile).
  2. Smart Brute-Force Execution – Stage 2 orchestrates high-velocity attacks using the discovered selectors. Attack modes include classic Brute-force (all username/password combos) and Password Spray (single password across multiple usernames).

This modular approach ensures that even dynamically generated login portals can be targeted with minimal human intervention, while real-time feedback learning refines retries on network or selector failures.

Feature Comparison Table

| Feature | Description | Default Setting |
|---|---|---|
| LLM Provider | Ollama/Groq with model selection | ollama, llama3.2:3b |
| Attack Modes | bruteforce, passwordspray | bruteforce |
| Thread Support | Multi-threaded execution (1–100+ threads) | 1 thread |
| Delay & Jitter | Configurable delays with random jitter | 0s delay, 0s jitter |
| Selector Retry | Automatic retry attempts for failed selectors | 10 retries |
| Webhook Integrations | Discord, Slack, Teams, Telegram | None configured |
| Database Logging | SQLite database logs form analysis and brute-force attempts | bruteforce.db |
| Evasion Techniques | User-Agent rotation, proxy support, human-like timing patterns | Disabled |

The table above highlights BruteForceAI’s key operational parameters, enabling security teams to quickly compare default configurations and adjust tactics based on target environments.
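From the defender's side, the two attack modes and the evasion options described above leave different traces in authentication logs. The detection logic below is an added example, not part of BruteForceAI or the original article; the log format, thresholds and sample lines are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed thresholds; tune to your own baseline
BRUTE_FAILS_PER_USER = 5         # failures against one account inside WINDOW
SPRAY_DISTINCT_USERS = 4         # accounts that each fail only once or twice
SPRAY_MAX_PER_USER = 2

# Constructed sample log: "<iso-time> <src-ip> <user> <OK|FAIL> <user-agent>"
SAMPLE = """\
2025-01-01T09:00:02 203.0.113.10 admin FAIL Mozilla/5.0 (X11; Linux x86_64)
2025-01-01T09:00:41 203.0.113.27 admin FAIL Mozilla/5.0 (Windows NT 10.0)
2025-01-01T09:01:55 198.51.100.4 admin FAIL Mozilla/5.0 (Macintosh)
2025-01-01T09:02:20 203.0.113.10 admin FAIL Mozilla/5.0 (Windows NT 10.0)
2025-01-01T09:03:48 198.51.100.9 admin FAIL Mozilla/5.0 (X11; Linux x86_64)
2025-01-01T09:04:09 203.0.113.27 admin FAIL Mozilla/5.0 (Macintosh)
2025-01-01T10:00:03 198.51.100.4 alice FAIL Mozilla/5.0 (Windows NT 10.0)
2025-01-01T10:01:47 203.0.113.10 bob FAIL Mozilla/5.0 (Macintosh)
2025-01-01T10:03:12 198.51.100.9 carol FAIL Mozilla/5.0 (X11; Linux x86_64)
2025-01-01T10:05:58 203.0.113.27 dave FAIL Mozilla/5.0 (Windows NT 10.0)
2025-01-01T10:07:31 198.51.100.4 erin FAIL Mozilla/5.0 (Macintosh)
2025-01-01T14:00:10 192.0.2.50 frank FAIL Mozilla/5.0 (Windows NT 10.0)
2025-01-01T14:00:25 192.0.2.50 frank OK Mozilla/5.0 (Windows NT 10.0)
""".splitlines()

def parse(line):
    ts, _ip, user, result, _ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, result == "FAIL"

def detect(lines):
    """Classify failed logins per target account, ignoring source IP and
    User-Agent, since both change under proxy and User-Agent rotation."""
    fails = sorted((ts, user) for ts, user, failed in map(parse, lines) if failed)
    found = {"bruteforce": set(), "passwordspray": set()}
    start = 0
    for end, (ts, _) in enumerate(fails):
        # Sliding window: irregular (jittered) spacing inside it still counts.
        while fails[start][0] < ts - WINDOW:
            start += 1
        per_user = Counter(user for _, user in fails[start:end + 1])
        found["bruteforce"] |= {u for u, n in per_user.items() if n >= BRUTE_FAILS_PER_USER}
        low = {u for u, n in per_user.items() if n <= SPRAY_MAX_PER_USER}
        if len(low) >= SPRAY_DISTINCT_USERS:   # many accounts, few tries each
            found["passwordspray"] |= low
    return found

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Counting per target account rather than per source keeps the signal intact when requests arrive through rotating proxies; delays longer than the window need a longer window or a daily aggregate.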

BruteForceAI also integrates comprehensive logging with a timestamped SQLite database, allowing testers to audit every attempt, skip duplicates, and trigger immediate notifications via popular communication platforms.

Colorful terminal output and an optional browser-visible debug mode further improve situational awareness during live engagements.

Mor David emphasizes ethical usage: “BruteForceAI is intended strictly for authorized security assessments, bug bounty programs, and educational research. Unauthorized attacks remain illegal and outside our scope.”


A non-commercial license governs distribution, requiring attribution and prohibiting profit-driven redistribution.

With over 390 stars and 55 forks on GitHub, BruteForceAI has swiftly gained traction among penetration testers seeking to harness AI for more intelligent credential-based attack strategies.

As LLMs continue to evolve, tools like BruteForceAI are poised to redefine red team methodologies by automating tedious reconnaissance steps and focusing human effort on strategic decision-making.

BruteForceAI v1.0.0 is publicly available on GitHub under a non-commercial license. Installation requires Python 3.8+, Playwright browsers, and simple pip dependencies.

Security practitioners can choose between fast local inference (Ollama) or max-quality cloud models (Groq) to tailor performance to mission requirements.


The post New BruteForceAI Tool Targets Login Pages with Smart Attacks appeared first on Cyber Security News.
