September 28, 2025

Frogy2.0 - Automated external reconnaissance and Attack Surface Management

Title: Frogy2.0 - Automated external reconnaissance and Attack Surface Management
Presenter: Chintan "Frogy" Gurjar (BlackHat speaker)
Event: BreachForce CyberSecurity Cohort
Talk Date: 28th-September-2025
Key Takeaways: https://github.com/iamthefrogy/frogy2.0

Transcript

  1. #BHUSA @BlackHatEvents
     Frogy 2.0 – Zero-Cost External ASM: See What Attackers See of Your Organization On the Internet
     Chintan Gurjar
     github.com/iamthefrogy
     chintangurjar.com
  2. The Frog Behind the Lens
     • Chintan Gurjar (CEH, CCFA/CCFH (CrowdStrike), CTIA (Threat Intel), OSCP, CBE (Blockchain), SANS MGT516 (VM)).
     • 13+ years in penetration testing, security assessments, threat intelligence & vulnerability management.
     • Techno-managerial blend from small security consulting ➔ small product-based ➔ Big4 consulting ➔ big product-based firms.
     • Worked for some well-known firms – KPMG New Zealand, Tesco, TikTok, Marks and Spencer.
     • Builder of large security programs for big firms.
     • Course author of Applied Attack Surface Analysis & Reduction – EC-Council.
     • Technical reviewer of the book Resilient Cybersecurity: Reconstruct your defense strategy in an evolving cyber world.
     • Creator of multiple checklists and visual guides at www.chintangurjar.com.
     • Co-trainer at HackCon 11 – Securing mobile platforms and mobile apps (Android and iOS).
     • MSc. Computer Security & Forensics from UK.
  3. Agenda
     • Motivation & Goals
     • Architecture & Design
     • Recon Modules Deep Dive
     • Scoring & Prioritization
     • Reporting & Templates
     • Demo Workflow
     • Roadmap & Q&A
  4. Motivation & Goal
     • Zero-cost solution
     • Lightweight, local, no external dependencies
     • Aggregate multiple recon tools into one workflow
     • Attack surface is the core focus
     • Cluttered market from open-source to commercial
     • Usable by everyone from analyst to CISO
     • Produce a self-contained, interactive HTML and CSV report
     • Enterprise-ready toolkit (VM, CTI, CMDB, SOC, PM)
  5. Architecture & Design
     • Bash wrapper orchestrating multiple tools
     • Parallelized phases with configurable timeouts
     • Modular: discovery → verification → scoring → reporting
  6. Scoring & Prioritization
     • Quantifies disparate risk factors into a single “attractiveness” score for data-driven target prioritization
     • Blends external visibility with security hygiene for 360° asset profiling
     • Enables rapid triage by score tiers so teams focus scarce resources on the highest-impact assets first
  7. Demo Workflow
     Start
     • Prepare domains.txt (with one or more primary domains, you can name any file)
     • chmod 777 * ➔ Give permissions.
     • docker build -t frogy:latest . ➔ Build docker image
     • docker run --rm -it -v "$(pwd):/opt/frogy" -w /opt/frogy --entrypoint /bin/bash frogy:latest ➔ Run a container
     • ./frogy.sh target.txt ➔ Run the tool
     • Open generated output/run-*/report.html
     End
  8. Reporting
     • Standalone HTML dashboard
     • Light/Dark mode theme
     • Interactive sortable tables
     • Deep dive into filters and pagination
     • Instant C-Suite to SOC/VM/CTI/Purple team handoff
     • Mouse-over score breakdown for detailed understanding
     • One-click CSV export
     • Custom branding via header.html & footer.html
     • Embedded charts and metrics
  9. Roadmap & Q&A
     • Support for macOS and other Linux distros
     • Docker support
     • Enhance scoring
     • Customisable options
     • Community feedback implementation
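
The Architecture & Design slide describes a Bash wrapper with parallelized phases and configurable timeouts. The following is an added example, not code from frogy.sh or the deck: one way a wrapper can run a phase's jobs in parallel under a per-job timeout so that a hung tool cannot stall the later phases. The names `run_phase` and `PHASE_TIMEOUT`, and the idea that jobs inside one phase run concurrently, are assumptions; it relies on the coreutils `timeout` command.

```sh
#!/bin/sh
# Added example, not frogy.sh. run_phase and PHASE_TIMEOUT are hypothetical names.

# Seconds each job may run before it is killed (configurable via environment).
PHASE_TIMEOUT="${PHASE_TIMEOUT:-30}"

# run_phase PHASE "label=command" ...
# Starts every job of the phase in parallel, each wrapped in timeout(1), then
# waits for all of them and prints one "PHASE/label:status" line per job,
# where status is ok, timeout or failed. Returns 0 only if every job was ok.
# Labels must not contain spaces, ':' or '='.
run_phase() {
  phase=$1; shift
  jobs_started=""
  failed=0

  for spec in "$@"; do
    label=${spec%%=*}      # text before the first '='
    command=${spec#*=}     # text after the first '='
    # A real wrapper would write each tool's output to a per-job file;
    # it is discarded here to keep the example short.
    timeout "$PHASE_TIMEOUT" sh -c "$command" >/dev/null 2>&1 &
    jobs_started="$jobs_started $label:$!"
  done

  for entry in $jobs_started; do
    rc=0
    # '|| rc=$?' keeps a failing job from aborting the wrapper under 'set -e'.
    wait "${entry##*:}" || rc=$?
    case $rc in
      0)   echo "$phase/${entry%%:*}:ok" ;;
      124) echo "$phase/${entry%%:*}:timeout"; failed=1 ;;  # timeout(1) killed it
      *)   echo "$phase/${entry%%:*}:failed";  failed=1 ;;
    esac
  done
  return "$failed"
}
```

Recording the per-job status rather than only the phase result lets the report show which data source is missing when a tool timed out, instead of silently presenting a partial asset list.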