/wconv

wconv - Converting Windows native formats into human readable form

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

wconv


wconv is a simple command line utility that can be used to parse and convert Windows related formats into human readable forms. Additionally, it supports simple modifications on Windows related formats.

example-gif

Table of Contents


Installation


wconv can be build and installed as a pip package. The following command installs wconv for your current user profile:

$ pip3 install wconv

You can also build wconv from source and install it directly by using the following commands:

$ git clone https://github.com/qtc-de/wconv
$ cd wconv
$ pip3 install -r requirements.txt
$ python3 setup.py sdist
$ pip3 install dist/*

Additionally, wconv ships a bash-completion script. The completion script is installed automatically, but relies on the completion-helpers package. If completion-helpers is already installed, autocompletion for wconv should work after installing the pip package. Otherwise, you may need to copy the completion script manually:

$ cp wconv/resources/bash_completion.d/wconv ~/.bash_completion.d

Supported Operations


wconv is written as a Python library, but also contains a small reference implementation that uses the library functions to perform some useful operations. In the following some supported operations are demonstrated.

$ wconv --help
usage: wconv [-h] {ace,sddl,sid,uac} ...

wconv is a command line utility that can be used to parse and convert certain Windows related representations into human readable formats. Currently the tool supports parsing and convetion of ACE, SDDL, SID and
UAC values.

positional arguments:
  {ace,sddl,sid,uac}
    ace               convert integer ace
    sddl              convert sddl string into readable permissions
    sid               convert Windows SecurityIdentifier formats
    uac               convert integer UserAccountControl

optional arguments:
  -h, --help          show this help message and exit

ACE Module


The ACE module supports operations to work with Windows ACE values. Its main purpose is to convert ACE values from binary or SDDL format into human readable form.

$ wconv ace --help 
usage: wconv ace [-h] [--ace-flags] [--ace-types] [--ace-permissions] [--from-string] [--type PERMISSION-TYPE] [-t PERMISSION] [--trustees] [-v] [ACE-VALUE]

positional arguments:
  ACE-VALUE             integer ace value

optional arguments:
  -h, --help            show this help message and exit
  --ace-flags           show available ACE flags
  --ace-types           show available ACE types
  --ace-permissions     show permission definitions for requested type
  --from-string         interpret ace value als ace-string (sddl format)
  --type PERMISSION-TYPE
                        permission type (defaul: file)
  -t PERMISSION, --toggle PERMISSION
                        toogles specified permission on the ace value
  --trustees            display available trustees
  -v, --verbose         verbose output
From Integer

Parses the given integer as an ACE. This is the default action and does not require an additional flag. The --type parameter can again be used to change the displayed permission types.

$ wconv ace 0x00050010
[+] Numeric:	0x00050010
[+] Permissions:	
[+] 		+ DELETE
[+] 		+ WRITE_DAC
[+] 		+ WRITE_EXTENDED_ATTRIBUTES
From String

Parse ACE from string in SDDL format. The --type parameter can again be used to change the displayed permission types.

$ wconv ace --from-string '(A;OICINPFA;RPSDWD;;;BU)'
[+] ACE Type:	ACCESS_ALLOWED
[+] Trustee:	Users
[+] Numeric:	0x00050010
[+] Permissions:	
[+] 		+ WRITE_EXTENDED_ATTRIBUTES
[+] 		+ DELETE
[+] 		+ WRITE_DAC
Toggle Permission

Toggle the specified permission on the ACE value:

$ wconv ace 0x00050010 -t WP -t GA
[+] Numeric:	0x10050030
[+] Permissions:	
[+] 		+ GENERIC_ALL
[+] 		+ DELETE
[+] 		+ WRITE_DAC
[+] 		+ WRITE_EXTENDED_ATTRIBUTES
[+] 		+ EXECUTE
Display ACE Flags

Displays a list of all available ACE flags:

$ wconv ace --ace-flags
[+] CI - CONTAINER_INHERIT
[+] OI - OBJECT_INHERIT
[+] NP - NO_PROPAGATE_INHERIT
[+] IO - INHERIT_ONLY
[+] ID - INHERITED
[+] SA - SUCCESSFUL_ACCESS
[+] FA - FAILED_ACCESS
Display ACE Types

Displays a list of all available ACE types:

$ wconv ace --ace-types
[+] A - ACCESS_ALLOWED
[+] D - ACCESS_DENIED
[+] OA - ACCESS_ALLOWED_OBJECT
[+] OD - ACCESS_DENIED_OBJECT
[+] AU - SYSTEM_AUDIT
[+] AL - SYSTEM_ALARM
[+] OU - SYSTEM_AUDIT_OBJECT
[+] OL - SYSTEM_ALARM_OBJECT
Display ACE Permissions

Displays a list of all available ACE permissions:

$ wconv ace --ace-permissions
[+] 10000000 - GA - GENERIC_ALL
[+] 20000000 - GX - GENERIC_EXECUTE
[+] 40000000 - GW - GENERIC_WRITE
[+] 80000000 - GR - GENERIC_READ
[+] 00010000 - SD - DELETE
[+] 00020000 - RC - READ_CONTROL
[+] 00040000 - WD - WRITE_DAC
[+] 00080000 - WO - WRITE_OWNER
[+] 00000001 - CC - READ
[+] 00000002 - DC - WRITE
[+] 00000004 - LC - APPEND
[+] 00000008 - SW - READ_EXTENDED_ATTRIBUTES
[+] 00000010 - RP - WRITE_EXTENDED_ATTRIBUTES
[+] 00000020 - WP - EXECUTE
[+] 00000040 - DT - MEANINGLESS
[+] 00000080 - LO - READ_ATTRIBUTES
[+] 00000100 - CR - WRITE_ATTRIBUTES

The default permission type is set to file, but can be changed using the --type parameter:

$ wconv ace --ace-permissions --type service
[+] 10000000 - GA - GENERIC_ALL
[+] 20000000 - GX - GENERIC_EXECUTE
[+] 40000000 - GW - GENERIC_WRITE
[+] 80000000 - GR - GENERIC_READ
[+] 00010000 - SD - DELETE
[+] 00020000 - RC - READ_CONTROL
[+] 00040000 - WD - WRITE_DAC
[+] 00080000 - WO - WRITE_OWNER
[+] 00000001 - CC - QUERY_CONFIG
[+] 00000002 - DC - CHANGE_CONFIG
[+] 00000004 - LC - QUERY_STATISTIC
[+] 00000008 - SW - ENUM_DEPENDENCIES
[+] 00000010 - RP - START
[+] 00000020 - WP - STOP
[+] 00000040 - DT - PAUSE
[+] 00000080 - LO - INTERROGATE
[+] 00000100 - CR - USER_DEFINIED
Trustees

Display all available trustees:

$ wconv ace --trustees 
[+] AN - Anonymous
[+] AO - Account Operators
[+] AU - Authenticated Users
[+] BA - Administrators
[+] BG - Guests
[+] BO - Backup Operators
[+] BU - Users
[+] CA - Certificate Publishers
[+] CD - Certificate Services DCOM Access
[+] CG - Creator Group
[+] CO - Creator Owner
[+] DA - Domain Admins
[+] DC - Domain Computers
[+] DD - Domain Controllers
[+] DG - Domain Guests
[+] DU - Domain Users
[+] EA - Enterprise Admins
[+] ED - Enterprise Domain Controllers
[+] RO - Enterprise Read-Only Domain Controllers
[+] PA - Group Policy Admins
[+] IU - Interactive Users
[+] LA - Local Administrator
[+] LG - Local Guest
[+] LS - Local Service
[+] SY - Local System
[+] NU - Network
[+] LW - Low Integrity
[+] ME - Medium Integrity
[+] HI - High Integrity
[+] SI - System Integrity
[+] NO - Network Configuration Operators
[+] NS - Network Service
[+] PO - Printer Operators
[+] PS - Self
[+] PU - Power Users
[+] RS - RAS Servers
[+] RD - Remote Desktop Users
[+] RE - Replicator
[+] RC - Restricted Code
[+] RU - Pre-Win2k Compatibility Access
[+] SA - Schema Administrators
[+] SO - Server Operators
[+] SU - Service
[+] WD - Everyone
[+] WR - Write restricted Code

SDDL Module


The SDDL module supports operations to convert SDDL strings into human readable forms.

$ wconv sddl --help
usage: wconv sddl [-h] [--add-everyone] [--add-anonymous] [-t PERMISSION-TYPE] [-v] [SDDL-STRING]

positional arguments:
  SDDL-STRING           sddl string

optional arguments:
  -h, --help            show this help message and exit
  --add-everyone        add full permissions for everyone
  --add-anonymous       add full permissions for anonymous
  -t PERMISSION-TYPE, --type PERMISSION-TYPE
                        permission type (file, directory, service, ...)
  -v, --verbose         verbose output
Parse SDDL

Parses the given SDDL string. This is the default action and does not require additional arguments.

$ wconv sddl 'O:BAG:SYD:PAI(D;OICI;FA;;;BA)(A;OICIIO;RPDTSDWD;;;CO)'
[+] ACL Type:	DACL
[+] Owner:	Administrators
[+] Group:	Local System
[+] ACE List:
[+] ==================================
[+]     ACE Type:	ACCESS_DENIED
[+]     Trustee:	Administrators
[+]     Numeric:	0x000f01ff
[+]     Permissions:	
[+]     		+ READ_CONTROL
[+]     		+ DELETE
[+]     		+ WRITE_DAC
[+]     		+ WRITE_OWNER
[+]     		+ SYNCHRONIZE
[+]     		+ READ
[+]     		+ WRITE
[+]     		+ APPEND
[+]     		+ READ_EXTENDED_ATTRIBUTES
[+]     		+ WRITE_EXTENDED_ATTRIBUTES
[+]     		+ EXECUTE
[+]     		+ MEANINGLESS
[+]     		+ READ_ATTRIBUTES
[+]     		+ WRITE_ATTRIBUTES
[+] ==================================
[+]     ACE Type:	ACCESS_ALLOWED
[+]     Trustee:	Creator Owner
[+]     Numeric:	0x00050050
[+]     Permissions:	
[+]     		+ WRITE_EXTENDED_ATTRIBUTES
[+]     		+ MEANINGLESS
[+]     		+ DELETE
[+]     		+ WRITE_DAC
[+] ==================================

The default permission type is file and can be changed with the --type parameter:

$ wconv sddl 'O:BAG:SYD:PAI(D;OICI;FA;;;BA)(A;OICIIO;RPDTSDWD;;;CO)' --type service
[+] ACL Type:	DACL
[+] Owner:	Administrators
[+] Group:	Local System
[+] ACE List:
[+] ==================================
[+]     ACE Type:	ACCESS_DENIED
[+]     Trustee:	Administrators
[+]     Numeric:	0x000f01ff
[+]     Permissions:	
[+]     		+ READ_CONTROL
[+]     		+ DELETE
[+]     		+ WRITE_DAC
[+]     		+ WRITE_OWNER
[+]     		+ SYNCHRONIZE
[+]     		+ READ
[+]     		+ WRITE
[+]     		+ APPEND
[+]     		+ READ_EXTENDED_ATTRIBUTES
[+]     		+ WRITE_EXTENDED_ATTRIBUTES
[+]     		+ EXECUTE
[+]     		+ MEANINGLESS
[+]     		+ READ_ATTRIBUTES
[+]     		+ WRITE_ATTRIBUTES
[+] ==================================
[+]     ACE Type:	ACCESS_ALLOWED
[+]     Trustee:	Creator Owner
[+]     Numeric:	0x00050050
[+]     Permissions:	
[+]     		+ START
[+]     		+ PAUSE
[+]     		+ DELETE
[+]     		+ WRITE_DAC
[+] ==================================
Add Everyone

Add full access for everyone to the specified SDDL:

$ wconv sddl --add-everyone 'O:BAG:SYD:PAI(D;OICI;FA;;;BA)(A;OICIIO;RPDTSDWD;;;CO)' 
[+] O:BAG:SYD:PAI(D;OICI;FA;;;BA)(A;OICIIO;RPDTSDWD;;;CO)(A;;GAGRGWGXRCSDWDWOSSCCDCLCSWRPWPDTLOCR;;;WD)
Add Anonymous

Add full access for anonymous to the specified SDDL:

$ wconv sddl --add-anonymous 'O:BAG:SYD:PAI(D;OICI;FA;;;BA)(A;OICIIO;RPDTSDWD;;;CO)' 
[+] O:BAG:SYD:PAI(D;OICI;FA;;;BA)(A;OICIIO;RPDTSDWD;;;CO)(A;;GAGRGWGXRCSDWDWOSSCCDCLCSWRPWPDTLOCR;;;AN)

SID Module


The SID module can be used to convert between different representations of Windows SecurityIdentifiers. One use case is querying Active Directory via LDAP, where the objectSID attributes are stored as base64 encoded binary blobs.

$ wconv sid --help
usage: wconv sid [-h] [--to-b64] [--raw] [--well-known] [SID-VALUE]

positional arguments:
  SID-VALUE     sid value (default format: base64)

optional arguments:
  -h, --help    show this help message and exit
  --to-b64      converts formatted sid to base64
  --raw         specify sid as raw hex string
  --well-known  display list of well known sids
From Base64

Converts a SID from base64 format to its human readable form. This is the default action and does not require any flags:

$ wconv sid AQUAAAAAAAUVAAAAsexT/iL5hu1Kf3avAAIAAA==
[+] SID: S-1-5-21-4266912945-3985045794-2943778634-512 (DOMAIN_ADMINS)
To Base64

Converts a SID from its human readable form to base64:

$ wconv sid --to-b64 S-1-5-21-4266912945-3985045794-2943778634-512
[+] AQUAAAAAAAUVAAAAsexT/iL5hu1Kf3avAAIAAA==
From Raw

Converts a SID from raw hex representation to its human readable format:

$ echo -n "AQUAAAAAAAUVAAAAsexT/iL5hu1Kf3avAAIAAA==" | base64 -d | xxd -p
010500000000000515000000b1ec53fe22f986ed4a7f76af00020000
$ wconv sid --raw 010500000000000515000000b1ec53fe22f986ed4a7f76af00020000
[+] SID: S-1-5-21-4266912945-3985045794-2943778634-512 (DOMAIN_ADMINS)
Well Known

Display list of well known SIDs:

$ wconv sid --well-known 
[+] S-1-0-0                   - NULL
[+] S-1-1-0                   - EVERYONE
[+] S-1-2-0                   - LOCAL
[+] S-1-2-1                   - CONSOLE_LOGON
[+] S-1-3-0                   - CREATOR_OWNER
[+] S-1-3-1                   - CREATOR_GROUP
[+] S-1-3-2                   - OWNER_SERVER
[+] S-1-3-3                   - GROUP_SERVER
[+] S-1-3-4                   - OWNER_RIGHTS
[+] S-1-5                     - NT_AUTHORITY
[...]

UAC Module


The UAC module can parse integer UserAccountControl values from ActiveDirectory into a human readable format. You can also toggle specific UAC Flags and output the corresponding integer representation again.

$ wconv uac --help
usage: wconv uac [-h] [--mapping] [-t FLAG] [UAC-VALUE]

positional arguments:
  UAC-VALUE             binary user account control

optional arguments:
  -h, --help            show this help message and exit
  --mapping             display UserAccountControl mappings
  -t FLAG, --toggle FLAG
                        toogles specified flag on the UserAccountControl value
Parse UAC

Parses a UserAccountControl value in its different components. This is the default action and does not require additional arguments:

$ wconv uac 1114624
[+] UserAccountControl:	1114624 (0x00110200)
[+]	+ NORMAL_ACCOUNT
[+]	+ DONT_EXPIRE_PASSWORD
[+]	+ NOT_DELEGATED
Toggle Flag

Adds the specified flag(s) to the UAC value:

$ wconv uac 1114624 -t DONT_REQ_PREAUTH -t TRUSTED_FOR_DELEGATION 
[+] UserAccountControl:	5833216 (0x00590200)
[+]	+ NORMAL_ACCOUNT
[+]	+ DONT_EXPIRE_PASSWORD
[+]	+ TRUSTED_FOR_DELEGATION
[+]	+ NOT_DELEGATED
[+]	+ DONT_REQ_PREAUTH
Display Mappings

Display the integer to flag mappings:

$ wconv uac --mapping
[+] 0x00000001 - SCRIPT
[+] 0x00000002 - ACCOUNTDISABLE
[+] 0x00000008 - HOMEDIR_REQUIRED
[+] 0x00000010 - LOCKOUT
[+] 0x00000020 - PASSWD_NOTREQD
[+] 0x00000040 - PASSWD_CANT_CHANGE
[+] 0x00000080 - ENCRYPTED_TEXT_PWD_ALLOWED
[+] 0x00000100 - TEMP_DUPLICATE_ACCOUNT
[+] 0x00000200 - NORMAL_ACCOUNT
[+] 0x00000800 - INTERDOMAIN_TRUST_ACCOUNT
[+] 0x00001000 - WORKSTATION_TRUST_ACCOUNT
[+] 0x00002000 - SERVER_TRUST_ACCOUNT
[+] 0x00010000 - DONT_EXPIRE_PASSWORD
[+] 0x00020000 - MNS_LOGON_ACCOUNT
[+] 0x00040000 - SMARTCARD_REQUIRED
[+] 0x00080000 - TRUSTED_FOR_DELEGATION
[+] 0x00100000 - NOT_DELEGATED
[+] 0x00200000 - USE_DES_KEY_ONLY
[+] 0x00400000 - DONT_REQ_PREAUTH
[+] 0x00800000 - PASSWORD_EXPIRED
[+] 0x01000000 - TRUSTED_TO_AUTH_FOR_DELEGATION
[+] 0x04000000 - PARTIAL_SECRETS_ACCOUNT

Library Information


Please notice that the wconv library is not really well thought out. A good term to describe it is quick and dirty, as I required the functionality of wconv and decided to write the functions in a reusable way. However, everything was written on the fly and many sections could be written better and may contain bugs. Pull requests to improve the library are always welcome :)

Resources


Here is a list of some resources that contain the required information about the different supported Windows structures.

Copyright 2020, Tobias Neitzel and the wconv contributors.