BruteForceAI is a penetration testing framework developed by Mor David that uses large language models alongside browser automation to autonomously locate login forms and perform credential testing. The tool automates form analysis, selector extraction, and attack orchestration to help red teams and security auditors identify weak authentication mechanisms more quickly. The author positions the project for authorized penetration testing, security research, and education, and disclaims liability for illicit use.
The tool operates in two stages. In Stage 1 an LLM (via Ollama or Groq) parses page HTML to identify login form elements, input fields and submission endpoints, and automatically generates precise CSS selectors. The article reports selector detection accuracy of up to 95 percent in real-world tests. Stage 2, the Smart Attack phase, performs multi-threaded credential testing using the AI-discovered selectors and offers two modes: Brute-Force Mode, which exhaustively cycles username and password combinations, and Password-Spray Mode, which tests passwords across multiple usernames to reduce lockouts. Intelligent retry logic, DOM-change detection and feedback learning help validate successful logins.
BruteForceAI includes a broad evasion and operational feature set: synchronized delays, configurable jitter, random user-agent rotation, proxy support, browser visibility control, and human-like timing patterns to reduce detection. It logs attempts to SQLite, supports real-time webhook notifications to Discord, Slack, Teams and Telegram, and offers output capture, database cleanup and schema inspection tools. Installation requires Python 3.8 or newer, Playwright browsers and standard libraries. After cloning the GitHub repository and installing requirements, users configure an LLM locally with Ollama (for example llama3.2:3b) or in the cloud with Groq (for example llama-3.3-70b-versatile). The article includes command examples for analyze and attack workflows and reiterates that the tool must be used only with proper authorization.
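On the detection side, the two attack modes and the evasion features described above leave different footprints in authentication logs. The sketch below is an added example, not code from the tool or the article: it separates brute-force sources from password-spray sources by counting failures and distinct target accounts per source in a sliding window. The log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back window
MIN_FAILURES = 8                # assumed failures per source before alerting
SPRAY_MIN_USERS = 5             # assumed distinct accounts that indicate a spray

def classify(lines):
    """Map each noisy source to 'brute_force' or 'password_spray'."""
    failures = defaultdict(list)
    for line in lines:
        # Constructed format: timestamp source username outcome user_agent.
        # The user agent is ignored because the tool rotates it per attempt.
        ts, src, user, outcome, _ua = line.split()
        if outcome == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding window: jittered delays change the spacing of attempts,
            # not how many land inside a sufficiently long window.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            if len(window) >= MIN_FAILURES:
                users = {u for _, u in window}
                verdicts[src] = ("password_spray"
                                 if len(users) >= SPRAY_MIN_USERS else "brute_force")
                break
    return verdicts

def sample_log():
    """Constructed events: one brute-force source, one spray source, one typo."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    def row(sec, src, user, outcome, ua):
        return f"{(base + timedelta(seconds=sec)).isoformat()} {src} {user} {outcome} {ua}"
    rows = [row(37 * i + i * i, "198.51.100.10", "admin", "FAIL", f"ua{i % 3}")
            for i in range(10)]   # many passwords, one account
    rows += [row(90 * i, "203.0.113.20", f"user{i}", "FAIL", f"ua{i % 4}")
             for i in range(10)]  # one password, many accounts
    rows += [row(0, "192.0.2.5", "carol", "FAIL", "ua0"),
             row(20, "192.0.2.5", "carol", "OK", "ua0")]  # normal mistyped password
    return rows

if __name__ == "__main__":
    print(classify(sample_log()))
```

Per-account lockout counters see only one failure per user from the spray source, which is why the distinct-account count per source is the signal that matters there.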
