
I have found a way to check a user's password with Python. If I type in a wrong password it gives back: "password wrong" and with the right password it will give: "password correct" and writes the password to a file.

I tried this for a user without a password. If I don't give a password or an empty string it still returns "wrong password". Is there a way to fix this?

This is my code:

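```python
import tkinter.messagebox
import win32security

try:
    # Network logon: validates the credentials without an interactive session.
    win32security.LogonUser(
        username,
        domain,
        password,
        win32security.LOGON32_LOGON_NETWORK,
        win32security.LOGON32_PROVIDER_DEFAULT
    )
except win32security.error:
    tkinter.messagebox.showerror("Title", "Password wrong!")
else:
    # Append username:password unless the password already appears in filename1.
    with open("password.txt", "a") as user_password_file:
        with open(filename1) as saved:
            already_saved = password in saved.read()
        if not already_saved:
            user_password_file.write(username + ":" + password + "\n")
    tkinter.messagebox.showinfo("Title", "Password correct")
```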

For the username I use this for my gui:

```python
self.selected_user_var = tkinter.StringVar()
self.selected_user_var.set(user_list[0])
self.select_user_macos = tkinter.OptionMenu(self.user_tools, self.selected_user_var, *user_list)
self.select_user_macos.grid(row=1, column=3, padx=5, sticky=tkinter.W, pady=5)
```

The list is filled with usernames with this:

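```python
import win32net
import win32netcon

server = None  # None means the local machine
level = 0      # level 0 returns account names only
filter_win32 = win32netcon.FILTER_NORMAL_ACCOUNT
resume_handle = 0
user_list = []
while True:
    # NetUserEnum returns (entries, total, resume_handle); loop until no resume handle is left.
    result = win32net.NetUserEnum(server, level, filter_win32, resume_handle)
    user_list += [user['name'] for user in result[0]]
    resume_handle = result[2]
    if not resume_handle:
        break
user_list.sort()
```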

For the password I use a simple Entry:

```python
self.entry_user_password = tkinter.Entry(self.user_tools, width=30, bd=1,
                                         textvariable=self.var_user_password)
self.entry_user_password.grid(row=2, column=3, padx=5, sticky=tkinter.W, pady=5)
```
Ma0
Max Koning
  • Have you tried passing None? – Glazbee Dec 14 '18 at 13:16
  • @Glazbee I just tried it with None (Python's equivalent of NULL) and it gives an error that it has to be a string. – Max Koning Dec 14 '18 at 13:21
  • Can you `print(e.winerror)` in your `except` block? According to [this answer](https://stackoverflow.com/questions/42488961/check-if-local-account-has-a-blank-password-using-python), an error could still be returned for policy reasons. For reference [`ERROR_LOGON_FAILURE = 1326` and `ERROR_ACCOUNT_RESTRICTION = 1327`](https://github.com/SublimeText/Pywin32/blob/master/lib/x32/win32/lib/winerror.py) – fhdrsdg Dec 14 '18 at 13:59
  • Yes, when providing no password, I get the 1327 error code. When providing a wrong password I get 1326. – Max Koning Dec 14 '18 at 14:01
  • Well then you can check for the value of the error code to find out whether the password is actually wrong or not, right? – fhdrsdg Dec 17 '18 at 10:30
  • So, you suggest to just assume that the (blank) password is correct when I get error 1327? I have tested it a few times and I get 1326 with wrong login credentials, but I don't know if something else can trigger error 1327. Wouldn't it be a bad thing to assume that error 1327 is correct password and login, but just can't login? – Max Koning Dec 17 '18 at 10:55
  • I suggest that when the password is wrong, the error code will be 1326. If you get anything else, the password is probably correct but there's something else that's throwing an error. – fhdrsdg Dec 17 '18 at 14:09
  • Yes, I think it is Windows policy to not allow blank passwords. I think the password is actually never checked and just returns this error code. I will just make an if statement for the blank password with a messagebox. Thanks for the help! – Max Koning Dec 17 '18 at 15:24
  • `I think the password is actually never checked and just returns this error code.` I think this is incorrect, but you can easily check this. For the account without password, do enter a password. If the returned error is 1326 instead of 1327 then the password clearly *is* being checked and a wrong password always gives 1326. – fhdrsdg Dec 18 '18 at 08:24
  • Are you trying to "hack" other users? It's not so ethical. The very fact that you don't know how to do it should be a signal not to ("*with great power comes great responsibility*") and the former shouldn't be held by one that doesn't have the latter. If this is what you're after, I hope you won't find an answer :) – CristiFati Jan 04 '19 at 12:19
  • @CristiFati I am not trying to "hack" people. This is a feature of a tool that helps investigators when they have a PC from a suspect that is turned on. With this they can check if the password is correct if a suspect gives it without turning off the computer. I really shouldn't have to explain myself to you, I just find it fascinating that the first thing you think of is hacking. The fact that I don't have this knowledge is because I am new to Python and nobody knows everything. I think Stack Overflow is the place where you can learn and teach others. – Max Koning Jan 07 '19 at 12:05
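
Added example, not part of the original thread: a sketch that reports error 1327 (`ERROR_ACCOUNT_RESTRICTION`) as its own outcome instead of folding it into "wrong" or "correct", and re-raises every other error so it is never mistaken for a verdict. The names `LogonResult`, `check_password`, `FakeWinError` and `fake_blank_account_logon` are hypothetical; the fake logon is a constructed stand-in that mimics the codes reported in the comments so the logic can be run without Windows.

```python
from enum import Enum

# Win32 error codes quoted in the comments above.
ERROR_LOGON_FAILURE = 1326        # unknown user name or bad password
ERROR_ACCOUNT_RESTRICTION = 1327  # logon refused by policy, e.g. blank password


class LogonResult(Enum):
    VALID = "logon succeeded"
    WRONG_PASSWORD = "credentials rejected (1326)"
    RESTRICTED = "logon blocked by an account restriction (1327)"


def _win32_logon(username, domain, password):
    # Imported lazily so the classification logic can be exercised off Windows.
    import win32security
    handle = win32security.LogonUser(
        username, domain, password,
        win32security.LOGON32_LOGON_NETWORK,
        win32security.LOGON32_PROVIDER_DEFAULT,
    )
    handle.Close()  # release the logon token straight away


def check_password(username, domain, password, logon=_win32_logon):
    """Classify one logon attempt; `logon` is injectable for testing."""
    try:
        logon(username, domain, password)
    except Exception as exc:
        code = getattr(exc, "winerror", None)  # attribute set on pywin32 errors
        if code == ERROR_LOGON_FAILURE:
            return LogonResult.WRONG_PASSWORD
        if code == ERROR_ACCOUNT_RESTRICTION:
            return LogonResult.RESTRICTED
        raise  # any other failure is surfaced, not guessed at
    return LogonResult.VALID


# Constructed stand-in for an account with a blank password, following the
# codes reported in the thread: "" -> 1327, any other password -> 1326.
class FakeWinError(Exception):
    def __init__(self, winerror):
        super().__init__(winerror)
        self.winerror = winerror


def fake_blank_account_logon(username, domain, password):
    raise FakeWinError(ERROR_ACCOUNT_RESTRICTION if password == "" else ERROR_LOGON_FAILURE)
```

A GUI caller can show a separate message for `LogonResult.RESTRICTED`, so an account restriction is recorded as such rather than as a confirmed or rejected password.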

0 Answers