forked from iamthefrogy/frogy

My subdomain enumeration script. It's unique in the way it is built upon.


w3llr00t3d/frogy

 
 


Made with ❤️ ❤️ ❤️ from frogy

My goal is to create an open-source Attack Surface Management solution capable of finding all the IPs, domains, subdomains, live websites and login portals for one company.

How it can help a large company (some use cases):

  • Vulnerability management team: Can use the result to feed into their known and unknown assets database to prioritize intel activities.
  • Threat intel team: Can use the result to keep their asset inventory data up to date with known and unknown assets facing the Internet.
  • Asset inventory team: Can use the result to identify all assets they are monitoring vs not monitoring and then slowly increase their coverage.
  • SOC team: Can use the result to identify which assets they are monitoring vs. not monitoring and then slowly increase their coverage.
  • Patch management team: Many large organizations are unaware of their legacy, abandoned assets facing the Internet; they can utilize this result to identify what assets need to be taken offline if they are not being used.

It has multiple use cases depending on your organization's processes and technology landscape.

Logic
Frogy

Features

  • 🐸 Horizontal subdomain enumeration
  • 🐸 Vertical subdomain enumeration
  • 🐸 Resolving subdomains to IP
  • 🐸 Identifying live web applications
  • 🐸 Identifying web applications with login portals enabled
  • Requirements: Go Language, Python 3.+, jq

  • Installation

    chmod +x install.sh
    ./install.sh
  • Usage

    ./frogy.sh
  • Demo

    demo

  • Output

    The output file is saved at output/company_name/outut.csv, where company_name is the company name you enter at the 'Organization Name' prompt at the start of the script.
    

TODO

  • ✔️ Efficient folder structure management
  • ✔️ Resolving subdomains using dig
  • ✔️ Add dnscan for extended subdomain enum scope
  • ✔️ Eliminate false positives.
  • ✔️ Bug Fixed, for false positive reporting of domains and subdomains.
  • ✔️ Searching domains through crt.sh via registered organization name from WHOIS instead of domain name created some garbage data. Filtered result to only grab domains and nothing else.
  • ✔️ Now finds live websites on all standard/non-standard ports.
  • ✔️ Now finds all websites with login portals. It also checks for website home pages that automatically redirect to a login page upon opening.
  • ✔️ Now finds live web applications based on the top 1000 Shodan http/https ports through facet analysis. Uses Naabu for a fast port scan followed by httpx. (Credit: @nbk_2000)
  • ✔️ Generate CSV (Root domains, Subdomains, Live sites, Login Portals)
  • ✔️ Now provides output for resolved subdomains
  • ✔️ Added WayBackEngine support from another project
  • ✔️ Added BufferOver support from another project.
  • ✔️ Added Amass coverage.
  • 🚧 Add docker support to avoid dependency issues.
  • 🚧 Add a progress bar for each main feature so it shows some progress while running.
  • 🚧 Reducing execution time by performing resolved asset's port discovery.
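
The TODO list above notes that searching crt.sh by organization name returned garbage data that had to be filtered down to domains only. The following is an added example of one such filter, not the project's own code: the function names `filter_domains` and `sample_names` are hypothetical, the input is assumed to be one certificate name value per line, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from frogy): keep only syntactically valid DNS names
# from certificate name values read one per line on stdin.
filter_domains() {
    tr 'A-Z' 'a-z' | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |          # trim, drop wildcard prefix and root dot
    awk '
        length($0) == 0 || length($0) > 253 { next }  # empty or over DNS name limit
        /[^a-z0-9.-]/ { next }                         # spaces, "@", commas: not a hostname
        {
            n = split($0, label, ".")
            if (n < 2) next                            # need at least name.tld
            for (i = 1; i <= n; i++) {
                if (length(label[i]) < 1 || length(label[i]) > 63) next
                if (label[i] ~ /^-/ || label[i] ~ /-$/) next
            }
            if (label[n] !~ /[a-z]/) next              # numeric last label: an IP, not a domain
            if (!seen[$0]++) print                     # de-duplicate, keep first-seen order
        }
    '
}

# Constructed sample input: the kinds of values that appear in certificate
# subject fields when searching by organization name.
sample_names() {
    cat <<'EOF'
*.example.com
Example Corp, Inc.
admin@example.com
API.Example.com
example.com
192.0.2.10
localhost
-bad.example.com
EOF
}

sample_names | filter_domains
```

Only names that pass the filter should be handed to the resolution and port-discovery stages, so that organization names, e-mail addresses and IP literals never reach the output CSV as false-positive assets.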

A very warm thanks to the authors of the tools used in this script.

Initial repo created - a few weeks before the date below.
Date - 4 March 2019, Open-sourced
Date - 19 March 2021, Major changes

Warning/Disclaimer: Read the detailed disclaimer at my blog - https://github.com/iamthefrogy/Disclaimer-Warning/blob/main/README.md
Logo credit - www.designevo.com

Languages

  • Shell 93.2%
  • Python 6.8%