Skip to content
This repository has been archived by the owner on Nov 5, 2022. It is now read-only.
/ amt-forensics Public archive

Retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password.


Notifications You must be signed in to change notification settings


AMT Forensics for Linux

This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the script can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).



  1. Linux machine with a provisioned AMT
  • For testing, you can manually provision AMT yourself in 10 steps.
  • Make sure /dev/mei exists.
    • You may need to sudo ln -s /dev/mei0 /dev/mei.
    • If this doesn't exist then this most likely means AMT is not enabled & provisioned.
  1. Python & OpenWSMAN installed
  • Python 2.7 with python-enum34 (sudo apt-get install python-enum34)
  • The wsman binary in $PATH:


The Local Manageability Service (LMS) for Linux needs to built and started:

  1. Download lms-8.0.0-7.tar.gz and unzip it. You can read more info about LMS for Linux here.
  2. Copy lms.patch from this repository into the unziped directory.
  3. Carry out the following commands:
user@host:~/Downloads/lms-8.0.0-7$ patch -p1 < lms.patch
user@host:~/Downloads/lms-8.0.0-7$ chmod u+x configure
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ # fix problems and re-run until all OK.
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms

You should be able to load http://localhost:16992/ in your browser now.

Note: On some machines, restarting lms and/or machine is required.

If problems continue, re-try with debugging enabled:

user@host:~/Downloads/lms-8.0.0-7$ make clean
user@host:~/Downloads/lms-8.0.0-7$ ./configure --enable-debug --enable-daemon=no
user@host:~/Downloads/lms-8.0.0-7$ make
user@host:~/Downloads/lms-8.0.0-7$ sudo src/lms


Once LMS is successfully running as per above, start a new shell:

user@host:~$ cd amt-forensics/
user@host:~/amt-forensics$ chmod u+x
user@host:~/amt-forensics$ sudo ls # does a hidden sudo
user@host:~/amt-forensics$ ./
user@host:~/amt-forensics$ python ./ > decoded_log.txt
user@host:~/amt-forensics$ cat decoded_log.txt # Sample Output as example.
    "EventID": "AMT Provisioning Started",
    "InitType": "HTTP_DIGEST",
    "UsernameLength": 9,
    "Username": "$$OsAdmin",
    "TimeStamp": 1072922804,
    "TimeStamp_readable": "2004-01-01 03:06:44",
    "MCLocationType": "IPV4_ADDR",
    "NetAddressLength": 9,
    "NetAddress": "",
    "ExtendedDataLength": 4,
    "ExtendedData": "V\"\u00b8\u009c"
    "EventID": "AMT Provisioning Started",
    "InitType": "LOCAL_INITIATOR",
    "TimeStamp": 1506659359,
    "TimeStamp_readable": "2017-09-29 06:29:19",
    "MCLocationType": "NONE",
    "NetAddressLength": 0,
    "ExtendedDataLength": 0

Web Interface Login

To login via http://localhost:16992/logon.htm, you can obtain password for the user $$osAdmin as per follows:

user@host:~/amt-forensics$ sudo python
[Password String]

You can then use the username $$osAdmin and the printed password string to login.

Info from all APIs

The script under the all_api_calls directory will attempt to gather info from all available AMT WSMAN APIs. This can be useful for manual searching & inspiration during forensics.


This is not an official Google product.


Retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password.




Code of conduct

Security policy





No releases published


No packages published