Retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password.
google/amt-forensics
This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the script can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).
[TOC]
- Linux machine with a provisioned AMT
  - For testing, you can manually provision AMT yourself in 10 steps.
  - Make sure `/dev/mei` exists.
    - You may need to `sudo ln -s /dev/mei0 /dev/mei`.
    - If this doesn't exist then this most likely means AMT is not enabled & provisioned.
- Python & OpenWSMAN installed
  - Python 2.7 with python-enum34 (`sudo apt-get install python-enum34`)
  - The `wsman` binary in `$PATH`: `sudo apt-get install wsmancli`
  - For other platforms see https://openwsman.github.io/
The Local Manageability Service (LMS) for Linux needs to be built and started:

- Download lms-8.0.0-7.tar.gz and unzip it. You can read more info about LMS for Linux here.
- Copy lms.patch from this repository into the unzipped directory.
- Carry out the following commands:

```
user@host:~/Downloads/lms-8.0.0-7$ patch -p1 < lms.patch
user@host:~/Downloads/lms-8.0.0-7$ chmod u+x configure
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ # fix problems and re-run until all OK.
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms
```
You should be able to load http://localhost:16992/ in your browser now.

Note: On some machines, restarting lms and/or the machine is required.

If problems continue, re-try with debugging enabled:

```
user@host:~/Downloads/lms-8.0.0-7$ make clean
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-debug --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms
```
Once LMS is successfully running as per above, start a new shell:
```
user@host:~$ cd amt-forensics/
user@host:~/amt-forensics$ chmod u+x gather_audit_logs.sh
user@host:~/amt-forensics$ sudo ls   # gather_audit_logs.sh does a hidden sudo
user@host:~/amt-forensics$ ./gather_audit_logs.sh
user@host:~/amt-forensics$ python ./decode_amt_auditlog.py > decoded_log.txt
user@host:~/amt-forensics$ cat decoded_log.txt   # Sample Output as example.
[
  {
    "AuditAppID": "NETWORK_TIME_APPID",
    "EventID": "AMT Provisioning Started",
    "InitType": "HTTP_DIGEST",
    "UsernameLength": 9,
    "Username": "$$OsAdmin",
    "TimeStamp": 1072922804,
    "TimeStamp_readable": "2004-01-01 03:06:44",
    "MCLocationType": "IPV4_ADDR",
    "NetAddressLength": 9,
    "NetAddress": "127.0.0.1",
    "ExtendedDataLength": 4,
    "ExtendedData": "V\"\u00b8\u009c"
  },
  {
    "AuditAppID": "SECURITY_ADMIN_APPID",
    "EventID": "AMT Provisioning Started",
    "InitType": "LOCAL_INITIATOR",
    "TimeStamp": 1506659359,
    "TimeStamp_readable": "2017-09-29 06:29:19",
    "MCLocationType": "NONE",
    "NetAddressLength": 0,
    "ExtendedDataLength": 0
  }
]
user@host:~/amt-forensics$
```
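As an added example (not the repository's own code, and written for Python 3 rather than the 2.7 the scripts use), a decoder for a single audit record in the field order shown in the sample output above. It assumes the AMT record layout is big-endian with one-byte length prefixes on the variable fields; the numeric values in the code tables are placeholders, not the real Intel AMT codes, which live in `decode_amt_auditlog.py`.

```python
import struct
from datetime import datetime, timezone

# Illustrative code tables: names are those in the sample output above; the
# numeric values are placeholders, the real tables live in decode_amt_auditlog.py.
APP_IDS = {16: "SECURITY_ADMIN_APPID", 21: "NETWORK_TIME_APPID"}
EVENT_IDS = {0: "AMT Provisioning Started", 1: "AMT Provisioning Completed"}
INIT_TYPES = {0: "UNKNOWN", 1: "HTTP_DIGEST", 2: "KERBEROS_SID", 3: "LOCAL_INITIATOR"}
LOCATION_TYPES = {0: "IPV4_ADDR", 1: "IPV6_ADDR", 2: "NONE"}

def _lv(buf, off):
    """One-byte length followed by that many bytes -> (bytes, next offset)."""
    n = buf[off]
    if off + 1 + n > len(buf):
        raise ValueError("truncated record at offset %d" % off)
    return buf[off + 1:off + 1 + n], off + 1 + n


def decode_record(buf):
    """Decode one record in the field order of the sample output above (assumed
    big-endian): AppID u16, EventID u16, InitType u8, [len+Username, HTTP_DIGEST
    only], TimeStamp u32, MCLocationType u8, len+NetAddress, len+ExtendedData."""
    app_id, event_id, init_type = struct.unpack_from(">HHB", buf, 0)
    off = 5
    rec = {"AuditAppID": APP_IDS.get(app_id, app_id),
           "EventID": EVENT_IDS.get(event_id, event_id),
           "InitType": INIT_TYPES.get(init_type, init_type)}
    if rec["InitType"] == "HTTP_DIGEST":
        user, off = _lv(buf, off)
        rec["UsernameLength"], rec["Username"] = len(user), user.decode("ascii", "replace")
    ts, loc = struct.unpack_from(">IB", buf, off)
    off += 5
    rec["TimeStamp"] = ts
    # UTC here; the repository's sample output shows local time.
    rec["TimeStamp_readable"] = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    rec["MCLocationType"] = LOCATION_TYPES.get(loc, loc)
    addr, off = _lv(buf, off)
    rec["NetAddressLength"] = len(addr)
    if addr:
        rec["NetAddress"] = addr.decode("ascii", "replace")
    ext, off = _lv(buf, off)
    rec["ExtendedDataLength"] = len(ext)
    if ext:
        rec["ExtendedData"] = ext.hex()  # hex instead of the raw bytes the sample prints
    if off != len(buf):
        raise ValueError("%d trailing bytes after record" % (len(buf) - off))
    return rec


# Constructed record matching the first entry of the sample output above.
SAMPLE = (struct.pack(">HHB", 21, 0, 1) + b"\x09$$OsAdmin" + struct.pack(">IB", 1072922804, 0)
          + b"\x09127.0.0.1" + b"\x04V\x22\xb8\x9c")
```

`decode_record(SAMPLE)` returns the same fields as the first sample entry, with ExtendedData as hex and the timestamp rendered in UTC.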
To log in via http://localhost:16992/logon.htm, you can obtain the password for the user `$$osAdmin` as follows:

```
user@host:~/amt-forensics$ sudo python amt_local_sys_account.py
[Password String]
user@host:~/amt-forensics$
```

You can then use the username `$$osAdmin` and the printed password string to log in.
The `getallinfo.sh` script under the `all_api_calls` directory will attempt to gather info from all available AMT WSMAN APIs. This can be useful for manual searching & inspiration during forensics.
This is not an official Google product.