Thursday, May 22, 2025

An Automated External Reconnaissance And Attack Surface Management (ASM) Toolkit




Frogy 2.0 is an automated external reconnaissance and Attack Surface Management (ASM) toolkit designed to map out an organization's entire internet presence. It identifies assets, IP addresses, web applications, and other metadata across the public internet and then prioritizes them from highest (most attractive) to lowest (least attractive) from an attacker's perspective.

Features

  • Comprehensive recon:
    Aggregate subdomains and assets using multiple tools (CHAOS, Subfinder, Assetfinder, crt.sh) to map an organization's entire digital footprint.

  • Live asset verification:
    Validate assets with live DNS resolution and port scanning (using DNSX and Naabu) to confirm what is publicly reachable.

  • In-depth web recon:
    Collect detailed HTTP response data (via HTTPX) including metadata, technology stack, status codes, content lengths, and more.

  • Smart prioritization:
    Use a composite scoring system that considers homepage status, login identification, technology stack, DNS data and more to generate a risk score for each asset, helping bug bounty hunters and pentesters focus on the most promising targets first.

  • Professional reporting:
    Generate a dynamic, colour-coded HTML report with a modern design and dark/light theme toggle.

Risk Scoring: Asset Attractiveness Explained

In this tool, risk scoring is based on the notion of asset attractiveness: the idea that certain attributes or characteristics make an asset more interesting to attackers. The more of these attributes an asset shows, the higher its overall score, indicating a broader "attack surface" that adversaries could leverage. Below is an overview of how each factor contributes to the final risk score.


1. Purpose of the Asset

  • Employee-Intended Assets
    If a subdomain or system is meant for internal (employee/colleague) use, it is often of higher value to attackers. Internal portals or dashboards tend to hold sensitive data or offer privileged functionality. Therefore, if the domain is flagged as employee-only, its score increases.

2. URLs Found

  • Valid/Accessible URL
    If the tool identifies a workable URL (e.g., HTTP/HTTPS) for the asset, it means there is a real endpoint to attack. An asset that isn't listening on a web port or is offline is less interesting, so any resolvable URL raises the score slightly.

3. Login Interfaces

  • Login Pages
    The presence of a login form indicates some form of access control or user authentication. Attackers often target logins to brute-force credentials, attempt SQL injection, or exploit session handling. Thus, any discovered login endpoint bumps the score.

4. HTTP Status 200

  • Accessible Status Code
    If an endpoint actually returns a 200 OK, it often means the page is legitimately reachable and responding with content. A 200 OK is more interesting to attackers than a 404 or a redirect, so a 200 status modestly increases the risk.

5. TLS Version

  • Modern vs. Outdated TLS
    If an asset is using older SSL/TLS protocols (or no TLS), that is a bigger risk. However, to simplify:
    • TLS 1.2 or 1.3 is considered standard (no penalty).
    • Anything older or absent is penalized by adding to the score.

6. Certificate Expiry

  • Imminent Expiry
    Certificates expiring soon (within a few weeks) can indicate potential mismanagement or a higher chance of downtime or misconfiguration. Short-term expiry windows (≤ 7 days, ≤ 14 days, ≤ 30 days) add a cumulative boost to the risk score.

7. Missing Security Headers

  • Security Header Hygiene
    The tool checks for typical headers like:
    • Strict-Transport-Security (HSTS)
    • X-Frame-Options
    • Content-Security-Policy
    • X-XSS-Protection
    • Referrer-Policy
    • Permissions-Policy

Missing or disabled headers mean an endpoint is more prone to common web exploits. Each absent header increments the score.

8. Open Ports

  • Port Exposure
    The more open ports (and associated services) an asset exposes, the broader the potential attack surface. Each open port adds to the risk score.

9. Technology Stack (Tech Count)

  • Number of Technologies Detected
    Attackers love multi-tech stacks because more software → more potential CVEs or misconfigurations. Each identified technology (e.g., Apache, PHP, jQuery, etc.) adds to the overall attractiveness of the target.

Putting It All Together

Each factor above contributes one or more points to the final risk score. For example:

  1. +1 if the purpose is employee-intended
  2. +1 if the asset is a valid URL
  3. +1 if a login is found
  4. +1 if it returns HTTP 200
  5. +1 if TLS is older than 1.2 or absent
  6. +1–3 for certificates expiring soon (≤ 30 days)
  7. +1 for each missing security header
  8. +1 per open port
  9. +1 per detected technology
  10. +1 for each management port open
  11. +1 for each database port open

Once all factors are tallied, we get a numeric risk score. A higher score means the asset is more interesting to an attacker and potentially offers more room for pentesters to test around.
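
The additive model above, written out as an added example for ranking an organization's own assets for review (this is not Frogy's code). The record field names and the management and database port sets are assumptions, since the page does not define them, and the sample records are constructed.

```python
from datetime import date

# Header names the page lists; compared case-insensitively.
SECURITY_HEADERS = ("strict-transport-security", "x-frame-options",
                    "content-security-policy", "x-xss-protection",
                    "referrer-policy", "permissions-policy")
# Assumption: the page does not say which ports count as management or database.
MGMT_PORTS, DB_PORTS = {22, 3389}, {3306, 5432}

def score_asset(asset, today):
    """Return (score, reasons) for one asset record; field names are hypothetical."""
    reasons = []
    def add(points, why):
        if points:
            reasons.append((points, why))
    add(int(asset.get("employee_intended", False)), "employee-intended")
    add(int(bool(asset.get("url"))), "valid URL")
    add(int(asset.get("login_found", False)), "login found")
    add(int(asset.get("status") == 200), "HTTP 200")
    add(int(asset.get("tls") not in ("1.2", "1.3")), "TLS older than 1.2 or absent")
    if asset.get("cert_expiry") is not None:
        days = (asset["cert_expiry"] - today).days
        # Cumulative: one point for each window (30, 14, 7 days) the expiry falls in.
        add(sum(days <= w for w in (30, 14, 7)), f"certificate expires in {days} days")
    present = {h.lower() for h in asset.get("headers", ())}
    missing = [h for h in SECURITY_HEADERS if h not in present]
    add(len(missing), "missing headers: " + ", ".join(missing))
    ports = set(asset.get("ports", ()))
    add(len(ports), "open ports")
    add(len(asset.get("technologies", ())), "detected technologies")
    add(len(ports & MGMT_PORTS), "management ports open")
    add(len(ports & DB_PORTS), "database ports open")
    return sum(p for p, _ in reasons), reasons

def prioritize(assets, today):
    """Order asset records from highest to lowest score for review."""
    return sorted(assets, key=lambda a: score_asset(a, today)[0], reverse=True)

# Constructed sample records (not output from the tool).
TODAY = date(2025, 5, 22)
SAMPLE = [
    {"host": "www.example.com", "url": "https://www.example.com", "status": 200,
     "tls": "1.3", "cert_expiry": date(2025, 12, 1), "ports": [443],
     "technologies": ["nginx"], "headers": [h.title() for h in SECURITY_HEADERS]},
    {"host": "intranet.example.com", "employee_intended": True, "login_found": True,
     "url": "https://intranet.example.com", "status": 200, "tls": "1.0",
     "cert_expiry": date(2025, 6, 1), "headers": ["Strict-Transport-Security"],
     "ports": [22, 443, 3306], "technologies": ["Apache", "PHP"]},
]
```

The returned reasons list carries the per-factor breakdown, so a reviewer can see why an asset ranked where it did.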

Why This Matters
This approach helps you quickly prioritize which assets warrant deeper testing. Subdomains with high counts of open ports, advanced internal usage, missing headers, or login panels are more complex, more privileged, or more likely to be misconfigured; therefore, your security team can focus on these first.

Installation

Clone the repository and run the installer script to set up all dependencies and tools:

chmod +x install.sh
./install.sh

Usage

chmod +x frogy.sh
./frogy.sh domains.txt

Future Roadmap

  • Completed ✅ ~~Adding security and compliance-related data (SSL/TLS hygiene, SPF, DMARC, headers, etc.)~~
  • Completed ✅ ~~Allow filtering of column data.~~
  • Completed ✅ ~~Add more analytics based on new data.~~
  • Completed ✅ ~~Identify login portals.~~
  • Completed ✅ ~~Basic dashboard/analytics if possible.~~
  • Completed ✅ ~~Display all open ports in one of the table columns.~~
  • Completed ✅ ~~Pagination to access information faster without choking or lagging on the home page.~~
  • Completed ✅ ~~Change font color in dark mode.~~
  • Completed ✅ ~~Identify traditional endpoints vs. API endpoints.~~
  • Completed ✅ ~~Identifying customer-intended vs colleague-intended applications.~~
  • Completed ✅ ~~Enhance prioritisation for target picking. (Scoring based on management ports, login found, customer vs colleague intended apps, security headers not set, SSL/TLS usage, etc.)~~
  • Completed ✅ ~~Implement parallel run, timeout functionality.~~
  • Completed ✅ ~~Scan SSL/TLS for the url:port pattern and not just the domain:443 pattern.~~
  • Completed ✅ ~~Using mouseover on the attack surface column's score, you can now see why and how the score is calculated.~~
  • Completed ✅ ~~Generate CSV output same as HTML table.~~
  • Completed ✅ ~~Self-contained HTML output is generated now, so there is no need to host a file on a web server to access results.~~
  • Completed ✅ ~~To add all DNS records (A, MX, SOA, SRV, CNAME, CAA, etc.)~~
  • Completed ✅ ~~Consolidate the two CDN charts into one.~~
  • Completed ✅ ~~Added PTR record column to the main table.~~
  • Completed ✅ ~~Implemented horizontal and vertical scrolling for tables and charts, with the first title row frozen for easier data reference while scrolling.~~
  • Completed ✅ ~~Added screenshot functionality.~~
  • Completed ✅ ~~Added logging functionality. Logs are stored at /logs/logs.log~~
  • Completed ✅ ~~Added extra score for the management and database ports exposed.~~
  • Fix the screen jerk issue.
  • Identify abandoned and unwanted applications.


