Frogy: The New Recon Tool That Maps and Prioritizes Your Entire Attack Surface
Frogy 2.0 is an automated external reconnaissance and Attack Surface Management (ASM) toolkit designed to map out an organization’s entire internet presence. It identifies assets, IP addresses, web applications, and other metadata across the public internet and then smartly prioritizes them with highest (most attractive) to lowest (least attractive) from an attacker’s playground perspective.
Approx. Time Duration
Key pipeline stages: 17-step bash workflow.
Assumptions for timing: official Docker container on a mid-range cloud VM (≈2 vCPU, 4–8 GB RAM), fast but not unlimited network egress (Nat/ISP throttled around 50–100 Mbps), no upstream rate bans, and default script throttles (httpx -t 5 -rl 15, Katana -c 5, curl timeouts 25 s). Times grow nearly linearly with live subdomains because Naabu, curl login probes, tlsx, and dig/whois loops iterate per host/endpoint.
| Total Discovered Subdomains | Typical Runtime (wallclock) | Primary Bottleneck / Rationale |
|---|---|---|
| 2-digit (≤ 99) | ~20 – 40 minutes | Naabu still scans ~180 ports per host; each live endpoint then hits httpx twice (JSON + screenshots), Katana depth-3 crawl, curl login detection, and tlsx handshakes. DNS/email hygiene (dig) plus whois lookups run sequentially across every subdomain. |
| 3-digit (100 – 999) | ~45 – 120 minutes | Port scanning now covers tens of thousands of probes; Katana/curl loops grow proportionally and are mostly sequential; tlsx and screenshotting contend for CPU. DNSSEC/SPF/DKIM checks and ipinfo enrichments fan out to hundreds of hosts, each with multiple dig/whois calls. |
| 4-digit (1 000 – 9 999) | ~3 – 6 hours | Millions of port probes through Naabu plus repeated httpx/curl/TLS passes saturate rate limits, while Katana depth-3 crawls queue for hours. Large JSON merging (jq, sort) and disk writes (screenshots, responses) add I/O overhead. External services (crt.sh, whois, TLS endpoints) throttle aggressive parallelism. |
| 5-digit (10 000 – 99 999) | ~8 – 18 hours | Naabu must touch tens of millions of host:port combos; httpx, tlsx, Katana, and curl runs become the dominant wallclock cost due to conservative rate limits and timeouts. Massive DNS/email hygiene loops hammer resolver APIs, and IP enrichment (whois.cymru, reverse DNS) further drags. Expect retries, remote throttling, and storage pressure from screenshots/responses. |
Note: real runtimes can swing widely based on upstream rate-limits, packet loss, depth of Katana crawling, and whether endpoints time out (forcing every curl/httpx call to wait a full 15–25 s). Adjusting tool flags (e.g., trimming port catalog, lowering Katana depth, upping httpx -t) can significantly shorten runs at the cost of coverage.
Features
-
Comprehensive recon:
Aggregate subdomains and assets using multiple tools (CHAOS, Subfinder, Assetfinder, crt.sh) to map an organization’s entire digital footprint. -
Live asset verification:
Validate assets with live DNS resolution and port scanning (using DNSX and Naabu) to confirm what is publicly reachable. -
In-depth web recon:
Collect detailed HTTP response data (via HTTPX) including metadata, technology stack, status codes, content lengths, and more. -
Smart prioritization:
Use a composite scoring system that considers homepage status, login identification, technology stack, and DNS data and much more to generate risk score for each assets helping bug bounty hunters and pentesters focus on the most promising targets to start attacks with. -
Professional reporting:
Generate a dynamic, colour-coded HTML report with a modern design and dark/light theme toggle.
Install & Use
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
