Sixteen protocols
SSH, FTP, FTPS, HTTP/HTTPS forms, SMTP, LDAP/LDAPS, SMB, RDP, VNC, MySQL, Postgres, MSSQL, Redis, SNMP, Telnet, IMAP, POP3.
Multi-protocol concurrent network login auditor & password spraying tool — for authorized penetration testing.
Demo deployment runs in SAFE_DEMO mode — outbound credential attempts are disabled.
Real attacks must be run from a machine you control, against systems you are authorized to test.
A clean Rich-powered CLI, a Textual TUI, and a FastAPI web UI with live WebSocket progress and run history.
Async core with per-host concurrency caps, global rate limits, retry with jitter, stop-on-success modes, JSON/CSV output, SQLite history, Prometheus /metrics.
Web UI refuses non-loopback binds without an opt-in flag. Bearer-token auth, security headers, CSP. Designed to slot behind a VPN or reverse proxy.
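The bind refusal and bearer-token check described above can be sketched as follows. This is an added example, not SprayMaster's own code; the function names and the `allow_remote` parameter are hypothetical stand-ins for the project's opt-in flag, which this page does not name.

```python
import hmac
import ipaddress
import socket


class UnsafeBindError(ValueError):
    """The UI would listen beyond loopback without an explicit opt-in."""


def is_loopback(host):
    """True only if every address `host` resolves to is a loopback address."""
    if not host:
        return False  # an empty bind host usually means "all interfaces"
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal: resolve the name below
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False  # unresolvable names fail closed
    addrs = {info[4][0].split("%")[0] for info in infos}
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)


def check_bind(host, allow_remote=False):
    """Return `host` if binding is acceptable, otherwise raise UnsafeBindError."""
    if allow_remote or is_loopback(host):
        return host
    raise UnsafeBindError(
        f"refusing to bind {host!r}: not loopback and remote access not opted in"
    )


def bearer_ok(authorization, expected_token):
    """Validate an Authorization header value against the configured token."""
    if not expected_token:
        return False  # no token configured: deny everything
    scheme, _, presented = (authorization or "").partition(" ")
    if scheme.lower() != "bearer":
        return False
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(presented.strip().encode(), expected_token.encode())
```

Calling `check_bind` before the server starts makes a wildcard bind such as `0.0.0.0` a startup error rather than a silent exposure, and `bearer_ok` denies all requests when no token is configured.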
A SAFE_DEMO instance of the SprayMaster web UI runs on Render:
spraymaster-web.onrender.com
The demo's auth token is set as a Render env variable named SPRAYMASTER_AUTH_TOKEN — grab it
from the Render dashboard's Environment tab, then paste it at /login. The first paint may
take ~30 seconds (free-tier cold start). Real attack submissions return 403 demo mode;
history, API, /metrics, and /healthz are live.
pip install "spraymaster[web]"
# CLI
spraymaster --protocol ssh --target 192.0.2.10 --users users.txt --passwords passwords.txt
# Web UI
spraymaster-web --port 8000 # then open http://127.0.0.1:8000
# TUI
pip install "spraymaster[tui]" && spraymaster-tui
Requires Python 3.9+. For all protocol extras: pip install "spraymaster[all]".
docker run --rm -p 8000:8000 \
-v spraymaster-data:/home/sprayer/.spraymaster \
-e SPRAYMASTER_AUTH_TOKEN=$(openssl rand -hex 16) \
ghcr.io/yokesh-kumar-m/spraymaster:latest spraymaster-web
SprayMaster is a dual-use security tool. You are responsible for ensuring you have written authorization from the system owner before testing any target. Unauthorized use against systems you do not own or have explicit permission to test is illegal in most jurisdictions. The maintainer accepts no liability for misuse. Apache 2.0 licensed.