Teradata ODBC Login Scanner Module - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/teradata/teradata_odbc_login metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Teradata ODBC Login Scanner Module
Module: auxiliary/scanner/teradata/teradata_odbc_login
Source code: modules/auxiliary/scanner/teradata/teradata_odbc_login.py
Disclosure date: 2018-03-30
Last modification time: 2021-05-17 17:04:49 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 1025
List of CVEs: -
This module is also known as Teradata ODBC Login Scanner.
Login scanner module for ODBC connections to Teradata databases. Port specification (TCP 1025 by default) is not necessary for ODBC connections. Blank passwords are not supported by ODBC connections. Requires ODBC driver and Python Teradata module.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/teradata/teradata_odbc_login
msf auxiliary(teradata_odbc_login) > show options
... show and set options ...
msf auxiliary(teradata_odbc_login) > set RHOSTS ip-range
msf auxiliary(teradata_odbc_login) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(teradata_odbc_login) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(teradata_odbc_login) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(teradata_odbc_login) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
The teradata_odbc_login module is used to brute-force credentials for Teradata databases.
Vulnerable Application
- Teradata Database
- Teradata Express
Teradata databases can be identified by scanning for TCP port 1025. An Nmap version scan can confirm if the service is recognized as Teradata.
Extra Requirements
This module requires the Teradata ODBC driver and the Teradata python library.
ODBC Driver for Kali Linux 2017.3
- Download the Teradata ODBC driver for Ubuntu from downloads.teradata.com.
- Refer to the Ubuntu package README for up-to-date instructions.
- Install lib32stdc++6 if necessary.
- Install the ODBC drivers:
dpkg -i [package].deb
- Copy /opt/teradata/client/ODBC_64/odbc.ini to /root/.odbc.ini .
- Or your home directory if not root.
- Make sure odbc.ini has been renamed to .obdc.ini .
Configuration for OS X
On OS X the Python client needs to be pointed to the ODBC driver manually. Create ~/udaexec.ini
with the following contents:
ini
[CONFIG]
odbcLibPath=/usr/lib/libiodbc.dylib
Python Package
pip install teradata
Verification Steps
- Deploy a Teradata Express test environment.
- Install the OBCD driver and python package.
- Start msfconsole.
- Do:
use auxiliary/scanner/teradata/teradata_odbc_login
- Do:
set RHOSTS [IPs]
- Do:
set USERNAME [username to try]
- Do:
set PASSWORD [password to try]
- The default Teradata credentials are the matching username and password 'dbc'.
- Do:
run
msf > use auxiliary/scanner/teradata/teradata_odbc_login
msf auxiliary(scanner/teradata/teradata_odbc_login) > set RHOSTS 192.168.0.2
RHOSTS => 192.168.0.2
msf auxiliary(scanner/teradata/teradata_odbc_login) > set USERNAME dbc
USERNAME => dbc
msf auxiliary(scanner/teradata/teradata_odbc_login) > set PASSWORD dbc
PASSWORD => dbc
msf auxiliary(scanner/teradata/teradata_odbc_login) > run
[*] Running for 192.168.0.2...
[*] 192.168.0.2:1025 - Creating connection: %s
[*] 192.168.0.2:1025 - Loading ODBC Library: %s
[*] 192.168.0.2:1025 - Method succeeded with info: [26] 523 24
[*] 192.168.0.2:1025 - Method succeeded with info: [26] 523 24
[*] 192.168.0.2:1025 - Available drivers: Teradata Database ODBC Driver 16.20,
[*] 192.168.0.2:1025 - Creating connection using ODBC ConnectString: %s
[*] 192.168.0.2:1025 - Setting AUTOCOMMIT to %s
[*] 192.168.0.2:1025 - FETCH_SIZE: 1
[*] 192.168.0.2:1025 - Buffer size for column %s: %s
[*] 192.168.0.2:1025 - SELECT SESSION returned %s
[*] 192.168.0.2:1025 - Executing query on session %s using SQLExecDirectW: %s
[*] 192.168.0.2:1025 - Committing transaction...
[*] 192.168.0.2:1025 - Created session %s.
[*] 192.168.0.2:1025 - Creating cursor %s for session %s.
[*] 192.168.0.2:1025 - Connection successful. Duration: %.3f seconds. Details: %s
[*] 192.168.0.2:1025 - Closing cursor %s for session %s.
[*] 192.168.0.2:1025 - Closing session %s...
[*] 192.168.0.2:1025 - Session %s closed.
[+] 192.168.0.2:1025 - [1/1] - dbc:dbc - Success
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the scanner/teradata/teradata_odbc_login auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/teradata/teradata_odbc_login
msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show info
Name: Teradata ODBC Login Scanner Module
Module: auxiliary/scanner/teradata/teradata_odbc_login
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2018-03-30
Provided by:
Ted Raffle (actuated)
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
rport 1025 yes Port to target, ignored by the ODBC driver
sleep_interval no Time in seconds to wait between login attempts
userpass no A list of username/password combinations to try
Description:
Login scanner module for ODBC connections to Teradata databases.
Port specification (TCP 1025 by default) is not necessary for ODBC
connections. Blank passwords are not supported by ODBC connections.
Requires ODBC driver and Python Teradata module.
References:
https://developer.teradata.com/tools/reference/teradata-python-module
https://downloads.teradata.com/download/connectivity/odbc-driver/linux
Also known as:
Teradata ODBC Login Scanner
Module Options
This is a complete list of options available in the scanner/teradata/teradata_odbc_login auxiliary module:
msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show options
Module options (auxiliary/scanner/teradata/teradata_odbc_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
rport 1025 yes Port to target, ignored by the ODBC driver
sleep_interval no Time in seconds to wait between login attempts
userpass no A list of username/password combinations to try
Advanced Options
Here is a complete list of advanced options supported by the scanner/teradata/teradata_odbc_login auxiliary module:
msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show advanced
Module advanced options (auxiliary/scanner/teradata/teradata_odbc_login):
Name Current Setting Required Description
---- --------------- -------- -----------
MaxGuessesPerService 0 no Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
MaxGuessesPerUser 0 no Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:
22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
MaxMinutesPerService 0 no Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
PASSWORD_SPRAY false yes Reverse the credential pairing order. For each password, attempt every possible user.
REMOVE_PASS_FILE false yes Automatically delete the PASS_FILE on module completion
REMOVE_USERPASS_FILE false yes Automatically delete the USERPASS_FILE on module completion
REMOVE_USER_FILE false yes Automatically delete the USER_FILE on module completion
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
TRANSITION_DELAY 0 no Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/teradata/teradata_odbc_login module can do:
msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/teradata/teradata_odbc_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/teradata/teradata_odbc_login) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Python Teradata module missing, cannot continue
Here is a relevant code snippet related to the "Python Teradata module missing, cannot continue" error message:
59: return True
60:
61:
62: def run(args):
63: if dependencies_missing:
64: module.log('Python Teradata module missing, cannot continue', level=error)
65: return
66:
67: # Define UdaExec ODBC connection "application" globally, must be before LogHandler
68: udaExec = teradata.UdaExec(appName="Auth", version="1.0", logConsole=False, configureLogging=False)
69: module.LogHandler.setup(msg_prefix='{}:{} - '.format(args['rhost'], 1025))
Go back to menu.
Related Pull Requests
- #15212 Merged Pull Request: Converts Python shebangs over to Python 3
- #12524 Merged Pull Request: Convert all python code to python3. Fixes #12506.
- #10570 Merged Pull Request: AKA Metadata Refactor
- #10109 Merged Pull Request: Added Teradata ODBC Login and SQL modules and documentation
References
- CVE: Not available
- https://developer.teradata.com/tools/reference/teradata-python-module
- https://downloads.teradata.com/download/connectivity/odbc-driver/linux
See Also
Check also the following modules related to this module:
- auxiliary/admin/teradata/teradata_odbc_sql
- exploit/dialup/multi/login/manyargs
- exploit/windows/scada/citect_scada_odbc
Authors
- Ted Raffle (actuated)
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.