Modular credential spraying tool for authorized security testing.
Sprays credentials across 28 protocols simultaneously using native Python libraries. Point it at a network, give it credentials, and it automatically scans ports, detects services, discovers domains, and tests authentication across everything it finds. No external tool dependencies for core functionality.
Authorization Required: Designed exclusively for authorized security testing with explicit written permission.
```bash
git clone https://github.com/Real-Fruit-Snacks/Rapids.git
cd Rapids
pipx install -e .
```

```bash
# Auto-scan ports, discover domain, test all detected services
rapids -t 192.168.1.0/24 -u admin -p 'Password123'
# Multiple credentials from file
rapids -t 10.10.10.50 -C creds.txt
# Spray with proof-of-access verification
rapids -t 192.168.1.100 -u admin -p 'Pass123' --verify
# Show connect commands for valid creds (ssh, evil-winrm, impacket, etc.)
rapids -t 10.10.10.50 -C creds.txt --commands
# Pass-the-hash with NT hash
rapids -t 10.10.10.50 -u administrator -p ':aad3b435b51404eeaad3b435b51404ee'
# Dry run -- preview what would be tested
rapids -t 192.168.1.0/24 -C creds.txt --dry-run
```

Requires Python 3.10+ and nmap for auto-scanning. NetExec optional for `--nxc` mode.
Every protocol is implemented with a native Python library -- impacket for SMB/MSSQL/Kerberos, paramiko for SSH, pywinrm for WinRM, pymysql/psycopg2/redis for databases. No shelling out to CLI tools means faster execution and richer error handling.
```bash
rapids -t 10.0.0.5 -u admin -p pass -s smb,ssh,rdp
rapids -t 10.0.0.5 -u admin -p pass --nxc # Swap to NetExec modules
```

Point Rapids at IP addresses and it runs an nmap service scan automatically. Detected ports are mapped to the correct module, domains are discovered via SMB, and HTTP services on different ports are kept separate (no deduplication across web apps).
Scan results are cached in .rapids/scans/ so subsequent runs against the same hosts skip the nmap scan entirely. Use --rescan to force a fresh scan when the target environment has changed.
```bash
rapids -t 10.0.0.0/24 -u admin -p pass1 # scans and caches
rapids -t 10.0.0.0/24 -u admin -p pass2 # uses cached scan
rapids -t 10.0.0.0/24 -u admin -p pass3 --rescan # forces fresh scan
```

Rapids tracks timeouts per endpoint and per host. After 3 consecutive timeouts on a port, that endpoint is skipped. After 5 total timeouts across all ports on a host, the entire host is marked unreachable.
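
The skip thresholds described above, as an added sketch that is not Rapids' own engine code. The class and function names are hypothetical, the sample events are constructed, and resetting the consecutive counter on any non-timeout response is an assumption drawn from the word "consecutive".

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

ENDPOINT_CONSECUTIVE_LIMIT = 3  # README: 3 consecutive timeouts on a port
HOST_TOTAL_LIMIT = 5            # README: 5 total timeouts across a host


@dataclass
class TimeoutTracker:
    """Hypothetical tracker; names are illustrative, not taken from Rapids."""
    consecutive: dict = field(default_factory=lambda: defaultdict(int))
    host_total: dict = field(default_factory=lambda: defaultdict(int))

    def record(self, host: str, port: int, timed_out: bool) -> None:
        if timed_out:
            self.consecutive[(host, port)] += 1
            self.host_total[host] += 1  # host total never resets
        else:
            # Assumption: any non-timeout response breaks the consecutive run.
            self.consecutive[(host, port)] = 0

    def should_skip(self, host: str, port: int) -> Optional[str]:
        """Return the reason to skip this endpoint, or None to keep going."""
        if self.host_total[host] >= HOST_TOTAL_LIMIT:
            return "host-unreachable"
        if self.consecutive[(host, port)] >= ENDPOINT_CONSECUTIVE_LIMIT:
            return "endpoint-skipped"
        return None


def replay(events):
    """Replay (host, port, timed_out) events; return final decision per endpoint."""
    tracker = TimeoutTracker()
    for host, port, timed_out in events:
        if tracker.should_skip(host, port) is None:  # skipped endpoints see no traffic
            tracker.record(host, port, timed_out)
    return {(h, p): tracker.should_skip(h, p) for h, p, _ in events}


# Constructed sample events (documentation addresses, not real scan data).
SAMPLE = [
    ("192.0.2.10", 3389, True), ("192.0.2.10", 3389, True), ("192.0.2.10", 3389, True),
    ("192.0.2.10", 22, True), ("192.0.2.10", 22, False),
    ("192.0.2.20", 445, True), ("192.0.2.20", 22, True), ("192.0.2.20", 5985, True),
    ("192.0.2.20", 3306, True), ("192.0.2.20", 5432, True), ("192.0.2.20", 6379, True),
]
```

On the sample, port 3389 on the first host is skipped while port 22 stays active, and every port on the second host is marked unreachable once five different ports have each timed out once.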
Use --commands to get copy-pasteable connect commands for every valid credential. Supports pass-the-hash variants for SMB, WinRM, RDP, MSSQL, WMI, and Kerberos.
```bash
rapids -t 10.10.10.50 -C creds.txt --commands
# Output:
# Connect Commands
# # admin@10.10.10.50 (ssh, smb)
# ssh admin@10.10.10.50 -p 22
# impacket-smbexec CORP/admin:'Password1'@10.10.10.50
# impacket-psexec CORP/admin:'Password1'@10.10.10.50
```

Use --verify to execute proof-of-access commands after successful authentication -- list SMB shares, run whoami over WinRM, query database versions, fetch Redis server info.
Pass-the-hash across SMB, RDP, WinRM, MSSQL, LDAP, and Kerberos. Credentials can be passwords or NT hashes (prefixed with :). Hash and password credentials can be mixed freely in credential files.
Each supported protocol has a native library module and an optional NetExec wrapper. Use --nxc to swap to NetExec-backed modules for protocols where nxc provides better compatibility.
RDP and WinRM connections are inherently slower than SSH or SMB. Rapids automatically applies timeout multipliers -- 3x for RDP, 2x for WinRM/Kerberos -- so slow protocols get enough time without penalizing fast ones.
Use --mask-creds to hide passwords in all output for safe screen sharing during live engagements.
```
rapids/
  rapids.py            # CLI entry point (Click)
  core/
    engine.py          # SprayEngine -- ThreadPoolExecutor, adaptive skip
    models.py          # Target, Credential, SprayResult dataclasses
    input_parser.py    # Target/credential parsing, nmap XML, port scanning
    output.py          # Rich tables, banner, summary, JSON export
    theme.py           # Catppuccin Mocha color palette
  modules/
    base.py            # ServiceModule abstract base class
    nxc_base.py        # NxcModule base (NetExec wrapper)
    smb.py             # impacket SMBConnection
    ssh.py             # paramiko
    rdp.py             # xfreerdp + nxc fallback + impacket CredSSP
    winrm_mod.py       # pywinrm (NTLM)
    mssql.py           # impacket TDS
    mysql.py           # pymysql
    postgres.py        # psycopg2
    ldap_mod.py        # ldap3
    kerberos_mod.py    # impacket getTGT
    ...                # + 18 more native modules
    nxc_smb.py         # NXC wrapper modules (9 total)
    ...
```

Each module implements test_credential() for authentication and verify_access() for proof-of-access. The spray engine handles concurrency via ThreadPoolExecutor (10 threads default), adaptive skipping, and result collection.
| Layer | Technology |
|---|---|
| Language | Python 3.10+ |
| CLI | Click |
| AD protocols | impacket (SMB, MSSQL, Kerberos, RDP) |
| SSH | paramiko |
| WinRM | pywinrm |
| Databases | pymysql, psycopg2, redis-py, pymongo, oracledb |
| Output | Rich (Catppuccin Mocha) |
| Scanning | nmap (auto-discovery) |

| Flag | Description | Default |
|---|---|---|
| `-t, --target` | Target (IP, IP:port, IP:port:service, CIDR) | -- |
| `-T, --targets-file` | File with targets (one per line) | -- |
| `-n, --nmap` | Nmap XML file for auto-discovery | -- |
| `--no-scan` | Disable automatic nmap scan | -- |
| `--rescan` | Force fresh nmap scan (ignore cache) | -- |
| `-u, --user` | Single username | -- |
| `-p, --pass` | Single password or NT hash (prefix `:`) | -- |
| `-C, --creds` | Credentials file (user:pass per line) | -- |
| `-s, --services` | Comma-separated services to test | all |
| `-w, --threads` | Concurrent threads | 10 |
| `--timeout` | Connection timeout (seconds) | 5 |
| `--delay` | Delay between attempts (seconds) | 0.0 |
| `-d, --domain` | Domain for AD protocols (auto-discovered) | -- |
| `--verify` | Run proof-of-access after successful auth | -- |
| `--commands` | Show connect commands for valid credentials | -- |
| `--nxc` | Use NetExec modules instead of native | -- |
| `--mask-creds` | Mask credentials in output | -- |
| `--dry-run` | Preview without sending traffic | -- |
| `-o, --output` | Write results to JSON file | -- |

```
# -C / --creds (user:pass per line)
admin:Password123
administrator:aad3b435b51404eeaad3b435b51404ee
sa:SQLServer2024!
# -U / --userfile (one username per line)
admin
administrator
# -P / --passfile (one password/hash per line)
Password123
:aad3b435b51404eeaad3b435b51404ee
```

| Feature | Linux | macOS | Windows |
|---|---|---|---|
| Core spray engine | Full | Full | Full |
| Auto nmap scan | Full | Full | Full |
| Native modules (28) | Full | Full | Full |
| NetExec modules | Full | Full | Partial |
| RDP (xfreerdp) | Full | Full | -- |
| Evil-WinRM | Full | Full | -- |
| Catppuccin theme | Full | Full | Full |
Report vulnerabilities via SECURITY.md or GitHub Security Advisories. Do not open public issues for security concerns.
Rapids does not:
- Store or cache credentials beyond the current session
- Exfiltrate data from authenticated services
- Exploit vulnerabilities (only tests credential validity)
- Bypass network access controls or firewalls
- Persist on target systems
MIT -- Copyright 2026 Real-Fruit-Snacks