[Q]-How to properly analyze Windows telemetry traffic?

Discussion in 'Application Software' started by Mr.X, Sep 10, 2015.

  1. Mr.X

    Mr.X MDL Guru

  2. sml156

    sml156 MDL Member

    #2 sml156, Sep 10, 2015
    Last edited: Sep 10, 2015
  3. Michaela Joy

    Michaela Joy MDL Crazy Lady

    #4 Michaela Joy, Sep 11, 2015
    Last edited: Sep 11, 2015
  4. roga

    roga MDL Member

    Tried some Wireshark analysis the other day; it was messy and difficult to comprehend. Separating the legit from the suspicious traffic was impossible for a beginner.
  5. Michaela Joy

    Michaela Joy MDL Crazy Lady

    @roga: Welcome to the world of Reverse Engineering. ;)

    Before You can interpret a capture, You need to learn about UDP, TCP/IP and HTTP(S) protocols. You need to know what to look for. If You want to analyze the operations of a program, You have to know what the various keys in the Windows Registry are for. Not to mention what messages are being processed as well as sent.

    If You want to understand what's going on with an executable file, You need to learn x86 ASM. (16, 32 and 64 bit)

    You have your work cut out for You. I suggest You start by reading Charles Petzold's book on Windows programming.

    Then, find a book called "The Art of Asm"

    At that point, You will have scratched the surface. :)
  6. roga

    roga MDL Member

    Why thank you :eek: you are everywhere on this forum!
    As explained in the other thread, I am avoiding the hardcore reading on computing. My network analysis is restricted to seeing what IPs the computer is connecting to. Some software makes this kind of analysis easy, for example TCPView and firewall monitors. Wireshark does not make it easy because it captures everything and floods the user with information. I shall leave the Wireshark analysis to experts like you, and watch what you and others report on MDL!
  7. Michaela Joy

    Michaela Joy MDL Crazy Lady

  8. marzametal

    marzametal MDL Novice

    I'm hanging to do this for W7. Just gotta' wait for my Fiddler Handbook to arrive... much easier to refer to text as opposed to screen display while you are trying to analyse, etc...

    In regards to Wireshark, yeah... it is hell messy to spot every tidbit, but for the most part one could apply a filter for "DNS" and sit back and watch the callouts, not just for MS (yet to occur for me today, but they will) but for every god-damn app you have installed and every website you visit. I must admit, slapping some of the DNS stuff into my Hosts file has made a difference somewhat. What also made things quieter was fondling about:config in Firefox (it isn't just MS turning its OS into a terminal, it is also Mozilla!).

    The packet capture display is improved in Wireshark if you do: Edit - Properties - Protocols - TCP - "untick" Allow subdissector to reassemble TCP streams.
     
  9. Mr.X

    Mr.X MDL Guru

    @Everybody

    I changed the title but not the purpose of my thread, which is to properly analyze Windows telemetry traffic.
    However, I took Wireshark out of the question as I read there are other tools which might be used and/or are easier to use.
    The main and important thing here is the analysis, not the tools per se.

    Thanks @ all.
     
  10. sml156

    sml156 MDL Member

    #11 sml156, Sep 11, 2015
    Last edited: Sep 12, 2015
  11. windsman

    windsman MDL Expert

  12. marzametal

    marzametal MDL Novice

    #13 marzametal, Sep 12, 2015
    Last edited: Sep 12, 2015
    I knew I smelt compost when I heard about Microsoft Azure!

    If W10 is a service, doesn't that mean it's at kernel level? Also... wouldn't this mean that the only way to avoid full phone-home behaviour would be to run W10 with no net access at all... from a separate rig? Might be worth checking out if your BIOS can switch off your onboard LAN (if you have one) so sole use remains with the NIC.

    *coughs* Thank f**k for Linux *cough*

    To test the shellbag stuff out, type this into your search engine - "Privazer Shellbag Analyzer Cleaner". It should be first cab off the rank. I haven't tried this lil' app out yet since I have the option in Privazer itself. So pick and choose what you wish...

    The Online Paranoia Forum Blog page also mentions ShellBags... might be worth a read.
     
  13. sml156

    sml156 MDL Member

    #14 sml156, Sep 12, 2015
    Last edited: Sep 12, 2015
    windsman, marzametal

    I don't think that was what the OP had in mind about where this thread should go.

    With that said, I fired up a clean install of Windows 10 Pro in VMWare and spent less than an hour in total letting Fiddler do its thing, and so far have not found any info beyond what even the less tech-savvy MDL users already know. I found these processes that hide themselves by default from broadcasting to localhost (Fiddler has a way to change that behaviour):

    I believe that is why changing your hosts file has no effect on blocking some of the telemetry sites, but one thing I want to try one day is to change the name of my localhost in the hosts file to something like "FuMicrosoft".

    One more thing about trying to capture HTTPS traffic and decode it is that some services might use certificate pinning to thwart that.

    3D Builder
    @{Microsoft.BingFinance_4.4.200.0_x86
    @{Microsoft.BingSports_4.4.200.0_x86
    @{Microsoft.MicrosoftOfficeHub_17.6020.23801.0_x64
    App connector
    Assigned Access Lock app
    Bio Enrollment
    Contact SupportContact
    Email and accounts
    Films & TV Test Account
    Get Started
    Groove Music
    MSN News
    MSN Weather
    Mail and Calendar
    Microsoft .Net Native Framework Package 1.0
    Microsoft .Net Native Runtime Package 1.0
    Microsoft Edge
    Microsoft People Test Account
    Microsoft Phone Companion
    Microsoft Photos
    Microsoft Solitaire Collection
    Microsoft Visual C++ 2015 Runtime Package
    Microsoft Visual C++ Runtime Package
    Microsoft family restrictions
    OneNoteOneNoteMicrosoft.Office.OneNote_17.6131.10021.0_x64
    PurchaseDialogPrint Dialog
    SearchSearch the web and Windows
    StoreStoreMicrosoft.WindowsStore_2015.8.25.0_x64
    Usermode Font Driver Host
    Windows Alarms & Clock
    Windows Calculator
    Windows Camera
    Windows Default Lock Screen
    Windows Feedback
    Windows Maps
    Windows Shell Experience
    Windows Spotlight
    Windows Voice Recorder
    Work or school account
    Xbox
    Xbox Game UI
    Xbox Identity Provider
    Your account
    microsoft.windows.authhost
    ms-resource:/manifest/DisplayName
    windows_ie_ac_001Created by IE
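    The DNS-filter-plus-hosts-file workflow marzametal describes above, and sml156's point that hosts entries do not block everything, as an added example that is not from either poster: it tallies the names queried in a capture and checks which of them a hosts file actually covers. The DNS log is a constructed sample in the shape of a tshark field export (the tshark command in the comment is an assumption about how such a log is produced), and every domain in it is made up.

    ```python
    from collections import Counter

    # Constructed sample shaped like a tshark field export of DNS queries, e.g.
    # tshark -r cap.pcapng -Y "dns.flags.response == 0" -T fields \
    #        -e frame.time_relative -e dns.qry.name      (tab-separated)
    SAMPLE_DNS_LOG = """\
    0.102\ttelemetry.example.com
    0.350\tv10.telemetry.example.com
    1.207\tupdates.example.net
    1.900\ttelemetry.example.com
    2.413\tcdn.example.org
    """

    # Constructed hosts file in the style of Windows' drivers\etc\hosts.
    SAMPLE_HOSTS = """\
    # Copyright (c) 1993-2009 Microsoft Corp.
    127.0.0.1       localhost
    0.0.0.0   telemetry.example.com   # sinkholed
    0.0.0.0   updates.example.net
    """

    SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}


    def parse_hosts(text):
        """Names the hosts file points at a sinkhole address; '#' comments stripped."""
        blocked = set()
        for raw in text.splitlines():
            fields = raw.split("#", 1)[0].split()
            if len(fields) >= 2 and fields[0] in SINKHOLE_ADDRS:
                blocked.update(n.lower() for n in fields[1:] if n != "localhost")
        return blocked


    def parse_dns_queries(text):
        """Count queried names from tab-separated 'time<TAB>name' lines."""
        counts = Counter()
        for raw in text.splitlines():
            parts = raw.split("\t")
            if len(parts) >= 2 and parts[1].strip():
                counts[parts[1].strip().lower()] += 1
        return counts


    # Matching is exact, like the resolver's: an entry for telemetry.example.com does
    # not cover v10.telemetry.example.com; clients that bypass the OS resolver never
    # show up under a DNS display filter at all.
    def hosts_coverage(dns_text, hosts_text):
        """(name, query count, covered by hosts file) per queried name, busiest first."""
        blocked = parse_hosts(hosts_text)
        counts = parse_dns_queries(dns_text)
        return [(name, n, name in blocked) for name, n in counts.most_common()]
    ```

    Running `hosts_coverage` on a real export shows at a glance which callouts a hosts entry catches and which subdomains still slip through.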
  14. windsman

    windsman MDL Expert

    No problem, I know what Mr.X has in mind; this was just a parenthesis.

    Your comment is interesting.

    windsman.
     
  15. sml156

    sml156 MDL Member

    #16 sml156, Sep 13, 2015
    Last edited: Sep 13, 2015
    I thought I would share a pic of Fiddler doing its thing

    Most of this was from Cortana searching for Snipping Tool

    [image: Searching for snipping tool.gif]

    Some encrypted traffic

    [image: encripted.PNG]

    some decrypted

    [image: unencripted.PNG]

    I know I should have found something interesting but I was in a rush when I did it
  16. cdavisdeco

    cdavisdeco MDL Senior Member

    Looking at that gif in the first post, after switching off every setting Windows can't stop talking to M$ servers, right?
     
  17. sml156

    sml156 MDL Member

    #18 sml156, Sep 14, 2015
    Last edited: Sep 14, 2015
  18. cdavisdeco

    cdavisdeco MDL Senior Member

  19. Tiger-1

    Tiger-1 MDL Guru

    very impressive dude, thanks for sharing :clap: