Sandman: NTP based backdoor for red team engagements

Sandman

Sandman is a backdoor that is meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (the protocol used to synchronise time and date) to fetch and run arbitrary shellcode from a pre-defined server.

NTP is a protocol that many defenders overlook, so it is usually reachable from most parts of the network.

Capabilities

  • Getting and executing an arbitrary payload from an attacker-controlled server.

  • Can work on hardened networks, since NTP is usually allowed through firewalls.

  • Impersonating a legitimate NTP server via IP spoofing.
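All three capabilities rest on NTP passing through the perimeter unchallenged. As an added example, not part of Sandman or its repository, the Python audit below applies three defender-side heuristics to a window of captured NTP traffic: responses from servers outside an allowlist, responses larger than the 48-byte RFC 5905 header, and clients polling far more often than a normal sync interval would require. The sanctioned server address, the per-window threshold and the sample packets are all constructed for the example.

```python
import struct
from collections import Counter

NTP_HEADER_LEN = 48              # RFC 5905 header; extension fields or a MAC make it longer
ALLOWED_SERVERS = {"10.0.0.123"}  # constructed: the organisation's sanctioned NTP server
MAX_QUERIES_PER_WINDOW = 12       # constructed: normal clients poll every 64-1024 s, so a
                                  # one-hour window should hold only a handful of requests

def build_ntp_packet(mode, stratum=2, extra=b""):
    """Constructed sample NTP packet: LI=0, VN=4, given mode, remaining fields zeroed."""
    first = (0 << 6) | (4 << 3) | mode
    return bytes([first, stratum, 10, 0xEC]) + b"\x00" * 44 + extra

def parse_ntp(payload):
    """Decode the fields the audit needs from a UDP payload; None if too short."""
    if len(payload) < NTP_HEADER_LEN:
        return None
    first = payload[0]
    return {"version": (first >> 3) & 7, "mode": first & 7,
            "stratum": payload[1], "length": len(payload)}

def audit_ntp_flows(packets):
    """packets: iterable of (ts, src_ip, dst_ip, udp_payload) captured on UDP/123
    within one observation window. Returns a list of (src, dst, message) findings."""
    findings = []
    queries = Counter()
    for ts, src, dst, payload in packets:
        hdr = parse_ntp(payload)
        if hdr is None:
            findings.append((src, dst, "truncated NTP payload"))
            continue
        if hdr["mode"] == 4:  # server -> client response
            # The allowlist check is weak on its own: a spoofed source address passes it,
            # which is why the size and cadence checks below are applied as well.
            if src not in ALLOWED_SERVERS:
                findings.append((src, dst, "response from unsanctioned NTP server"))
            if hdr["length"] > NTP_HEADER_LEN:
                findings.append((src, dst,
                                 f"oversized NTP response ({hdr['length']} bytes)"))
        elif hdr["mode"] == 3:  # client -> server request
            queries[src] += 1
    for host, n in queries.items():
        if n > MAX_QUERIES_PER_WINDOW:
            findings.append((host, None,
                             f"{n} NTP queries in window, expected <= {MAX_QUERIES_PER_WINDOW}"))
    return findings
```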

Setup

SandmanServer (Setup)

  • Python 3.9
  • Requirements are specified in the requirements file.

Download

git clone https://github.com/Idov31/Sandman.git

SandmanBackdoor (Setup)

To compile the backdoor itself I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and csc.

Usage

SandmanServer

Run on a Windows / *nix machine:

python3 sandman_server.py <Network Adapter> <Payload Url> [ip to spoof]

  • Network Adapter: The adapter you want the server to listen on (for example, Ethernet on Windows or eth0 on *nix).

  • Payload Url: The URL to your shellcode. It could be your agent (for example, CobaltStrike or meterpreter) or another stager.

  • IP to Spoof (optional): If you want to spoof a legitimate IP address (for example, time.microsoft.com's IP address). TBA

SandmanBackdoor

To start, compile the SandmanBackdoor. Because it is a single lightweight C# executable, you can run it via ExecuteAssembly, run it as an NTP provider (TBA), or just execute/inject it.

Copyright (c) 2022, Ido Veltzman

Source: https://github.com/Idov31/
