Teradata ODBC SQL Query Module - Metasploit
This page contains detailed information about how to use the auxiliary/admin/teradata/teradata_odbc_sql metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Teradata ODBC SQL Query Module
Module: auxiliary/admin/teradata/teradata_odbc_sql
Source code: modules/auxiliary/admin/teradata/teradata_odbc_sql.py
Disclosure date: 2018-03-29
Last modification time: 2021-05-17 17:04:49 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 1025
List of CVEs: -
This module is also known as Teradata ODBC Authentication Scanner.
SQL query module for ODBC connections to local Teradata databases. Port specification (TCP 1025 by default) is not necessary for ODBC connections. Requires ODBC driver and Python Teradata module.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/admin/teradata/teradata_odbc_sql
msf auxiliary(teradata_odbc_sql) > show options
... show and set options ...
msf auxiliary(teradata_odbc_sql) > set RHOSTS ip-range
msf auxiliary(teradata_odbc_sql) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(teradata_odbc_sql) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(teradata_odbc_sql) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(teradata_odbc_sql) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
The teradata_odbc_sql module is used to run SQL queries for Teradata databases.
Vulnerable Application
- Teradata Database
- Teradata Express
Teradata databases can be identified by scanning for TCP port 1025. An Nmap version scan can confirm if the service is recognized as Teradata.
The teradata_odbc_login module can be used to brute-force credentials.
Extra Requirements
This module requires the Teradata ODBC driver and the Teradata python library.
ODBC Driver for Kali Linux 2017.3
- Download the Teradata ODBC driver for Ubuntu from downloads.teradata.com.
- Refer to the Ubuntu package README for up-to-date instructions.
- Install lib32stdc++6 if necessary.
- Install the ODBC drivers:
dpkg -i [package].deb
- Copy /opt/teradata/client/ODBC_64/odbc.ini to /root/.odbc.ini .
- Or your home directory if not root.
- Make sure odbc.ini has been renamed to .obdc.ini .
Configuration for OS X
On OS X the Python client needs to be pointed to the ODBC driver manually. Create ~/udaexec.ini
with the following contents:
ini
[CONFIG]
odbcLibPath=/usr/lib/libiodbc.dylib
Python Package
pip install teradata
Verification Steps
- Deploy a Teradata Express test environment.
- Install the OBCD driver and python package.
- Start msfconsole.
- Do:
use auxiliary/admin/teradata/teradata_odbc_sql
- Do:
set RHOSTS [IPs]
- Do:
set USERNAME [username to try]
- Do:
set PASSWORD [password to try]
- The default Teradata credentials are the matching username and password 'DBC'.
- Set a SQL query for the 'SQL' option.
- The default is
SELECT DATABASENAME FROM DBC.DATABASES
- The default is
- Do:
run
msf > use auxiliary/admin/teradata/teradata_odbc_sql
msf auxiliary(admin/teradata/teradata_odbc_sql) > show options
Module options (auxiliary/admin/teradata/teradata_odbc_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD dbc yes Password
RHOSTS yes The target address range or CIDR identifier
SQL SELECT DATABASENAME FROM DBC.DATABASES yes SQL query to perform
THREADS 1 yes The number of concurrent threads
USERNAME dbc yes Username
msf auxiliary(admin/teradata/teradata_odbc_sql) > set RHOSTS 192.168.0.2
RHOSTS => 192.168.0.2
msf auxiliary(admin/teradata/teradata_odbc_sql) > run
[*] Running for 192.168.0.2...
[*] 192.168.0.2 - dbc:dbc - Starting
[*] 192.168.0.2 - Creating connection: %s
[*] 192.168.0.2 - Loading ODBC Library: %s
[*] 192.168.0.2 - Available drivers: Teradata Database ODBC Driver 16.20,
[*] 192.168.0.2 - Connection successful. Duration: %.3f seconds. Details: %s
[+] 192.168.0.2 - dbc:dbc - Login Successful
[*] 192.168.0.2 - Starting - SELECT DATABASENAME FROM DBC.DATABASES
[*] 192.168.0.2 - Query Successful. Duration: %.3f seconds,%sQuery: %s%s
[+] 192.168.0.2 - Row 1: [DatabaseUser ]
[+] 192.168.0.2 - Row 2: [All ]
[+] 192.168.0.2 - Row 3: [SYSJDBC ]
[+] 192.168.0.2 - Row 4: [TDStats ]
[+] 192.168.0.2 - Row 5: [TD_SYSXML ]
[+] 192.168.0.2 - Row 6: [PUBLIC ]
[+] 192.168.0.2 - Row 7: [DBC ]
[+] 192.168.0.2 - Row 8: [SYSBAR ]
[+] 192.168.0.2 - Row 9: [TD_SYSGPL ]
[+] 192.168.0.2 - Row 10: [SYSLIB ]
[+] 192.168.0.2 - Row 11: [SQLJ ]
[+] 192.168.0.2 - Row 12: [LockLogShredder ]
[+] 192.168.0.2 - Row 13: [Default ]
[+] 192.168.0.2 - Row 14: [TDPUSER ]
[+] 192.168.0.2 - Row 15: [TD_SYSFNLIB ]
[+] 192.168.0.2 - Row 16: [EXTUSER ]
[+] 192.168.0.2 - Row 17: [tdwm ]
[+] 192.168.0.2 - Row 18: [SystemFe ]
[+] 192.168.0.2 - Row 19: [External_AP ]
[+] 192.168.0.2 - Row 20: [TDQCD ]
[+] 192.168.0.2 - Row 21: [dbcmngr ]
[+] 192.168.0.2 - Row 22: [Sys_Calendar ]
[+] 192.168.0.2 - Row 23: [SysAdmin ]
[+] 192.168.0.2 - Row 24: [TD_SERVER_DB ]
[+] 192.168.0.2 - Row 25: [TDMaps ]
[+] 192.168.0.2 - Row 26: [SYSUDTLIB ]
[+] 192.168.0.2 - Row 27: [Crashdumps ]
[+] 192.168.0.2 - Row 28: [SYSSPATIAL ]
[+] 192.168.0.2 - Row 29: [MyUser ]
[+] 192.168.0.2 - Row 30: [SYSUIF ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the admin/teradata/teradata_odbc_sql auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/teradata/teradata_odbc_sql
msf6 auxiliary(admin/teradata/teradata_odbc_sql) > show info
Name: Teradata ODBC SQL Query Module
Module: auxiliary/admin/teradata/teradata_odbc_sql
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2018-03-29
Provided by:
Ted Raffle (actuated)
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
password dbc yes Password
rport 1025 yes Port to target, ignored by the ODBC driver
sql SELECT DATABASENAME FROM DBC.DATABASES yes SQL query to perform
username dbc yes Username
Description:
SQL query module for ODBC connections to local Teradata databases.
Port specification (TCP 1025 by default) is not necessary for ODBC
connections. Requires ODBC driver and Python Teradata module.
References:
https://developer.teradata.com/tools/reference/teradata-python-module
https://downloads.teradata.com/download/connectivity/odbc-driver/linux
Also known as:
Teradata ODBC Authentication Scanner
Module Options
This is a complete list of options available in the admin/teradata/teradata_odbc_sql auxiliary module:
msf6 auxiliary(admin/teradata/teradata_odbc_sql) > show options
Module options (auxiliary/admin/teradata/teradata_odbc_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
password dbc yes Password
rport 1025 yes Port to target, ignored by the ODBC driver
sql SELECT DATABASENAME FROM DBC.DATABASES yes SQL query to perform
username dbc yes Username
Advanced Options
Here is a complete list of advanced options supported by the admin/teradata/teradata_odbc_sql auxiliary module:
msf6 auxiliary(admin/teradata/teradata_odbc_sql) > show advanced
Module advanced options (auxiliary/admin/teradata/teradata_odbc_sql):
Name Current Setting Required Description
---- --------------- -------- -----------
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/teradata/teradata_odbc_sql module can do:
msf6 auxiliary(admin/teradata/teradata_odbc_sql) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/teradata/teradata_odbc_sql auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/teradata/teradata_odbc_sql) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Python Teradata module missing, cannot continue
Here is a relevant code snippet related to the "Python Teradata module missing, cannot continue" error message:
57: # Metasploit LogHandler
58: module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
59:
60: # Return error for missing dependency
61: if dependencies_missing:
62: logging.error('Python Teradata module missing, cannot continue')
63: return
64:
65: # Set variables to current RHOST, and USERNAME and PASSWORD options
66: host = args['rhost']
67: user = args['username']
Go back to menu.
Related Pull Requests
- #15212 Merged Pull Request: Converts Python shebangs over to Python 3
- #12524 Merged Pull Request: Convert all python code to python3. Fixes #12506.
- #10570 Merged Pull Request: AKA Metadata Refactor
- #10109 Merged Pull Request: Added Teradata ODBC Login and SQL modules and documentation
References
- CVE: Not available
- https://developer.teradata.com/tools/reference/teradata-python-module
- https://downloads.teradata.com/download/connectivity/odbc-driver/linux
See Also
Check also the following modules related to this module:
- auxiliary/scanner/teradata/teradata_odbc_login
- auxiliary/admin/mssql/mssql_sql
- auxiliary/admin/mysql/mysql_sql
- auxiliary/admin/oracle/oracle_sql
- auxiliary/admin/postgres/postgres_sql
- auxiliary/admin/http/sysaid_sql_creds
- auxiliary/admin/http/typo3_news_module_sqli
- auxiliary/admin/http/wp_google_maps_sqli
- auxiliary/admin/http/wp_symposium_sql_injection
- auxiliary/admin/mssql/mssql_enum
- auxiliary/admin/mssql/mssql_enum_domain_accounts
- auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli
- auxiliary/admin/mssql/mssql_enum_sql_logins
- auxiliary/admin/mssql/mssql_escalate_dbowner
- auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
- auxiliary/admin/mssql/mssql_escalate_execute_as
- auxiliary/admin/mssql/mssql_escalate_execute_as_sqli
- auxiliary/admin/mssql/mssql_exec
- auxiliary/admin/mssql/mssql_findandsampledata
- auxiliary/admin/mssql/mssql_idf
- auxiliary/admin/mssql/mssql_ntlm_stealer
- auxiliary/admin/mssql/mssql_ntlm_stealer_sqli
- auxiliary/admin/mssql/mssql_sql_file
- auxiliary/admin/mysql/mysql_enum
- auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli
- exploit/windows/scada/citect_scada_odbc
Authors
- Ted Raffle (actuated)
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.