Retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password.
google/amt-forensics
This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the scripts can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).
[TOC]
- Linux machine with a provisioned AMT
  - For testing, you can manually provision AMT yourself in 10 steps.
  - Make sure `/dev/mei` exists.
    - You may need to `sudo ln -s /dev/mei0 /dev/mei`.
    - If this doesn't exist then this most likely means AMT is not enabled & provisioned.
- Python & OpenWSMAN installed
  - Python 2.7 with python-enum34 (`sudo apt-get install python-enum34`)
  - The `wsman` binary in $PATH: `sudo apt-get install wsmancli`
  - For other platforms see https://openwsman.github.io/
The Local Manageability Service (LMS) for Linux needs to be built and started:

- Download lms-8.0.0-7.tar.gz and unzip it. You can read more info about LMS for Linux here.
- Copy lms.patch from this repository into the unzipped directory.
- Carry out the following commands:

```
user@host:~/Downloads/lms-8.0.0-7$ patch -p1 < lms.patch
user@host:~/Downloads/lms-8.0.0-7$ chmod u+x configure
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ # fix problems and re-run until all OK.
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms
```
You should be able to load http://localhost:16992/ in your browser now.
Note: On some machines, restarting lms and/or machine is required.
If problems continue, re-try with debugging enabled:

```
user@host:~/Downloads/lms-8.0.0-7$ make clean
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-debug --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms
```
Once LMS is successfully running as per above, start a new shell:

```
user@host:~$ cd amt-forensics/
user@host:~/amt-forensics$ chmod u+x gather_audit_logs.sh
user@host:~/amt-forensics$ sudo ls  # gather_audit_logs.sh does a hidden sudo
user@host:~/amt-forensics$ ./gather_audit_logs.sh
user@host:~/amt-forensics$ python ./decode_amt_auditlog.py > decoded_log.txt
user@host:~/amt-forensics$ cat decoded_log.txt  # Sample output as example.
[
 {
  "AuditAppID": "NETWORK_TIME_APPID",
  "EventID": "AMT Provisioning Started",
  "InitType": "HTTP_DIGEST",
  "UsernameLength": 9,
  "Username": "$$OsAdmin",
  "TimeStamp": 1072922804,
  "TimeStamp_readable": "2004-01-01 03:06:44",
  "MCLocationType": "IPV4_ADDR",
  "NetAddressLength": 9,
  "NetAddress": "127.0.0.1",
  "ExtendedDataLength": 4,
  "ExtendedData": "V\"\u00b8\u009c"
 },
 {
  "AuditAppID": "SECURITY_ADMIN_APPID",
  "EventID": "AMT Provisioning Started",
  "InitType": "LOCAL_INITIATOR",
  "TimeStamp": 1506659359,
  "TimeStamp_readable": "2017-09-29 06:29:19",
  "MCLocationType": "NONE",
  "NetAddressLength": 0,
  "ExtendedDataLength": 0
 }
]
user@host:~/amt-forensics$
```
To login via http://localhost:16992/logon.htm, you can obtain the password for the user $$osAdmin as follows:

```
user@host:~/amt-forensics$ sudo python amt_local_sys_account.py
[Password String]
user@host:~/amt-forensics$
```

You can then use the username $$osAdmin and the printed password string to login.

The `getallinfo.sh` script under the `all_api_calls` directory will attempt to gather info from all available AMT WSMAN APIs. This can be useful for manual searching & inspiration during forensics.
This is not an official Google product.