Home How To How to Use Bruteforcer – A Client-Server Multithreaded Tool To Crack RAR File Passwords

How to Use Bruteforcer – A Client-Server Multithreaded Tool To Crack RAR File Passwords

by Unallocated Author
BruteForcer is a client-server multithreaded application for bruteforcing RAR file passwords. Actually, this tool is not limited to the RAR files, it is just that the tool comes with a RAR archive plugin. If you have a suitable plugin, it will support any file you want. But unfortunately there are no such plugins, if you find or create one, let me know.
This tool can crack RAR archive passwords faster than any RAR Password Cracker. But you have to use two or more machines to achieve that level of efficiency.
REMEMBER: The more clients connected to the server, the faster the cracking.

How To Use BruteForcer

First, download BruteForcer (BruteForcer_091.7z) onto your computer, then extract the file. Then open the “Server” folder and then run the “BFS.exe” file. You will see a window as shown below.
Click on Tools icon on the window.
Then set the minimum and  maximum password length, include symbols and randomize dictionary if you want. After configuring the dictionary, click on “OK“.

Now enter the name of the file you want to crack (in the main window). If that file is accessible by all clients on a network you can specify the complete path to it. Otherwise, you have to place a copy of the file on each client (just copy the file to the client folder).

Then click on the radar icon, this should start the server.

Now open the client folder and then run BFC.exe. You will see a window as shown below.

Now enter the server IP, port, and username. If the server and the client is running on the same machine, just leave it as default.

If you want to start a dictionary attack, check the “Enable wordlist attack” option and select the dictionary file (English.bfw) and then set the wordlist attack level and priority, and select the plugin (BF_Rar3.bfl), then click on “Connect“.

The wordlist attack operates at 3 different modes:

  • Level 1 – It is fastest and skips most of the combinations. It looks only for complete match with the wordlist. It can be useful only if you know that the password is just a single word.
  • Level 2 – It ignores the symbols that are not letters, and looks for a match with the wordlist. It is useful when you know that the password is a single word, surrounded by numbers or other symbols.
  • Level 3 – It checks if the current combination of symbols contains at least one meaningful word from the wordlist. This is the best mode, i suggest you use it always. The password of the test archive (test.rar) can be found only by this method (or by pure bruteforce of course).

To start a search attack, just select the plugin and set the priority and then click on the “Connect” button. This attack method is more time consuming than the dictionary attack.
Wait for completion…

The password will show up on the server window.

That’s all. I hope you guys liked this article. If you did, please share this article with your friends….

If you have any doubts, feel free to ask me.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid