This tutorial demonstrates creating remote access on a device using the Intel AMT BIOS extension. The exploit was recently explained by F-Secure. The documentation from Intel on AMT can be found here.

This tutorial demonstrates access from one Windows device to another on the same network. The target device must be physically connected to the network. Depending on your device/version, accessing the AMT menu and the screens presented may be slightly different. However, the configuration items are the same.

 

Software

  • Intel’s Active Management Technology (nothing to download; you either have it or you don’t)
  • VNC Viewer Plus – Not free!
    • MeshCommander is a free alternative. This was not tested for this tutorial.

 

Preparation

Screenshots are included at the end of the tutorial for ease of finding commands.

Open a command prompt on the target device. Find the IP address of the device and write it down for future use.

  • WinLogo + R
  • cmd
  • C:\>ipconfig
    • It may be useful to run net config workstation to obtain the hostname and workgroup as well.
  • Search for the IP address (typically a LAN adapter showing an IPv4 address)

Reboot the target machine.

At the boot screen, hold down the Ctrl key and press P repeatedly until the MEBx menu opens. Alternatively, you can press Ctrl + P just once if you have the timing right.

 

Configuring Intel(R) Management Engine BIOS Extension

If this is your first time accessing this menu, you will be prompted to enter the current password and create a new one.

  • Default password: admin
  • Alternative default: P@ssw0rd

The new password must meet the following criteria:

  • 8 or more characters
  • Uppercase letter
  • Lowercase letter
  • Number
  • Special character

The first setting to change may be found in either Intel(R) ME General Settings or Intel(R) AMT Configuration depending on your device.

  • Select the appropriate Intel(R) menu for your device to find Power Control
    • Select Intel(R) ME ON in Host Sleep States
      • Enable Mobile: ON in S0, ME Wake in S3, S4-5 (AC only)
    • Select Idle Timeout
      • Change default value to 65535

The rest of the settings will be found in Intel(R) AMT Configuration.

  • Select Intel(R) AMT Configuration
    • Select SOL/IDER/KVM
      • Enable SOL, IDER, and KVM
    • Select User Consent
      • Select User Opt-in
        • Change default value to None
    • Select Activate Network Access
      • Press to continue
    • Verify Activate Network Access has changed to Unconfigure Network Access

Exit the Intel(R) Management Engine BIOS Extension by selecting Exit on the main menu.

 

Remote Access to Target Device

Open VNC Viewer Plus (or MeshCommander; steps will vary).

  • Change Connection Mode to Intel AMT KVM
  • Change Encryption to None
  • Select the text box for AMT Server and enter the IP address (or hostname)
  • Press Connect
  • Select Yes when asked to verify the fully-qualified domain name
  • Enter the credentials
    • Username: admin
    • Password: *previously set when configuring AMT*

Congratulations! You now have remote access to the target device.
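
Seen from the defender's side, the menu changes above are the indicators to audit for. The following is an added example, not part of the original tutorial: it checks a constructed inventory record (all field names and finding codes are hypothetical, not an Intel or vendor format) for the settings this procedure leaves behind, and shows that the alternative default password satisfies the complexity criteria, so a denylist is needed as well.

```python
import re

# Default MEBx passwords named in the tutorial above.
DEFAULT_PASSWORDS = {"admin", "P@ssw0rd"}

def password_acceptable(pw):
    """MEBx complexity criteria from the tutorial, plus a default-password denylist."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    complex_enough = len(pw) >= 8 and all(re.search(c, pw) for c in classes)
    return complex_enough and pw not in DEFAULT_PASSWORDS

def audit_amt(rec):
    """Return finding codes for one inventory record (field names are hypothetical)."""
    findings = []
    if rec.get("mebx_password_is_default", True):   # unknown is treated as default
        findings.append("DEFAULT_MEBX_PASSWORD")
    if rec.get("network_access_active") and not rec.get("amt_managed"):
        findings.append("UNEXPECTED_AMT_PROVISIONING")
    redirection = [f for f in ("sol", "ider", "kvm") if rec.get(f + "_enabled")]
    # A missing opt-in value is read as "none", so the check fails closed.
    if redirection and str(rec.get("user_opt_in")).lower() == "none":
        findings.append("REDIRECTION_WITHOUT_USER_CONSENT:" + ",".join(redirection))
    if rec.get("idle_timeout") == 65535:             # value set in the tutorial
        findings.append("IDLE_TIMEOUT_65535")
    if rec.get("me_on_in_sleep"):
        findings.append("ME_REACHABLE_WHILE_HOST_SLEEPS")
    return findings

# Constructed sample records: the state the tutorial produces (the password is
# no longer a default, because it was replaced during setup), and a laptop
# where AMT was never activated.
TAMPERED = {"host": "laptop-01", "amt_managed": False,
            "mebx_password_is_default": False, "network_access_active": True,
            "sol_enabled": True, "ider_enabled": True, "kvm_enabled": True,
            "user_opt_in": "None", "idle_timeout": 65535, "me_on_in_sleep": True}
CLEAN = {"host": "laptop-02", "amt_managed": False,
         "mebx_password_is_default": False, "network_access_active": False,
         "sol_enabled": False, "ider_enabled": False, "kvm_enabled": False,
         "user_opt_in": "KVM", "idle_timeout": 1, "me_on_in_sleep": False}

if __name__ == "__main__":
    for rec in (TAMPERED, CLEAN):
        print(rec["host"], audit_amt(rec) or "no findings")
    print("P@ssw0rd rejected:", not password_acceptable("P@ssw0rd"))
```

A record with no data at all is reported as `DEFAULT_MEBX_PASSWORD`, since an unverified MEBx password has to be assumed unchanged.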

 

Screenshots

Screenshot captions, in order (images not reproduced): Intel(R) ME Password; Main Menu; Power Control; Host Sleep States; Idle Timeout; AMT Configuration; SOL/IDER/KVM; SOL; IDER; KVM; User Consent; User Opt-in; Activate Network Access; Yes; Unconfigure Network Access; VNC Viewer Plus Configuration; Fully-Qualified Domain; Login Screen; Credentials; Remote Accessed.