Modular credential spraying tool
for authorized security testing
Give it targets and credentials. It scans ports, detects services, discovers domains, and tests authentication across everything it finds.
Every protocol uses a native Python library — impacket, paramiko, pymysql, redis-py. No shelling out to CLI tools. Faster execution, richer errors.
Automatic nmap port and service scanning on all targets. Detected ports are mapped to the correct module. Domains discovered via SMB.
3 consecutive timeouts skip that endpoint. 5 total timeouts on a host skip the entire host. No wasted time on dead targets.
NT hash support across SMB, RDP, WinRM, MSSQL, LDAP, and Kerberos. Mix passwords and hashes freely in credential files.
--verify runs post-auth commands — list SMB shares, whoami over WinRM, query database versions, fetch Redis info.
Per-service timeout multipliers. RDP gets 3x, WinRM/Kerberos get 2x the base timeout. Slow protocols get enough time without penalizing fast ones.
Native library modules plus optional NetExec wrappers. Use --nxc to swap. Both share the same interface.
Full Mocha palette — gradient ASCII banner, color-coded status, Rich tables with semantic styling. Your terminal never looked better.
Every module is a native Python implementation. No external tool dependencies for core functionality.
Each protocol is an independent module with a two-method interface. The engine handles concurrency, adaptive skipping, and result collection.
ModuleRegistry discovers modules via pkgutil.iter_modules(). Drop a file in modules/ and it's available instantly. No wiring needed.
ThreadPoolExecutor with configurable concurrency. Per-service timeout multipliers, hard timeout safety nets, and adaptive endpoint skipping.
Every module implements test_credential() for authentication and optionally verify_access() for proof-of-access. Clean separation of concerns.
Nmap XML import, CIDR expansion, port-to-service mapping, automatic domain discovery via SMB, and mixed password/hash credential files.
From single targets to entire subnets. Passwords, hashes, or mixed credential files. Rapids adapts to what you throw at it.
Clone, install, spray. No build step, no configuration files, no Docker.
Rapids auto-scans targets with nmap to discover open ports and services, then maps each port to the correct protocol module. No manual service specification needed.
Domains are discovered automatically via SMB on hosts with port 445 open. Use -d to set a domain manually, or --no-auto-domain to disable discovery.
Use --verify to execute proof-of-access commands after each successful login — list shares, run whoami, query database versions.