Cybersecurity

The Death Metal Suite

Coalfire Cybersecurity Team

April 10, 2019

This content is provided "as is" and is more than a year old. No representations are made that the content is up to date or error-free.


Overview

Intel Active Management Technology (AMT) is a feature provided by Intel for remote administration. If you happen to have a corporate laptop, odds are you too have AMT built into your system. To a sysadmin, AMT eases access to machines for the sake of assisting employees with technical issues, even if the hard drive has failed or been affected by ransomware. This is due primarily to the fact that AMT does not require a functioning operating system for accessibility. Its configuration and operating environment reside completely within its own dedicated hardware!

Death Metal is a toolkit designed to exploit AMT’s legitimate features. The AMT framework’s functionality, designed for innocent system administration purposes, inadvertently lets attackers use those same features for surreptitious persistence, because many of them violate the expectations of sysadmins and endpoint protection software. I liken AMT to “lolbins” (short for “living off the land binary”), but instead of operating at the software level, Death Metal operates at the hardware level. With the Death Metal suite, we are essentially misusing and abusing mainstream commercial functionality in unexpected ways. Within the information security community, attacks against AMT itself are not news; however, Death Metal introduces new ways to attack the AMT framework in a practical, red-team fashion.

Features

For about a month during the development of Death Metal, I focused on implementing the various protocols used by AMT in Python. This required some reverse engineering on the fly, as the AMT technology is not entirely documented. (Some features are proprietary.) I also discovered useful quirks and was able to code a few programs that bring the Death Metal suite together.

It’s a known fact in the information security industry that every tool needs a cool name, which is why the suite of tools I developed is called Death Metal! I am channeling Metalocalypse because it’s dangerous to take oneself (or one’s tools) too seriously.

Before we dive in, it's important to note that at the time of this writing, the collection of tools within the Death Metal suite amount to a sophisticated evil maid attack. Currently, there is reason to suspect that AMT can be enabled and configured through pure software (via MEI PCI interface and in admin control mode); however, what I have so far in Death Metal requires provisioning via BIOS or USB.

Tool set

The Keyboard Video Multiplexer (KVM) is an AMT remoting technology that provides VNC access to the target computer, comprising video output and keyboard/mouse input. All the network interactivity is completely invisible to the running operating system, including its network stack! A host-based firewall or packet sniffer running on the target system will NOT detect or prevent an attacker from connecting to restricted devices. For this feature, I wrote a simple Duckyscript interpreter capable of sending malicious keystrokes over the KVM feature. One unique aspect of my implementation in Death Metal is that it does not trigger the tell-tale flashing border, which normally indicates that a KVM connection is underway. (Under normal use of the KVM feature, a banner surrounds the victim’s screen indicating remote connectivity; with the Death Metal suite this banner does not present itself to the victim, although an icon still flashes.)

Here is a video of an attacker using Pickles to send data to a target system with AMT provisioned on it:

The victim machine responds accordingly, and the running Wireshark on the system does not see the AMT data on UDP port 16994:

AMT can be remotely configured via the WS-Management protocol with a custom authentication scheme. There is a myriad of configurable and/or queryable items within this protocol, and I have only begun implementing a small subset of them. For this feature, I have written a tool that can remotely enable KVM, disable user consent, secure boot and BIOS passwords, and wipe AMT audit logs. Analyzing unpacked firmware images suggests that there are a few interesting undocumented items within this space.

Here is Nathan wiping logs from AMT:

IDER (IDE Redirection) is a proprietary Intel technology that enables remotely attaching floppy and CD/DVD devices. I reverse engineered and implemented this within Toki enough to remotely attach CD/DVD devices to a running operating system. It is also possible to successfully boot computers into arbitrary ISOs using Toki! It is now possible to remotely connect to a compromised system and turn it into a penetration testing or forensics platform.

Here is the Toki serving a remote disk to a target machine:

The victim machine believes that a drive has been mounted:

Computers with AMT (enabled or not) can be detected on the network (firewall or not) very quickly with specially crafted UDP packets. Even though Rockso uses UDP, this network traffic too is completely invisible to host-based tools used to analyze network traffic, because the target port resides in the hardware itself. I have written a scanner that discovers potential targets, printing out their firmware version numbers and enabled status.

Advice for the Blue Team

The best advice I have for reducing the risks inherent to AMT is to buy systems without it enabled. If that is not possible, provision your systems before someone malicious does, change the password, and disable everything you can. Pressing Ctrl+P during system boot is the most common way of entering the MEBX (Management Engine BIOS Extension) menu system, which exposes the configuration options. The default password is admin. It really pains me to say this, because it reduces office pranking potential – but if someone has beaten you to it, popping out the little coin-cell battery clears the password (on Dell laptops at least).
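Since AMT traffic never touches the host's network stack, the only place a defender can see it is on the wire. As an added example (not part of the Death Metal suite or of the original post), here is a small detector over constructed Zeek-style flow records: it inventories hosts that answer on the well-known AMT ports and alerts on any AMT-port flow that does not originate from an approved management console. The console address, the simplified record layout and the sample records are assumptions.

```python
"""Flag Intel AMT traffic in network flow records.

Added example for this post, not part of the Death Metal suite or of Intel's
software. Host firewalls and sniffers cannot see AMT flows, so a network tap
or flow collector is where this check has to run.
"""
from collections import namedtuple

# Well-known Intel AMT listeners: 16992/16993 WS-Management over HTTP/HTTPS,
# 16994/16995 redirection (KVM, SOL, IDER). The post sees KVM data on 16994.
AMT_PORTS = {16992, 16993, 16994, 16995}
# Assumed: the only host permitted to talk to AMT is the sysadmin console.
APPROVED_CONSOLES = {"10.0.0.5"}

Alert = namedtuple("Alert", "src dst port proto")

def records(lines):
    """Yield parsed records; assumed layout: ts uid src sport dst dport proto state."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, _uid, src, _sport, dst, dport, proto, state = line.split("\t")[:8]
        yield {"src": src, "dst": dst, "dport": int(dport),
               "proto": proto, "state": state}

def detect_amt(lines):
    """Alert on every AMT-port flow (answered or not) from a non-console source."""
    return [Alert(c["src"], c["dst"], c["dport"], c["proto"])
            for c in records(lines)
            if c["dport"] in AMT_PORTS and c["src"] not in APPROVED_CONSOLES]

def amt_hosts(lines):
    """Inventory: hosts that answered on an AMT port, i.e. AMT is present and reachable.
    S0 / REJ are Zeek connection states meaning the responder never replied."""
    return sorted({c["dst"] for c in records(lines)
                   if c["dport"] in AMT_PORTS and c["state"] not in ("S0", "REJ")})

# Constructed sample records (not captured from a real network).
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1554900000.1\tC1\t10.0.0.5\t51000\t10.0.1.20\t16992\ttcp\tSF",   # console: allowed
    "1554900001.2\tC2\t10.0.0.77\t40001\t10.0.1.20\t16994\tudp\tSF",  # KVM-style: alert
    "1554900002.3\tC3\t10.0.0.77\t40002\t10.0.1.20\t443\ttcp\tSF",    # ordinary: ignore
    "1554900003.4\tC4\t10.0.0.91\t40003\t10.0.1.21\t16993\ttcp\tSF",  # alert
    "1554900004.5\tC5\t10.0.0.91\t40004\t10.0.1.22\t16992\ttcp\tS0",  # probe, no AMT answered
]

if __name__ == "__main__":
    print("AMT-bearing hosts:", amt_hosts(SAMPLE_CONN))
    for alert in detect_amt(SAMPLE_CONN):
        print("ALERT", alert)
```

Unanswered probes still alert, so a Rockso-style sweep shows up even on hosts without AMT, while the inventory lists only hosts that actually answered.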

Advice for the Red Team

Try this out on FedRAMP engagements including an assessment of golden laptop configurations 😉.

This has been a fun project so far, and there is so much more to be done. Did you know it can speak WiFi and IPv6? Be sure to check out the GitHub repo here for future developments! (I intend to release a USB AMT provisioning tool to assist in creating evil thumb drives.) Also, I believe AMT crashed on me several times during the development of this project, and I hope to turn those crashes into something . . . darker.

My hope is that you enjoyed the read and will use this information to raise awareness of this potentially dangerous set of features!

Credits: https://senseless.info/ has a C implementation of the IDER protocol; it greatly accelerated my work. Thanks a ton!