Awesome
AMT Forensics for Linux
This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the script can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).
[TOC]
Prerequisites
- Linux machine with a provisioned AMT
- For testing, you can manually provision AMT yourself in 10 steps.
- Make sure
/dev/mei
exists.- You may need to
sudo ln -s /dev/mei0 /dev/mei
. - If this doesn't exist then this most likely means AMT is not enabled & provisioned.
- You may need to
- Python & OpenWSMAN installed
- Python 2.7 with python-enum34 (
sudo apt-get install python-enum34
) - The
wsman
binary in $PATH:sudo apt-get install wsmancli
- For other platforms see https://openwsman.github.io/
Setup
The Local Manageability Service (LMS) for Linux needs to built and started:
- Download lms-8.0.0-7.tar.gz and unzip it. You can read more info about LMS for Linux here.
- Copy lms.patch from this repository into the unziped directory.
- Carry out the following commands:
user@host:~/Downloads/lms-8.0.0-7$ patch -p1 < lms.patch
user@host:~/Downloads/lms-8.0.0-7$ chmod u+x configure
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ # fix problems and re-run until all OK.
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms
You should be able to load http://localhost:16992/ in your browser now.
Note: On some machines, restarting lms and/or machine is required.
If problems continue, re-try with debugging enabled:
user@host:~/Downloads/lms-8.0.0-7$ make clean
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-debug --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms
Usage
Once LMS is successfully running as per above, start a new shell:
user@host:~$ cd amt-forensics/
user@host:~/amt-forensics$ chmod u+x gather_audit_logs.sh
user@host:~/amt-forensics$ sudo ls # gather_audit_logs.sh does a hidden sudo
user@host:~/amt-forensics$ ./gather_audit_logs.sh
user@host:~/amt-forensics$ python ./decode_amt_auditlog.py > decoded_log.txt
user@host:~/amt-forensics$ cat decoded_log.txt # Sample Output as example.
[
{
"AuditAppID": "NETWORK_TIME_APPID",
"EventID": "AMT Provisioning Started",
"InitType": "HTTP_DIGEST",
"UsernameLength": 9,
"Username": "$$OsAdmin",
"TimeStamp": 1072922804,
"TimeStamp_readable": "2004-01-01 03:06:44",
"MCLocationType": "IPV4_ADDR",
"NetAddressLength": 9,
"NetAddress": "127.0.0.1",
"ExtendedDataLength": 4,
"ExtendedData": "V\"\u00b8\u009c"
},
{
"AuditAppID": "SECURITY_ADMIN_APPID",
"EventID": "AMT Provisioning Started",
"InitType": "LOCAL_INITIATOR",
"TimeStamp": 1506659359,
"TimeStamp_readable": "2017-09-29 06:29:19",
"MCLocationType": "NONE",
"NetAddressLength": 0,
"ExtendedDataLength": 0
}
]
user@host:~/amt-forensics$
Web Interface Login
To login via http://localhost:16992/logon.htm, you can obtain password for the user $$osAdmin as per follows:
user@host:~/amt-forensics$ sudo python amt_local_sys_account.py
[Password String]
user@host:~/amt-forensics$
You can then use the username $$osAdmin and the printed password string to login.
Info from all APIs
The getallinfo.sh
script under the all_api_calls
directory will
attempt to gather info from all available AMT WSMAN APIs. This can be useful
for manual searching & inspiration during forensics.
Disclaimer
This is not an official Google product.