██████╗██████╗ ████████╗
██╔════╝██╔══██╗╚══██╔══╝
██║ ██████╔╝ ██║
██║ ██╔══██╗ ██║
╚██████╗██║ ██║ ██║
╚═════╝╚═╝ ╚═╝ ╚═╝
Why This Exists
Most load testing tools are glorified curl loops. They spawn threads, fire requests, and call it a day. But the BEAM VM — the battle-tested runtime behind WhatsApp, Discord, and RabbitMQ — can do something no other VM can: spawn millions of lightweight processes that actually perform.
CrushIt exploits this. Not as a toy. As a weapon.
What It Does
CrushIt is a penetration testing framework that turns your machine into a stress-testing powerhouse. One binary. One command. Up to 1,000,000 concurrent workers hammering a target.
./crush_it --url http://target.com --concurrency 100000 --forever --allow-remote
That's it. That's the attack.
The Numbers
On a standard laptop against a Python HTTP server:
| Workers | Requests | Throughput | Avg Latency |
|---|---|---|---|
| 50 | 6,856 | 1,382 req/s | 7ms |
| 200 | 6,234 | 1,020 req/s | 147ms |
Against a real web application with database queries, auth middleware, and template rendering? Those numbers drop to zero fast. That's the point.
How It Works
┌─────────────────────────────────────┐
│ Supervisor (one_for_one) │
│ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ │
│ │ W1 │ │ W2 │ │ W3 │ │ ... │ │
│ └──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘ │
│ │ │ │ │ │
│ └───────┴───────┴───────┘ │
│ ↓ │
│ Collector │
│ (atomics-based counting) │
└─────────────────────────────────────┘
Each worker is a GenServer that:
- Checks cancellation/deadline/request cap
- Fires an HTTP request via
:httpc - Reports result to collector
- Loops immediately — no idle time
The collector uses :atomics for lock-free counting. No mutexes. No bottlenecks. Pure BEAM.
The TUI (Ink + React)
Three screens:
Configure — Set URL, workers, duration, method, headers. Toggle DOS mode.
Running — Live metrics with sparklines:
1810 req · 1810 ok · 0 fail · 187 req/s · 263ms avg · 9.65s
Latency p50=246ms · p95=256ms · p99=259ms
███████████████████████████████████████████████████████
Status 200:1810
Report — Pass/fail verdict based on success rate.
DOS Mode
./crush_it --url http://target.com --forever --concurrency 500
Runs indefinitely. Workers loop continuously. No pause between requests. The target either handles it or dies. Ctrl+C to stop.
Features
- 1M workers — BEAM handles it. Your target might not.
- 6 HTTP methods — GET, POST, PUT, DELETE, PATCH, HEAD
- Custom headers & body — Auth tokens, content types, whatever
- Ramp-up — Stagger worker startup to simulate gradual load
- Request cap — Stop after N total requests
- Latency percentiles — p50, p95, p99 computed from rolling buffer
- JSON streaming — Pipe to jq, dashboards, custom tools
- Live TUI — No 300-line config files. Point, configure, crush.
Install
git clone https://codeberg.org/PandaternOSS/Crush_it.git
cd Crush_it
./build.sh
Requires Elixir 1.14+ and Node.js 18+.
The Philosophy
Security tools should be:
- Simple — One binary, one command
- Honest — Show real metrics, not inflated marketing numbers
- Powerful — Exploit the platform's strengths (BEAM = processes)
CrushIt doesn't pretend to be a sophisticated APT framework. It's a hammer. Sometimes you need a hammer.
Built With
- Elixir — BEAM VM, supervision trees, OTP
- Ink — React for CLIs
- esbuild — Fast JS bundling
- :httpc — Erlang's built-in HTTP client
by valt
This tool is for authorized security testing only. Get permission before hammering anything you don't own.
Top comments (0)