Skip to content

Latest commit

 

History

History
62 lines (33 loc) · 2.26 KB

README.md

File metadata and controls

62 lines (33 loc) · 2.26 KB

Sandman

Image image image

Sandman is a backdoor that meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (protocol to sync time & date) to get and run an arbitrary shellcode from a pre defined server.

Since NTP is a protocol that is overlooked by many defenders resulting wide network accessability.

Usage

sandman

SandmanServer (Usage)

Run on windows / *nix machine:

python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"
  • Network Adapter: The adapter that you want the server to listen on (for example: Ethernet for Windows, eth0 for *nix).

  • Payload Url: The URL to your shellcode, it could be your agent (for example, CobaltStrike or meterpreter) or another stager.

  • IP to Spoof: If you want to spoof a legitiment IP address (for example, time.microsoft.com's ip address). TBA

SandmanBackdoor (Usage)

To start, you can compile the SandmanBackdoor as mentioned below, because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as a NTP provider TBA or just execute / inject it.

Capabilities

  • Getting and executing an arbitrary payload from an attacker's controlled server.

  • Can work on hardened networks since NTP is usually allowed in FW.

  • Impsersonating a legitiment NTP server via IP spoofing. TBA

Setup

SandmanServer (Setup)

  • Python 3.9
  • Requiremenets specified in the requirements file.

SandmanBackdoor (Setup)

To compile the backdoor itself I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and csc.

IOCs

  • A shellcode is injected to RuntimeBroker.

  • Suspicious NTP communication, starts with known magic header.

Contributes

Thanks to who already contributed and I'll happily accept contribution, make a pull request and I will review it!