Sandman is a backdoor that meant to work on hardened networks during red team engagements.
Sandman works as a stager and leverages NTP (protocol to sync time & date) to get and run an arbitrary shellcode from a pre defined server.
Since NTP is a protocol that is overlooked by many defenders resulting wide network accessability.
Run on windows / *nix machine:
python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"-
Network Adapter: The adapter that you want the server to listen on (for example: Ethernet for Windows, eth0 for *nix).
-
Payload Url: The URL to your shellcode, it could be your agent (for example, CobaltStrike or meterpreter) or another stager.
-
IP to Spoof: If you want to spoof a legitiment IP address (for example, time.microsoft.com's ip address). TBA
To start, you can compile the SandmanBackdoor as mentioned below, because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as a NTP provider TBA or just execute / inject it.
-
Getting and executing an arbitrary payload from an attacker's controlled server.
-
Can work on hardened networks since NTP is usually allowed in FW.
-
Impsersonating a legitiment NTP server via IP spoofing. TBA
- Python 3.9
- Requiremenets specified in the requirements file.
To compile the backdoor itself I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and csc.
-
A shellcode is injected to RuntimeBroker.
-
Suspicious NTP communication, starts with known magic header.
Thanks to who already contributed and I'll happily accept contribution, make a pull request and I will review it!