To brute force my all private keys an attacker should have both key master public key + a private key?
Correct. An attacker would need access to both.
You should obviously never purposefully share any of your private keys, but people will often export their master public key to either create watch only wallets, or to import in to some services to generate a new receiving address each time. Should you accidentally leak a single private key from this wallet, the combination of one private key and the master public key is enough to derive all the private keys in that wallet.
If an attacker knows one of my private keys there is any chance that he could bruit force my other private keys?
Not without also having your master public key.
A slightly more technical explanation follows. Let:
k = private key
K = public key
c = chain code
i = index
n = order of the secp256k1 curve
The steps for calculating an unhardened child key are
Calculate HMAC-SHA512(K
parent, c
parent, i)
Take the left 256 bits of the result, and add to k
parent (modulo n)
In simple English, this means to calculate a child private key, you first concatenate (join together) the parent public key, the parent chain code and the address index, hash the result, take the left 256 bits of the result, and add it to the parent private key.
We can simplify that equation to essentially the following:
Child private key = Hash calculation + Parent private key
In this scenario, an attacker knows a child private key, and can work out the "Hash calculation" from the master public key (which includes the parent public key and the parent chain code; the index can be brute forced). The only thing he doesn't know is the parent private key. So he rearranges the equation to:
Parent private key = Child private key - Hash calculation
Once he knows the parent private key, it is trivial to calculate every child private key in your wallet.