// the find
netxfly/x-crack
x-crack - Weak password scanner, Support: FTP/SSH/SNMP/MSSQL/MYSQL/PostGreSQL/REDIS/ElasticSearch/MONGODB
A credential brute-forcer for common services — FTP, SSH, SNMP, MSSQL, MySQL, PostgreSQL, Redis, Elasticsearch, MongoDB, SMB, Oracle. It was written as a teaching example for a Chinese security development book, not as a standalone tool. If you want to audit your own infrastructure for weak passwords, this covers the usual suspects.
Clean plugin architecture — each service lives in its own file with a corresponding test file, so adding a new target is mechanical. Go is a sensible choice here: goroutine-based concurrency, single static binary, easy cross-compilation. There's a cache layer (models/cache.go) that avoids hammering the same credential pair twice. The fact that it's a teaching artifact means the code is deliberately readable rather than optimized-to-the-bone.
The README is entirely in Chinese with no English content, which cuts out most of its potential audience. It's a book example, not a maintained project — the bundled dictionaries (pass.dic, user.dic) are almost certainly too small for real use and you'll need to BYO wordlist. There's no mention of account-lockout awareness or delay tuning, which means running it against anything with a lockout policy will burn accounts before you get results. No Docker image or install instructions; you have to build from source and figure out the flags yourself.