AI-Powered Brute-Force Automation: Inside BruteForceAI

How an LLM-driven workflow streamlines login discovery and credential testing for authorized security assessments
MorDavid

BruteForceAI is an open-source penetration testing utility that applies large language models to the long-standing problem of web login testing, automating selector discovery and accelerating both reconnaissance and credential validation. 

Built with Python and Playwright, it analyzes login forms with an LLM, stores results, and then executes synchronized brute-force or password spray campaigns with human-like timing. The project is maintained by security researcher Mor David.

What problem it solves

Security teams routinely face two time sinks during web assessments: finding the right login form elements and safely testing credentials across multiple targets. BruteForceAI addresses this in two stages. 

First, it uses an LLM to identify the most likely username, password, and submit-button selectors directly from page HTML. 

Second, it coordinates multi-threaded credential attempts while mimicking human behavior with delays, jitter, and randomized User-Agent selection. This reduces manual DOM inspection and improves the repeatability of tests that would otherwise require careful per-site tuning.

Key Features at a Glance

  • LLM-powered form analysis with Ollama or Groq, including retry with feedback; see BruteForceCore.py and README.md.

  • Two-stage flow: selector discovery, then attack execution with brute-force or password spray modes; defined in BruteForceAI.py.

  • Playwright-driven browser automation, headless or visible, with proxy and User-Agent rotation support (Microsoft, 2025).

  • Multi-threaded orchestration with synchronized per-username delays and jitter for human-like pacing.

  • Success heuristics that compare DOM length against a failed reference, plus fallback keyword checks.

  • Comprehensive logging to SQLite, so you can analyze attempts and tune thresholds later (SQLite, 2025).

  • Webhook notifications for Discord, Slack, Teams, and Telegram, triggered only on successful login.

  • Built-in update checks and simple database maintenance via commands.

Why it stood out to me

Two design choices make this repository notable. One, the LLM loop includes validation and retry with feedback when selectors fail, which is more robust than a one-shot guess. 

Two, the tool persists analysis and attempts in SQLite, so runs can be resumed, audited, and tuned over time. Those practical touches - like synchronized per-user delays in multi-threaded mode and webhook notifications for successes - show attention to real assessment workflows.

Under the hood

The command-line interface resides in BruteForceAI.py. It defines subcommands - analyze, attack, clean-db, and check-updates - and delegates the core logic to BruteForceCore.py.

During analysis, Playwright loads the target URL, the tool extracts login-related HTML, and an LLM proposes CSS selectors. Validation happens live in the browser context by attempting to type test values and click the button. If a selector fails, BruteForceAI composes structured feedback and asks the LLM for alternatives, accumulating working selectors across attempts.

For attacks, BruteForceAI retrieves the last successful analysis from SQLite and drives Playwright to submit credentials. It measures the post-submission DOM length and compares it to the reference failed length from the analysis stage. A significant difference suggests a state change such as a redirect or authenticated view. Where that reference is missing, the tool falls back to simple content heuristics. 

Persistence is handled via an on-disk database with two tables, form_analysis and brute_force_attempts, created automatically on first run.

The repo targets Python 3.8+ and relies on requirements.txt for Playwright, Requests, PyYAML, and SQLite bindings. For LLMs, it supports either local models via Ollama (Ollama, 2025) or cloud models via Groq (Groq, 2025), with model defaults that favor quality on Groq and balanced speed locally. 

Update checks fetch a YAML manifest from mordavid.com to report new releases.

How to run it

Always restrict usage to authorized scopes. Review the legal disclaimer and licensing terms before testing any system.

# 1) Install dependencies and browsers
pip install -r requirements.txt
playwright install chromium

# 2) Analyze login forms with a local LLM
python BruteForceAI.py analyze --urls urls.txt --llm-provider ollama --llm-model llama3.2:3b

# 3) Execute a password spray with jitter and 10 threads
python BruteForceAI.py attack \
  --urls urls.txt \
  --usernames users.txt \
  --passwords passwords.txt \
  --mode passwordspray \
  --threads 10 \
  --delay 5 \
  --jitter 2

Use cases

BruteForceAI fits into red team assessments, bug bounty workflows, and security research labs where teams need to test login protections at scale under strict authorization. 

In particular, password spraying helps expose accounts with reused or weak credentials while minimizing lockout events when paired with conservative delays and jitter. The ability to store and reuse selectors accelerates retests and continuous monitoring across a known target list. 
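
The lockout behaviour the paragraph alludes to is worth seeing from the defender's side: a spray tries each account only once per round, so a per-account failure counter never trips, while a counter of distinct accounts failed from one source does. The simulation below is an added example written for this article, not code from BruteForceAI; the account names, IP address and thresholds are constructed.

```python
"""
Added example (not BruteForceAI's code): a toy login policy that models why a
password spray, which tries one password once per account, never reaches a
per-account lockout threshold, and what a per-source distinct-account budget
adds. Account names, IP and thresholds are constructed for this simulation.
"""
from collections import Counter, defaultdict, deque


class LoginPolicy:
    """Per-account lockout plus a per-source sliding-window budget of failed
    attempts against distinct accounts (the signal a spray does produce)."""

    def __init__(self, account_lockout_threshold=5,
                 source_window_seconds=600.0, source_distinct_user_budget=20):
        self.account_lockout_threshold = account_lockout_threshold
        self.source_window_seconds = source_window_seconds
        self.source_distinct_user_budget = source_distinct_user_budget
        self._account_failures = defaultdict(int)
        self._locked_accounts = set()
        self._source_failures = defaultdict(deque)  # ip -> deque of (ts, user)
        self._throttled_sources = set()

    def evaluate(self, ts, source_ip, username, password_correct):
        """Return "success", "failure", "locked" or "throttled" for one attempt."""
        if username in self._locked_accounts:
            return "locked"
        if source_ip in self._throttled_sources:
            return "throttled"
        if password_correct:
            return "success"
        # Per-account counter: a spray touches each account once, so this
        # never reaches the threshold, while a single-account brute force does.
        self._account_failures[username] += 1
        if self._account_failures[username] >= self.account_lockout_threshold:
            self._locked_accounts.add(username)
        # Per-source counter over distinct accounts within a sliding window.
        window = self._source_failures[source_ip]
        window.append((ts, username))
        while window and ts - window[0][0] > self.source_window_seconds:
            window.popleft()
        if len({user for _, user in window}) >= self.source_distinct_user_budget:
            self._throttled_sources.add(source_ip)
        return "failure"


def simulate(policy, attempts):
    """Feed (ts, ip, user, correct) tuples through the policy; return outcome counts."""
    return dict(Counter(policy.evaluate(*attempt) for attempt in attempts))


def brute_force_attempts(n=30, user="alice", ip="203.0.113.10"):
    """Constructed: one account, n wrong passwords, one second apart."""
    return [(float(i), ip, user, False) for i in range(n)]


def spray_attempts(n_users=30, ip="203.0.113.10", delay=5.0):
    """Constructed: one wrong password tried once against each of n_users accounts."""
    return [(i * delay, ip, f"user{i:02d}", False) for i in range(n_users)]


if __name__ == "__main__":
    print("brute force, account lockout + source budget:",
          simulate(LoginPolicy(), brute_force_attempts()))
    print("spray, account lockout only:",
          simulate(LoginPolicy(source_distinct_user_budget=10**9), spray_attempts()))
    print("spray, account lockout + source budget:",
          simulate(LoginPolicy(), spray_attempts()))
```

With only account lockout configured, all thirty spray attempts are evaluated and none triggers a lock; adding the per-source budget throttles the source after twenty distinct accounts, while the single-account brute force is stopped by the lockout after five failures either way.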

For defenders, the same tool can be repurposed in a lab to verify that rate-limits, lockout thresholds, login banners, or CAPTCHA challenges behave as expected under realistic conditions; see OWASP's summary of password spraying to understand the defensive context (OWASP, 2024).
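
To make the defensive context concrete, here is detection logic for the pattern this post describes: many distinct accounts failing from one source inside a window, with several User-Agents in rotation. It is an added example written for this article, not code from BruteForceAI or any SIEM; the key=value log format and every log line are constructed, and the thresholds are assumptions a team would tune against its own traffic.

```python
"""
Added example (not BruteForceAI's code): detection logic for the behaviour the
post describes, a spray that fans one password out across many accounts from
one source while rotating User-Agents. The log format and every line below are
constructed for this example and are not output of any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authentication log: one benign user mistyping then succeeding,
# then one source cycling through eight accounts with three User-Agents,
# paced roughly five seconds apart.
SAMPLE_LOG = """\
2025-09-12T10:00:00Z ip=198.51.100.7 user=alice result=fail ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
2025-09-12T10:00:05Z ip=203.0.113.10 user=abrown result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-09-12T10:00:09Z ip=198.51.100.7 user=alice result=success ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
2025-09-12T10:00:11Z ip=203.0.113.10 user=bchen result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
2025-09-12T10:00:16Z ip=203.0.113.10 user=cdiaz result=fail ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
2025-09-12T10:00:22Z ip=203.0.113.10 user=dkim result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-09-12T10:00:27Z ip=203.0.113.10 user=elopez result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
2025-09-12T10:00:33Z ip=203.0.113.10 user=fnguyen result=fail ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
2025-09-12T10:00:38Z ip=203.0.113.10 user=gpatel result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-09-12T10:00:44Z ip=203.0.113.10 user=hsmith result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed key=value format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "result": m["result"], "ua": m["ua"]})
    return events


def detect_password_spray(events, window_seconds=600, min_distinct_users=5):
    """Flag a source IP whose failures within a sliding window touch at least
    min_distinct_users distinct accounts. A per-account failure counter would
    see one failure per account here and stay silent. One alert per source,
    describing the window with the most distinct accounts."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures_by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in failures_by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_count, start = None, 0, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            distinct = len({e["user"] for e in window})
            if distinct >= min_distinct_users and distinct > best_count:
                best, best_count = window, distinct
        if best is not None:
            alerts.append({
                "ip": ip,
                "distinct_users": best_count,
                # several User-Agents from one IP in one window is the rotation signal
                "user_agents": len({e["ua"] for e in best}),
                "first_seen": best[0]["ts"].isoformat(),
                "last_seen": best[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample above the benign source produces no alert (one failure, then a success), while 203.0.113.10 is flagged with eight distinct accounts and three User-Agents inside 39 seconds. Keying the window on source IP is the simplest form; the same logic applied per ASN or per session cookie catches a spray that is spread across addresses.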

For a higher-level narrative of how these capabilities streamline real work, see this overview, which echoes the two-stage flow and practical ergonomics, including multi-threading, evasion tactics, and webhook integration (Berkowitz, 2025).

Community and contribution

At the time of writing, there are no open issues in the repository and development is concentrated in the two main modules. Contributions typically start with reviewing the README.md to match style and usage patterns, exploring BruteForceCore.py for extension points like selector validation, or proposing new detection heuristics. Given the sensitivity of the domain, contributors should add clear safety checks and reinforce legal disclaimers in help text and documentation.

License and responsible use

The project ships under a Non-Commercial license. Personal, educational, research, and authorized testing are allowed; commercial use is prohibited without written permission, and attribution is required. There is no warranty, and users are responsible for legal compliance. Refer to LICENSE.md for exact terms.

About the author

BruteForceAI is built by Mor David, a security expert and team lead focused on offensive security and AI-enabled tooling. His background spans red teaming, web and cloud assessments, and building automation that blends traditional tradecraft with modern ML. Learn more on his website and profiles (Mor David, 2025).

Impact and what comes next

Credential testing remains a high-friction step in many assessments, often bottlenecked by site-specific DOM quirks and manual retries. BruteForceAI turns those rough edges into a data-driven loop: discover, validate, log, and iterate. 

It is not a replacement for authorization, situational awareness, or careful rate management, but it does raise the floor on repeatability and speed. Future enhancements could include pluggable success detectors, richer anti-automation evasion (within ethical bounds), and formal test suites that simulate more web frameworks to harden selector discovery.

Explore the code

Dive into the repository and start with these files: README.md, BruteForceAI.py, BruteForceCore.py, and LICENSE.md. If you use Groq or Ollama models, review provider docs for configuration specifics (Groq, 2025; Ollama, 2025), and see Playwright's documentation for browser automation details (Microsoft, 2025).

Joshua Berkowitz, September 12, 2025