High-performance reconnaissance, endpoint discovery, and tactical fuzzing engine for authorized security testing.
Engineered for controlled security assessments where throughput, memory safety, and concurrency discipline matter.
Crabkit is a Rust-based offensive security framework focused on high-speed reconnaissance and controlled endpoint discovery.
It is designed for environments where predictable performance, memory safety, and precise concurrency control are critical. Crabkit uses an asynchronous task-based execution model to maximize network throughput while keeping system resource usage predictable and auditable.
The first MVP focuses on:
- Asset enumeration.
- Endpoint discovery.
- High-concurrency HTTP/S probing.
- Response filtering by status code and body length.
- Large-scale wordlist streaming with low memory overhead.
- CLI-first execution for fast operational workflows.
Crabkit is intended strictly for educational research, internal security testing, and authorized penetration testing.
Crabkit is built around a simple engineering principle:
Do more work with less overhead, without sacrificing control.
In high-load reconnaissance workflows, unpredictable runtime pauses and excessive allocations can become bottlenecks. Crabkit reduces those risks through Rust’s ownership model and a carefully controlled asynchronous architecture.
| Principle | Description |
|---|---|
| Memory Safety | Rust’s ownership and borrowing rules reduce entire classes of memory-related bugs. |
| Predictable Performance | No garbage collector, fewer runtime surprises, and tighter control over allocations. |
| Async-first Execution | Tokio-powered task scheduling for high-throughput network operations. |
| Backpressure Control | Semaphore-based throttling to avoid overwhelming the operating system network stack. |
| Typed Error Handling | Explicit error propagation using Rust’s type system instead of silent failures. |
| Streaming IO | Wordlists are processed incrementally to support large files without loading them fully into memory. |
Crabkit follows a modular architecture so each tactical capability can evolve independently.
```
crabkit/
├── Cargo.toml              # Project configuration, dependencies and binary metadata
├── README.md               # Project documentation
├── LICENSE                 # MIT license
└── src/
    ├── main.rs             # CLI entrypoint and application bootstrap
    │
    ├── core/
    │   ├── mod.rs          # Exposes the core module
    │   └── engine.rs       # Request orchestration and concurrency control
    │
    ├── net/
    │   ├── mod.rs          # Exposes the network module
    │   └── client.rs       # HTTP/S transport abstraction
    │
    ├── io/
    │   ├── mod.rs          # Exposes the IO module
    │   └── streamer.rs     # High-performance wordlist reader
    │
    ├── logic/
    │   ├── mod.rs          # Exposes the logic module
    │   └── mutator.rs      # Payload generation and mutation logic
    │
    └── output/
        ├── mod.rs          # Exposes the output module
        └── reporter.rs     # Structured output and result formatting
```
| Module | Responsibility | Key Technology |
|---|---|---|
| Core::Engine | Coordinates tasks, concurrency limits, retries, and execution flow. | Tokio Runtime |
| Net::Client | Provides HTTP/S request abstraction and transport configuration. | Reqwest |
| IO::Streamer | Reads large wordlists efficiently with minimal RAM usage. | BufReader |
| Logic::Mutator | Generates candidate paths, payload variants, and controlled mutations. | Rust std / Bitwise Ops |
| Output::Reporter | Normalizes results for terminal and machine-readable formats. | JSON / Stdout |
The current MVP is intentionally focused and performance-oriented.
- Massive parallel execution using lightweight asynchronous tasks.
- Configurable concurrency limit.
- HTTP/S endpoint probing.
- Automatic timeout handling.
- Retry strategy for unstable responses.
- Response filtering by:
  - HTTP status code.
  - Response body length.
  - Latency threshold.
- Large wordlist support through streaming reads.
- CLI-based execution for fast operational use.

Out of scope for the MVP:
- Distributed scanning.
- Authentication-aware crawling.
- Browser-based rendering.
- Exploit execution.
- Persistence mechanisms.
- Automated exploitation chains.
This keeps the first release clean, auditable, and focused on reconnaissance primitives.
- Rust Stable 1.70+
- Cargo
- Linux, macOS, or Windows with a supported Rust toolchain

```bash
git clone https://github.com/tu-usuario/crabkit.git
cd crabkit
cargo build --release
```

To use Crabkit directly as a terminal command:

```bash
cargo install --path .
```

After installation, verify that the CLI is available:

```bash
crabkit --help
```

If the command is not found, make sure Cargo's binary directory is available in your PATH:

```
$HOME/.cargo/bin
```

Basic execution:

```bash
crabkit \
  --target <URL> \
  --wordlist <PATH> \
  --concurrency <INT>
```

Example using a controlled internal target:

```bash
crabkit \
  --target https://api.internal.example \
  --wordlist ./wordlists/endpoints.txt \
  --concurrency 100
```

```bash
crabkit \
  --target https://api.internal.example \
  --wordlist ./wordlists/endpoints.txt \
  --concurrency 80 \
  --timeout 5 \
  --retries 2 \
  --filter-status 200,204,301,302,403
```

Crabkit is designed to produce both human-readable and pipeline-friendly output.

```
[200] /api/v1/users 42ms 1842 bytes
[403] /admin 51ms 721 bytes
[301] /dashboard 38ms 128 bytes
```

```json
{
  "target": "https://api.internal.example",
  "path": "/api/v1/users",
  "status": 200,
  "latency_ms": 42,
  "content_length": 1842
}
```

Crabkit is engineered around controlled pressure, not blind aggression.
The engine uses semaphore-based throttling to ensure that concurrency remains bounded and predictable.

```
Wordlist Stream
      │
      ▼
Task Scheduler ──► Semaphore ──► HTTP Client Pool ──► Response Filter
      │                                                   │
      └──────────────────── Reporter ◄────────────────────┘
```
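
The bounded pipeline sketched above, as an added example that is not Crabkit's own code: a wordlist is streamed line by line and every job must hold a semaphore permit, so the number of jobs in flight can never exceed the limit. Assumptions: std threads and a Mutex/Condvar semaphore stand in for Tokio tasks and `tokio::sync::Semaphore`, the job is a sleep with no network I/O, and `run_bounded` (returning entries processed and peak jobs in flight) and the sample wordlist are constructed for illustration.

```rust
use std::io::{BufRead, BufReader, Cursor};
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};
use std::sync::{Arc, Condvar, Mutex};
use std::{thread, time::Duration};

/// Counting semaphore: std-only stand-in (assumption) for tokio::sync::Semaphore.
struct Semaphore { permits: Mutex<usize>, cv: Condvar }
impl Semaphore {
    fn acquire(&self) {
        let mut p = self.permits.lock().unwrap();
        while *p == 0 { p = self.cv.wait(p).unwrap(); }
        *p -= 1;
    }
    fn release(&self) {
        *self.permits.lock().unwrap() += 1;
        self.cv.notify_one();
    }
}

/// Streams `wordlist` line by line; one simulated job per entry, each under a permit.
fn run_bounded<R: BufRead>(wordlist: R, limit: usize) -> (usize, usize) {
    assert!(limit > 0, "limit must be at least 1");
    let sem = Arc::new(Semaphore { permits: Mutex::new(limit), cv: Condvar::new() });
    let (in_flight, peak) = (Arc::new(AtomicUsize::new(0)), Arc::new(AtomicUsize::new(0)));
    let mut processed = 0;
    for line in wordlist.lines() {
        let line = line.expect("wordlist read error");
        if line.trim().is_empty() { continue; } // skip blank lines
        sem.acquire(); // backpressure: the reader stalls while all permits are out
        processed += 1;
        let (sem, in_flight, peak) = (sem.clone(), in_flight.clone(), peak.clone());
        thread::spawn(move || {
            let now = in_flight.fetch_add(1, SeqCst) + 1;
            peak.fetch_max(now, SeqCst); // record the highest concurrency observed
            thread::sleep(Duration::from_millis(5)); // simulated work, no network I/O
            in_flight.fetch_sub(1, SeqCst);
            sem.release();
        });
    }
    for _ in 0..limit { sem.acquire(); } // drain: holding every permit means all jobs finished
    (processed, peak.load(SeqCst))
}

fn main() {
    // Constructed sample wordlist: a blank line followed by 40 entries.
    let text = format!("\n{}", (0..40).map(|i| format!("path-{}\n", i)).collect::<String>());
    let (done, peak) = run_bounded(BufReader::new(Cursor::new(text)), 4);
    println!("processed={} peak_in_flight={}", done, peak);
}
```

Because the permit is taken before the job is spawned, the reader never runs more than `limit` entries ahead of the workers, which is what keeps memory use flat on large wordlists.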
Rust is a strong fit for this type of tool because it provides:
- Low-level performance without sacrificing safety.
- No garbage collector pauses.
- Excellent async ecosystem through Tokio.
- Strong compile-time guarantees.
- Efficient binaries suitable for operational environments.
Status: Completed
- Asynchronous execution engine.
- Semaphore-based concurrency management.
- Streaming wordlist reader.
- Basic HTTP/S probing.
- Status and length-based filtering.
Status: In Development
- Controlled payload mutation.
- Bit-level mutation primitives.
- Latency anomaly detection.
- Structured JSON export.
- Improved retry and timeout policies.
Status: Planned
- AWS S3 bucket enumeration for authorized assessments.
- Lambda proxy support for controlled distributed testing.
- Result aggregation layer.
- Configuration profiles for different assessment types.
Status: Planned
- HTML report generation.
- Baseline comparison.
- Noise reduction heuristics.
- Integration-ready output for security pipelines.
Crabkit must only be used in environments where explicit authorization has been granted.
Acceptable use cases include:
- Internal security assessments.
- Authorized penetration testing.
- Bug bounty programs within defined scope.
- Educational labs and controlled training environments.
- Defensive validation of exposed services.
Unacceptable use includes:
- Scanning systems without permission.
- Attempting to bypass access controls.
- Targeting third-party infrastructure outside an approved scope.
- Using the tool for unauthorized exploitation or disruption.
The author assumes no responsibility for misuse of this software.
Crabkit aims to follow production-grade Rust engineering practices:
- Clear module boundaries.
- Explicit error handling.
- Minimal global state.
- Conservative defaults.
- Configurable runtime behavior.
- Auditable code paths.
- Deterministic CLI behavior.
- CI-ready build pipeline.
Recommended quality checks:

```bash
cargo fmt
cargo clippy -- -D warnings
cargo test
```

This project is licensed under the MIT License.