TROMMEL: identify potential vulnerable indicators

TROMMEL sifts through directories of files to identify indicators that may contain vulnerabilities.

It identifies the following indicators related to:

  • Secure Shell (SSH) key files
  • Secure Socket Layer (SSL) key files
  • Internet Protocol (IP) addresses
  • Uniform Resource Locator (URL)
  • email addresses
  • shell scripts
  • web server binaries
  • configuration files
  • database files
  • specific binaries files (i.e. Dropbear, BusyBox, etc.)
  • shared object library files
  • web application scripting variables, and
  • Android application package (APK) file permissions.

It has also integrated vFeed which allows for further in-depth vulnerability analysis of identified indicators to enrich the output.

  • integrates vFeed, which is a database wrapper that pulls in content from Common Vulnerabilities and Exposures (CVE) database, Exploit-DB, and Metasploit.
  • vFeed offers a free, downloadable Community Database for non-commercial users.
  • This integration allows for further in-depth vulnerability analysis of identified indicators.
  • significantly lessens the manual analysis time of the researcher by automating much of the vulnerability discovery and analysis process.
  • Upon execution, it provides the following feedback to the researcher in the terminal:
    • it is working to sift through the files.
    • Results will be saved to “[Researcher Supplied File Name]_Trommel_YYYYMMDD_HHMMSS”
  • The identified indicators are then saved to a text file in the current working directory of TROMMEL.
  • The text file is named according to the above naming convention and will contain the following information preceding the identified indicators:
    • Trommel Results File Name: [Researcher Supplied File Name]
    • Directory: [Researcher Supplied Directory]
    • There are [Count of Files] total files within the directory.
    • Results could be vulnerabilities. These results should be verified as false positives may exist.
  • The indicators should be reviewed to identify and remove false positives and to identify indicators that need further analysis for potential vulnerabilities.




  • Added additional indicators and updated README and Documentation


  • Download: git clone
  • Download vFeed database from vFeed tool from
    • This database needs to be placed in the root of the working directory.
  • Python-magic
    • For Linux:
      • pip install python-magic
    • For Mac:
      • brew install libmagic
      • pip install python-magic


$ –help

Output TROMMEL results to a file based on a given directory

$ -p /directory -o output_file


Copyright 2017 Carnegie Mellon University. All Rights Reserved.