Company with Quality System Certification of Conformity with UNI EN ISO 9001:2015
Italeri S.p.a | Cap. Soc. Euro 5.200.000 i.v. R.E.A. Bo n.311919 C.F. e R.I. BO n.03708190370 P. Iva IT00652841206 M. B0011362
Here’s a good write‑up for an — whether you're documenting a tool, writing a blog post, or presenting it as part of a security assessment. RPyC Extractor: Uncovering Hidden Remote Python Objects What is RPyC? RPyC (Remote Python Call) is a transparent, symmetrical Python RPC library. It allows a client to call functions and access objects on a remote Python server as if they were local. While powerful for legitimate distributed computing, RPyC also presents a significant security risk if exposed without proper authentication or access controls. The Need for an Extractor During penetration tests or Red Team engagements, we often encounter misconfigured RPyC services — open to the network with no authentication, or with weak/default credentials ( user:pass ). Once connected, the remote service may expose privileged operations (file access, command execution, even os or subprocess modules). The challenge is: How do we systematically discover and extract the remote object hierarchy without manual guesswork?
Company with Quality System Certification of Conformity with UNI EN ISO 9001:2015
Italeri S.p.a | Cap. Soc. Euro 5.200.000 i.v. R.E.A. Bo n.311919 C.F. e R.I. BO n.03708190370 P. Iva IT00652841206 M. B0011362
