TROMMEL sifts through embedded device files to identify potential vulnerable indicators. The tool can be used to search files and configurations in a directory and find potential vulnerability. Usually any security scanner will produced reports and finding without properly confirming the system vulnerability.

Vulnerability scanner allow security professional to automate and accelerate the vulnerability assessment while it will be required to validate any security issue reported. This tool can be an additional way to verify files for vulnerabilities. TROMMEL identifies the following indicators related to:

• Secure Shell (SSH) key files
• Secure Socket Layer (SSL) key files
• Internet Protocol (IP) addresses
• Uniform Resource Locator (URL)
• email addresses
• shell scripts
• web server binaries
• configuration files
• database files
• specific binaries files (i.e. Dropbear, BusyBox, etc.)
• shared object library files
• web application scripting variables, and
• Android application package (APK) file permissions.

Upon execution, TROMMEL provides the following feedback to the researcher in the terminal and writes 2 (CSV parsable) results files:

• Results will be saved to User-Supplied-File-Name_Trommel_YYYYMMDD_HHMMSS.
• Hashes of files will be saved to User-Supplied-File-Name_TROMMEL_Hash_Results_YYYYMMDD_HHMMSS.

Checks the system architecture by using the BusyBox binary. The text file is named according to the above naming convention and will contain the following information preceding the identified indicators:

• TROMMEL Results File Name: [Researcher Supplied File Name]
• Directory: [Researcher Supplied Directory]
• There are [Count of Files] total files within the directory.

The results should be reviewed to identify and remove false positives and to identify indicators that need further analysis for potential vulnerabilities.

Dependencies

• Python-Magic – See documentation for instructions for Python3-magic installation

Usage

$ trommel.py --help

Output TROMMEL results to a file based on a given directory. By default, only searches plain text files.

$ trommel.py -p /directory -o output_file

Output TROMMEL results to a file based on a given directory. Search both binary and plain text files.

$ trommel.py -p /directory -o output_file -b

Notes

• The intended to assist researchers during firmware analysis to find potential vulnerabilities
• Network defenders can benefit as well to assess devices on their network or for devices they plan to add to their network
• Devices can include IoT (web cams, smart devices (light bulbs, plugs, switches, TVs, fridge, coffee maker, etc.)), SCADA/ICS, routers, really anything with an embedded flash chip that boots an OS on startup.
• TROMMEL has been tested using Python3 on Kali Linux x86_64.