Favicons are one of the most overlooked assets of a website and at best serve the purpose of helping you identify a particular tab among a dozen open ones. They are also one of the most underrated tools when it comes to finding assets during penetration tests and bug hunting. In this blog, we will take a look at how we can combine tools like Shodan, FireEye, and favicons to find hidden assets and public-facing services.
What Are Favicons?
On most modern browsers, whenever you open a webpage, a small icon appears on the top left corner, right before the title. That is what we call a favicon.
Favicons are basically just icons, usually a logo associated with a website. They appear in browser tabs, the History tab, the Bookmarks dropdown, search-bar recommendations, etc. They make URLs and pages associated with a particular website easy to identify, which makes navigation faster.
This icon is generally fetched from the /favicon.ico endpoint, and browsers request it automatically when you browse any website.
Calculating Favicon Hashes
To find the public-facing assets of an organization, we will use Shodan. Shodan uses mmh3 to hash favicons, which are then indexed during its periodic crawls. You can also find a list of popular favicon hashes over at Favicon Map. MurmurHash3 (mmh3) is a non-cryptographic hash function designed for fast hash-based lookups rather than for the guarantees a cryptographic hash provides.
To find the mmh3 hash of a favicon, you can use the following python3 script:
#!/usr/bin/env python3
import mmh3
import sys
import codecs
import requests

if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} [Favicon URL]")
    sys.exit(1)

try:
    response = requests.get(sys.argv[1], timeout=10)
    response.raise_for_status()
    # Shodan hashes the base64 text of the icon (codecs wraps it at 76
    # characters per line), not the raw bytes, so encode it the same way.
    favicon = codecs.encode(response.content, 'base64')
    favicon_hash = mmh3.hash(favicon)
    print(f"Favicon Hash: {favicon_hash}")
except Exception as e:
    print(f"Error occurred: {e}", file=sys.stderr)
    sys.exit(1)
The above program takes the full URL to a favicon, requests it, and calculates its hash. For example, we can find the favicon hash of the Debian Wiki as follows:
$ python3 favicon_hash_finder.py https://wiki.debian.org/htdocs/favicon.ico
Favicon Hash: 1320981061
Similarly, you can use the script to find out the favicon hashes pertaining to any website you want.
Using Shodan to Hunt for Assets
Once we have the favicon hash, we can look it up on Favicon Map. However, the preferred way to search for assets is to use Shodan Search. Shodan allows us to search its database by favicon hash using the http.favicon.hash parameter.
For example, building on the example above, to search for assets belonging to the Debian Wiki via Shodan Search, we can issue the following query:
http.favicon.hash:1320981061
This technique can be really useful for finding sensitive assets belonging to an organization. For example, to look for Confluence servers belonging to, let’s say, Expliot.io in order to test for CVE-2022-26134, you can find the favicon hash of Confluence servers and pair it with another query as follows:
org:"expliot.io" http.favicon.hash:-305179312
Alternatively, we can use the Shodan CLI to hunt for assets with the following syntax:
$ shodan search org:"expliot.io" http.favicon.hash:-305179312 --fields ip_str,port --separator " "
Using Favicon Hashes With Zoomeye
Favicon hashes are an underrated but extremely powerful tool, and their utility extends beyond just Shodan. If Shodan fails to show relevant results, we can apply the same technique to alternatives like Zoomeye, which uses the same mmh3 algorithm.
For example, to search assets belonging to the Debian Wiki, we can use the following Zoomeye query:
iconhash:"-305179312"
This lists all the public-facing assets of the target in the Zoomeye database, so we can find assets that Shodan might have missed.
Conclusion
Favicons, in spite of appearing very trivial, are a powerful asset. They can help pentesters and bug bounty hunters expand their scope by uncovering hidden services and IP addresses. With search engines like Shodan and Zoomeye continuously crawling the internet, we can find assets pertaining to almost all organizations, from mid-sized to large ones. Hence, combining favicon hashes with these search engines makes for an indispensable information-gathering technique.
About Payatu
Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s services and get started with the most effective cybersecurity assessments.
Have any specific requirements in mind? Let us know about them here and someone from our team will get in touch with you.