Weaponizing favicon.ico for Bug Bounties, OSINT and what not
Hello there, I am too lazy when it comes to writing blogs and writeups, but hey, look, I wrote this one xD.
Long Story Short
I have been using favicon.ico hashes for a long time now to find new assets, IP addresses and technologies owned by a company. Recently I noticed this fairly small and simple trick trending on Twitter; below are some screenshots:
So I decided to write a blog on it. I will explain my methodology, show how I use fingerprint-based detection with favicon hashes, and walk through "FavFreak", a tool of mine that makes the work a hell of a lot easier. Let's dive into "The lesser known art of Recon using Favicon hashes".
Introduction
What is favicon.ico
Modern browsers show a small image/icon to the left of the page title; that icon is the favicon, usually served as favicon.ico. It is generally fetched from https://anywebsite/favicon.ico, and browsers request it automatically when you browse a website. A page can also point the browser at a different icon path with a <link rel="icon"> tag in its HTML, so a site that returns 404 for /favicon.ico may still have an icon worth hashing.
How to calculate favicon hashes from favicon.ico
The hash everyone (Shodan included) uses is the 32-bit MurmurHash3 (mmh3) of the base64-encoded icon bytes. The encoding is the line-wrapped variant produced by Python's codecs.encode(data, "base64") (a newline every 76 characters), not plain base64.b64encode; encoding the icon without the line breaks gives a different number and your Shodan searches will silently return nothing.
Using Python 2
Using Python 3
Source: https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
Example :
Let's calculate the favicon hash for https://medium.com/favicon.ico
I think I have covered enough of the basics about favicon.ico and favicon hashes. Now let's dive into the interesting part.
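The two snippets referenced above were not reproduced on this page, so here is an added, dependency-free worked example (not the gist's code and not part of the original post) that computes the same value: a pure-Python MurmurHash3 x86_32 equal to mmh3.hash(), applied to the line-wrapped base64 encoding. The SAMPLE_ICON bytes are constructed, not a real favicon, and fetch_favicon_hash is a helper of my own that needs network access; the User-Agent string is an arbitrary choice.

```python
import base64
import urllib.request

# Constructed sample "icon": 256 bytes, long enough that the base64 output is
# wrapped onto several 76-character lines (the detail that changes the hash).
SAMPLE_ICON = bytes(range(256))


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash3 (x86 variant), the function behind mmh3.hash().

    Returns a signed int32 like mmh3.hash() does, so negative hashes are normal.
    """
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h1 = seed & mask
    n_blocks = len(data) // 4
    for i in range(n_blocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask          # rotl32(k1, 15)
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask          # rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = data[4 * n_blocks:]
    if tail:
        # 1-3 leftover bytes, zero-padded, little-endian (same as the reference C)
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    h1 ^= len(data)
    # finalisation mix (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def encode_for_hash(icon: bytes) -> bytes:
    """Base64 with a newline every 76 characters plus a trailing newline.

    This is what codecs.encode(data, "base64") and Python 2's
    str.encode("base64") produce; base64.b64encode() has no line breaks
    and therefore does NOT give the Shodan-compatible hash.
    """
    return base64.encodebytes(icon)


def favicon_hash(icon: bytes) -> int:
    """Shodan-style favicon hash of raw icon bytes."""
    return murmur3_32(encode_for_hash(icon))


def fetch_favicon_hash(site: str, timeout: float = 10.0) -> int:
    """Fetch <site>/favicon.ico and hash it (needs network; not exercised offline)."""
    req = urllib.request.Request(
        site.rstrip("/") + "/favicon.ico",
        headers={"User-Agent": "favicon-hash-example"},  # arbitrary UA, assumption
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return favicon_hash(resp.read())


if __name__ == "__main__":
    print("mmh3('foo') =", murmur3_32(b"foo"))          # -156908512, mmh3's own README vector
    print("favicon hash of sample icon =", favicon_hash(SAMPLE_ICON))
```

If you have the real library installed, mmh3.hash(base64.encodebytes(icon)) returns the same number as favicon_hash(icon); the pure-Python version is only here so the example runs anywhere. Keep the sign: Shodan's http.favicon.hash filter expects the signed value, so a hash such as -1234567890 is searched exactly as written.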
Favicon Hashes + Shodan
You can search for assets/IPs using favicon hashes on Shodan with the http.favicon.hash:[Favicon hash here] filter.
Example :
Generally the favicon hash of a Spring Boot application (the default Spring icon) is 116323821, so the Shodan filter http.favicon.hash:116323821 finds Spring Boot instances. A hash match only tells you the default icon is served; confirm the technology on the host before reporting anything.
Here is a one-liner for doing the same using the Shodan CLI:
$ shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'
Result :
Note: This is just one example; you can use different favicon hashes for different services. Be creative!
My Methodology
I start with my recon process and try to find as many assets as possible. I then compute the favicon hash for each domain/subdomain/IP and match those hashes against my fingerprints.json.
$ cat fingerprints.json
{
"116323821" : "Potential Spring Boot instance",
"blah-blah" : "Potential XYZ instance",
.. .. .. .. ..
.. .. .. .. ..
and so on}
If any favicon hash matches one of the fingerprints in fingerprints.json, I store the matched hosts in a separate file and hunt for already known issues on those web apps (for example, testing for /env, /heapdump and /logfile on hosts that match my Spring Boot fingerprint; on Spring Boot 2.x these Actuator endpoints live under /actuator/ by default, so check both paths).
Automating all this
I have created a tool named "FavFreak" that makes my work a hell of a lot easier. It takes a list of URLs (with the http or https scheme) from stdin, fetches /favicon.ico for each and calculates its hash. It then sorts the domains/subdomains/IPs by favicon hash and, the most interesting part, matches the calculated hashes against the fingerprint dictionary; any match is shown in the output. There is an option to generate Shodan dorks as well (that part is pretty basic and you can do it manually too).
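As an added example of the workflow described in "My Methodology" and in the FavFreak description above (my own code, not FavFreak's and not from the post), the block below takes already-computed hashes, groups hosts by hash, matches them against a fingerprint dictionary, emits Shodan dorks and expands matches into the follow-up URLs to probe. All hosts and every hash except 116323821 are constructed; the FOLLOW_UPS table and its non-actuator/actuator pairing are my assumption about what to test next, not the post's.

```python
from collections import defaultdict

# Constructed sample: the result of hashing /favicon.ico for each host in a recon run.
# None models a host that returned no icon (e.g. 404), which must not be grouped.
# Only 116323821 (Spring Boot) is from the post; all hosts and other values are made up.
SAMPLE_HASHES = {
    "https://app.example.com": 116323821,
    "https://api.example.com": 116323821,
    "https://blog.example.com": -1234567890,
    "https://10.0.0.5:8443": 116323821,
    "https://www.example.com": None,
}

# Same shape as the post's fingerprints.json: hash as a string -> label.
FINGERPRINTS = {
    "116323821": "Potential Spring Boot instance",
}

# Assumed follow-up paths per label. The first three are the ones the post names;
# the /actuator/ variants cover Spring Boot 2.x defaults.
FOLLOW_UPS = {
    "Potential Spring Boot instance": [
        "/env", "/heapdump", "/logfile",
        "/actuator/env", "/actuator/heapdump", "/actuator/logfile",
    ],
}


def group_by_hash(hashes: dict) -> dict:
    """{hash: [hosts...]}, skipping hosts that had no icon."""
    groups = defaultdict(list)
    for host, h in hashes.items():
        if h is not None:
            groups[h].append(host)
    return dict(groups)


def match_fingerprints(hashes: dict, fingerprints: dict) -> dict:
    """{host: label} for every host whose hash is a known fingerprint."""
    return {
        host: fingerprints[str(h)]
        for host, h in hashes.items()
        if h is not None and str(h) in fingerprints
    }


def shodan_dorks(hashes: dict, org: str = None) -> list:
    """One http.favicon.hash dork per distinct hash, optionally scoped to an org.

    Hashes are signed 32-bit values, so negative numbers are emitted as-is.
    """
    dorks = []
    for h in sorted({h for h in hashes.values() if h is not None}):
        dork = f"http.favicon.hash:{h}"
        if org:
            dork = f'org:"{org}" {dork}'
        dorks.append(dork)
    return dorks


def follow_up_targets(matches: dict, follow_ups: dict) -> list:
    """Expand matched hosts into the concrete URLs to request next."""
    return [
        host.rstrip("/") + path
        for host, label in sorted(matches.items())
        for path in follow_ups.get(label, [])
    ]


if __name__ == "__main__":
    for h, hosts in sorted(group_by_hash(SAMPLE_HASHES).items()):
        print(h, hosts)
    matches = match_fingerprints(SAMPLE_HASHES, FINGERPRINTS)
    print(matches)
    print("\n".join(shodan_dorks(SAMPLE_HASHES, org="Example Inc")))
    print("\n".join(follow_up_targets(matches, FOLLOW_UPS)))
```

Hosts sharing a hash but matching no fingerprint are still worth a look: several unrelated-looking subdomains with one uncommon icon usually means one product or one team, and that hash becomes a candidate entry for your own fingerprints.json.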
Example
$ cat urls.txt | python3 favfreak.py -o output
Fetching /favicon.ico and generating hashes :
Subdomains/IPs Sorted according to their Favicon hashes :
FingerPrint Based favicon Hash detection :
Fingerprint dictionary looks like this :
If you are lazy, add --shodan and it will generate Shodan dorks for you based on the calculated favicon hashes:
Be creative and add your own favicon hash fingerprints!
FavFreak can be found here : https://github.com/devanshbatham/FavFreak
Contact
Shoot my DM : @0xAsm0d3us
#Offtopic but Important
This COVID pandemic affected animals too (in an indirect way). I will be more than happy if you show some love for animals by donating to Animal Aid Unlimited. Animal Aid Unlimited saves animals through street animal rescue, spay/neuter and education. Their mission is dedicated to the day when all living beings are treated with compassion and love. ✨