TeamSpeak Hash?

Looks pretty straightforward.
(06-25-2015, 10:52 PM)radix Wrote:

Looks pretty straightforward.

This is correct for server query accounts, however does not work for channel passwords. Perhaps the channel name is used as a salt?
The irritating thing about all of this is the fact that each server query password is 8 characters long and could possibly include a capitalized, uncapitalized letter and possibly numbers. It'd take me 250+ days on my humble 660 to check the combinations :(
okay I investigated this a little bit and indeed there are 2+ hashing algorithms used for teamspeak, the one for the server query password was already mentioned above so I will skip that now (it is just base64 (sha1 ($pass))).

the hashing algorithm for teamspeak's channel passwords is salted indeed, the input we need:

algo = base64 (sha1 (base64 (sha1 ($pass)) . $salt))
pass = user-defined password chosen when creating a new channel
salt = each server has a unique salt that you need to get from the server database (e.g. ts3server.sqlitedb), i.e. the whole virtualserver_keypair value from the server_properties table

(what is definitely not true is that the channel password depends on the channel name or other inputs/values not mentioned above)


pass = "hashcat"
salt = "MG4DAgeAAgEgAiAKrFgEtih8Habhz0R7/ABdUPrD3Mg6kM1EFkN+PBUlVgIgEDoi+WeI31fiIi8XxT+H6hIdjTnw0RmOaCrUp+ISdJUCIQDvUMFtXGDKY7OI1AySeiA16fJBSSjp1Ie4aEFhikbd+A=="
algo = base64 (sha1 (base64 (sha1 ($pass)) . $salt))

how to generate the hash:

$ # sha1 of password
$ echo -n hashcat | sha1sum

$ # base64 encode it (to make it easier to read I use the hex to binary to base64 conversion, xxd -r is just one of many tools that convert hex to binary)
$ echo b89eaac7e61417341b710b727768294d0e6a277b | xxd -p -r | base64

$ # sha1 of the concatenation of both strings (salt is at the end)
$ echo -n uJ6qx+YUFzQbcQtyd2gpTQ5qJ3s=MG4DAgeAAgEgAiAKrFgEtih8Habhz0R7/ABdUPrD3Mg6kM1EFkN+PBUlVgIgEDoi+WeI31fiIi8XxT+H6hIdjTnw0RmOaCrUp+ISdJUCIQDvUMFtXGDKY7OI1AySeiA16fJBSSjp1Ie4aEFhikbd+A== | sha1sum

$ # base64 encode it
$ echo 2ca0e794b58f8f02b7d146bc51f25212e561611e | xxd -p -r | base64

this LKDnlLWPjwK30Ua8UfJSEuVhYR4= hash matches exactly with the channel_password value found in the channel_properties table from the ts3server database (ts3server.sqlitedb for instance), which will be "inserted" when a user creates a new channel or "updated" if a user changes the channel password

Some further notes:
- this algorithm is not yet implemented in oclHashcat (if you want the devs to implement it you need to open a trac ticket for it)
- salt length (and overall length) is very long and might therefore not allow several optimizations that oclHashcat normally can do when it comes to sha1 hashing

I'm not sure if all of this info was already discovered somewhere and made public.
I only know that it was very easy to find out how it works by looking at the database etc. and making educated guesses.
Hope this helps

@chickin: now please try yourself with your "123" password example and confirm that these steps work for you too (I can't because I don't have your salt and brute-forcing the salt is of course infeasible and a waste of time and other resources).

attention: if you copy-paste text from the code section above be warned that forum posts contain zero-width spaces to make the posts easier to read (and to break the lines somewhere), remove them if you want to try the example (otherwise you might get different results)
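
As an added example (not code from the thread), the two derivations described in the post above, written in Python with a helper that strips the zero-width characters the post warns about before hashing. The salt and the expected channel hash are the values quoted in the post; the function names, the UTF-8 password encoding and the cleanup helper are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Zero-width characters that forum software inserts into long strings.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))

# Values quoted in the post: the virtualserver_keypair salt and the
# channel_password it reports for the password "hashcat".
SALT = (
    "MG4DAgeAAgEgAiAKrFgEtih8Habhz0R7/ABdUPrD3Mg6kM1EFkN+PBUlVgIgEDoi+WeI31fi"
    "Ii8XxT+H6hIdjTnw0RmOaCrUp+ISdJUCIQDvUMFtXGDKY7OI1AySeiA16fJBSSjp1Ie4aEFh"
    "ikbd+A=="
)
POSTED_HASH = "LKDnlLWPjwK30Ua8UfJSEuVhYR4="


def clean(text: str) -> str:
    """Drop zero-width characters and surrounding whitespace from pasted text."""
    return text.translate(ZERO_WIDTH).strip()


def b64_sha1(data: bytes) -> str:
    """base64 of the raw (binary) SHA-1 digest, as in the xxd -r | base64 steps."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def query_hash(password: str) -> str:
    """Server query account format: base64(sha1($pass))."""
    return b64_sha1(password.encode("utf-8"))  # UTF-8 is an assumption


def channel_hash(password: str, salt: str) -> str:
    """Channel format: base64(sha1(base64(sha1($pass)) . $salt))."""
    return b64_sha1((query_hash(password) + clean(salt)).encode("utf-8"))


def verify_channel(password: str, salt: str, stored: str) -> bool:
    """Constant-time check of a known password against a stored value."""
    expected = channel_hash(password, salt).encode("ascii")
    return hmac.compare_digest(expected, clean(stored).encode("utf-8"))


if __name__ == "__main__":
    pasted = SALT.replace("+", "+\u200b")  # constructed: copy-paste damage
    print(query_hash("hashcat"))
    print(channel_hash("hashcat", pasted), "post reports", POSTED_HASH)
```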