
Orion Incident Response Live CD


6.5. Collaboration

The orion-tunnel command uses SSH port forwarding to forward a short list of services to the primary responder’s system. For example, if the secondary responder runs orion-tunnel and then opens the URL http://localhost/ in a web browser, the browser displays (via the encrypted SSH tunnel) the RTIR server web interface from the primary system.

Port forwarding works by initiating an SSH session with one or more -L command line arguments, where -L lport:rhost:rport forwards connections made to port lport on the local host, through the SSH session, to port rport on the host rhost (as reached from the SSH server). Dynamic port forwarding (the -D option) could instead forward all connections using the SOCKS protocol, but the connections between handler systems are deliberately kept to a minimum, both to avoid unwelcome surprises and so that connections to 127.0.0.1:<port> do “the right thing” automatically whether the primary handler is local or remote. The services forwarded, with lport equal to rport, are:

Server                Port (protocol)
Orion web site        8010 (http)
Citadel               25/465 (smtp/s), 8504 (http), 993 (imaps), 5222 (xmpp)
RTIR web interface    80 (http)
Xplico                9876 (http)
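As an added example (not the Live CD's own orion-tunnel script), the following POSIX shell assembles the ssh(1) command line that the description above implies: one -L forward per port in the table, with lport equal to rport and both ends bound to loopback. The port list is taken from the table; the function names and the placeholder address handler@primary.example are assumptions.

```shell
#!/bin/sh
# Added example, not the orion-tunnel script shipped on the Live CD: build the
# ssh(1) command that forwards the tabled services to the secondary responder's
# loopback interface. Ports come from the table; the primary's address is a
# placeholder supplied by the caller.

# Ports to forward. lport is deliberately equal to rport so that 127.0.0.1:<port>
# reaches the same service whether the primary handler is this machine or remote.
ORION_FORWARD_PORTS="8010 25 465 8504 993 5222 80 9876"

# Emit one "-L bind:lport:rhost:rport" option per port. Binding to 127.0.0.1
# keeps the forwarded listeners off the secondary's network interfaces, and
# rhost=127.0.0.1 is the service as seen on the primary handler's own loopback.
orion_forward_args() {
    for p in $ORION_FORWARD_PORTS; do
        printf '%s 127.0.0.1:%s:127.0.0.1:%s ' -L "$p" "$p"
    done
}

# Full command for a given primary handler (user@host). -N runs no remote
# command, only the forwards. ExitOnForwardFailure=yes makes ssh refuse to
# start if any local port is already in use (e.g. a local web server on :80),
# rather than leaving the responder with a silently half-working tunnel.
orion_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes %s%s\n' "$(orion_forward_args)" "$1"
}

# Ports below 1024 (25, 80, 465, 993) can only be bound by root on the
# secondary, so a tunnel that includes them must be started privileged.
orion_privileged_ports() {
    out=""
    for p in $ORION_FORWARD_PORTS; do
        if [ "$p" -lt 1024 ]; then
            out="$out${out:+ }$p"
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone usage: print (do not run) the command for the given primary.
if [ $# -gt 0 ]; then
    orion_tunnel_cmd "$1"
fi
```

Run as `sh orion-tunnel-example.sh handler@primary.example` to see the generated command; the low ports it lists are why the tunnel has to be started as root on the secondary if the full service list is wanted.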

6.5.1. Shared Desktop

Desktop sharing is also an extremely valuable capability during incident response. In Orion, desktops are shared using VNC (Virtual Network Computing) tunneled over SSH. The x11vnc program exports the X11 display zero (:0) over VNC, which means a remote VNC session connects to the very console the local user is working at, rather than to a separate virtual desktop. The remote user then uses SSVNC, the Enhanced TightVNC viewer (http://www.karlrunge.com/x11vnc/ssvnc.html), to tunnel the connection to that VNC session over SSH.

John Jarocki, john.jarocki@gmail.com
