Automating SFTP Creation for KAPE’s Sake!

Well, hello there blog. Been a while :)

KAPE + SFTP Output

If you’ve been watching the DFIR space over the past month or so, you’ve undoubtedly witnessed the release of a truly game-changing tool, KAPE, from (of course) Mr. @EricRZimmerman. Here’s a recent post from Eric in case this is the first you’re hearing of it:

While there are a ton of posts that could come out of working with KAPE and designing modules, one thing that caught my attention was when Eric added support for SFTP output:

Now we’re talking truly game-changing. By adding SFTP output, Eric has removed the need for a system to be on the network or VPN’d in for us to retrieve the data. Furthermore, the data is automatically pushed to a central location, which really means I don’t have to go pull it back.

With this great feature built in, the next necessary step is to make setting up an SFTP server easy. After all — we don’t want to be cross-pollinating client data or have some infrequently-used SFTP server just sitting there running. Furthermore, I’m a firm believer that these types of instances (such as an SFTP server collecting one-time triage data) should be short-lived. Thus — we want this to exist only for the period of time that we need it, and then it should go away.

Quick note: As of the writing of this post, Eric has yet to release this feature and it’s still in beta. I’ve been able to test it with success, so look out for an updated version soon!

Automating the SFTP Build

I’ve been messing around with Terraform lately (something about needing to create a platform for curriculum development :), and I thought this would be a perfect candidate. I also wanted to chroot the SFTP directory so that, in case the credential fell into the “wrong” hands, they could only go so far. You could go a step further and either remove read permissions from the SFTP user (thereby making them write-only), and/or set up a job to watch and move files out of the upload directory ASAP, so even if someone got access, it’d be short-lived.

For this endeavor, I put together a Terraform config for creating a DigitalOcean droplet and followed these SFTP instructions: My goal was to create something quick and easy. Overall — this config took about five minutes to put together. It could definitely be cleaned up (the inline remote-exec could easily be moved to a script), but it works quickly.

Let’s get to the good stuff first. Here’s a copy of the script:

Here’s the output:

digitalocean_droplet.sftp-server: Creation complete after 56s (ID: 136006035)
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
SFTP Config =
  IP Address:
  Username: sftp
  Password: <redacted>
  Monthly Price: $ 20
  KAPE Line: --scs --scu sftp --scpw "<redacted>"
  SFTP Command: sftp sftp@

I wanted to ensure a couple of things got included:

  • The SFTP config, including the IP address, username, and password. Passwords should not be stored in plaintext; however, we need it for KAPE’s SFTP command-line option.
  • The monthly price is displayed. Can’t say you forgot about those cloud bills now!
  • A KAPE-specific command line is also provided. This means you can build out your KAPE config and then just append this at the end.
  • Take a look at that time. 56 seconds — not bad! I can kick off this script while talking on the phone, and by the time I’ve grabbed another sip of coffee, the server is up and running. I did get it down to 49 seconds at one point…

Script Usage

A couple of things to note if you want to use this config yourself:

  • You’ll need to grab your own DigitalOcean API token and upload your preferred SSH key. The config needs to connect back to the system to provision the SFTP user appropriately.
  • The password is generated randomly by the script, using Terraform’s random password feature: 20 characters of upper/lower/numeric/special. If you want to have a static password, change accordingly.
  • The sftp account name is simply my choice. Again — change it if you want to, just make sure you change it everywhere.
  • The SSH config additions are straight from the blog post that’s referenced in the script. If you’re doing something else, again — change accordingly.
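To make those notes concrete, here is an added example config (my own, not the author’s script, which is linked rather than reproduced on this page) that builds the same thing: a DigitalOcean droplet, a random 20-character password, a chrooted SFTP-only user provisioned over SSH, and an output carrying the KAPE line. The variable names, the Ubuntu 22.04 image, region and size, the /home/sftp chroot layout and Terraform 1.x are assumptions; the KAPE switches (--scs, --scu, --scpw) come from the output above.

```hcl
terraform {
  required_providers {
    digitalocean = { source = "digitalocean/digitalocean" }
    random       = { source = "hashicorp/random" }
  }
}
variable "do_token" { sensitive = true } # assumed: your DigitalOcean API token
variable "ssh_key_name" {}               # assumed: name of the SSH key uploaded to DigitalOcean
variable "ssh_private_key_path" {}       # assumed: matching private key, used only to provision
provider "digitalocean" { token = var.do_token }
data "digitalocean_ssh_key" "provisioning" { name = var.ssh_key_name }
# 20-char upper/lower/numeric/special password; quotes, $ and backslash are excluded so the shell lines below stay safe
resource "random_password" "sftp" {
  length           = 20
  override_special = "!@#%^&*()-_=+"
}
resource "digitalocean_droplet" "sftp-server" {
  name     = "kape-sftp"
  image    = "ubuntu-22-04-x64"
  region   = "nyc3"
  size     = "s-2vcpu-4gb"
  ssh_keys = [data.digitalocean_ssh_key.provisioning.id]
  connection {
    host        = self.ipv4_address
    user        = "root"
    private_key = file(var.ssh_private_key_path)
  }
  # Chrooted, SFTP-only user: root owns the chroot itself; the user lands in (and may only write to) /upload
  provisioner "remote-exec" {
    inline = [
      "useradd -d /upload -s /usr/sbin/nologin sftp && echo 'sftp:${random_password.sftp.result}' | chpasswd",
      "mkdir -p /home/sftp/upload && chown root:root /home/sftp && chmod 755 /home/sftp",
      "chown sftp:sftp /home/sftp/upload && chmod 700 /home/sftp/upload",
      "printf 'Match User sftp\\n  ChrootDirectory /home/sftp\\n  ForceCommand internal-sftp\\n  PasswordAuthentication yes\\n  AllowTcpForwarding no\\n  X11Forwarding no\\n' >> /etc/ssh/sshd_config",
      "sshd -t && systemctl restart ssh",
    ]
  }
}

output "sftp_config" {
  sensitive = true # keeps the password out of the apply log; read it with `terraform output -raw sftp_config`
  value     = <<-EOT
    IP Address: ${digitalocean_droplet.sftp-server.ipv4_address}
    Username: sftp
    Password: ${random_password.sftp.result}
    Monthly Price: $ ${digitalocean_droplet.sftp-server.price_monthly}
    KAPE Line: --scs ${digitalocean_droplet.sftp-server.ipv4_address} --scu sftp --scpw "${random_password.sftp.result}"
    SFTP Command: sftp sftp@${digitalocean_droplet.sftp-server.ipv4_address}
  EOT
}
```

Because the output is marked sensitive, `terraform apply` prints it as `<sensitive>` and you read it with `terraform output -raw sftp_config`. The password still sits in plaintext in terraform.tfstate, so treat the state file as a secret and run `terraform destroy` as soon as the collection is in.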

Again — you can find a copy of the config over here:

Happy Forensicating!