nikit0s/brutus
1
0
Fork 0
mirror of https://github.com/praetorian-inc/brutus.git synced 2026-06-20 09:27:34 +00:00
Code Issues Projects Releases Packages Wiki Activity
Page: LLM Analyzers
Pages
Architecture Bad Keys Configuration Home LLM Analyzers Pipeline Integration Plugins Wordlists and Defaults
1 LLM Analyzers
nsportsman edited this page 2026-02-12 14:17:42 -06:00
Table of Contents

LLM Analyzers

Navigation: Home | Plugins | Bad Keys | Wordlists and Defaults | Configuration | Pipeline Integration | Architecture

Overview

Brutus can optionally use LLM-powered banner analysis to suggest service-specific default credentials for HTTP services. When a non-standard service banner is detected, Brutus sends the sanitized banner to an LLM, which identifies the application (e.g., Grafana, Jenkins, Tomcat) and returns vendor-specific default passwords.

LLM analysis is only available for HTTP-based protocols: http, https, couchdb, elasticsearch, influxdb.

Analyzer Reference

Analyzer Provider Default Model API Format Cost Estimate
claude Anthropic claude-3-haiku-20240307 Anthropic Messages API ~$0.36/1000 scans
deepseek DeepSeek deepseek-chat OpenAI-compatible ~$0.04/1000 scans

How It Works

Banner Analysis Flow

1. Connect to HTTP target with dummy credential
2. Capture HTTP response (headers + body)
3. Build banner from Server, X-Powered-By, WWW-Authenticate headers + body identifiers
4. Check if banner matches known standard patterns
5. If non-standard: sanitize banner and send to LLM
6. LLM returns JSON array of suggested passwords (max 4)
7. Validate suggestions (length <= 32, character whitelist)
8. Test LLM suggestions first (priority)
9. Fall back to default wordlist

Standard Banner Detection

Known standard banners are skipped to avoid unnecessary LLM API calls:

Protocol Standard Patterns
ssh SSH-2.0-OpenSSH, SSH-2.0-libssh, SSH-2.0-dropbear
telnet Ubuntu, Debian, Linux, FreeBSD
ftp 220 ProFTPD, 220 (vsFTPd, 220-FileZilla, 220 Pure-FTPd
mysql MySQL 5., MySQL 8., MariaDB 10., Percona Server
snmp Linux, Cisco IOS, Windows, net-snmp, HP ETHERNET

HTTP protocols always trigger LLM analysis because they have application-specific banners that benefit from intelligent credential suggestion.

Security Measures

Banner Sanitization

Before sending to the LLM, banners are sanitized to prevent prompt injection:

  1. Null byte removal -- strips \x00 characters
  2. ANSI escape removal -- strips \x1b[...m sequences
  3. Triple quote removal -- prevents prompt escape via """
  4. Length limiting -- truncated to 500 characters maximum

Output Validation

LLM-suggested passwords are validated before use:

  1. Non-empty -- empty strings rejected
  2. Length limit -- maximum 32 characters
  3. Character whitelist -- only a-zA-Z0-9!@#$%^&*()-_=+[]{}
  4. Count limit -- maximum 4 suggestions per analysis

Analyzer Implementations

claude

Uses the Anthropic Messages API with the claude-3-haiku model (cost-optimized).

  • Endpoint: https://api.anthropic.com/v1/messages
  • Auth header: x-api-key
  • Max tokens: 100 (short JSON response)
  • Timeout: 30 seconds
  • Response parsing: Direct JSON unmarshal from content[0].text

deepseek

Uses the DeepSeek API with OpenAI-compatible format.

  • Endpoint: https://api.deepseek.com/v1/chat/completions
  • Auth header: Authorization: Bearer <key>
  • Default model: deepseek-chat
  • Timeout: 30 seconds
  • Response parsing: Regex extraction of JSON array from response (handles extra text around JSON)
  • Custom endpoint support: Configurable BaseURL for self-hosted or proxy deployments

Analyzer Registration

Analyzers register themselves via RegisterAnalyzer in their init() functions:

// claude/claude.go
func init() {
    brutus.RegisterAnalyzer("claude", func(cfg *brutus.LLMConfig) brutus.BannerAnalyzer {
        return &Client{APIKey: cfg.APIKey, Model: cfg.Model}
    })
}

// deepseek/deepseek.go
func init() {
    brutus.RegisterAnalyzer("deepseek", func(cfg *brutus.LLMConfig) brutus.BannerAnalyzer {
        return &Client{APIKey: cfg.APIKey, Model: cfg.Model}
    })
}

Usage

CLI

# Explicit provider selection
brutus -target 192.168.1.100:80 -protocol http --defaults --llm deepseek

# With explicit API key
brutus -target 192.168.1.100:80 -protocol http --defaults --llm claude --llm-key sk-ant-...

# Auto-detection from environment variables
export ANTHROPIC_API_KEY="sk-ant-..."
brutus -target 192.168.1.100:80 -protocol http --defaults

Auto-Detection Priority

When no --llm flag is specified:

  1. ANTHROPIC_API_KEY -> uses claude provider
  2. DEEPSEEK_API_KEY -> uses deepseek provider
  3. Neither set -> LLM disabled (default wordlist only)

Library API

config := &brutus.Config{
    Target:    "192.168.1.100:80",
    Protocol:  "http",
    Usernames: []string{"admin"},
    Passwords: []string{"admin", "password"},
    LLMConfig: &brutus.LLMConfig{
        Enabled:  true,
        Provider: "deepseek",
        APIKey:   os.Getenv("DEEPSEEK_API_KEY"),
    },
}
results, err := brutus.Brute(config)

Result Tracking

Results include LLM attribution:

type Result struct {
    // ...
    LLMSuggested      bool     // Was this credential suggested by LLM?
    LLMSuggestedCreds []string // All LLM suggestions for this service
}

AI Provider Disclaimer

The DeepSeek integration is provided as a cost-effective option for hobbyists, bug bounty hunters, and independent security researchers. Praetorian does not use DeepSeek's cloud platform in any production services or customer engagements.

Custom providers (OpenAI, Azure OpenAI, Ollama, vLLM, etc.) can be added via the plugin-based analyzer architecture. See Architecture for implementation guidance.

Navigation: Home | Plugins | Bad Keys | Wordlists and Defaults | Configuration | Pipeline Integration | Architecture