Orion Incident Response Live CD
unencrypted in the presence of an active attack, a packet capture can undermine all defensive efforts.
Orion provides a trusted communication framework that is configured in a secure fashion, and uses encrypted protocols to tunnel communications between team members. At the same time, the team can share desktop sessions, voice, and chat sessions. Many tools and protocols have built in encryption for communication. However, Orion tries to keep this simple by using the secure shell (SSH) protocol to tunnel all traffic. In this way, the Orion users can know that normal traffic will always be SSH between the known responder systems and other traffic is automatically abnormal and suspicious. As long the protocol can be tunneled over SSH, it can be used in Orion.
Orion includes a number of tools (and leverages ones already found in BackTrack) to assist the responders in the setup of secure communications.
new-ssh-key: creates a new RSA2 key pair. Puts the private key in ~/.ssh/orion and the public key in ~/.ssh/orion.pub. Use a strong passphrase. The passphrase will be used to encrypt the private key with 3DES.
copy-ssh-key: Copies the orion pub key to a remote host and places it in ~/.ssh/authorized keys. Uses ssh-copy-id from BackTrack.
proxy-start: Create a proxy tunnel using ssh -D localhost:9050 <user>@<host> The tunnel will listen on localhost:9050, making it compatible with TOR and proxychains.
proxychains: is already installed in BackTrack, and therefore Orion. Once proxy- start has been executed, a command like "proxychains ssh <otherhost>" will proxy an SSH login to <otherhost> via <host>.
orion-tunnel: uses SSH to allow the responder to log into the primary handler's machine and tunnel the list of services typically supported by Orion.