
Frogy 2.0 is an automated external reconnaissance and Attack Surface Management (ASM) toolkit designed to map out an organization's entire internet presence. It identifies assets, IP addresses, web applications, and other metadata across the public internet and then prioritizes them from highest (most attractive) to lowest (least attractive) from an attacker's perspective.
 Features
 
-  Comprehensive recon:
 Aggregate subdomains and assets using multiple tools (CHAOS, Subfinder, Assetfinder, crt.sh) to map an organization's entire digital footprint.
 
-  Live asset verification:
 Validate assets with live DNS resolution and port scanning (using DNSX and Naabu) to confirm what is publicly reachable.
 
-  In-depth web recon:
 Collect detailed HTTP response data (via HTTPX) including metadata, technology stack, status codes, content lengths, and more.
 
-  Smart prioritization:
 Use a composite scoring system that considers homepage status, login identification, technology stack, DNS data, and much more to generate a risk score for each asset, helping bug bounty hunters and pentesters focus on the most promising targets first.
 
-  Professional reporting:
 Generate a dynamic, colour-coded HTML report with a modern design and dark/light theme toggle.
 
Risk Scoring: Asset Attractiveness Explained
 In this tool, risk scoring is based on the notion of asset attractiveness: the idea that certain attributes or characteristics make an asset more interesting to attackers. If we see more of these attributes, the overall score goes up, indicating a broader "attack surface" that adversaries could leverage. Below is an overview of how each factor contributes to the final risk score.
1. Purpose of the Asset
 
- Employee-Intended Assets
 If a subdomain or system is meant for internal (employee/colleague) use, it's often higher value for attackers. Internal portals or dashboards tend to hold sensitive data or offer privileged functionality. Therefore, if the domain is flagged as employee-only, its score increases.
2. URLs Found
 
- Valid/Accessible URL
 If the tool identifies a workable URL (e.g., HTTP/HTTPS) for the asset, it means there's a real endpoint to attack. An asset that isn't listening on a web port or is offline is less interesting, so any resolvable URL raises the score slightly.
3. Login Interfaces
 
- Login Pages
 The presence of a login form indicates some form of access control or user authentication. Attackers often target logins to brute-force credentials, attempt SQL injection, or exploit session handling. Thus, any discovered login endpoint bumps the score.
4. HTTP Status 200
 
- Accessible Status Code
 If an endpoint actually returns a 200 OK, it often means the page is legitimately reachable and responding with content. A 200 OK is more interesting to attackers than a 404 or a redirect, so a 200 status modestly increases the risk.
5. TLS Version
 
- Modern vs. Outdated TLS
 If an asset is using older SSL/TLS protocols (or no TLS), that's a bigger risk. However, to simplify:
   - TLS 1.2 or 1.3 is considered standard (no penalty).
   - Anything older or absent is penalized by adding to the score.
6. Certificate Expiry
 
- Imminent Expiry
 Certificates expiring soon (within a few weeks) can indicate potential mismanagement or a higher chance of downtime or misconfiguration. Short-term expiry windows (≤ 7 days, ≤ 14 days, ≤ 30 days) add a cumulative boost to the risk score.
7. Missing Security Headers
 
- Security Header Hygiene
 The tool checks for typical headers like:
   - Strict-Transport-Security (HSTS)
   - X-Frame-Options
   - Content-Security-Policy
   - X-XSS-Protection
   - Referrer-Policy
   - Permissions-Policy
 Missing or disabled headers mean an endpoint is more prone to common web exploits. Each absent header increments the score.
 8. Open Ports
 
- Port Exposure
 The more open ports (and associated services) an asset exposes, the broader the potential attack surface. Each open port adds to the risk score.
9. Technology Stack (Tech Count)
 
- Number of Technologies Detected
 Attackers love multi-tech stacks because more software means more possible CVEs or misconfigurations. Each identified technology (e.g., Apache, PHP, jQuery, etc.) adds to the overall attractiveness of the target.
Putting It All Together
 Each factor above contributes one or more points to the final risk score. For example:
 
- +1 if the purpose is employee-intended
- +1 if the asset is a valid URL
- +1 if a login is found
- +1 if it returns HTTP 200
- +1 if TLS is older than 1.2 or absent
- +1 to 3 for certificates expiring soon (≤ 30 days)
- +1 for each missing security header
- +1 per open port
- +1 per detected technology
- +1 for each open management port
- +1 for each open database port
Once all factors are tallied, we get a numeric risk score. A higher score means the asset is more interesting to an attacker and potentially gives pentesters more room to test.
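The tally above can be reproduced by hand when you need to justify why one asset is queued for remediation ahead of another. The following is an added example, not Frogy's own code: the record field names are hypothetical, and the management and database port sets are assumptions, since the README does not enumerate them.

```python
from datetime import date

# The six headers the README lists, lower-cased for comparison.
SECURITY_HEADERS = ("strict-transport-security", "x-frame-options",
                    "content-security-policy", "x-xss-protection",
                    "referrer-policy", "permissions-policy")
# Assumed port groupings; the README does not enumerate them.
MGMT_PORTS = {22, 23, 3389, 5900}
DB_PORTS = {1433, 3306, 5432, 6379, 27017}


def score_asset(asset, today):
    """Return (score, reasons) using the +1 weights listed above."""
    reasons = []

    def add(points, why):
        if points > 0:
            reasons.append((points, why))

    add(int(asset.get("employee_intended", False)), "employee-intended")
    add(int(bool(asset.get("url"))), "valid URL")
    add(int(asset.get("login_found", False)), "login page")
    add(int(asset.get("status") == 200), "HTTP 200")
    # TLS 1.2 and 1.3 carry no penalty; older or absent adds a point.
    add(int(asset.get("tls") not in ("1.2", "1.3")), "TLS older than 1.2 or absent")
    # Expiry windows are cumulative: 5 days left falls in all three.
    expiry = asset.get("cert_expiry")
    if expiry is not None:
        days = (expiry - today).days
        add(sum(days <= w for w in (7, 14, 30)), f"certificate expires in {days} days")
    # Header names are case-insensitive, so normalise before comparing.
    present = {h.lower() for h in asset.get("headers", {})}
    missing = [h for h in SECURITY_HEADERS if h not in present]
    add(len(missing), "missing headers: " + ", ".join(missing))

    ports = set(asset.get("open_ports", []))
    add(len(ports), "open ports")
    add(len(ports & MGMT_PORTS), "management ports exposed")
    add(len(ports & DB_PORTS), "database ports exposed")
    add(len(asset.get("tech", [])), "detected technologies")

    return sum(p for p, _ in reasons), reasons


# Constructed sample record, not real scan output.
SAMPLE = {"employee_intended": True, "url": "https://intranet.example.com",
          "login_found": True, "status": 200, "tls": "1.0",
          "cert_expiry": date(2025, 1, 10),
          "headers": {"Strict-Transport-Security": "max-age=31536000"},
          "open_ports": [22, 443, 3306], "tech": ["Apache", "PHP"]}
```

Calling `score_asset(SAMPLE, date(2025, 1, 5))` returns the total together with the per-factor reasons, which is the same breakdown the report exposes on mouseover of the score.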
  Why This Matters
 This approach helps you quickly prioritize which assets warrant deeper testing. Subdomains with high counts of open ports, advanced internal usage, missing headers, or login panels are more complex, more privileged, or more likely to be misconfigured, so your security team can focus on those first.
 
 Installation
 Clone the repository and run the installer script to set up all dependencies and tools:
```bash
chmod +x install.sh
./install.sh
```
 Usage
```bash
chmod +x frogy.sh
./frogy.sh domains.txt
```
 Video Demo
 https://www.youtube.com/watch?v=LHlU4CYNj1M
 Future Roadmap
 
- Completed: ~~Adding security and compliance-related data (SSL/TLS hygiene, SPF, DMARC, Headers etc)~~
- Completed: ~~Allow to filter column data.~~
- Completed: ~~Add more analytics based on new data.~~
- Completed: ~~Identify login portals.~~
- Completed: ~~Basic dashboard/analytics if possible.~~
- Completed: ~~Display all open ports in one of the table columns.~~
- Completed: ~~Pagination to access information faster without choking or lagging on the home page.~~
- Completed: ~~Change font color in darkmode.~~
- Completed: ~~Identify traditional endpoints vs. API endpoints.~~
- Completed: ~~Identifying customer-intended vs colleague-intended applications.~~
- Completed: ~~Enhance prioritisation for target picking. (Scoring based on management ports, login found, customer vs colleague intended apps, security headers not set, ssl/tls usage, etc.)~~
- Completed: ~~Implement parallel run, time out functionality.~~
- Completed: ~~Scan SSL/TLS for the url:port pattern and not just domain:443 pattern.~~
- Completed: ~~Using mouseover on the attack surface column's score, you can now know why and how score is calculated.~~
- Completed: ~~Generate CSV output same as HTML table.~~
- Completed: ~~Self-contained HTML output is generated now. So no need to host a file on web server to access results.~~
- Completed: ~~To add all DNS records (A, MX, SOA, SRV, CNAME, CAA, etc.)~~
- Completed: ~~Consolidate the two CDN charts into one.~~
- Completed: ~~Added PTR record column to the main table.~~
- Completed: ~~Implemented horizontal and vertical scrolling for tables and charts, with the first title row frozen for easier data reference while scrolling.~~
- Completed: ~~Added screenshot functionality.~~
- Completed: ~~Added logging functionality. Logs are stored at /logs/logs.log~~
- Completed: ~~Added extra score for the management and database ports exposed.~~
- Solve the screen jerk issue.
- Identify abandoned and unwanted applications.