Sandman

Sandman is a backdoor that meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (protocol to sync time & date) to get and run an arbitrary shellcode from a pre defined server.

Since NTP is a protocol that is overlooked by many defenders resulting wide network accessability.

Usage

SandmanServer (Usage)

Run on windows / *nix machine:

python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"

Network Adapter: The adapter that you want the server to listen on (for example: Ethernet for Windows, eth0 for *nix).
Payload Url: The URL to your shellcode, it could be your agent (for example, CobaltStrike or meterpreter) or another stager.
IP to Spoof: If you want to spoof a legitiment IP address (for example, time.microsoft.com's ip address). TBA

SandmanBackdoor (Usage)

To start, you can compile the SandmanBackdoor as mentioned below, because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as a NTP provider TBA or just execute / inject it.

Capabilities

Getting and executing an arbitrary payload from an attacker's controlled server.
Can work on hardened networks since NTP is usually allowed in FW.
Impsersonating a legitiment NTP server via IP spoofing. TBA

Setup

SandmanServer (Setup)

Python 3.9
Requiremenets specified in the requirements file.

SandmanBackdoor (Setup)

To compile the backdoor itself I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and csc.

IOCs

A shellcode is injected to RuntimeBroker.
Suspicious NTP communication, starts with known magic header.

Contributes

Orca

Thanks to who already contributed and I'll happily accept contribution, make a pull request and I will review it!