Frogy2.0
Orbis is a full-spectrum, automated external attack surface intelligence toolkit.
Install / Use
Orbis - Attack Surface Intelligence
Full-Spectrum Attack Surface Intelligence
Orbis automatically maps your organisation's entire internet-facing attack surface: subdomains, open ports, web applications, cloud infrastructure, TLS certificates, email posture, exposed secrets, login panels, and more. It then scores and ranks every discovered asset so you know exactly where to focus first.
<img width="801" height="831" alt="image" src="https://github.com/user-attachments/assets/9e012767-ae54-4ee1-87dc-add602ecd0c8" />
<div align="left">
What it does
You give it a list of domains. It does the rest.
Input domains: google.com, apple.com, example.com

Frogy 2.0 discovers:
• 2,000+ subdomains (passive + active enumeration)
• Every open port across all live hosts
• Every web application — status, tech stack, redirects
• Login panels, exposed .env files, leaked JS secrets
• TLS certificates, cipher strengths, expiry dates
• Subdomain takeover candidates (55+ service fingerprints)
• Cloud asset inventory (AWS / Azure / GCP / Cloudflare)
• SPF / DKIM / DMARC / DNSSEC / BIMI / MTA-STS / DANE
• Third-party vendor dependencies across all surfaces
• Interactive asset relationship graph
→ Risk-scored, prioritised, searchable HTML report
Pipeline Overview
Frogy 2.0 runs a 31-step bash pipeline against your targets — fully automated from discovery to report, all stages run unconditionally.
| Phase | Steps | What happens |
|-------|-------|--------------|
| Seed Expansion | 1–3 | crt.sh org filter · ARIN RDAP ASN→CIDR · TLD sweep · brand variation · SEC EDGAR · WhoisXML registrant pivot (API-optional) |
| Discovery | 4–9 | Subfinder + Assetfinder + crt.sh + GAU + Wayback CDX + RapidDNS + OTX/VT (API-optional) → merge + exclusion filter |
| DNS & Takeover | 10–11 | DNSX full resolution (A/AAAA/CNAME/MX/NS/SPF/DMARC/DKIM/DNSSEC/BIMI/MTA-STS/DANE) · CDN/cloud tier classify · 55+ dangling-DNS fingerprints |
| Port + Web | 12–16 | IPv6 discovery · Naabu port scan (~500 ports, CDN-aware) · web-port URL expansion · HTTPX fingerprinting · Shodan banner enrichment (API-optional) |
| Crawl + JS | 18–19 | Katana deep crawl (JS-aware, depth 3) → JS file analysis (secrets, endpoints, SDK refs) |
| Security Analysis | 21–23 | Login panel detection · TLS/cipher grading · security header compliance · CORS / BIMI / MTA-STS / DANE / WHOIS structured fields |
| Intelligence | 24–29 | SaaS tenants · third-party vendor intel (100+ patterns) · API surface · colleague identification · GitHub org surface · favicon hash clustering |
| Cloud | 30 | Cloud infra inventory + WAF shielding status · open storage check · bucket permutation |
| Score + Report | 31 | Three-bucket risk scoring (70+ signals) → self-contained HTML report with 11 tabs |
Key Features
<details> <summary><b>Subdomain Discovery & DNS Intelligence</b></summary>

- Aggregates from Subfinder, Assetfinder, crt.sh, GAU (Wayback Machine), RapidDNS, OTX, VirusTotal
- Full DNS resolution: A, AAAA, CNAME, MX, NS, SPF, DMARC, DKIM, DNSSEC
- BIMI, MTA-STS, DANE/TLSA records per domain
- WHOIS: Registrar, creation date, expiry, RegistrantOrg, RegistrantCountry per domain
- Per-project Exclusion List — assets marked out-of-scope are filtered before DNS resolution and from all future rescans
- HTTPX with `-follow-redirects` captures final-hop metadata (not the redirect page)
- Redirect deduplication in reports: HTTP:80 suppressed when HTTPS:443 exists for the same host — eliminates double-counting
- Technology stack, web server + version, CDN/WAF, content-length, status codes
- 55+ service fingerprints: GitHub Pages, AWS S3, Heroku, Netlify, Vercel, Azure, Fastly, Fly.io, and more
- Verified by fetching the expected error-page body
- Confirmed / Potential / Safe classification
- Takeover status feeds directly into the risk score
- Cipher suite inspection: flags NULL, ANON, RC4, DES, 3DES, CBC
- Protocol version (TLS 1.3 down to SSL 3.0)
- Self-signed detection, wildcard SAN detection, broken handshakes
- Certificate expiry with colour-coded urgency (expired → within 7d → within 30d → ok)
- Key algorithm (RSA / ECDSA) and key size (colour-coded: red < 2048, yellow = 2048, green ≥ 4096 / any ECDSA)
- CA type detection: Let's Encrypt vs. paid CA
- Cert Score A–F (0–100) per certificate — TLS version + cipher + expiry + key + self-signed + wildcard
- Per-domain MX record collection + automatic mail provider detection (Google Workspace, Microsoft 365, ProofPoint, Mimecast, etc.)
- SPF / DKIM / DMARC / DNSSEC evaluated per domain
- BIMI record detection, MTA-STS mode (enforce/testing/none), DANE/TLSA records (ports 443 and 25)
- Dedicated Mail Infrastructure report tab with per-domain Email Risk Score 0–100
- Structured WHOIS fields per domain: Registrar, DomainCreated, DomainExpires, DomainAge, RegistrantOrg, RegistrantCountry
- NS cluster badge — groups domains sharing the same nameservers
- Shodan service banners surfaced in the IP Addresses table (port · protocol · service pills)
- Multi-signal heuristics: password/username fields, CSRF tokens, HTTP 401/403/407, JS auth libraries, multilingual sign-in keywords, CAPTCHA indicators
- Structured JSON output including login panel type (phpMyAdmin, Jenkins, Kubernetes Dashboard, Grafana, CMS admin, remote-access gateways)
- Type used by scoring engine to apply higher penalties for high-value panels
- Covers AWS, Azure, GCP, Cloudflare, Vercel, Netlify, Fastly, Heroku, Fly.io, DigitalOcean, Hetzner
- Resource type classification: CDN, load balancer, object storage, managed DB, API gateway, serverless
- Shielding status: WAF/CDN-protected vs. direct-origin exposure
- Katana crawls every live site (depth 3)
- Deduplicated unique page count per endpoint: numeric path segments normalised (`/users/123` → `/users/{id}`), query strings stripped
- Log-scaled score contribution (+2 to +12) — measures real application complexity, not URL count inflation
- Multi-source collection: CSP headers, Katana JS analysis, MX/SPF/CNAME records, HTTP response headers
- 100+ vendor patterns classify into Analytics, CDN, Auth/Identity, Payment, Marketing, Cloud, Monitoring, and more
- Dedicated Third Parties report tab with per-category summary and full vendor detail table
- Interactive D3 v7 force-directed graph in the report — no external dependencies
- 8 node types: Domain · IP · ASN · NS · MX · Cloud · TLS Cert · Vendor
- 11 edge types: DNS · CNAME · NS · MX · ASN · Cloud · TLS SAN · Vendor · Takeover · Redirect · Favicon
- Click any node for ego-network highlight; filter by node type or edge type; search by name
- Clickable per-endpoint scorecard — click any Attack Surface Score to see a breakdown of every contributing signal
- Column visibility toggle per table — hide/show columns, state persisted in localStorage
- Section intelligence drawer — ⓘ About button in each section opens an analyst-written explanation with red flags to look for
- Column micro-tooltips — hover the `?` chip on any column header for a one-sentence definition and attacker use case
- 9-chart analytics grid in the Overview
- Dark / Light theme — shared between dashboard and report
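The crawl deduplication and log-scaled complexity contribution described in the crawl bullets above, as an added example (not Frogy's own code): the +2 to +12 range and the `/users/123` → `/users/{id}` rule are the README's; the log10 scaling, its saturation point of 1000 unique pages, and the sample URL list are assumptions constructed for illustration.

```python
import math
import re
from urllib.parse import urlsplit

# Constructed sample of crawl output for one web endpoint (not real scan data).
SAMPLE_URLS = [
    "https://app.example.com/users/123?tab=profile",
    "https://app.example.com/users/456",
    "https://app.example.com/users/456/orders/7",
    "https://app.example.com/users/789/orders/8?page=2",
    "https://app.example.com/login",
    "https://app.example.com/login?next=/users/123",
    "https://app.example.com/static/app.js",
]

_NUMERIC_SEGMENT = re.compile(r"^\d+$")


def normalise_path(url: str) -> str:
    """Collapse numeric path segments to {id} and drop the query string,
    so /users/123?tab=profile and /users/456 count as one page template."""
    path = urlsplit(url).path or "/"
    segments = ["{id}" if _NUMERIC_SEGMENT.match(s) else s for s in path.split("/")]
    return "/".join(segments) or "/"


def unique_pages(urls) -> set:
    """Deduplicated page templates for an endpoint's crawled URLs."""
    return {normalise_path(u) for u in urls}


def complexity_contribution(page_count: int, lo: int = 2, hi: int = 12,
                            saturate_at: int = 1000) -> int:
    """Log-scaled contribution in [lo, hi] (+2..+12 per the README).
    Assumption: log10 scaling that saturates at 1000 unique pages; an endpoint
    with no crawled pages contributes nothing."""
    if page_count <= 0:
        return 0
    frac = min(math.log10(page_count) / math.log10(saturate_at), 1.0)
    return lo + round(frac * (hi - lo))


def crawl_signal(urls):
    """Return (unique page count, score contribution) for one endpoint."""
    count = len(unique_pages(urls))
    return count, complexity_contribution(count)
```

With the sample above, seven crawled URLs collapse to four page templates, so a URL-heavy but shallow app does not inflate its score.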
Risk Scoring
Every endpoint is scored through three capped buckets (max 100). The aggregate report score is the mean of the top-5 domain endpoint scores.
| Bucket | Cap | Measures |
|--------|-----|----------|
| Sensitivity | 40 | Asset criticality, stack complexity, data-handling classification |
| Exposure | 35 | Directly dangerous or reachable attack surfaces |
| Hygiene | 25 | Misconfigurations, certificate health, compliance gaps |
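The three-bucket capped scoring and the top-5 aggregate, as an added example (not Frogy's own scoring engine): the bucket caps and the top-5 mean rule are the README's; the signal names, their point values and the sample endpoints are hypothetical, constructed only to show how capping and aggregation behave.

```python
from statistics import mean

# Bucket caps from the README: Sensitivity 40 + Exposure 35 + Hygiene 25 = 100.
BUCKET_CAPS = {"sensitivity": 40, "exposure": 35, "hygiene": 25}

# Hypothetical signal weights (bucket, points); the real 70+ signal table is not reproduced here.
SIGNAL_WEIGHTS = {
    "takeover_confirmed": ("exposure", 35),
    "exposed_env_file": ("exposure", 30),
    "login_panel_high_value": ("exposure", 25),
    "login_panel_generic": ("exposure", 10),
    "direct_origin_no_waf": ("exposure", 8),
    "handles_payments": ("sensitivity", 25),
    "admin_stack": ("sensitivity", 15),
    "crawl_complexity": ("sensitivity", 12),  # variable +2..+12, passed per endpoint
    "cert_expired": ("hygiene", 15),
    "self_signed_cert": ("hygiene", 10),
    "missing_security_headers": ("hygiene", 8),
}

# Constructed signals for a few endpoints of one domain (not real scan data).
SAMPLE_ENDPOINTS = {
    "https://shop.example.com": ["login_panel_generic", "handles_payments",
                                 ("crawl_complexity", 9), "missing_security_headers"],
    "https://old.example.com": ["takeover_confirmed", "exposed_env_file", "cert_expired"],
    "https://admin.example.com": ["login_panel_high_value", "admin_stack",
                                  "direct_origin_no_waf", "self_signed_cert"],
    "https://www.example.com": [("crawl_complexity", 6)],
}


def score_endpoint(signals):
    """Sum signal points into buckets, cap each bucket, return (buckets, total <= 100).
    A signal is a name, or a (name, points) pair for variable-weight signals."""
    buckets = {b: 0 for b in BUCKET_CAPS}
    for sig in signals:
        name, points = (sig, None) if isinstance(sig, str) else sig
        bucket, default = SIGNAL_WEIGHTS[name]
        buckets[bucket] += default if points is None else points
    capped = {b: min(v, BUCKET_CAPS[b]) for b, v in buckets.items()}
    return capped, sum(capped.values())


def aggregate_score(endpoint_scores, top_n=5):
    """README rule: the report score is the mean of the top-5 endpoint scores."""
    top = sorted(endpoint_scores, reverse=True)[:top_n]
    return mean(top) if top else 0


def report_score(endpoints=SAMPLE_ENDPOINTS):
    return aggregate_score([score_endpoint(s)[1] for s in endpoints.values()])
```

Note how `old.example.com` has 65 raw exposure points but is capped at 35, so a single bucket can never push an endpoint past its share of the 100-point scale.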
<details> <summary><b>Sensitivity signals</b></summary>

| Signal | Points |
|--------|--------|
