Using Favicon for OSINT | Black Hat Ethical Hacking



Calculating the favicon hash

One of the next steps is figuring out the Murmur3 (MurmurHash3) hash for the website’s favicon. This hash acts like a digital fingerprint, helping search engines recognize and index web assets. To generate it, we’ll use Python’s mmh3 module; this method is widely used by platforms like Shodan, Censys, Fofa, and ZoomEye to classify and identify sites based on their favicons.

  • Calculating the hash using a python3 script:
    • Run this script with python3 to calculate the favicon hash (insert your favicon’s URL in the line: requests.get('https://github.com/favicon.ico') ).

Script:

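# python 3
import mmh3
import requests
import codecs
# Download the favicon (replace the URL with your favicon's URL)
response = requests.get('https://github.com/favicon.ico')
# Base64-encode the raw bytes (the codec wraps the output in 76-character lines)
favicon = codecs.encode(response.content, "base64")
# MurmurHash3 (32-bit, signed) of the base64 text
favicon_hash = mmh3.hash(favicon)
print(favicon_hash)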

Usage:

python3 your_python_filename.py

Result: 1848946384

Source: https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a

  • Or, you can use this script to calculate the hash by providing the URL as a command-line argument instead of hardcoding it inside the script.

 

Script:

import mmh3
import requests
import codecs
import sys

# Check if URL is provided
if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} <favicon_url>")
    sys.exit(1)

url = sys.argv[1]  # Get URL from command-line argument

try:
    response = requests.get(url, timeout=10)  # Fetch the favicon with a timeout
    response.raise_for_status()  # Do not hash the body of an HTTP error page
    favicon = codecs.encode(response.content, "base64")  # Convert to base64
    hash_value = mmh3.hash(favicon)  # Compute mmh3 hash
    print(f"Favicon mmh3 Hash: {hash_value}")
except requests.exceptions.RequestException as e:
    print(f"Error fetching favicon: {e}")

Usage:

python3 your_python_filename.py https://github.com/favicon.ico

Result: Favicon mmh3 Hash: 1848946384

  • You can also run this as a one-liner:

python3 -c "import mmh3, requests, codecs, sys; print(mmh3.hash(codecs.encode(requests.get(sys.argv[1], timeout=10).content, 'base64')))" "https://github.com/favicon.ico"

Result: 1848946384
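The scripts above hash the base64 text, not the raw icon bytes, and that detail decides whether your value matches an indexed one. The following is an added example, not part of the original article or the gist: it reimplements MurmurHash3 x86_32 in pure Python (a stand-in for mmh3.hash() so it runs without third-party modules) and shows that line-wrapped and unwrapped base64 give different hashes. SAMPLE_ICON and the function names are constructed for the illustration.

```python
import base64

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int like mmh3.hash()."""
    mask, c1, c2 = 0xFFFFFFFF, 0xCC9E2D51, 0x1B873593

    def mix(k: int) -> int:
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask      # rotate left 15
        return (k * c2) & mask

    h = seed & mask
    body_len = len(data) - len(data) % 4
    for i in range(0, body_len, 4):             # full 4-byte little-endian blocks
        h ^= mix(int.from_bytes(data[i:i + 4], "little"))
        h = ((h << 13) | (h >> 19)) & mask      # rotate left 13
        h = (h * 5 + 0xE6546B64) & mask
    if body_len < len(data):                    # 1-3 trailing bytes
        h ^= mix(int.from_bytes(data[body_len:], "little"))
    h ^= len(data)
    h ^= h >> 16                                # final avalanche
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h   # reinterpret as signed

def favicon_hash(icon_bytes: bytes) -> int:
    """Hash the wrapped base64 text (76-char lines, each ending in a newline),
    which is what codecs.encode(content, "base64") produces."""
    return murmur3_32(base64.encodebytes(icon_bytes))

def favicon_hash_unwrapped(icon_bytes: bytes) -> int:
    """Common mistake: b64encode() emits no newlines, so the value differs."""
    return murmur3_32(base64.b64encode(icon_bytes))

# Constructed stand-in for a downloaded favicon.ico body (not a real icon).
SAMPLE_ICON = bytes(range(256)) * 4

if __name__ == "__main__":
    signed = favicon_hash(SAMPLE_ICON)
    print("wrapped base64 (as in the scripts above):", signed)
    print("unwrapped base64 (will not match)       :", favicon_hash_unwrapped(SAMPLE_ICON))
    print("same value as unsigned 32-bit           :", signed & 0xFFFFFFFF)
```

If a tool reports the hash as an unsigned number, convert it to the signed form before comparing it with the output of mmh3.hash().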

Once you have calculated the Murmur3 hash of a favicon, you can use it in OSINT search engines like Shodan, Censys, Fofa, and ZoomEye to find other websites that use the same favicon, along with related infrastructure information.

Shodan: http.favicon.hash:1848946384

Fofa: icon_hash="1848946384"

  • Websites that automate the process:

 

OSINT use cases for Favicons

Now that we have covered enough basics about favicon.ico and favicon hashes, let’s dive into the interesting part.

 

Find infrastructure IPs that are not behind CDNs or reverse proxies

Websites often use services like CDNs, WAFs, or reverse proxies (Cloudflare, Imperva Incapsula, etc.) to hide their true IP addresses. But interestingly, in some cases, searching by favicon hash can reveal the origin IP, or find IPs of the organization’s related infrastructure that are not protected by reverse proxies, essentially bypassing that layer of protection. It’s not guaranteed, but it’s a clever trick worth knowing about.

By using the favicon hash in search engines such as Shodan, Censys, FOFA, or ZoomEye, you can often uncover numerous websites or servers that share the same favicon. In many cases, these sites are hosted behind CDNs or similar protective layers, but some of them are not.

Start by entering the favicon hash into a search engine. In this write-up, we’ll focus on FOFA and Shodan, as they typically return the most comprehensive set of results.

Shodan: http.favicon.hash:1848946384

Fofa: icon_hash="1848946384"

A basic review of the results might look something like this:

Look for Non-CDN IPs

Review the results:

  • Identify IPs not protected by Cloudflare/Akamai/etc.
  • Check TLS certs, HTTP headers, response titles, and HTML content for matches.

 

These IPs may belong to:

  • Misconfigured origin servers
  • Staging/pre-prod environments
  • APIs leaking their real backend

 

Verify Origin

To confirm:

  • Compare responses between the CDN-protected domain and the exposed IP.
  • Look for identical titles, HTML structure, favicons, or error pages.
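The review and verification steps above can be scripted when you audit your own organisation's favicon footprint. This is an added example, not code from the original article: it drops hits inside CDN ranges and reports which attributes of the remaining hosts match the CDN-protected site. The record field names, hash value, titles and addresses are constructed for the illustration, and the CIDR list is only a sample subset of Cloudflare's published IPv4 ranges.

```python
import ipaddress

# Sample subset of Cloudflare's published IPv4 ranges; in real use load the
# complete, current list for every CDN/WAF that fronts your sites.
CDN_RANGES = [ipaddress.ip_network(c) for c in
              ("104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]

# Attributes of the CDN-protected site (all values constructed).
REFERENCE = {"title": "Example Corp Portal", "cert_cn": "www.example.com",
             "favicon_hash": 123456789}

# Constructed search-result rows; the field names are hypothetical and do not
# follow any search engine's real export schema.
RESULTS = [
    {"ip": "104.16.10.20", "port": 443, "title": "Example Corp Portal",
     "cert_cn": "www.example.com", "favicon_hash": 123456789},
    {"ip": "203.0.113.45", "port": 443, "title": "Example Corp Portal",
     "cert_cn": "www.example.com", "favicon_hash": 123456789},
    {"ip": "198.51.100.7", "port": 8443, "title": "Welcome to nginx!",
     "cert_cn": "localhost", "favicon_hash": 123456789},
]

def behind_cdn(ip: str) -> bool:
    """True when the address falls inside one of the known CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def triage(reference: dict, results: list) -> list:
    """List hosts outside the CDN ranges and which attributes match the reference."""
    findings = []
    for row in results:
        if row["favicon_hash"] != reference["favicon_hash"] or behind_cdn(row["ip"]):
            continue
        matched = [k for k in ("title", "cert_cn") if row.get(k) == reference[k]]
        verdict = "likely origin" if len(matched) == 2 else "needs manual review"
        findings.append({"ip": row["ip"], "port": row["port"],
                         "matched": matched, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage(REFERENCE, RESULTS):
        print(finding)
```

Hosts reported as "likely origin" are the ones to restrict so that they accept traffic only from the CDN's address ranges.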

 

Favicon hash search results on FoFa search engine

 

Finding related infrastructure (subdomains, staging environments, hidden servers) – discovering exposed admin panels and services

Another method uses favicon hashes to help uncover related subdomains or infrastructure that may be linked to the same target or organization. It’s not always conclusive, but it can offer useful leads during an investigation. Since many organizations reuse the same favicon across production domains, subdomains, staging environments, development servers, and even forgotten assets, it’s often possible to discover them by applying the same search filter used earlier.

Using the same favicon hash filter on Fofa or Shodan:

Shodan: http.favicon.hash:1848946384

Fofa: icon_hash="1848946384"

 

Alternatively, you can refine your search using additional operators—for example, to narrow results down to login portals.

 

Fofa:

icon_hash="1848946384" && (title=="Login" || title=="Sign In" || body="login" || body="sign in")

Shodan:

http.favicon.hash:1848946384 title:"login"

These queries help surface systems with matching favicons and login-related content.

You can also experiment with favicon hashes combined with additional filters, for example:

  • title:"admin"
  • body:"portal"
  • html:"/manage"
  • title:"Grafana"
  • html:"phpMyAdmin"
  • title:"Kibana"
  • title:"dev"
  • port:5601 (Kibana), port:8081 (SonarQube), port:15672 (RabbitMQ)

 

Additionally, you can use regex patterns in your Fofa queries to further refine results. This feature, however, requires a premium membership.

E.g.

icon_hash="116323821" && (title~="admin" || body~="admin" || header~="Admin")

