Shodan

#1. Finding websites that use similar favicon.ico

This is useful for identifying phishing websites as they generally clone your custom favicon.ico file. Shodan provides a search filter (signed-in users only) for searching specific favicon.ico files. This is done by first converting the favicon.ico file into a hash value and this hash value is queried in the Shodan database. The following is the search filter:

http.favicon.hash:<hash-of-favicon.ico>

Deep Dive: http.faviconShodan Blog

Source

Tool

1. favscan

The favscan tool provided in the above blog does not work correctly at the time of writing this article [18/01/2024].

Download links provided in Blog

1. get_favicon_hash.py

GitHub - Mr-P-D/Favicon-Hash-For-Shodan.io: this script will help you find favicon hashes which you can use to shodan to get more details about an assetGitHub

Command

1. favscan

favscan -v <domain for e.g. shodan.>

1. get_favicon_hash.py

python3 get_favicon_hash.py
# Prompts for input. Provide te favicon.ico URL.

Example

1. favscan

└─# favscan -v cloudflare.com
Requesting URL: cloudflare.com
Adding 'https' scheme to URL: cloudflare.com
1900658278

1. get_favicon_hash.py

└─# python3 get_favicon_hash.py 
Enter Favicon URL to get the mmh3-HASH: https://facebook.com/favicon.ico
-560962771
Now Use this on Shodan For Searching,http.favicon.hash:-560962771

<Screenshots>