Although a brute-force attack may be able to gain access to an account eventually, these attacks can take several hours, days, months, and even years to run. The time to complete an attack depend on the password, the strength of the encryption, how well the attacker knows the target, and the strength of the computer(s) used to conduct the attack.
To help prevent dictionary brute-force attacks many systems only allow a user to make a mistake by entering their username or password three or four times. If the user exceeds these attempts, the system will either lock them out of the system or prevent any future attempts for a set amount of time.
In my opinion, here are the best brute force attack tools list:
  • HydraTHC-Hydra is a very fast (multi-threaded) network logon cracker which supports many different services: afp, cisco, cisco-enable, cvs, firebird, ftp, http-get, http-head, http-proxy, https-get, https-head, httpsform-get, https-form-post, icq, imap, imap-ntlm, ldap2, ldap3, mssql, mysql, ncp, nntp, oracle-listener, pcanywhere, pcnfs, pop3, pop3-ntlm, postgres, rexec, rlogin, rsh, sapr3, sip, smb, smbnt, smtp-auth, smtp-authntlm, snmp, socks5, ssh2, svn, teamspeak, telnet, vmauthd, vnc.
    Download

  • MedusaMedusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing. Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
    Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, MS-SQL, POP3, RDP, SSHv2, among others).
    Download
  • patatorPatator is a multi-purpose brute-forcer, with a modular design and a flexible usage.Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors.Currently it supports the following modules: 
    * ftp_login     : Brute-force FTP
* ssh_login     : Brute-force SSH
* telnet_login  : Brute-force Telnet
* smtp_login    : Brute-force SMTP
* smtp_vrfy     : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt     : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup : Enumerate valid users using Finger
* http_fuzz     : Brute-force HTTP/HTTPS
* ajp_fuzz      : Brute-force AJP
* pop_login     : Brute-force POP
* pop_passd     : Brute-force poppassd (not POP3)
* imap_login    : Brute-force IMAP
* ldap_login    : Brute-force LDAP
* smb_login     : Brute-force SMB
* smb_lookupsid : Brute-force SMB SID-lookup
* rlogin_login  : Brute-force rlogin
* vmauthd_login : Brute-force VMware Authentication Daemon
* mssql_login   : Brute-force MSSQL
* oracle_login  : Brute-force Oracle
* mysql_login   : Brute-force MySQL
* mysql_query   : Brute-force MySQL queries
* rdp_login     : Brute-force RDP (NLA)
* pgsql_login   : Brute-force PostgreSQL
* vnc_login     : Brute-force VNC
* dns_forward   : Brute-force DNS
* dns_reverse   : Brute-force DNS (reverse lookup subnets)
* ike_enum      : Enumerate IKE transforms
* snmp_login    : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass    : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files
* umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes