finds.dev← search

// the find

evilsocket/legba

★ 1,908 · Rust · NOASSERTION · updated Jul 2026

The fastest and more comprehensive multiprotocol credentials bruteforcer / password sprayer and enumerator. 🥷

Legba is a credential bruteforcer and password sprayer written in Rust, covering an unusually wide range of protocols — SSH, RDP, HTTP, SMTP, Kerberos, LDAP, a dozen databases, and more. It's aimed at pentesters and red teamers who want one tool instead of five. The async Tokio runtime gives it a genuine performance edge over Python-based equivalents like Hydra.

The protocol breadth is real — 25+ plugins each with their own options, not thin wrappers. The session save/restore system means you can interrupt a long scan without losing progress, which Hydra never bothered with. The YAML recipe system for complex multi-step auth flows is a practical addition that other tools skip entirely. The test-servers directory with Docker setups for each protocol means you can actually validate your flags before pointing it at a target.

GPL3 license is a dealbreaker for anyone embedding this in a commercial product or proprietary engagement toolchain — that's a real constraint worth knowing upfront. The REST API and MCP server surface area feels like scope creep; a bruteforcer with an always-on HTTP API is an interesting attack surface on your own pentest box. The plugin architecture means quality varies — the port scanner sitting alongside credential plugins is an odd fit that suggests the scope isn't fully settled. No built-in proxy rotation or per-target throttling means you will trip account lockout policies on any hardened target without careful manual tuning.

View on GitHub → Homepage ↗

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →