TROMMEL: identify potential vulnerable indicators

TROMMEL sifts through directories of files to identify indicators that may contain vulnerabilities.

It identifies the following indicators related to:

• Secure Shell (SSH) key files
• Secure Socket Layer (SSL) key files
• Internet Protocol (IP) addresses
• Uniform Resource Locator (URL)
• email addresses
• shell scripts
• webserver binaries
• configuration files
• database files
• specific binaries files (i.e. Dropbear, BusyBox, etc.)
• shared object library files
• web application scripting variables, and
• Android application package (APK) file permissions.

It has also integrated vFeed which allows for further in-depth vulnerability analysis of identified indicators to enrich the output.

• integrates vFeed, which is a database wrapper that pulls in content from Common Vulnerabilities and Exposures (CVE) database, Exploit-DB, and Metasploit.
• vFeed offers a free, downloadable Community Database for non-commercial users.
• This integration allows for further in-depth vulnerability analysis of identified indicators.
• significantly lessens the manual analysis time of the researcher by automating much of the vulnerability discovery and analysis process.
• Upon execution, it provides the following feedback to the researcher in the terminal:
  • it is working to sift through the files.
  • Results will be saved to “[Researcher Supplied File Name]_Trommel_YYYYMMDD_HHMMSS”
• The identified indicators are then saved to a text file in the current working directory of TROMMEL.
• The text file is named according to the above naming convention and will contain the following information preceding the identified indicators:
  • Trommel Results File Name: [Researcher Supplied File Name]
  • Directory: [Researcher Supplied Directory]
  • There are [Count of Files] total files within the directory.
  • Results could be vulnerabilities. These results should be verified as false positives may exist.
• The indicators should be reviewed to identify and remove false positives and to identify indicators that need further analysis for potential vulnerabilities.

Changelog

2019-08-2

Changed

• Added dependency of Pyfiglet for banner printing
• Removed one-off search capability. If you want new search items create an issue to have me add it to the config

Added

• Added parsing of passwd files to highlight users with shell access
• Added a few more keywords

Install

• Download: git clone https://github.com/CERTCC-Vulnerability-Analysis/trommel.git
• Download vFeed database from vFeed tool from https://vfeed.io/pricing/.
  • This database needs to be placed in the root of the working directory.
• Python-magic
  • For Linux:
    • pip install python-magic
  • For Mac:
    • brew install libmagic
    • pip install python-magic

Usage

$ trommel.py –help

Output TROMMEL results to a file based on a given directory

$ trommel.py -p /directory -o output_file

Tutorial

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

Source: https://github.com/CERTCC-Vulnerability-Analysis/