Modular credential spraying tool for authorized security testing. 28 native protocol modules with automatic port scanning, scan caching, domain discovery, adaptive skip logic, pass-the-hash support, and connect command generation — no external tool dependencies for core functionality.
Rapids are fast, narrow channels where water accelerates through constraints. Felt fitting for a tool that pushes credentials through every service on a network — fast, focused, and relentless.
Rapids is a modular credential spraying framework built entirely on native Python libraries. Point it at an IP, CIDR range, or target file, give it credentials, and it automatically scans open ports, maps them to protocol modules, discovers domain names via SMB, and tests authentication across every service it finds — all without shelling out to external tools for core functionality.
Every protocol runs through its native library: impacket for SMB, MSSQL, Kerberos, and RDP; paramiko for SSH; pywinrm for WinRM; pymysql, psycopg2, redis-py, and pymongo for databases. Native implementations provide richer error reporting and faster execution than CLI wrappers. Scan results cache in .rapids/scans/ so subsequent runs against the same hosts skip the nmap scan entirely.
The spray engine uses adaptive skip logic to avoid wasting time on unreachable endpoints: three consecutive timeouts drop an endpoint, and five total timeouts on a host mark it unreachable. Results include copy-pasteable connect commands, optional proof-of-access verification, and pass-the-hash support across SMB, RDP, WinRM, MSSQL, LDAP, and Kerberos.
Authorization Required: Designed exclusively for authorized security testing with explicit written permission.
| KEY | VALUE |
|---|---|
| MODULES | 28 native protocols · SMB · SSH · RDP · WinRM · MSSQL · LDAP · Kerberos + databases |
| SPRAYING | Adaptive skip · 3-timeout endpoint · 5-timeout host · ThreadPoolExecutor |
| TRANSPORT | PTH support · NT hash across SMB/RDP/WinRM/MSSQL/LDAP/Kerberos |
| DISCOVERY | Auto nmap scan · scan caching · domain discovery via SMB |
| OUTPUT | Connect commands · proof-of-access verify · Catppuccin Mocha · JSON export |
| PLATFORM | Python 3.10+ · Linux · macOS · Windows · pipx install |
| STACK | impacket · paramiko · pywinrm · Rich · Click · pymysql · psycopg2 |
Architecture in §5 below.
```bash
git clone https://github.com/Real-Fruit-Snacks/Rapids.git
cd Rapids
pipx install -e .
```

```bash
# Auto-scan ports, discover domain, test all detected services
rapids -t 192.168.1.0/24 -u admin -p 'Password123'

# Multiple credentials from file
rapids -t 10.10.10.50 -C creds.txt

# Spray with proof-of-access verification
rapids -t 192.168.1.100 -u admin -p 'Pass123' --verify

# Show connect commands for valid creds (ssh, evil-winrm, impacket, etc.)
rapids -t 10.10.10.50 -C creds.txt --commands

# Pass-the-hash with NT hash
rapids -t 10.10.10.50 -u administrator -p ':aad3b435b51404eeaad3b435b51404ee'

# Dry run — preview what would be tested
rapids -t 192.168.1.0/24 -C creds.txt --dry-run
```

Requires Python 3.10+ and nmap for auto-scanning. NetExec optional for --nxc mode.
```
FLAGS
-t, --target         Target (IP, IP:port, IP:port:service, CIDR)
-T, --targets-file   File with targets (one per line)
-n, --nmap           Nmap XML file for auto-discovery
    --no-scan        Disable automatic nmap scan
    --rescan         Force fresh nmap scan (ignore cache)
-u, --user           Single username
-p, --pass           Single password or NT hash (prefix :)
-C, --creds          Credentials file (user:pass per line)
-s, --services       Comma-separated services to test (default: all)
-w, --threads        Concurrent threads (default: 10)
    --timeout        Connection timeout in seconds (default: 5)
    --delay          Delay between attempts in seconds (default: 0.0)
-d, --domain         Domain for AD protocols (auto-discovered)
    --verify         Run proof-of-access after successful auth
    --commands       Show connect commands for valid credentials
    --nxc            Use NetExec modules instead of native
    --mask-creds     Mask credentials in output for screen sharing
    --dry-run        Preview without sending traffic
-o, --output         Write results to JSON file

CREDENTIAL FILE FORMATS
# -C / --creds (user:pass per line)
admin:Password123
administrator:aad3b435b51404eeaad3b435b51404ee
sa:SQLServer2024!
# NT hash pass-the-hash (: prefix)
administrator::aad3b435b51404eeaad3b435b51404ee

EXAMPLES
rapids -t 10.0.0.5 -u admin -p pass -s smb,ssh,rdp
rapids -t 10.0.0.0/24 -u admin -p pass --rescan
rapids -t 10.10.10.50 -C creds.txt --commands --verify
rapids -t 10.0.0.5 -u admin -p pass --nxc
rapids -t targets.txt -C creds.txt -o results.json
```
```
rapids/
  rapids.py              CLI entry point (Click)
  core/
    engine.py            SprayEngine — ThreadPoolExecutor, adaptive skip
    models.py            Target, Credential, SprayResult dataclasses
    input_parser.py      Target/credential parsing, nmap XML, port scanning
    output.py            Rich tables, banner, summary, JSON export
    theme.py             Catppuccin Mocha color palette
  modules/
    base.py              ServiceModule abstract base class
    nxc_base.py          NxcModule base (NetExec wrapper)
    smb.py               impacket SMBConnection
    ssh.py               paramiko
    rdp.py               xfreerdp + nxc fallback + impacket CredSSP
    winrm_mod.py         pywinrm (NTLM)
    mssql.py             impacket TDS
    mysql.py             pymysql
    postgres.py          psycopg2
    ldap_mod.py          ldap3
    kerberos_mod.py      impacket getTGT
    ...                  + 18 more native modules
    nxc_smb.py           NXC wrapper modules (9 total)
```

| Layer | Implementation |
|---|---|
| Language | Python 3.10+ |
| CLI | Click |
| AD protocols | impacket (SMB, MSSQL, Kerberos, RDP) |
| SSH | paramiko |
| WinRM | pywinrm |
| Databases | pymysql · psycopg2 · redis-py · pymongo · oracledb |
| Output | Rich (Catppuccin Mocha) |
| Scanning | nmap (auto-discovery with caching) |
Each module implements test_credential() for authentication and verify_access() for proof-of-access. The spray engine handles concurrency via ThreadPoolExecutor (10 threads default), adaptive skipping, and result collection. Per-service timeout multipliers — 3× for RDP, 2× for WinRM/Kerberos — prevent slow protocols from penalizing fast ones.
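
Seen from the defending side, the behaviour described above (one source testing the same account against many host/service pairs within seconds) leaves a recognizable pattern in authentication logs. The detector below is an added example, not code from Rapids; the event tuple layout, the 60-second window and the four-endpoint threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs):
# (time, source IP, destination host, service, account, outcome)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "10.9.9.9", "10.0.0.5", "smb", "admin", "fail"),
    ("2024-05-01T10:00:01", "10.9.9.9", "10.0.0.5", "ssh", "admin", "fail"),
    ("2024-05-01T10:00:03", "10.9.9.9", "10.0.0.5", "winrm", "admin", "success"),
    ("2024-05-01T10:00:04", "10.9.9.9", "10.0.0.6", "smb", "admin", "fail"),
    ("2024-05-01T10:00:05", "10.9.9.9", "10.0.0.6", "mssql", "admin", "fail"),
    ("2024-05-01T09:00:00", "10.0.0.20", "10.0.0.5", "ssh", "alice", "fail"),
    ("2024-05-01T09:00:20", "10.0.0.20", "10.0.0.5", "ssh", "alice", "success"),
    ("2024-05-01T08:00:00", "10.0.0.30", "10.0.0.5", "smb", "backup", "success"),
    ("2024-05-01T11:00:00", "10.0.0.30", "10.0.0.6", "smb", "backup", "success"),
    ("2024-05-01T14:00:00", "10.0.0.30", "10.0.0.7", "smb", "backup", "success"),
    ("2024-05-01T17:00:00", "10.0.0.30", "10.0.0.8", "smb", "backup", "success"),
]


def detect_sprays(events, window=timedelta(seconds=60), min_endpoints=4):
    """Flag (source, account) pairs that hit >= min_endpoints distinct
    (host, service) pairs inside one sliding window. Successes are reported
    separately because they are the logons that need immediate response."""
    by_key = defaultdict(list)
    for ts, src, host, svc, user, outcome in events:
        by_key[(src, user)].append((datetime.fromisoformat(ts), host, svc, outcome))
    findings = {}
    for key, attempts in by_key.items():
        attempts.sort()  # chronological order per (source, account)
        start, flagged = 0, set()
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            if len({(h, s) for _, h, s, _ in burst}) >= min_endpoints:
                flagged.update(burst)
        if flagged:
            findings[key] = {
                "endpoints": sorted({(h, s) for _, h, s, _ in flagged}),
                "succeeded": sorted({(h, s) for _, h, s, o in flagged if o == "success"}),
            }
    return findings


if __name__ == "__main__":
    for (src, user), hit in detect_sprays(SAMPLE_EVENTS).items():
        print(src, user, len(hit["endpoints"]), "endpoints; succeeded on", hit["succeeded"])
```

The thresholds need tuning per environment; running a second, longer window alongside the short one also catches attempts that are spaced out.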
| Capability | Linux | macOS | Windows |
|---|---|---|---|
| Core spray engine | Full | Full | Full |
| Auto nmap scan | Full | Full | Full |
| Native modules (28) | Full | Full | Full |
| NetExec modules | Full | Full | Partial |
| RDP (xfreerdp) | Full | Full | — |
| Evil-WinRM | Full | Full | — |
| Catppuccin theme | Full | Full | Full |
License: MIT · Part of Real-Fruit-Snacks — building offensive security tools, one wave at a time.