Re: Is a port scan good enough?

Date: 2017-05-02 02:18 pm (UTC)
From: [personal profile] timmc

I configured AMT on my work-provided Thinkpad T430s laptop (default password admin, new password must meet requirements) and connected it to ethernet.

When I scanned my home LAN with nmap -p16992,16993,16994,16995,623,664 192.168.1.0/24 I only found that one machine listening on any of the ports:

Nmap scan report for 192.168.1.142
Host is up (0.0036s latency).
PORT      STATE  SERVICE
623/tcp   open   oob-ws-http
664/tcp   closed secure-aux-bus
16992/tcp open   amt-soap-http
16993/tcp closed amt-soap-https
16994/tcp closed unknown
16995/tcp closed unknown

I also confirmed that AMT was the culprit:

$ curl -sS http://192.168.1.142:623 -i
HTTP/1.1 303 See Other
Location: /logon.htm
Content-Length: 0
Server: Intel(R) Active Management Technology 8.1.2

$ curl -sS http://192.168.1.142:16992 -i
HTTP/1.1 303 See Other
Location: /logon.htm
Content-Length: 0
Server: Intel(R) Active Management Technology 8.1.2

The logon.htm page says "Web browser access to Intel® Active Management Technology is disabled on this computer, or the page in the address bar is unavailable."

Note that making those curl calls from the machine itself results in connection refused! (No matter whether I call via localhost or wlan0 or eth0 LAN IPs.) It has to be from another machine.

The machine in question is willing to try to listen on those ports at the OS level, but an attempt to connect and send data is intercepted by AMT. That's another way you could tell, I suppose.

I did not observe these behaviors when connected over WiFi instead of ethernet.
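The check described in the comment above, as an added example that is not part of the original comment: a small inventory script that probes the two plain-HTTP ports the commenter queried with curl and identifies AMT from the `Server` header. The function names and the CIDR command-line argument are assumptions made for illustration.

```python
import re
import socket
import sys
from ipaddress import ip_network

# The two ports the comment queried over plain HTTP with curl.
PLAIN_HTTP_PORTS = (16992, 623)
# Matches the Server header shown in the comment; the version is optional.
AMT_SERVER = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]+)?")

def parse_server_header(raw: bytes):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def amt_version(raw: bytes):
    """Return (is_amt, version_or_None) for a raw HTTP response."""
    match = AMT_SERVER.search(parse_server_header(raw) or "")
    return (True, match.group(1)) if match else (False, None)

def probe(host: str, port: int, timeout: float = 2.0):
    """Send a plain HTTP GET; return the response headers as bytes, or None."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            buf = b""
            while b"\r\n\r\n" not in buf:
                data = sock.recv(4096)
                if not data:
                    break
                buf += data
            return buf
    except OSError:                              # refused, timed out, unreachable
        return None

if __name__ == "__main__":
    # Run from a different machine on the wired LAN: the comment reports that
    # connections from the AMT host itself are refused.
    for addr in ip_network(sys.argv[1], strict=False).hosts():
        for port in PLAIN_HTTP_PORTS:
            raw = probe(str(addr), port)
            is_amt, version = amt_version(raw) if raw else (False, None)
            if is_amt:
                print(f"{addr}:{port} AMT version={version or 'unknown'}")
```

Invoke it with the network to inventory, for example `192.168.1.0/24` as in the nmap command above.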


Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
