Awesome Open Source
Awesome Open Source

AMT Forensics for Linux

This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the script can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).



  1. Linux machine with a provisioned AMT
  • For testing, you can manually provision AMT yourself in 10 steps.
  • Make sure /dev/mei exists.
    • You may need to sudo ln -s /dev/mei0 /dev/mei.
    • If this doesn't exist then this most likely means AMT is not enabled & provisioned.
  1. Python & OpenWSMAN installed
  • Python 2.7 with python-enum34 (sudo apt-get install python-enum34)
  • The wsman binary in $PATH:


The Local Manageability Service (LMS) for Linux needs to built and started:

  1. Download lms-8.0.0-7.tar.gz and unzip it. You can read more info about LMS for Linux here.
  2. Copy lms.patch from this repository into the unziped directory.
  3. Carry out the following commands:
[email protected]:~/Downloads/lms-8.0.0-7$ patch -p1 < lms.patch
[email protected]:~/Downloads/lms-8.0.0-7$ chmod u+x configure
[email protected]:~/Downloads/lms-8.0.0-7$ ./configure --enable-daemon=no
[email protected]:~/Downloads/lms-8.0.0-7$ # fix problems and re-run until all OK.
[email protected]:~/Downloads/lms-8.0.0-7$ make
[email protected]:~/Downloads/lms-8.0.0-7$ sudo src/lms

You should be able to load http://localhost:16992/ in your browser now.

Note: On some machines, restarting lms and/or machine is required.

If problems continue, re-try with debugging enabled:

[email protected]:~/Downloads/lms-8.0.0-7$ make clean
[email protected]:~/Downloads/lms-8.0.0-7$ ./configure --enable-debug --enable-daemon=no
[email protected]:~/Downloads/lms-8.0.0-7$ make
[email protected]:~/Downloads/lms-8.0.0-7$ sudo src/lms


Once LMS is successfully running as per above, start a new shell:

[email protected]:~$ cd amt-forensics/
[email protected]:~/amt-forensics$ chmod u+x
[email protected]:~/amt-forensics$ sudo ls # does a hidden sudo
[email protected]:~/amt-forensics$ ./
[email protected]:~/amt-forensics$ python ./ > decoded_log.txt
[email protected]:~/amt-forensics$ cat decoded_log.txt # Sample Output as example.
    "EventID": "AMT Provisioning Started",
    "InitType": "HTTP_DIGEST",
    "UsernameLength": 9,
    "Username": "$$OsAdmin",
    "TimeStamp": 1072922804,
    "TimeStamp_readable": "2004-01-01 03:06:44",
    "MCLocationType": "IPV4_ADDR",
    "NetAddressLength": 9,
    "NetAddress": "",
    "ExtendedDataLength": 4,
    "ExtendedData": "V\"\u00b8\u009c"
    "EventID": "AMT Provisioning Started",
    "InitType": "LOCAL_INITIATOR",
    "TimeStamp": 1506659359,
    "TimeStamp_readable": "2017-09-29 06:29:19",
    "MCLocationType": "NONE",
    "NetAddressLength": 0,
    "ExtendedDataLength": 0
[email protected]:~/amt-forensics$

Web Interface Login

To login via http://localhost:16992/logon.htm, you can obtain password for the user $$osAdmin as per follows:

[email protected]:~/amt-forensics$ sudo python
[Password String]
[email protected]:~/amt-forensics$

You can then use the username $$osAdmin and the printed password string to login.

Info from all APIs

The script under the all_api_calls directory will attempt to gather info from all available AMT WSMAN APIs. This can be useful for manual searching & inspiration during forensics.


This is not an official Google product.

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
python (54,408
linux (2,508
forensics (72
intel (67