Teradata ODBC Login Scanner Module - Metasploit


This page contains detailed information about how to use the auxiliary/scanner/teradata/teradata_odbc_login metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Teradata ODBC Login Scanner Module
Module: auxiliary/scanner/teradata/teradata_odbc_login
Source code: modules/auxiliary/scanner/teradata/teradata_odbc_login.py
Disclosure date: 2018-03-30
Last modification time: 2021-05-17 17:04:49 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 1025
List of CVEs: -

This module is also known as Teradata ODBC Login Scanner.

Login scanner module for ODBC connections to Teradata databases. Port specification (TCP 1025 by default) is not necessary for ODBC connections. Blank passwords are not supported by ODBC connections. Requires ODBC driver and Python Teradata module.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/teradata/teradata_odbc_login
msf auxiliary(teradata_odbc_login) > show options
    ... show and set options ...
msf auxiliary(teradata_odbc_login) > set RHOSTS ip-range
msf auxiliary(teradata_odbc_login) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(teradata_odbc_login) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(teradata_odbc_login) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(teradata_odbc_login) > set RHOSTS file:/tmp/ip_list.txt

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


The teradata_odbc_login module is used to brute-force credentials for Teradata databases.

Vulnerable Application


  • Teradata Database
  • Teradata Express

Teradata databases can be identified by scanning for TCP port 1025. An Nmap version scan can confirm if the service is recognized as Teradata.

Extra Requirements


This module requires the Teradata ODBC driver and the Teradata python library.

ODBC Driver for Kali Linux 2017.3

  1. Download the Teradata ODBC driver for Ubuntu from downloads.teradata.com.
  2. Refer to the Ubuntu package README for up-to-date instructions.
    1. Install lib32stdc++6 if necessary.
    2. Install the ODBC drivers: dpkg -i [package].deb
    3. Copy /opt/teradata/client/ODBC_64/odbc.ini to /root/.odbc.ini .
      • Or your home directory if not root.
      • Make sure odbc.ini has been renamed to .obdc.ini .

Configuration for OS X

On OS X the Python client needs to be pointed to the ODBC driver manually. Create ~/udaexec.ini with the following contents:
ini [CONFIG]

odbcLibPath=/usr/lib/libiodbc.dylib

Python Package

pip install teradata

Verification Steps


  1. Deploy a Teradata Express test environment.
  2. Install the OBCD driver and python package.
  3. Start msfconsole.
  4. Do: use auxiliary/scanner/teradata/teradata_odbc_login
  5. Do: set RHOSTS [IPs]
  6. Do: set USERNAME [username to try]
  7. Do: set PASSWORD [password to try]
    • The default Teradata credentials are the matching username and password 'dbc'.
  8. Do: run
msf > use auxiliary/scanner/teradata/teradata_odbc_login
msf auxiliary(scanner/teradata/teradata_odbc_login) > set RHOSTS 192.168.0.2
RHOSTS => 192.168.0.2
msf auxiliary(scanner/teradata/teradata_odbc_login) > set USERNAME dbc
USERNAME => dbc
msf auxiliary(scanner/teradata/teradata_odbc_login) > set PASSWORD dbc
PASSWORD => dbc
msf auxiliary(scanner/teradata/teradata_odbc_login) > run

[*] Running for 192.168.0.2...
[*] 192.168.0.2:1025 - Creating connection: %s
[*] 192.168.0.2:1025 - Loading ODBC Library: %s
[*] 192.168.0.2:1025 - Method succeeded with info:  [26] 523 24
[*] 192.168.0.2:1025 - Method succeeded with info:  [26] 523 24
[*] 192.168.0.2:1025 - Available drivers: Teradata Database ODBC Driver 16.20, 
[*] 192.168.0.2:1025 - Creating connection using ODBC ConnectString: %s
[*] 192.168.0.2:1025 - Setting AUTOCOMMIT to %s
[*] 192.168.0.2:1025 - FETCH_SIZE: 1
[*] 192.168.0.2:1025 - Buffer size for column %s: %s
[*] 192.168.0.2:1025 - SELECT SESSION returned %s
[*] 192.168.0.2:1025 - Executing query on session %s using SQLExecDirectW: %s
[*] 192.168.0.2:1025 - Committing transaction...
[*] 192.168.0.2:1025 - Created session %s.
[*] 192.168.0.2:1025 - Creating cursor %s for session %s.
[*] 192.168.0.2:1025 - Connection successful. Duration: %.3f seconds. Details: %s
[*] 192.168.0.2:1025 - Closing cursor %s for session %s.
[*] 192.168.0.2:1025 - Closing session %s...
[*] 192.168.0.2:1025 - Session %s closed.
[+] 192.168.0.2:1025 - [1/1] - dbc:dbc - Success
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Go back to menu.

Msfconsole Usage


Here is how the scanner/teradata/teradata_odbc_login auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/teradata/teradata_odbc_login

msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show info

       Name: Teradata ODBC Login Scanner Module
     Module: auxiliary/scanner/teradata/teradata_odbc_login
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2018-03-30

Provided by:
  Ted Raffle (actuated)

Check supported:
  No

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS   false            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false            no        Add all passwords in the current database to the list
  DB_ALL_USERS      false            no        Add all users in the current database to the list
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
  THREADS           1                yes       The number of concurrent threads (max one per host)
  USERNAME                           no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false            no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           true             yes       Whether to print output for all attempts
  rport             1025             yes       Port to target, ignored by the ODBC driver
  sleep_interval                     no        Time in seconds to wait between login attempts
  userpass                           no        A list of username/password combinations to try

Description:
  Login scanner module for ODBC connections to Teradata databases. 
  Port specification (TCP 1025 by default) is not necessary for ODBC 
  connections. Blank passwords are not supported by ODBC connections. 
  Requires ODBC driver and Python Teradata module.

References:
  https://developer.teradata.com/tools/reference/teradata-python-module
  https://downloads.teradata.com/download/connectivity/odbc-driver/linux

Also known as:
  Teradata ODBC Login Scanner

Module Options


This is a complete list of options available in the scanner/teradata/teradata_odbc_login auxiliary module:

msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show options

Module options (auxiliary/scanner/teradata/teradata_odbc_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   rport             1025             yes       Port to target, ignored by the ODBC driver
   sleep_interval                     no        Time in seconds to wait between login attempts
   userpass                           no        A list of username/password combinations to try

Advanced Options


Here is a complete list of advanced options supported by the scanner/teradata/teradata_odbc_login auxiliary module:

msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show advanced

Module advanced options (auxiliary/scanner/teradata/teradata_odbc_login):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   MaxGuessesPerService  0                no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
   MaxGuessesPerUser     0                no        Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:
                                                    22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
   MaxMinutesPerService  0                no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
   PASSWORD_SPRAY        false            yes       Reverse the credential pairing order. For each password, attempt every possible user.
   REMOVE_PASS_FILE      false            yes       Automatically delete the PASS_FILE on module completion
   REMOVE_USERPASS_FILE  false            yes       Automatically delete the USERPASS_FILE on module completion
   REMOVE_USER_FILE      false            yes       Automatically delete the USER_FILE on module completion
   ShowProgress          true             yes       Display progress messages during a scan
   ShowProgressPercent   10               yes       The interval in percent that progress should be shown
   TRANSITION_DELAY      0                no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
   WORKSPACE                              no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the scanner/teradata/teradata_odbc_login module can do:

msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the scanner/teradata/teradata_odbc_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages


This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Python Teradata module missing, cannot continue


Here is a relevant code snippet related to the "Python Teradata module missing, cannot continue" error message:

59:	        return True
60:	
61:	
62:	def run(args):
63:	    if dependencies_missing:
64:	        module.log('Python Teradata module missing, cannot continue', level=error)
65:	        return
66:	
67:	    # Define UdaExec ODBC connection "application" globally, must be before LogHandler
68:	    udaExec = teradata.UdaExec(appName="Auth", version="1.0", logConsole=False, configureLogging=False)
69:	    module.LogHandler.setup(msg_prefix='{}:{} - '.format(args['rhost'], 1025))

Go back to menu.


References


See Also


Check also the following modules related to this module:

Authors


  • Ted Raffle (actuated)

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.