Sandman is a backdoor that is meant to work on hardened networks during red team engagements.
Sandman works as a stager and leverages NTP (a protocol to sync time & date) to get and run arbitrary shellcode from a pre-defined server.
NTP is a protocol that many defenders overlook, so it is usually reachable from anywhere inside the network.
Usage
SandmanServer (Usage)
Run on a Windows / *nix machine:
python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"
- Network Adapter: The adapter you want the server to listen on (for example Ethernet on Windows, eth0 on *nix).
- Payload Url: The URL to your shellcode; it can be your agent (for example CobaltStrike or meterpreter) or another stager.
- IP to Spoof: If you want to spoof a legitimate IP address (for example, time.microsoft.com's IP address).
SandmanBackdoor (Usage)
To start, compile the SandmanBackdoor as described below; because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as an NTP provider, or simply execute/inject it.
SandmanBackdoorTimeProvider (Usage)
To use it, follow these simple steps:
- Add the following registry value:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Path\To\The\Dll.dll"
- Restart the w32time service:
sc stop w32time
sc start w32time
NOTE: Make sure you compile with the x64 option and not the Any CPU option!
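From the defender's side, the registration step above is the artifact to hunt for: a W32Time time provider whose DllName points anywhere other than the stock w32time.dll under System32. The following added example (not part of the Sandman project) parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders /s` and flags such providers. The reg output it runs on is constructed, and the allowlist of stock DLL names (w32time.dll, plus vmictimeprovider.dll on Hyper-V guests) is an assumption to adjust for your environment.

```python
import re
from typing import Dict, List

# Added example (not Sandman project code): audit the DllName of each W32Time
# time provider. Assumption: stock providers load w32time.dll from System32;
# Hyper-V guests may also register vmictimeprovider.dll. Anything else is
# worth a closer look.
KNOWN_GOOD_DLLS = {"w32time.dll", "vmictimeprovider.dll"}
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# Constructed sample of `reg query ...\W32Time\TimeProviders /s` output:
# NtpServer is stock, NtpClient has been repointed at a DLL outside System32.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
    DllName    REG_SZ    C:\Users\Public\tp.dll
    Enabled    REG_DWORD    0x1
    InputProvider    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    DllName    REG_SZ    %systemroot%\system32\w32time.dll
    Enabled    REG_DWORD    0x0
    InputProvider    REG_DWORD    0x0
"""

# A key line names the provider subkey; a value line carries DllName (REG_SZ or REG_EXPAND_SZ).
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\TimeProviders\\(?P<provider>[^\\\s]+)\s*$", re.I)
VALUE_RE = re.compile(r"^\s+DllName\s+REG_(?:EXPAND_)?SZ\s+(?P<dll>.+?)\s*$", re.I)


def parse_time_providers(reg_output: str) -> Dict[str, str]:
    """Map provider subkey name -> DllName value from `reg query ... /s` text."""
    providers: Dict[str, str] = {}
    current = None
    for line in reg_output.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("provider")
            continue
        m = VALUE_RE.match(line)
        if m and current:
            providers[current] = m.group("dll")
    return providers


def audit_time_providers(providers: Dict[str, str]) -> List[str]:
    """Return one finding per provider whose DLL is not a stock time provider under System32."""
    findings: List[str] = []
    for name, dll in providers.items():
        path = dll.strip().strip('"').lower()
        base = path.rsplit("\\", 1)[-1]
        in_system32 = path.startswith(SYSTEM32_PREFIXES)
        if base not in KNOWN_GOOD_DLLS or not in_system32:
            findings.append(f"{name}: DllName={dll} (expected a stock w32time DLL under System32)")
    return findings


if __name__ == "__main__":
    for finding in audit_time_providers(parse_time_providers(SAMPLE_REG_QUERY)):
        print("SUSPICIOUS", finding)
```

On a live host, feed the function the real output of the reg query (or read the subkeys with winreg) and pair the finding with the service restart events around the change, since the procedure above requires stopping and starting w32time.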
Capabilities
- Getting and executing an arbitrary payload from an attacker-controlled server.
- Can work on hardened networks since NTP is usually allowed through the firewall.
- Impersonating a legitimate NTP server via IP spoofing.
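Because the whole premise is that NTP traffic blends in and is allowed through the firewall, a defender's counterpart is to look at what UDP/123 traffic actually carries rather than just whether it flows. The following added example (not from the Sandman project) is a minimal NTP header parser with the sanity checks a monitoring script could run over captured packets: unexpected mode or version, bytes beyond the 48-byte header, and server transmit timestamps far from the local clock. The packets it checks are constructed with its own build_ntp helper, and the skew threshold is an assumption.

```python
import struct
from dataclasses import dataclass
from typing import List

# Added example (not Sandman project code): parse the fixed 48-byte NTP header
# (RFC 5905) and report fields a defender would not expect in ordinary
# client/server time sync.
NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    ref_id: bytes
    transmit_ts: float  # Unix seconds
    trailing: bytes     # anything after the 48-byte header (extension fields / MAC)


def parse_ntp(payload: bytes) -> NtpHeader:
    """Decode the NTP header; raise on packets shorter than the header."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    first, stratum, poll, precision = struct.unpack("!BBBb", payload[:4])
    ref_id = payload[12:16]
    tx_sec, tx_frac = struct.unpack("!II", payload[40:48])
    transmit_ts = tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32
    return NtpHeader(leap=first >> 6, version=(first >> 3) & 7, mode=first & 7,
                     stratum=stratum, poll=poll, precision=precision, ref_id=ref_id,
                     transmit_ts=transmit_ts, trailing=payload[NTP_HEADER_LEN:])


def ntp_anomalies(payload: bytes, now_unix: float, max_skew_s: float = 3600) -> List[str]:
    """Return human-readable findings for a captured UDP/123 payload (empty list = looks ordinary)."""
    hdr = parse_ntp(payload)
    findings: List[str] = []
    if hdr.mode not in (3, 4):
        findings.append(f"unexpected mode {hdr.mode} (expected client=3 / server=4)")
    if hdr.version not in (3, 4):
        findings.append(f"unusual version {hdr.version}")
    if hdr.trailing:
        findings.append(f"{len(hdr.trailing)} bytes beyond the 48-byte header")
    if hdr.mode == 4 and abs(hdr.transmit_ts - now_unix) > max_skew_s:
        # A real time server's transmit timestamp tracks wall-clock time; a forged
        # or repurposed response often does not. max_skew_s is an assumed threshold.
        findings.append(f"server transmit timestamp {abs(hdr.transmit_ts - now_unix):.0f}s from local clock")
    return findings


def build_ntp(mode: int, transmit_unix: float, version: int = 4, stratum: int = 2,
              trailing: bytes = b"") -> bytes:
    """Constructed NTP packet for sample input only; fields not relevant here are zero."""
    first = (0 << 6) | (version << 3) | mode
    tx_sec = int(transmit_unix) + NTP_EPOCH_OFFSET
    tx_frac = int((transmit_unix - int(transmit_unix)) * 2**32) & 0xFFFFFFFF
    header = (struct.pack("!BBBb", first, stratum, 6, -20)
              + b"\x00" * 36                      # root delay/dispersion, ref id, ref/origin/receive timestamps
              + struct.pack("!II", tx_sec, tx_frac))
    return header + trailing


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed "current time" for the sample run
    samples = {
        "client request": build_ntp(3, now),
        "ordinary server reply": build_ntp(4, now + 0.5),
        "oversized, stale reply": build_ntp(4, now - 86400, trailing=b"A" * 16),
    }
    for label, pkt in samples.items():
        print(label, "->", ntp_anomalies(pkt, now) or "ok")
```

Legitimate NTP can also carry extension fields and MACs (NTS and authenticated configurations), so trailing bytes are a signal to review against the expected server set, not a verdict; the most useful baseline is usually the list of destinations your hosts are allowed to sync against.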
Setup
SandmanServer (Setup)
SandmanBackdoor (Setup)
To compile the backdoor I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and CSC. You can compile it either with USE_SHELLCODE defined, to use Orca's shellcode, or without USE_SHELLCODE, to use WebClient.
SandmanBackdoorTimeProvider (Setup)
To compile the backdoor I used Visual Studio 2022; you will also need to install DllExport (via NuGet or another method) to compile it. You can compile it either with USE_SHELLCODE defined, to use Orca's shellcode, or without USE_SHELLCODE, to use WebClient.
IOCs
Contributions
Thanks to those who already contributed, and I will happily accept contributions: make a pull request and I will review it!