Discussion in 'Application Software' started by Mr.X, Sep 10, 2015.
Tried some wireshark analysis the other day, it was messy and difficult to comprehend. Separating the legit from the suspicious traffic was impossible for a beginner.
@roga: Welcome to the world of Reverse Engineering.
Before You can interpret a capture, You need to learn about UDP, TCP/IP and HTTP(S) protocols. You need to know what to look for. If You want to analyze the operations of a program, You have to know what the various keys in the Windows Registry are for. Not to mention what messages are being processed as well as sent.
If You want to understand what's going on with an executable file, You need to learn x86 ASM. (16, 32 and 64 bit)
You have your work cut out for You. I suggest You start by reading Charles Petzold's book on Windows programming.
Then, find a book called "The Art of Asm"
At that point, You will have scratched the surface.
Why thank you, you are everywhere on this forum!
As explained in the other thread, I am avoiding the hardcore reading on computing. My network analysis is restricted to seeing what IP the computer is connecting to. Some software makes this kind of analysis easy, for example TCPview and firewall monitor. Wireshark does not make it easy because it captures everything and floods the user with information. I shall leave the Wireshark analysis to experts like you, and watch what you and others report on MDL!
I'm hanging to do this for W7. Just gotta' wait for my Fiddler Handbook to arrive... much easier to refer to text as opposed to screen display while you are trying to analyse, etc...
In regards to Wireshark, yeah... it is hell messy to spot every tidbit, but for the most part one could apply a filter for "DNS" and sit back and watch the callouts, not just for MS (yet to occur for me today, but they will) but for every god-damn app you have installed and every website you visit. I must admit, slapping some of the DNS stuff into my Hosts file has made a difference somewhat. What also made things quieter was fondling about:config in Firefox (it isn't just MS turning its OS into a terminal, it is also Mozilla!).
The packet capture display is improved in Wireshark if you do: Edit - Properties - Protocols - TCP - "untick" Allow subdissector to reassemble TCP streams.
I changed the title, but not the purpose of my thread, which is to properly analyze Windows telemetry traffic.
However I took Wireshark out of the question as I read there are other tools which might be used and/or are easier to use.
The main and important thing here is the analysis not the tools per se.
Thanks @ all.
I knew I smelt compost when I heard about Microsoft Azure!
If W10 is a service, doesn't that mean it's at kernel level? Also... wouldn't this mean that the only way to avoid full phone-home behaviour would be to run W10 with no net access at all... from a separate rig? Might be worth checking out if your BIOS can switch off your onboard LAN (if you have one) so sole use remains with NIC.
*coughs* Thank f**k for Linux *cough*
To test the shellbag stuff out, type this into your search engine - "Privazer Shellbag Analyzer Cleaner". It should be first cab off the rank. I haven't tried this lil' app out yet since I have the option in Privazer itself. So pick and choose what you wish...
The Online Paranoia Forum Blog page also mentions ShellBags... might be worth a read.
windsman, marzametal
I don't think that was what the OP had in mind about where this thread should go.
With that said, I fired up a clean install of Windows 10 Pro in VMware and spent less than an hour in total letting Fiddler do its thing. So far I have not found any info that even the less tech-savvy MDL users didn't already know, and I found these processes that hide themselves by default from broadcasting to localhost (Fiddler has a way to change that behaviour):
I believe that is why changing your hosts file has no effect on blocking some of the telemetry sites, but one thing I want to try one day is to change the name of my localhost in the hosts file to something like "FuMicrosoft".
One more thing about trying to capture HTTPS traffic and decode it is that some services might use certificate pinning to thwart that.
Assigned Access Lock app
Email and accounts
Films & TV Test Account
Mail and Calendar
Microsoft .Net Native Framework Package 1.0
Microsoft .Net Native Runtime Package 1.0
Microsoft People Test Account
Microsoft Phone Companion
Microsoft Solitaire Collection
Microsoft Visual C++ 2015 Runtime Package
Microsoft Visual C++ Runtime Package
Microsoft family restrictions
Search (Search the web and Windows)
Usermode Font Driver Host
Windows Alarms & Clock
Windows Default Lock Screen
Windows Shell Experience
Windows Voice Recorder
Work or school account
Xbox Game UI
Xbox Identity Provider
windows_ie_ac_001 (Created by IE)
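Two points raised above lend themselves to a small worked example: the suggestion earlier in the thread to filter a capture down to DNS and watch the callouts, and the remark just above that hosts-file entries do not seem to stop some telemetry destinations. The script below is an added example, not code from this thread or from Wireshark/Fiddler. It parses the kind of tab-separated output `tshark -T fields` produces (the field names `frame.time_relative`, `ip.src`, `dns.qry.name` and `dns.a` are real tshark fields; the rows themselves are constructed, using reserved example domains), parses a constructed hosts-file excerpt, and reports which queried names the hosts file already sinkholes. A name that is sinkholed in the hosts file but still appears as a DNS query on the wire is flagged, because that is exactly the symptom described above: something resolved the name without consulting the hosts file. It also builds a Wireshark display filter for the names of interest, which is a real display-filter syntax.

```python
"""Summarise DNS lookups from a tshark field export and check them
against a hosts-file blocklist.

Added example for the thread; not code from Wireshark, Fiddler or the
posters.  Input mimics:
  tshark -r capture.pcapng -Y "dns.flags.response == 1" -T fields \
         -E separator=/t -e frame.time_relative -e ip.src \
         -e dns.qry.name -e dns.a
All sample values below are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample rows (tab-separated, one DNS response each).
SAMPLE_TSHARK = (
    "0.512\t192.168.1.1\ttelemetry.example.com\t203.0.113.10\n"
    "1.021\t192.168.1.1\tsettings.example.net\t203.0.113.11\n"
    "1.734\t192.168.1.1\twww.example.org\t198.51.100.7\n"
    "2.110\t192.168.1.1\tTelemetry.example.com.\t203.0.113.10\n"
    "3.402\t192.168.1.1\tportal.example.com\t198.51.100.20\n"
)

# Constructed hosts-file excerpt of the kind discussed in the thread.
SAMPLE_HOSTS = (
    "# sinkhole entries\n"
    "127.0.0.1   localhost\n"
    "0.0.0.0     telemetry.example.com\n"
    "0.0.0.0     stats.example.net   # not queried in the sample\n"
)

# Addresses commonly used to sinkhole a hostname in the hosts file.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_tshark_fields(text):
    """Turn tshark -T fields rows into dicts; skip malformed rows."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        t, src, qname, answer = parts
        records.append({
            "time": float(t),
            "resolver": src,
            # normalise case and a trailing root dot so counts aggregate
            "qname": qname.lower().rstrip("."),
            "answer": answer,
        })
    return records


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, ignoring comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def summarise(records, hosts):
    """Per-name query counts plus hosts-file cross-check."""
    counts = Counter(r["qname"] for r in records)
    answers = defaultdict(set)
    for r in records:
        answers[r["qname"]].add(r["answer"])

    per_name = {}
    for name, n in counts.items():
        sinkholed = hosts.get(name) in SINKHOLES
        per_name[name] = {
            "queries": n,
            "answers": sorted(answers[name]),
            "hosts_entry": hosts.get(name),
            # A sinkholed name should never reach the resolver; seeing it
            # on the wire means the hosts file was bypassed for it.
            "bypassed_hosts": sinkholed,
        }

    # Sinkholed names that never appeared on the wire ("localhost" is the
    # standard loopback entry, not a sinkhole, so it is skipped).
    sinkholed_not_seen = sorted(
        name for name, addr in hosts.items()
        if addr in SINKHOLES and name != "localhost" and name not in counts
    )
    return {"per_name": per_name, "sinkholed_not_seen": sinkholed_not_seen}


def display_filter(names):
    """Wireshark display filter matching DNS traffic for the given names."""
    return " || ".join(f'dns.qry.name == "{n}"' for n in sorted(names))


if __name__ == "__main__":
    report = summarise(parse_tshark_fields(SAMPLE_TSHARK), parse_hosts(SAMPLE_HOSTS))
    for name, info in sorted(report["per_name"].items()):
        flag = "  <-- queried despite hosts sinkhole" if info["bypassed_hosts"] else ""
        print(f"{name:28} {info['queries']:>3}  {','.join(info['answers'])}{flag}")
    print("sinkholed, not seen:", report["sinkholed_not_seen"])
    print("filter:", display_filter(report["per_name"]))
```

Run against a real export, `parse_tshark_fields` would take the file contents instead of `SAMPLE_TSHARK`; the `bypassed_hosts` flag is the thing to look at first, since it separates names the hosts file is handling from names some component resolves on its own.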
No problem, I know what Mr.X has in mind; this was just a parenthesis.
Your comment is interesting.
I thought I would share a pic of Fiddler doing its thing.
Most of this was from Cortana searching for Snipping Tool.
Some encrypted traffic
I know I should have found something interesting, but I was in a rush when I did it.
Looking at that gif in the first post, after switching off every setting Windows can't stop talking to M$ servers, right?
Very impressive dude, thanks for sharing.