How to find assets using Favicon Hashes?

Favicons are one of the most overlooked assets of a website and are at best serving the purpose of helping you identify a particular tab out of a dozen open ones. They are also one of the most underrated tools when it comes to finding assets during penetration tests and bug hunting. In this blog, we will take a look at how we can combine tools like Shodan, FireEye, and Favicons to find hidden assets and public-facing services.

What Are Favicons?

On most modern browsers, whenever you open a webpage, a small icon appears on the top left corner, right before the title. That is what we call a favicon.

Favicon Example

Favicons are just small icons, usually the logo associated with a website. They appear in browser tabs, the history list, the bookmarks dropdown, address-bar suggestions, and so on, and they help users quickly recognise URLs and pages belonging to a particular website, making navigation faster.

This icon is generally served from the /favicon.ico endpoint, and browsers request it automatically whenever you visit a website.

Calculating Favicon Hashes

To find the public-facing assets of an organization, we will use Shodan. Shodan hashes favicons with mmh3 and indexes the resulting hashes during its periodic crawls. You can also find a list of popular favicon hashes over at Favicon Map. MurmurHash3 (mmh3) is a non-cryptographic hash function designed for fast hash-based lookups rather than for the security properties of a cryptographic hash.

To find the mmh3 hash of a favicon, you can use the following python3 script:

#!/usr/bin/env python3
import mmh3
import sys
import codecs
import requests

if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} [Favicon URL]")
    sys.exit(1)

try:
    response = requests.get(sys.argv[1], timeout=10)
    response.raise_for_status()
    # Shodan hashes the base64 text of the icon (line-wrapped every 76
    # characters, which is what the 'base64' codec produces), not the raw bytes
    favicon = codecs.encode(response.content, 'base64')
    favicon_hash = mmh3.hash(favicon)
    print(f"Favicon Hash: {favicon_hash}")
except Exception as e:
    print(f"Error occurred as: {e}", file=sys.stderr)
    sys.exit(1)

The above program takes the full URL to a favicon, requests it, and calculates its hash. For example, we can find the favicon hash of the Debian Wiki as follows:

$ python3 favicon_hash_finder.py https://wiki.debian.org/htdocs/favicon.ico
Favicon Hash: 1320981061

Finding Favicon Hash of the Debian Wiki

Similarly, you can use the script to find out the favicon hashes pertaining to any website you want.


Using Shodan to Hunt for Assets

Once we have the Favicon hash, we can look it up on Favicon Map. However, the preferred way to search for assets is to use Shodan Search. Shodan allows us to search through their database by using favicon hashes with the http.favicon.hash parameter.

For example, building upon our example, to search for assets belonging to the Debian Wiki via Shodan Search, we can issue the following search query:

http.favicon.hash:1320981061 

Using Shodan Filters to search for favicon hash

This technique can be really useful for finding sensitive assets belonging to an organization. For example, to look for Confluence servers belonging to, let's say, Expliot.io in order to test for CVE-2022-26134, you can find the favicon hash of Confluence servers and pair it with an org filter as follows:

org:"expliot.io" http.favicon.hash:-305179312 

Alternatively, we can also use the CLI tool to hunt for assets using the following syntax:

$ shodan search org:"expliot.io" http.favicon.hash:-305179312 --fields ip_str,port --separator " "

Using Favicon Hashes With Zoomeye

Favicon hashes are an underrated but extremely powerful tool, and their utility extends beyond Shodan. If Shodan fails to show relevant results, we can apply the same technique on alternative search engines such as Zoomeye, which uses the same mmh3 algorithm.

For example, to search assets belonging to the Debian Wiki, we can use the following Zoomeye query:

iconhash:"-305179312"  

This would list out all the public-facing assets of the target in the Zoomeye database, and we can find new assets which Shodan might have missed.
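The following script is an added example (not part of the original post or of Shodan's or Zoomeye's tooling) that ties the hashing section and the query sections together without needing the mmh3 package: it implements MurmurHash3 x86_32 in pure Python, hashes a constructed favicon the way Shodan does (over the line-wrapped base64 text, not the raw bytes or unwrapped base64, which are the two common mistakes that produce a hash nobody has indexed), and formats the Shodan and Zoomeye query strings shown above. The FAKE_ICO bytes and the hash_variants/build_queries names are assumptions made for this example; on a real favicon you would pass response.content instead.

```python
import base64

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, the function the mmh3 package's hash() implements.
    Pure Python (no mmh3 dependency); result is a signed 32-bit int like mmh3."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h, n = seed & mask, len(data)
    for i in range(0, n - n % 4, 4):               # full 4-byte little-endian blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (rotl((k * c1) & mask, 15) * c2) & mask
        h = (rotl(h ^ k, 13) * 5 + 0xE6546B64) & mask
    k = 0
    for j, b in enumerate(data[n - n % 4:]):        # 0-3 trailing bytes
        k ^= b << (8 * j)
    if k:
        h ^= (rotl((k * c1) & mask, 15) * c2) & mask
    h ^= n                                          # fmix32 finalisation
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & mask
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def hash_variants(favicon: bytes) -> dict:
    """Shodan hashes the base64 *text* of the icon, line-wrapped at 76 chars
    (what codecs.encode(data, 'base64') / base64.encodebytes produce). The
    other two variants are common mistakes that yield an unsearchable value."""
    return {
        "shodan": murmur3_32(base64.encodebytes(favicon)),   # the searchable one
        "unwrapped_b64": murmur3_32(base64.b64encode(favicon)),
        "raw_bytes": murmur3_32(favicon),
    }

def build_queries(favicon_hash: int, org: str = "") -> dict:
    """Search strings in the syntax used on this page for Shodan and Zoomeye."""
    shodan = f"http.favicon.hash:{favicon_hash}"
    if org:
        shodan = f'org:"{org}" {shodan}'
    return {"shodan": shodan, "zoomeye": f'iconhash:"{favicon_hash}"'}

# Constructed stand-in for a downloaded favicon (ICO header bytes plus filler)
# so the script runs offline; use response.content from a real download instead.
FAKE_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00" + bytes(range(118))

if __name__ == "__main__":
    variants = hash_variants(FAKE_ICO)
    print("mmh3 self-check:", murmur3_32(b"foo"))   # -156908512, same as mmh3.hash("foo")
    for name, value in variants.items():
        print(f"{name:>13}: {value}")
    print(build_queries(variants["shodan"], "expliot.io"))
```

Comparing the three variants on your own favicon is a quick way to confirm that the value you are about to search for is the one Shodan actually indexed.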

Conclusion

In spite of appearing trivial, favicons are a powerful asset. They can help pentesters and bug bounty hunters expand their scope by uncovering hidden services and IP addresses. With search engines like Shodan and Zoomeye continuously crawling the internet, we can find assets pertaining to almost any organization, from mid-sized to large ones. Hence, combining favicon hashes with these search engines makes for an indispensable information-gathering technique.

About Payatu

Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Want to check the security posture of your organization? Browse through Payatu’s services and get started with the most effective cybersecurity assessments.

Have any specific requirements in mind? Let us know about them here and someone from our team will get in touch with you.
