This tests Intel AMT for the authentication bypass vulnerability.
See https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability for details.
Tested on a few vuln hosts, works as expected.
Added nse for INTEL-SA-00075.
3 modifications you should make:
In addition to "AMT", "Intel(R) Con. Management Engine 5.0.1" (and 5.0.2) could also be vulnerable. Supposedly < 6.0 is safe, but you never know until you try yourself. Maybe just check for Intel(R) or AMT in the early check?
I think a simpler way to check would be to run the script only on the Intel AMT web server ports (16992, 16993, 623 and 664), without checking whether the HTTP response Server header field contains the "AMT" or "Intel Active Management Technology" string.
Thanks for the comments. Do you know if the remote ports can be changed in the configuration?
Remote ports can't be changed. The only things that can change are the following:
If AMT is configured in SSL, it will listen on port 16993 (both WS-MAN and Web interface) and 664 (WS-MAN only, DASH standard).
AMT can be configured to support both HTTP and HTTPS at the same time. In such a configuration, it will listen on the following ports: 16992, 16993, 623 and 624.
Redirection ports 16994 (tcp) and 16995 (tls) can be enabled or not depending on the configuration.
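
The two candidate-selection approaches debated in this thread (port-only versus Server-header matching), written out as an added example that is not code from this pull request. The function names and sample responses are constructed for illustration; the port sets are the ones given in the replies, with 664 used for WS-MAN over TLS.

```python
import re

# Ports as listed in the replies above: web UI and WS-MAN, plaintext and TLS.
PLAINTEXT_PORTS = {16992, 623}
TLS_PORTS = {16993, 664}
REDIRECTION_PORTS = {16994, 16995}
# Loose match suggested in the thread: "Intel(R)" or "AMT" in the Server header.
SERVER_HINT = re.compile(r"Intel\(R\)|\bAMT\b|Active Management Technology", re.I)

# Constructed sample responses (not captured from real hosts).
SAMPLE_AMT = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"Server: Intel(R) Con. Management Engine 5.0.1\r\n\r\n")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html></html>"

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def is_candidate(port, raw_response=None, require_header=False):
    """Decide whether the check should run against this port.

    require_header=False is the port-only rule; True additionally
    requires a Server header that looks like Intel AMT.
    """
    if port not in PLAINTEXT_PORTS | TLS_PORTS:
        return False
    if not require_header:
        return True
    server = server_header(raw_response or b"")
    return bool(server and SERVER_HINT.search(server))

def describe_exposure(open_ports):
    """Summarise the AMT configuration implied by a host's open ports."""
    ports = set(open_ports)
    return {
        "plaintext": sorted(ports & PLAINTEXT_PORTS),
        "tls": sorted(ports & TLS_PORTS),
        "redirection": sorted(ports & REDIRECTION_PORTS),
    }
```

The port-only rule still fires when a proxy strips or rewrites the Server header, while the header rule avoids probing unrelated services that happen to sit on these ports.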