google / Amt Forensics

Licence: apache-2.0
Retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password.


AMT Forensics for Linux

This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the script can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).

[TOC]

Prerequisites

  1. Linux machine with a provisioned AMT
  • For testing, you can manually provision AMT yourself in 10 steps.
  • Make sure /dev/mei exists.
    • You may need to sudo ln -s /dev/mei0 /dev/mei.
    • If it doesn't exist, AMT is most likely not enabled and provisioned.
  2. Python & OpenWSMAN installed
  • Python 2.7 with python-enum34 (sudo apt-get install python-enum34)
  • The wsman binary (from OpenWSMAN) in $PATH.

Setup

The Local Manageability Service (LMS) for Linux needs to be built and started:

  1. Download lms-8.0.0-7.tar.gz and extract it. You can read more info about LMS for Linux here.
  2. Copy lms.patch from this repository into the extracted directory.
  3. Carry out the following commands:
user@host:~/Downloads/lms-8.0.0-7$ patch -p1 < lms.patch
user@host:~/Downloads/lms-8.0.0-7$ chmod u+x configure
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ # fix problems and re-run until all OK.
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms

You should be able to load http://localhost:16992/ in your browser now.

Note: On some machines, restarting lms and/or the machine is required.

If problems continue, re-try with debugging enabled:

user@host:~/Downloads/lms-8.0.0-7$ make clean
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-debug --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms

Usage

Once LMS is successfully running as per above, start a new shell:

user@host:~$ cd amt-forensics/
user@host:~/amt-forensics$ chmod u+x gather_audit_logs.sh
user@host:~/amt-forensics$ sudo ls # primes the sudo credential cache; gather_audit_logs.sh calls sudo internally
user@host:~/amt-forensics$ ./gather_audit_logs.sh
user@host:~/amt-forensics$ python ./decode_amt_auditlog.py > decoded_log.txt
user@host:~/amt-forensics$ cat decoded_log.txt # sample output
[
  {
    "AuditAppID": "NETWORK_TIME_APPID",
    "EventID": "AMT Provisioning Started",
    "InitType": "HTTP_DIGEST",
    "UsernameLength": 9,
    "Username": "$$OsAdmin",
    "TimeStamp": 1072922804,
    "TimeStamp_readable": "2004-01-01 03:06:44",
    "MCLocationType": "IPV4_ADDR",
    "NetAddressLength": 9,
    "NetAddress": "127.0.0.1",
    "ExtendedDataLength": 4,
    "ExtendedData": "V\"\u00b8\u009c"
  },
  {
    "AuditAppID": "SECURITY_ADMIN_APPID",
    "EventID": "AMT Provisioning Started",
    "InitType": "LOCAL_INITIATOR",
    "TimeStamp": 1506659359,
    "TimeStamp_readable": "2017-09-29 06:29:19",
    "MCLocationType": "NONE",
    "NetAddressLength": 0,
    "ExtendedDataLength": 0
  }
]
user@host:~/amt-forensics$
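Once decoded_log.txt exists, a triage pass over it is the natural next step. The following Python 3 script is an added example, not part of this repository: it parses the sample output above (extended with one constructed record initiated from a non-loopback address), renders each TimeStamp in UTC, and flags entries worth a second look: timestamps before an assumed clock floor (the 2004 entry in the sample suggests the ME clock was not yet set), out-of-order timestamps, and network-initiated events from non-loopback addresses. The clock floor and the set of local addresses are assumptions to tune for your fleet.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the two records from the README's sample output plus one
# constructed record with a non-loopback initiator. Not data from a real machine.
SAMPLE_LOG = r"""[
  {"AuditAppID": "NETWORK_TIME_APPID", "EventID": "AMT Provisioning Started",
   "InitType": "HTTP_DIGEST", "UsernameLength": 9, "Username": "$$OsAdmin",
   "TimeStamp": 1072922804, "TimeStamp_readable": "2004-01-01 03:06:44",
   "MCLocationType": "IPV4_ADDR", "NetAddressLength": 9, "NetAddress": "127.0.0.1",
   "ExtendedDataLength": 4, "ExtendedData": "V\"\u00b8\u009c"},
  {"AuditAppID": "SECURITY_ADMIN_APPID", "EventID": "AMT Provisioning Started",
   "InitType": "LOCAL_INITIATOR", "TimeStamp": 1506659359,
   "TimeStamp_readable": "2017-09-29 06:29:19", "MCLocationType": "NONE",
   "NetAddressLength": 0, "ExtendedDataLength": 0},
  {"AuditAppID": "SECURITY_ADMIN_APPID", "EventID": "AMT Provisioning Started",
   "InitType": "HTTP_DIGEST", "Username": "admin", "TimeStamp": 1506659400,
   "TimeStamp_readable": "2017-09-29 06:30:00", "MCLocationType": "IPV4_ADDR",
   "NetAddressLength": 8, "NetAddress": "10.0.0.5", "ExtendedDataLength": 0}
]"""

# Assumption: anything before 2010-01-01 UTC means the ME clock was not yet set.
CLOCK_FLOOR = int(datetime(2010, 1, 1, tzinfo=timezone.utc).timestamp())
LOCAL_ADDRS = {"127.0.0.1", "::1"}  # assumption: what counts as "local" here

def load_records(text):
    """Parse decoded_log.txt and add a UTC rendering of TimeStamp to each record."""
    records = json.loads(text)
    for rec in records:
        ts = datetime.fromtimestamp(rec["TimeStamp"], tz=timezone.utc)
        rec["utc"] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return records

def triage(records):
    """Return (record index, reason) pairs for entries worth a second look."""
    findings, prev_ts = [], None
    for i, rec in enumerate(records):
        ts = rec["TimeStamp"]
        if ts < CLOCK_FLOOR:
            findings.append((i, "timestamp predates clock floor (ME clock unset?)"))
        if prev_ts is not None and ts < prev_ts:
            findings.append((i, "timestamp earlier than previous record"))
        prev_ts = ts
        addr = rec.get("NetAddress")
        # MCLocationType NONE means no network initiator was recorded at all.
        if rec.get("MCLocationType") != "NONE" and addr not in LOCAL_ADDRS:
            findings.append((i, "initiated from non-loopback address %s" % addr))
    return findings
```

Feed `open("decoded_log.txt").read()` to load_records instead of SAMPLE_LOG to run it over a real capture.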

Web Interface Login

To log in via http://localhost:16992/logon.htm, obtain the password for the user $$osAdmin as follows:

user@host:~/amt-forensics$ sudo python amt_local_sys_account.py
[Password String]
user@host:~/amt-forensics$

You can then use the username $$osAdmin and the printed password string to log in.

Info from all APIs

The getallinfo.sh script under the all_api_calls directory attempts to gather information from all available AMT WSMAN APIs. This can be useful for manual searching and inspiration during forensics.

Disclaimer

This is not an official Google product.
