finds.dev← search

// the find

netxfly/x-crack

★ 1,281 · Go · updated May 2024

x-crack - Weak password scanner, Support: FTP/SSH/SNMP/MSSQL/MYSQL/PostGreSQL/REDIS/ElasticSearch/MONGODB

A credential brute-forcer for common services — FTP, SSH, SNMP, MSSQL, MySQL, PostgreSQL, Redis, Elasticsearch, MongoDB, SMB, Oracle. It was written as a teaching example for a Chinese security development book, not as a standalone tool. If you want to audit your own infrastructure for weak passwords, this covers the usual suspects.

Clean plugin architecture — each service lives in its own file with a corresponding test file, so adding a new target is mechanical. Go is a sensible choice here: goroutine-based concurrency, single static binary, easy cross-compilation. There's a cache layer (models/cache.go) that avoids hammering the same credential pair twice. The fact that it's a teaching artifact means the code is deliberately readable rather than optimized-to-the-bone.

The README is entirely in Chinese with no English content, which cuts out most of its potential audience. It's a book example, not a maintained project — the bundled dictionaries (pass.dic, user.dic) are almost certainly too small for real use and you'll need to BYO wordlist. There's no mention of account-lockout awareness or delay tuning, which means running it against anything with a lockout policy will burn accounts before you get results. No Docker image or install instructions; you have to build from source and figure out the flags yourself.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →